Cloud Computing and the Public Sector
Presented by Philip Nolan, partner, Mason Hayes+Curran on 6 April 2011.

Transcript

  • 1. The Irish Public Sector: The Cloud Effect
      6 April 2011
      Regulating the Cloud: Legal Considerations for Cloud Computing in the Public Sector
      Philip Nolan, Partner and Head of Commercial Law
  • 2. Just as the Internet has led to the creation of new business models unfathomable 20 years ago, cloud computing will disrupt and reshape entire industries in unforeseen ways. To paraphrase Sir Arthur Eddington – the physicist who confirmed Einstein’s Theory of General Relativity – cloud computing will not just be more innovative than we imagine; it will be more innovative than we can imagine.
  • 3. Overview
      • How are other governments adopting the cloud?
      • What themes/patterns are emerging?
      • What are the risks to be overcome?
          • Data security
          • Export of data
          • Long term retention
  • 4. Survey of leading countries
      • United States
      • United Kingdom
  • 5. United States
      • Exemplar and global leader for public sector cloud adoption
      • Policy has been driven directly by White House
      • Extremely sophisticated implementation
  • 6. “Cloud First”
      • Federal Cloud Computing Strategy, 8 February 2011
      • All Agencies/Departments to “evaluate safe, secure cloud computing options before making any new investments”
      • Cloud options must be rejected before procuring traditional IT
  • 7. “Cloud First”
      • Requires a “transparent security environment” between the Government and cloud providers
      • “The environment will move us to a level where the Federal Government’s understanding and ability to assess its security posture will be superior to what is provided within agencies today.”
  • 8. How does it work?
      • Very controlled process directed by General Services Administration (GSA)
      • Vendors must seek centralised pre-approval from GSA
      • Minimum standards:
          • Full ownership of data hosted in the cloud
          • Full copies of data downloadable at any time
          • Hosted within the continental US
          • 99.95% uptime
          • Compliance with all applicable laws
  • 9. How does it work?
      • Security assured under the Federal Risk and Authorization Management Program (FedRAMP)
      • Detailed and specified security obligations are set down
      • All vendors are continually assessed and monitored
  • 10. How does it work?
      • Solutions meeting these standards are pre-approved to be offered to US Federal Agencies
      • Solutions are sold on “apps.gov”, a centralised store
      • Purchasing officers/CIOs for each agency can purchase services from this site
  • 11. Free cloud/web 2.0 services
      • E.g. Twitter, Facebook, blogs etc…
      • Special terms of service have been centrally negotiated
      • Removal of terms that are objectionable, e.g. indemnities, extreme limitations on liabilities
      • Agency wanting to use web 2.0 services can adopt these terms
  • 12. Best of All Worlds
      • Procurement pre-screening centralised → legal compliance and security centrally assured
      • Single price must be provided → market power of entire government leveraged
      • Final purchasing decision is made by individual agency → services purchased are suitable for end user
  • 13. United Kingdom
      • “G-Cloud”
      • Project driven by Cabinet Office
      • Phase 2 reports just published
  • 14. UK vs US
      • Suggests a broadly similar approach to US
          • G-Cloud authority setting basic standards
          • Applications store for Government
          • Pre-approval required
          • Data is to remain with UK
          • Data is to remain under control of public body
          • Data to be returned on demand
      • Differences
          • All applications must be provided on at least two infrastructure providers to avoid lock in
          • Government to run its own data centres
  • 15. UK: Hybrid Cloud Approach
      • A hybrid cloud model: services will be run on both the UK Government’s own dedicated infrastructure and that of private entities, e.g. Microsoft
      • Infrastructure used will depend on degree of security required. Differing security standards (matching existing government security levels) will be provided
  • 16. Emerging themes
      • A global move to the cloud by public sectors
      • Some differences in approach, but patterns clearly emerging:
          • Centralised pre-approval, not a free-for-all!
          • Variable security standards: public info v tax returns
          • Public sector “champion” drives the initiative
          • Purchasing authority remains decentralised
          • Insistence that sensitive data remain within jurisdiction
  • 17. Programme for Government: The Challenge
      • “We will make Ireland a leader in the emerging I.T. market of cloud computing by promoting greater use of cloud computing in the public sector.”
      • What are the legal impediments to achieving this objective?
      • Can we overcome them?
  • 18. Legal Issues
      • Stem from a myriad of sources, but can be stated simply
      • Three key issues
          • Data security
          • Data export
          • Data availability
      • Problems with solutions
  • 19. Data Security: Problem
      • Data Protection Acts 1988-2003
      • Obligation on a “data controller” to ensure appropriate safeguards are in place
      • Failure = breach of statutory duty and liability in damages
      • Duty does not disappear when data is handed over to a “data processor” or put into cloud
  • 20. Data Security: Solution
      • Ensure cloud provider has adequate technical safeguards in place (NB: public sector pre-approvals)
      • Insist that provider agrees, in contract, to comply with Irish law
      • Require cloud provider to accept liability for data breaches (e.g. LA-Google Contract)
      • Seek audit rights
  • 21. Data Export: Problem
      • Export of personal data outside of EEA is heavily regulated
      • Generally need consent of data subject or special agreement to export data outside of EEA
      • Public bodies have specific security concerns – can the data be accessed by foreign states?
          • USA PATRIOT Act
          • UK Regulation of Investigatory Powers Act 2000
          • High profile but similar powers in most states
          • Discovery in civil litigation
  • 22. Data Export: Solution
      • Geographic location of cloud is key, potential “deal killer”
      • Insist that cloud is based in EEA to address DPA issues
      • Where security issues: Irish cloud!
      • Ireland = European data centre capital!
      • High level concerns may call for dedicated government cloud infrastructure (e.g. UK)
      • Issue does not arise for non-personal, non-sensitive information, e.g. publicly available document hosting
  • 23. Data Retention: Problem
      • Public sector under far reaching obligations to ensure that data is stored safely and is accessible over longer term: National Archives Act, Freedom of Information Act
      • Data subjects have a right to access and modify their data under Data Protection Acts
      • Similar private sector obligations: tax, employment, health and safety law
      • Does the cloud offer long term storage and access?
  • 24. Data Retention: Solution
      • Ability to download any information when needed.
      • Data back-up and that provider has disaster recovery systems
      • Ensure access to data in event of insolvency under contract
  • 25. Conclusion
      • Cloud is being enthusiastically embraced by neighbouring governments – Ireland is falling behind the curve
      • However, we can catch up!
      • Legal issues are surmountable with care and proper contracting
      • Best practices exist which can be followed
  • 26. The Irish Public Sector: The Cloud Effect
      6 April 2011
      Regulating the Cloud: Legal Considerations for Cloud Computing in the Public Sector
      Philip Nolan, Partner and Head of Commercial Law