The CFO's Cloud Computing Nightmare
Cloud computing has its many benefits, but as with all products delivered by service providers, there are risks involved for companies who choose to place their data in the hands of a third party. For CFOs, the possibility of an entire database of financial data disappearing overnight is truly the stuff of nightmares.
Erik Laykin, Managing Director of Duff & Phelps LLC, a U.S-based international consulting firm serving Fortune 100 customers, sat down with Carol Ko from Asia Cloud Forum (CFO Innovation’s sister publication, owned by Questex Media) to discuss the potential problems of data retrieval from a cloud computing facility, if a service provider unfortunately goes bankrupt or gets acquired.
What are the problems of data recovery if a cloud computing vendor goes bankrupt or gets acquired by another company?
In an ordinary bankruptcy or in a Reorganization Bankruptcy under Chapter 11 of the United States Bankruptcy Code, the cloud computing provider that is going out of business would be reorganized and would be able to continue to function as a business. There would be ample notice given to the owners of the data, so that they would be able to transition the data to a new system through which the data may be preserved. Or, as a result of the reorganization, the cloud computing provider may continue to operate it’s systems in a normal fashion and under the supervision of the administer or trustee of the bankruptcy.
But in more severe cases where the business ceases to function and goes into liquidation, one faces several interesting questions. For example, how will a company be able to provide assurances that the data that they are hosting will not be deleted, erased, destroyed, moved, transferred, or otherwise made inaccessible? Will the system that is housing the data become entangled in litigation, seized, locked down or made inaccessible because there are no employees to maintain the system? The data may still be there, but there is nobody there to access the system. There is a wide variety of scenarios where the owner of the data may all of a sudden lose access to his or her data.
In that case, one must question the adequacy of backups and ask whether or not there is a secondary, off-site location where a mirrored copy of the data is kept. This is part of disaster recovery (DR) contingency planning.
Today, DR must involve the company as well as third party providers that are providing infrastructure to run the business—and today that infrastructure often involves cloud computing.
A business that is leveraging cloud computing infrastructure to support that business should have a contingency policy. This policy allows another “alternative” provider to step in and handle cloud computing systems, should the original provider go out of business.
Insurance companies will start to write policies to cover these types of failures. In this case, if there is a third-party cloud computing provider that goes out of business, insurance coverage may include “cyber coverage” that allows the company to maintain another third party system. Hopefully your Contingency Policy will have already identified whom the new providers will be and they will have been endorsed by your insurance carrier.
What are the legal rights of companies in recovering their data from hosted data centers?
Legal rights are determined based on the terms in the service level agreement (SLA) entered into with the service provider. A company can give away all of its rights, or it can retain all of its rights. Always read the fine print in the agreement carefully and be prepared to negotiate with the service provider.
As a buyer of services, don't be intimidated by the contract that the seller of the services presents to you. Read it in its entirety. If you don't agree with it, consult legal counsel to make sure the agreement protects your rights and your reasonable and defensible ability to collect the data.
Are the existing laws, personal data privacy protection provisions and corporate data ownership rights enough to protect against malicious data center hacking and accidental data leakage at cloud computing data centers?
No, I don't think that there is enough protection against malicious hacking of cloud computing systems.
Laws are designed to enforce a set of standards and to provide a framework with which to prosecute a crime. The laws themselves do not defend against a criminal hacker.
To defend against a criminal hacker from hacking a system, appropriate technological protections are needed, but physical and social protections to ensure that the systems are safe are necessary as well.
The laws that are currently in place are designed to provide law enforcement and the civil judicial system the powers needed to bring an action against an individual or an organized criminal group that has been identified as being culpable in a crime.
A number of countries, including the US, now have an effective legal framework for the prosecution of cyber crime. While many other countries need to take action, I think the world has made significant progress over the last few years.
Cyber crime—whether it is an attack on a personal system, a cloud computing system or a corporate system—has entered into the mainstream consciousness of the business world. And I believe that the general population is becoming more aware that this is a serious issue. As a result, law enforcement is now better equipped to handle the various types of complaints and claims that arise.
Major challenges however still exist. Cyber crime requires quick action, as the trail of the cyber criminal can be traced for only a limited period of time.
Sometimes this requires cooperation between multiple jurisdictions. Cyber criminals cross international boundaries frequently and easily. Unfortunately for law enforcement, it is very difficult to cross those international boundaries without an agreement that is crafted ahead of time. Fortunately, there are more bilateral and multilateral agreements being made between law enforcement agencies. That is certainly helpful—but there is much progress to be made.
In the United States, I have advocated for the establishment of a 'National Cyber Corps' . This would be a national team similar to the 'United States Coast Guard’ and the ‘United States Secret Service’ with the mandate to protect the cyber world. Right now we don't have that. We have different traditional law enforcement agencies trying to function in this manner, but with very limited resources and support and very little cross agency cooperation.
More importantly the private sector is largely left out of most national cyber protection structures. My aim is to encourage better cooperation between the public and private sector on this issue and it seems that this National Cyber Corps proposal is starting to gain some traction.
Are cloud computing data centers potential targets of cyber crime attacks? What are the likely consequences?
I think they are major targets for cyber crime attacks. As an attacker, I would have to spend a great deal of effort to pursue 10 to 15 different companies for their corporate and trade secrets. If I were to attack one cloud computing system, however, I can do greater damage or steal a larger cache of valuables with the same amount or less effort. Cloud computing data centers host the data of dozens or hundreds of companies, which makes them very attractive targets.
The cloud computing system has the same security challenges as any other company, and these challenges must be taken very seriously. Most reputable cloud computing systems providers are making a strong effort—and that’s important. If security is breached, the entire cloud computing system model is challenged.
This story first appeared on Asia Cloud Forum, a Questex website.