A few weeks back, an undisclosed number of unfortunate users discovered that the data they had stored with file-sharing site Megaupload may be gone forever.
While they may yet get their data back, the incident raises questions for enterprises. To wit: If your cloud provider disappears or is commandeered by the law or other forces, what happens to your data? Just as importantly, will your customers or end users be able to hold you responsible for what is lost?
Liability for lost information isn't the same as security. But it's certainly related. If a breach occurs, the small print on a contract can mean disaster for unprepared cloud customers -- as a few Megaupload users are finding out the hard way.
The answer is that there is no one answer about who is ultimately responsible for data in clouds. At least one source states that responsibility depends on the kind of cloud service you've signed up for. Another says once data is encrypted, the encryptor is responsible for it, even if it is stored in a cloud.
"One of the most overlooked areas in contract negotiation between cloud providers and their clients is who is responsible for the safety and protection of data," writes Internet Evolution contributor Mary E. Shacklett in an email today. "The topic is rarely discussed in the boilerplate agreements presented by cloud providers -- which clearly places the responsibility on [the cloud customer to] ensure that this topic is discussed and added to the contract before any agreement is signed."
Still, a comprehensive agreement signed up front may not cover everything. Results of a sponsored study published nearly a year ago by researchers at The Brookings Institution as part of a "Cloud Legal Project" described the challenges of establishing liability by data location and jurisdiction of services. It also discussed issues of "confidentiality, integrity, availability, and security." Among the conclusions:
Perhaps the most disconcerting discovery of the Cloud Legal Project’s survey was that many providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web. In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes.
So even a contract you assume to be legally binding may in fact be subject to change at a moment's notice -- and unless you make adjustments up front, you may be responsible for finding that needle of change in a haystack of legal verbiage.
The issue of data ownership may have been in part behind the City of Los Angeles's decision to keep Google from supplying its cloud-based enterprise apps to the city's police department. While specifics about that failed arrangement were never divulged, at least one source speculated early on that the city's IT managers felt Google was unable to guarantee that data housed on Google's servers would meet law enforcement's rigorous demands around data ownership and oversight.
Does all of this mean that establishing reliable ownership over data is impossible with cloud services? Not at all. But just as there is no single answer to the problem, there is no single contract to rule all cloud relationships. The burden is on you, the enterprise subscriber, to ensure that your cloud partner signs on a dotted line you both can live with.
— Mary Jander, ThinkerNet Editor, Internet Evolution