Insights from practitioners in Information Management

Cloud Computing – What’s the Risk?

Presented by Shirley Cowcher
CT Group Australia
25 January 2012

When I started discussing this topic with my work colleagues one of them told me that they were in two minds about the risks associated with Cloud Computing. They believed that there were far more benefits than there were problems.  This opinion was the result of a personal experience she had had.

A couple of years ago her external hard drive failed. It was the early days of digital cameras, having weaned herself off the point, shoot and hope for the best that we’ve all experienced with film – or am I the only one old enough to remember life before digital cameras and smartphones?

The hard drive contained an archived copy of electronic images of her young children.  She didn’t think that she had a problem as she still had all the original images on her computer, but just in case there was a problem she decided to send copies of the images to her Yahoo mail account – just as well she did as a few weeks later, before she had got around to buying a new external hard drive, her computer crashed and she was unable to recover anything from it.  Had she not sent those images to the Cloud they would have been lost.  So, she is all for using this publicly available technology to ensure that she doesn’t lose those irreplaceable memories.  Just to let you know she now has 2 backups and 3 synchronised computers.

So while we were discussing the positive side of things, I then told her the story of a very good friend who was using the same cloud service provider, Yahoo, for all his personal email communications.  This included dealing with a number of issues associated with finalizing the estate of his wife.  His account was hacked and when he finally got access to it all his emails and addresses had been deleted.  No backup, no copies being downloaded to an Outlook account, nothing.  All lost and no assistance from Yahoo to try and recover any of the information.  His own fault, you’ll say, he should have had backups.  Perhaps so, but surely there should be some security to protect the information stored in the cloud.  Just so we are clear on this matter of the cloud providers providing security for your information, a study conducted in April 2011 by the Ponemon Institute found that “The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility” (Security of Cloud Computing Providers Study, Ponemon Institute, April 2011, p1). This same study indicated that cloud providers in the study identified that “…the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications… improved security or compliance with regulations is … an unlikely reason for choosing cloud services” (Security of Cloud Computing Providers Study, Ponemon Institute, April 2011, p1).
We all bandy the term Cloud Computing about but what is it?  The National Institute of Standards and Technology defines Cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services)…”  Cloud services are usually grouped as:-

•    Infrastructure as a Service (IaaS) – vendor provides computer hardware, including CPU processing, memory, data storage and network connectivity.  This may be shared between multiple customers.  The vendor controls the hardware but the customer controls the applications on the computer. (Amazon EC2, Rackspace Cloud, Telstra).
•    Platform as a Service (PaaS) – vendor provides infrastructure as a service plus operating systems and server applications such as web servers.  This allows customers to use the vendor’s infrastructure to deploy web applications developed by the customer.  The vendor controls the hardware, operating system and the server applications and the customer controls and maintains the applications developed by them. (Google Apps, Microsoft Windows Azure)
•    Software as a Service (SaaS) – vendor uses their cloud infrastructure and cloud platforms to provide customers with software applications. (Google Docs, Google Gmail, Microsoft Office 365 – which includes Microsoft Office Web Apps, Exchange Online, Sharepoint Online, Dynamics CRM Online and Lync)

Now if this isn’t confusing enough there are four models of cloud deployment.
•    Public Cloud – organizations use the vendor’s cloud infrastructure which is shared via the internet with many other organizations and members of the public.
•    Private Cloud – organization has exclusive use of cloud infrastructure and services.
•    Community Cloud – private cloud shared by several organizations.
•    Hybrid Cloud – combination of the three previously mentioned models.

Are you as confused as I am?  Well, my understanding of all this is that if I go with the Cloud I am paying a vendor to allow me to access their servers, their operating systems, their software, and all my data/information is going to be stored on their hard drives.  In addition, I might not know where their servers are located, or my data/information may be stored on multiple servers that are located in different locations.  Are we all clear on what is going on here? So let’s talk about risk.
I am a risk taker, just like every one of you.  Twenty-five years ago I took the risk to start my own business.  In my early twenties, with a young child on my hip and a husband who had no idea what I wanted to achieve, I set about establishing a business that would provide services to other businesses to help them manage their information and minimize the risks associated with the mismanagement of their information.

When I started my business there were two things that stood out as being most important:-
•    Look after people (employees, contractors, clients)
•    Look after the brand (provide quality and don’t compromise on delivering what is promised)
In meeting these two objectives I had to ensure that I was meeting my legal obligations as a manager, consultant and company director.

Now, just in case you don’t know, Information Enterprises Australia provides solutions and people to support company’s information management needs.  We do that as an:-
•    Employment Service;
•    Consulting Service;
•    Training Service; and
•    Publisher – The Australian Records Retention Manual and F is for Filing

As a company that employs people, particularly as most of them are offered as on-hire to clients, I had to be very familiar with Employment, Industrial Relations, OHS, Superannuation, Workers Compensation and Privacy law. On top of that there were the trade practices and fair trading laws, tax laws (Federal and State) and corporate law.  Now as a large majority of our consulting revolves around developing records retention schedules and processing “archived” records for clients, as well as publishing the Australian Records Retention Manual, my consultants and I also have to have a fair knowledge of things like the laws of Evidence, Limitations of Actions and Torts, as well as researching legislation that is specific to the industry to which we are consulting.  Do you know that there are XXXXX pieces of Australian legislation (either Federal or State) pertinent to private companies that specify that records must be kept?  Some are quite obscure:-
•    Chemical Weapons (Prohibition) Act 1994
•    Space Activities Act 1998

So, what has all this got to do with Cloud Computing?  Well, just humour me here, while I explain a little more about my character.  Yes, I’m a risk taker but every risk I take is considered and measured.  I’m a “belts and braces” type of person and need to know that I have minimized the risks by being informed and doing everything to the best of my ability and within the law.  I’m the type of person that feels guilty when a police car flashes their lights behind your car – I immediately assume I’ve done something wrong.  And so to ensure that I don’t carry that guilt with me on a daily basis I research a topic and understand my obligations and the risks.  I’m sure there are a few of you here today who are much like me, and all of us know that ignorance is not a defence when dealing with the ATO or the legal system.

Not wanting to be the Director of Jail Terms for my company, and as a company director with a guilt complex, I made sure that I knew something about the law and the records the company needs to keep to keep me out of jail; however, as the GFC hit and the company profits were reduced I also wanted to reduce company costs.

The server is 4 years old and due to be replaced and that requires an upgrade of software – there goes between $25,000 – $30,000.  If I went with a Cloud IaaS provider I could reduce this cost and improve my cash flow by spreading the cost as a monthly payment over the year.  That is so tempting.  On top of that I use a Client Management Software that requires annual maintenance and regular upgrades that I could dispense with if I went with a Cloud SaaS provider and some of the ones I’ve looked at have developed some really great templates that address issues associated with the FWA awards and contracts.  Sounds great.

So I looked closer.
Do you know that Tax and Corporations law allows you to hold your financial records in electronic format, but they must be able to be converted into hardcopy?  The Corporations Act even allows for your financial records to be kept on a computer which is owned and operated by a third party, e.g. your company’s accountant, but you still have the responsibility to provide a hard copy.  Section 1301 seems to indicate that records can be held in a place other than the place of inspection, providing that a method of allowing for the inspection of the records in written form is provided and that the corporation has lodged a notice with ASIC to indicate where the records are stored and where they are to be inspected (form 991).  Section 1302 also indicates that registers that must be kept may be kept at another office or at the office of a person who may be responsible for maintaining the register on the company’s behalf, but that all offices must be “…in this jurisdiction”.  Based on this I’m not keen on maintaining any records that are required by ASIC outside of Australia, and I need to be mindful that if I’m storing on a server elsewhere I need to lodge a notice with ASIC.

Do you know that the Privacy Act has a National Privacy Principle specifically related to the transferring of personal information overseas?  It is principle 9 – Transborder dataflows – and it requires that personal information may only be transferred if “…the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles”.  Organisations need to be mindful that if they do transfer personal information overseas, the Privacy Act does not override the privacy laws of the country that holds the information.
Now let me give you a scenario.  You have a very successful business and the new harmonisation of the OHS laws has been adopted in WA (they haven’t yet but they are coming).  Under these laws fines for a body corporate may be as large as $3 million, and for an individual conducting a business or an officer of a person conducting a business $600,000 or 5 years imprisonment.  Well, in your business you make decisions and supervise employees.  One of your workers notifies you that there is a worn electrical cable on a computer they use.  You ask the employee to tag it and remove it from the work area.  You check that it has been done and then take 3 days off work.  The employee has not been able to get hold of a replacement computer so decides to use the one with the worn cable, and while reinstalling the machine gets an electric shock.  Is it your fault?
Some things you should know about this new legislation:-
•    An electric shock is considered a dangerous incident
•    Dangerous incidents are notifiable
•    Failure to notify may result in a maximum fine of $50,000 for a body corporate
•    Failure to comply with the health and safety duty relating to this matter may result in a maximum fine of $500,000 for the body corporate and $100,000 for you as the officer.
It’s not your fault; you did everything that you could to ensure that the employee was kept safe.  Did you document that?  Yes, you have your whole HR system supported through a Cloud SaaS provider.  It’s a great system and keeps costs down.  The SaaS provider has just notified you that their IaaS provider has gone out of business and they are in a legal battle to gain access to their systems, and as such your data/information is also caught up in the battle.  What now?  That cheap solution is looking a little more expensive while you present your case to Worksafe explaining that you really can prove that you did what you said you did.  No worries, you do a backup on an external hard drive – except it’s just the data, and without the software that is provided by the Cloud SaaS provider it doesn’t mean anything.  OK, just pay the fines and let’s move on – in the case of a small business this could mean declaring bankruptcy.
I’ll admit that is probably a worst case scenario, but I hope it highlights the fact that when you use the Cloud you are dependent on the provider for more than just access to computer hardware and software.  If you choose to adopt this leading edge technology then think about the issues that go beyond the reduction of business costs.
Issues such as:
•    Security systems
•    Contract conditions between:
     –    You and the provider of SaaS
     –    Your provider of SaaS and their provider of PaaS
     –    Their provider of PaaS and the provider of IaaS
•    Jurisdictional limitations of the law
•    System downtime
•    Data corruptions
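The scenario above makes two practical points that are easy to test for before signing with a provider: a backup that is only readable through the vendor’s software is not evidence you can produce on your own, and a backup that has silently changed or lost records (the “data corruptions” item) is no better. The following Python script is an added example written for this page, not code from the presentation or from any provider. It assumes the SaaS system can export records in an open format (JSON or CSV with a header row), and the incident records, field names and dates in it are constructed for illustration. It reads an export with no vendor software at all, flags records that lack the fields a regulator would ask for, and keeps a SHA-256 manifest so a later restore can be checked for missing or altered records.

```python
import csv
import hashlib
import io
import json

# Constructed sample export of HR safety-incident records in an open
# format (JSON). Ids, dates, names and field names are hypothetical.
SAMPLE_EXPORT = json.dumps([
    {"id": "INC-001", "date": "2012-01-10", "reported_by": "employee_a",
     "description": "Worn power cable on workstation 4",
     "action": "Tagged out and removed from work area",
     "verified_by": "director", "verified_on": "2012-01-10"},
    {"id": "INC-002", "date": "2012-01-12", "reported_by": "employee_b",
     "description": "Loose floor tile in storeroom",
     "action": "",  # deliberately blank: no documented response
     "verified_by": "", "verified_on": ""},
])

# Fields you would need to show what was reported and what was done.
REQUIRED_FIELDS = ("id", "date", "reported_by", "description", "action")


def load_export(blob):
    """Parse an export using only the standard library: JSON arrays or
    CSV with a header row. A proprietary/binary blob is rejected, which
    is exactly the failure the scenario describes."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("export is not a readable open format")
    if text.lstrip().startswith("["):
        records = json.loads(text)
    else:
        records = list(csv.DictReader(io.StringIO(text)))
    if not isinstance(records, list) or not all(isinstance(r, dict) for r in records):
        raise ValueError("export is not a list of records")
    return records


def check_evidence(records):
    """Return ids of records missing any field needed as evidence."""
    return [r.get("id", "<no id>") for r in records
            if any(not r.get(f) for f in REQUIRED_FIELDS)]


def manifest(records):
    """SHA-256 of each record's canonical JSON form, keyed by id, stored
    alongside the backup so a restore can be checked record by record."""
    return {r["id"]: hashlib.sha256(
                json.dumps(r, sort_keys=True).encode("utf-8")).hexdigest()
            for r in records}


def verify_restore(expected, restored):
    """Compare a restored export against the manifest taken at backup
    time; reports records that vanished and records whose content changed."""
    got = manifest(restored)
    missing = sorted(set(expected) - set(got))
    changed = sorted(i for i in expected if i in got and got[i] != expected[i])
    return {"missing": missing, "changed": changed,
            "ok": not missing and not changed}


if __name__ == "__main__":
    records = load_export(SAMPLE_EXPORT.encode("utf-8"))
    print("records lacking evidence fields:", check_evidence(records))
    m = manifest(records)
    # Simulate a restore where one record was altered and one was lost.
    damaged = [dict(records[0], description="Cable was fine")]
    print("restore check:", verify_restore(m, damaged))
```

Run the manifest step every time you take an export, keep the manifest outside the provider’s systems, and run the restore check against a copy you have actually reloaded without the provider’s software; an export that cannot pass `load_export` is the “just the data” backup the scenario warns about.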