A recent Backup Technology blog briefly touched upon the legal concerns that many businesses have when considering a move to the cloud. This post looks to explore those concerns further. Many of the concerns relate to the lack of regulation in cloud computing, which often makes some larger corporations fearful in case something goes wrong with the service.
Although cloud computing is picking up momentum, it has yet to be taken up on a large scale by big corporations, who still prefer to use hardware. Two of the reasons that many big corporations give for not moving more of their IT to the cloud are concerns over responsibility for the service provided and data security. Understandably, lawyers of big corporations are concerned that when things do go belly up, they will not be able to hold the cloud provider responsible, and even more worryingly they may in fact be liable themselves. This is a major stumbling block for many large corporations who would otherwise be quite keen to make a push to the cloud.
There are many calling for tighter regulation of the cloud computing industry, as well as a change to legislation so that it is better suited to the cloud. As things stand, US law does not empower prosecutors to hold cloud providers accountable for criminal activity facilitated by the cloud. This is not to say that the cloud provider itself did anything illegal, but simply that it allowed crime to occur by hosting a service for the criminal organisation.
A prime example is that of CloudFlare and LulzSec. LulzSec, a hacking group with ties to other high-profile groups such as Anonymous, used CloudFlare to host their operations during June 2011, in which they targeted websites such as those of the CIA, gaming website The Escapist and the sandbox game Minecraft. CloudFlare, a website optimisation and security company, managed to escape liability for the attacks even though they had been hosting LulzSec’s website for several weeks. In theory, CloudFlare could have helped with any attempt to prevent the attacks from happening, but chief executive Matthew Prince chose not to take the website offline. In fact, his company did quite the opposite, and continued to provide their service designed to protect LulzSec’s website from attack.
A recent article in Cloud Times has suggested that legislation needs to change so that the cloud computing industry can be policed properly. This is emphasised by the CloudFlare story, where a company was knowingly defending and hiding the website of a criminal organisation, but was not held accountable by any authority, because current legislation does not allow it. For cloud computing to be adopted by big business on a large scale, this is something that needs to change.