Corporate Cloud Computing Dangers

 Computing, Security  Add comments
Apr 152011
 

I recently read some of the papers linked to from Andrew Cormack’s blog entry on the legal dangers of cloud computing, which made for interesting reading. And caused me to do some thinking. Whilst the legal aspects of cloud computing are complex and need to be examined (it would make things a great deal easier if there was an “Internet Nation” with it’s own laws), one of the dangers most obvious to me is an old danger to corporate computing with a cloud computing twist.

The old danger itself is what happens when non-IT specialists setup their own servers. Such servers are rarely physically secured properly (allowing data to be stolen), are often poorly backed up, and are sometimes even setup with old retired desktop machines. The dangers are obvious, although those who set them up are rarely aware that installing a server is only a tiny part of the work involved in maintaining a service.

Cloud computing offers similar dangers. An organisation that signs up to a cloud-based service is almost certainly going to get a suitable contract that covers many possible concerns, but an individual within that organisation may sign up to a cloud service with the defaults terms of service aimed at the consumer. Some of the dangers are :-

  1. If that individual makes use of their cloud service in a way that is important to the organisation, how do those responsible for IT services assess the risk of it when they are not aware that it is being used ?
  2. Does that cloud service offer a service level agreement sufficient to protect the organisation? Most consumer grade cloud services can withdraw that service or change the terms of that service without notice at any time. They also rarely commit to protect any data held on the cloud, or offer any guarantees of availability. Or confidentiality.
  3. A consumer using a cloud service is protected to some extent by consumer law. An individual within an organisation using a cloud service for their work, may well not be protected at all. Organisations are usually protected by contract law – when a contract exists!