Cloud providers shrug off liability for security


Businesses signing up for standard cloud services should not expect the provider to accept liability for data breaches and other security incidents, Microsoft and others have said.

At a Cloud Law Summit in London on Wednesday, Microsoft's head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts.

"We're not an insurance company," Tayyip told ZDNet UK. "What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering."

Many businesses are turning to the cloud in the economic downturn to save on costs and for more efficient, scalable IT. However, a lot of potential buyers are nervous about who is to be held responsible in the case of a data breach or security incident, and so try to negotiate favourable terms that would put the risk onto cloud vendors, executives for the vendors said at the event.

Tayyip said that Microsoft and other big providers standardise their cloud services to make them more economic.

"It's to do with customers understanding the nature of cloud offerings," Tayyip said. "Some offerings are highly customised, so the pricing is highly customised. That's not [the cloud] business model, where we're seeking to standardise the service to keep costs down."

Nick Hyner, a legal services counsel for Dell in Europe, said he had found a gap in expectation when negotiating contracts with corporate customers.

"When corporate customers look at buying standard cloud services, there can be a mismatch between the value of the transaction and [their] expectations in terms of the financial and other risks vendors are willing to take," said Hyner. "[For example,] it's not possible or scalable to try to match individual security policies."

As none of the cloud providers accept liability, none of them has a competitive advantage in this area, according to Simon Bradshaw, a cloud-computing law researcher at Queen Mary, University of London.

"People are not deterred by liability issues because they won't get anything better anywhere else," Bradshaw said.

While consumers are protected by consumer laws, and large corporations have the economic clout to negotiate aggressively, small enterprises stand to lose out if their cloud provider has a data-protection problem, Bradshaw noted.

Liability issues are further compounded by cloud complexity, he added.

"Even the people that provide cloud services aren't sure quite how liable they are, as so often there are international relationships," said Bradshaw. "A British company contracts cloud services from an Italian company that buys infrastructure services from a US company — the customer doesn't have a direct business relationship with the person holding the data. When your data can be anywhere in the world, so can your legal headache."

Talkback

Ok, maybe it is just me. Maybe I just have a narrow-minded concept of "responsibility" or "expectations", but this sounds totally wrong to me.

"We're not an insurance company,"

No one is asking or expecting them to be an insurance company. They are only being asked to take responsibility for protection of the data they are being entrusted with.

"If the offering does not meet customer needs, maybe the cloud is not a realistic offering."

I couldn't have put it better myself. This is exactly what a lot of people have been saying from the very beginning - without the proper safeguards and definitions of responsibility, the "cloud" is a sucker's game.

"When your data can be anywhere in the world, so can your legal headache."

This is a perfect closing statement for the story. When you put your data "in the cloud", it can end up anywhere in the world, whether you want it to or not, and no one is going to take responsibility for that happening. No one, that is, other than YOU. Think carefully.

jw 12/2/2010

J.A. Watson 12 February, 2010 14:27

Microsoft seems a bit schizophrenic here; Brad Smith, Microsoft General Counsel

Simon Bisson and Mary Branscombe 12 February, 2010 19:21

Brad Smith, Microsoft Vice President and General Counsel, talking at the Cloud summit last month (http://www.microsoft.com/presspass/presskits/cloudpolicy/docs/20100120_transcript.pdf):

"We need Congress to modernize the laws, adapt them to the cloud, and adopt new measures to protect privacy and promote security. That’s why we’ve concluded that we need a cloud computing advancement act that will promote innovation, protect consumers, and provide the executive branch with the new tools needed for a new technology era.
We need Congress and the Administration to address three issues in particular: privacy, security, and international sovereignty.
But at the same time, the cloud also creates bigger targets for hackers and thieves. We can’t close our eyes to that reality. There is no benefit in underestimating the savvy of potential attackers now or in the future. Across the industry we first need to continue to dedicate ourselves both separately and together to strengthening the security of the cloud. This is going to remain a daily fact of life. We also need to take new steps throughout industry to implement new security standards such as those from the International Standards Organization and under the Federal Information Security Management Act.
As the federal government moves data to the cloud, we believe it needs to continue to adhere to procurement policies that ensure that it too implements these types of security standards.
These principles should ensure there’s transparency over how data is protected. They should ensure that service providers maintain a comprehensive written information security program. They should disclose whether the service providers architecture, infrastructure, and controls, satisfy well-recognized and verifiable security criteria. They should convey in plain language how their information will be accessed and used by service providers so consumers know what they can do and know whether and how they can reclaim their documents and data in the future.
Simply put, it shouldn’t be enough for service providers simply to say that their services are private and secure. There needs to be some transparency about why that’s the case."
M

Simon Bisson and Mary Branscombe 12 February, 2010 19:23

That's what I thought they were doing, so why the change in approach? Bloody morons, how hard can it be to sit around a table and agree on some standards.

CA 17 February, 2010 22:34

The simple truth is that once data is in a public cloud, the "owner" has lost control of it. No cloud service provider will accept liability for data loss or theft (don't forget many employees can and will steal company data for a quick buck - as HSBC recently testified) - just placing a value on it would be horrendous. The software exists to enable SMBs to create their own in-house cloud (broolz) - why would a company hand over control of its lifeblood?

davepaine 17 March, 2010 09:20
