Key risks for businesses using Cloud Computing in 2015

By the Forensic Risk Alliance (FRA).


Risk 1: International data protection laws

Cloud-based working necessitates placing company data on third-party servers in data warehouses that could be located anywhere in the world. This carries a potential risk for businesses, as they can come into conflict with local laws. Keep in mind that data protection laws and rights are applied in the jurisdiction in which the data is stored, rather than where it is generated, modified or created. The jurisdiction where a cloud provider is physically storing data is therefore an issue of key importance. This became especially apparent at the start of 2014, when press leaks revealed that the US’s National Security Administration (NSA) has been gathering and storing metadata from Verizon and nine other US-based Internet companies.

Risk 2: US law and due diligence when selecting third-party suppliers
Be aware that, under the Foreign Corrupt Practices Act (FCPA), businesses are held liable for the conduct of their third parties. This includes agents, consultants and distributors and could, potentially, extend to cloud service providers. As such, it's extremely important to go through the same due diligence to identify potential fraud and corruption risks when selecting a cloud service provider as you would with other third parties. This should include being able to document the way in which you have attributed a risk assessment to cloud service providers and demonstrate that you can flag them for re-assessment as required.

Risk 3: Data protection vs. data disclosure
Adopting a cloud computing strategy across the globe can expose multinational companies to contradictory laws in different countries. For example, if a French company (which is subject to French data protection laws) takes out a service contract with a cloud provider that centrally stores its email data in the US, the company makes itself vulnerable to breaking both French and US laws in the event of US litigation or investigation – even if that data was created or modified outside the US or France. Penalties on both sides can be very high: data protection breaches carry fines in the millions as well as criminal sanctions in some countries, and the failure or inability to respond to US discovery risks penalties or even spoliation fines which can be significantly higher.

Risk 4: Where does your cloud service provider store its back-up data?
Find out where your cloud services provider backs up copies of your data (they all make copies of client data to maintain 24/7 access and to offer service level guarantees). Ask for the backups they make of your data to be stored in the same location you specified for your original data and applications. FRA strongly recommends that high-risk data – such as financial, corporate and personnel-related data – is always housed in its jurisdiction of origin or one that carries similar protections. Emails are often highly sensitive in EU jurisdictions and carry strong data privacy rights, which makes transmitting or producing them outside of their jurisdiction of origin not just risky, but potentially illegal. Of particular concern are providers who store data in the US (or in a location where the data can easily be accessed from the US).

Risk 5: Fraud in the cloud...?
These days, personal and corporate information is a valuable currency and there are unscrupulous people willing to break the law to get their hands on it and then trade with it. In order to prevent theft or fraudulent activity you should familiarise yourself with your cloud service provider's own security policies and determine what procedures are in place to control access to information they hold. In particular:
  • Ask your cloud service provider about its policies on passwords, laptop and portable device use by staff, personal software download policies and their tolerance of cyber-slacking.

  • Get your IT department to check the kind of encryption used by your cloud service provider to transport data.

Make sure you build these two points into any risk assessment of cloud service providers, as carelessness in either of these areas has the potential to expose cloud service providers to data leakage and information theft, as well as increasing the possibility of malware getting onto their servers, all of which can compromise your company's data.

Greg Mason, Partner at FRA, comments: “Growth in cloud usage will continue during 2015 as the technology, besides being incredibly convenient, offers a range of cost savings. For businesses this comes down to the fact that the cloud has the ability to bring together applications and software within a pool of centrally located servers and allow access to them from any remote location. For consumers, it means they don’t necessarily have to buy the top of the range smartphone or tablet with the most memory just because they have a large digital film, music or photo library - choosing instead to save money and buy a device with less memory then putting their media content straight into the cloud. However, just because the number of cloud-based applications has increased and the technology has enjoyed mainstream success during 2014, it doesn’t mean that there aren’t significant risks in using it - particularly for users at an international level.”

Kylie Tanner, Digital Forensic Analyst at FRA, concludes: “Cloud computing provides many benefits, particularly in a time of economic uncertainty, but security, privacy and legal matters must be carefully considered and continuously surveyed. It is likely that, in the not too distant future, companies relying on cloud computing will be subject to litigation along with their cloud service providers. It is, therefore, imperative that they fully understand the legal, security and privacy issues that surround the technology before implementation – and that, once deployed, board members, legal teams and IT departments all work together to stay one step ahead to avoid cyber law headaches as well as potential incidents of fraud and corruption.”
 
