Every bit as common as the marketing hype about the benefits of the cloud have been stories about high-profile failures. We look at some of the major areas of risk here, but it must be understood that the risk profile for each institution entering the cloud may be different depending on the nature of its own infrastructure, its staff capacity and skill sets, the type of computing it is doing and the cloud deployment model it is considering. In general the risks fall under a number of major headings:
The most hyped security concerns relate to the public cloud where resources are accessed via the internet. Securing an infinitely scalable resource with a correspondingly large number of potential hackers is not easy. Having said that, many of the major cloud players have considerably greater capacity and resource to put into state-of-the-art security measures than does the average FE college or university: a point made eloquently in a blog post by Chris Sexton (2011).
This resource contains a section on security in the cloud which considers the security requirements of each of the different deployment models. It must be remembered, however, that any security system is only as good as its weakest link and that, in any deployment model, compromised user accounts are likely to pose at least as great a threat as direct hacking of data centres.
"… they [Google] can afford to spend much more on security than we can. In fact, they can afford to spend more on security than most governments."
Data protection is amongst the legal issues that cause most concern for those considering cloud options, and some institutions will only consider cloud providers who guarantee that data will be stored within the EU. There is much controversy surrounding the legal implications of data storage in the US and of statutes such as the USA Patriot Act and the Homeland Security Act, although many commentators (eg MacDonald et al 2010) conclude that the risk of governments accessing their data is largely theoretical and could happen whether there are laws permitting it or not.
Lack of clarity about precisely where data and hardware are located also gives rise to concerns about jurisdiction. It is argued that some cloud providers are being mistakenly treated as data controllers or processors. Researchers at Queen Mary, University of London (Hon et al 2011) suggest that some of these providers would find it impossible to know whether the data stored or processed in their systems is personal data or not, and term the general situation as regards personal data the ‘cloud of unknowing’. There is a lot of work going on in the sector to clarify and provide guidance on legal issues, and the key sources are referenced in the section on legal issues of cloud computing.
"Concerns over government acts that give access to data, for example, the USA Patriot Act and the Homeland Security Act miss the point that governments could potentially access data held within their country or that of their allies whether there are laws allowing it or not."
Macdonald et al 2010
"Infrastructure as a Service and Platform as a Service providers, and certain Software as a Service providers, who offer no more than utility infrastructure services, will often not know whether information stored or processed through their services is ‘personal data’ or not – hence, the ‘cloud of unknowing’. Infrastructure cloud providers are qualitatively distinct from services such as social networking websites."
Hon et al 2011
Information governance issues
This is really encompassed by the headings above, but data security and legal issues can be compounded by lack of control over who has access to data and lack of visibility about what processing is taking place. For example, a customer cannot really audit the fact that data required to be deleted has not been copied elsewhere, which may mean they fall foul of their own compliance obligations and/or lose certification to International Organization for Standardization (ISO) or IT Infrastructure Library (ITIL) standards.
Furthermore, encryption is only a partial solution to concerns about data privacy and security because encrypted data cannot generally be processed: it may be stored in an encrypted format but it needs to be unencrypted for processing in the cloud. Disaster recovery plans may also be complicated by the fact that customers do not know where their resources are hosted. The cloud computing toolkit produced by Aberystwyth University for the Archives and Records Association (Convery 2010) is written from the point of view of an information professional and offers comprehensive guidance on assessing the risks of migrating certain types of information to the cloud.
The Kindura Project sought, amongst other objectives, to address the fact that ‘Researchers are notoriously reluctant to spend time curating and archiving their research data.’ It has looked at automation and workflows in relation to archiving research data in the cloud in order to address an alternative type of risk, ie that intellectual assets were at risk of loss due to poor archival practices.
"… data that is processed using cloud services will usually be present unencrypted in a machine somewhere in the cloud. This limits the types of processing in the cloud that are legally permissible for types of data that are subject to certain laws and regulatory regimes …"
"Is the organisation satisfied with storing information in a multi-tenant environment where it cannot be classified, have retention or metadata applied to it once it has been transferred to the cloud?"
Freedom of information
Institutions must consider if and how outsourcing their information to the cloud may adversely affect their ability to comply with the Freedom of Information (FOI) Act. Firstly, we should quash any notion that an institution can avoid such obligations simply by claiming that, because the information is stored in the cloud, it no longer ‘holds’ the information in question and is therefore not obliged to disclose it under FOI.
Though such information may not be physically held by the institution, it is still very much within its intellectual control, still remains its responsibility and still remains subject to disclosure under the Act (or under the environmental information regulations, depending on the subject matter). The requirement to undertake comprehensive searches across the entire institution (or at least most of it) to identify and retrieve all the information pertaining to subject X, Y, Z may pose a number of practical problems given the nature of cloud storage.
Many cloud service providers specialise in storing and managing one particular type of information: YouTube for video clips, Flickr for photos etc, each requiring different accounts (possibly many within the same institution) and each providing different ways to describe and search for information. In this heterogeneous world there simply isn’t the means to centrally search for ‘all information we have relating to subject X’. Indeed, it is highly unlikely that the institution will even know that a particular department or individual within it has chosen to create and store information pertinent to an FOI request somewhere in the cloud. There is more on the issue of preservation and retrieval in the section on ‘data preservation and retrieval’.
Institutions are used to undertaking due diligence checks on suppliers, and cloud providers should not be viewed any differently, although there appears to be considerable nervousness around particular areas, including service-level agreements (SLAs) that are weak on supplier obligations and lack of clarity about subcontracting arrangements.
Suppliers appear to be equally nervous about some of these issues: for example, Apple would not contract with the Bloomsbury Colleges as a consortium in order to enable them to use iTunes U for the Bloomsbury Media Cloud Project. Escrow agreements are theoretically possible in the cloud but not offered at present. The Cumulus Project noted that the ‘development and policing’ of satisfactory SLAs will take on greater prominence in a cloud environment, pointing out that identifying reasons for failure is difficult enough when systems are hosted entirely on-premise.
"According to the terms of service for Google Apps, the services might be interrupted, untimely, insecure, full of errors, give inaccurate or untimely results, and have low quality, but Google and partners would have no liability to you."
"It is frequently difficult to identify reasons for failure of a module or system when deployed on site with hardware, software and networks all part of the potential mix. It will become harder still to manage a failure situation with cloud deployment with its extensive infrastructure of software, networks and servers off site, as well as corners and reputations to be defended."
Cumulus Project 2011
Whilst institutions might not be contractually tied to a particular supplier for any length of time, there are particular risks related to ‘lock-in’ when moving to a cloud environment. One is the proprietary nature of the systems and the paucity of technical standards to ensure the portability of data should you choose to move to another supplier (the supplier-side response to this is that a premature focus on standardisation could compromise innovation). The other is the risk that, through downsizing or restructuring internal IT service departments, you lose the capability to deliver services in-house in the future. These topics are covered further in the costing technology and services guide.
"Few standards (except service suppliers de facto) exist in the cloud so there is a danger that lock-in can readily be created unless specific measures are taken to prevent this."
Clark et al 2011