This article can also be found in the Premium Editorial Download "Information Security magazine: Combatting the new security threats of today's mobile devices."
Download it now to read this article plus other related content.
Lawyers are abuzz over cloud computing. Though offsite data storage and services are hardly new concepts (think Skype or Yahoo! Mail), the eyes of the law, which traditionally trail well beyond technology, are nervously fixating on "cloud computing," or generically speaking, distributed online services such as SaaS (Software as a Service), IaaS (Infrastructure as a Service) and PaaS (Platform as a Service).
As companies look to cut costs and gain flexible, convenient access to services and massive storage/data back-up options, burgeoning interest in cloud computing solutions is understandable. But "computing in the cloud" is rifled with legal mystery --ahem, fear of unknown and uncertain legal risk.
Understanding the mechanics and practicalities of how cloud computing works and how moving to the cloud legally impacts clients and corporations are just the tip of
Concern and caution hovering over cloud computing may be both misguided and reasonably justified. Demystifying Web-based applications and services, and the risk/security of cloud computing is key to removing barriers to the cloud. For starters, lawyers may need help understanding "the cloud," namely how it works, where data resides and the complexities of data storage, access, retrieval, and security to better assess legal risk. As if understanding technology -- such as local data storage and security issues, and application of existing law weren't challenging enough -- cloud computing adds yet another layer of complexity and challenge for lawyers looking to insulate corporations and businesses from litigation risk. They may want assurances about the integrity and privacy of data, especially when it's stored across the country or globe, while they await concoction of new regulatory cloud computing schemes or amendments to existing laws, such as to the Electronic Communications Privacy Act (ECPA) or the Computer Fraud and Abuse Act (CFAA). Of course, lawyers may also be on the lookout for clarity when it comes to understanding how security or privacy can actually be better in the cloud, especially in light of recent newsworthy hacks.
Information technology and security professionals who interface with lawyers and non-technical management are positioned to squelch many cloud concerns. By using straightforward, practical explanations and real-world analogies/examples, minus excessive technicalities when possible, you can impart a firm understanding of the mechanics of cloud computing and help lawyers gain perspective. With your technical prowess, you can help legal and non-technical management make sense of thorny issues like data privacy and unauthorized third party access. For example, if your company is considering a migration to Google Apps, but is encountering pushback due to concerns about third-party access, unreasonable government intrusion or seizure, or disaster recovery, you can play a pivotal role in helping lawyers or management understand how data is stored or handled (e.g., encryption), the practicality of access by third parties, and technical processes in place to handle unforeseen risks. You'll need to make sure a cloud computing service gives you answers to these questions. The end result, of course, being that you can more easily accomplish your technical and security objectives.
You can also head-off or anticipate management "what-ifs" related to computing in the cloud. For example, if legal is concerned that a government warrant or subpoena served on a cloud computing data center could disrupt your company's access to services, make it known what precautions are set in place to prevent disruption. Again, you'll need to make sure the service provider provides these details. If cloud concerns center on disaster recovery, discuss the processes in place that mitigate risk, perhaps talk about how cloud vendors like Google and Amazon can offer assurances that their services are designed with disaster recovery in mind. You can also talk lawyers and management through risk anxiety of cloud technology and help shape policy by addressing issues such as the need t to conduct a forensic analysis of data stored in the cloud, or what if the integrity of the data is compromised by the storage medium such that it loses value in court.
Sure, maybe you didn't go to law school, but you have the real-world technical savvy that can prove instrumental to helping lawyers litigate and shape the development of sound and workable cloud computing law, as well as corporate policy. In many ways, you are a powerful player in driving away fears, substantiated or not, that would otherwise impact acceptance and comfort of new technologies. So, go ahead, let your voice of technical reason resonate in the law.
Julie Tower-Pierce is an attorney, past professor of cybercrime & cyberlaw, and co-author of Virtual Incorporation. Send comments on this column to email@example.com.
This was first published in March 2010