Andrew Cormack of Jisc asks the next government for cloud policy guidance over safe and lawful use of cloud offerings
Cloud computing, used appropriately, could benefit many organisations. Cloud services could let businesses deploy robust websites for their customers, provide best-of-breed collaboration tools for their staff or store information in highly secure data centres. Scarce and valuable IT experts might no longer need to spend their time operating commodity systems, but could concentrate on developing and building innovative new services. New ideas could be brought into production without major capital investment. But at the moment many responsible organisations are not taking up those opportunities because of uncertainties over compliance and risk.
The problem has become particularly apparent during Jisc’s discussions with universities, colleges and cloud providers. In trying to identify appropriate services and agreements for the education sector we’ve heard many different, often conflicting, opinions on what legal and organisational arrangements are required. Even when looking at application-level services, which should be a simple translation of existing sub-contracting arrangements, it’s not clear which configurations count as international, or which of at least three possible legal provisions applies to those that do. For lower-level platform and infrastructure services, some of the implications of privacy law seem bizarre – will the law really compel an infrastructure provider to examine its customers’ information, rather than treating it as just bytes, in order to ensure it is taking appropriate measures to protect it? Organisations that want to be sure they protect information according to the law and best practice might well give up on clouds, even if their own systems cannot provide the same security against physical, technical or social attack.
We had hoped that Europe’s new General Data Protection Regulation would provide some clarity; it was, after all, announced as being “cloud-friendly”. However, the various draft texts deal only with cloud services provided direct to European consumers or those used within a business group. For organisations that want to use third-party clouds to deliver their own services there is no obvious assistance. Indeed, some proposals would actually increase the number and complexity of overlapping legal options that need to be taken into account.
This silence could, however, provide an opportunity for the UK to take a lead. It seems unlikely that more law is needed – the current problem is too much of that rather than too little. Much better would be clear cloud policy guidance, and possibly exemplars, for when and how third-party cloud services should be used. These should cover all levels of cloud provision, from infrastructure to application, and involve real-world situations, such as a SaaS cloud being built on an IaaS infrastructure. Clear statements of policy and regulation would help cloud providers develop appropriate platforms and contracts, while reassuring potential tenants that they can safely and lawfully use cloud offerings as a basis for their operations and services.
Without such cloud policy guidance and reassurance there is a risk that new applications will only be developed and deployed in the cloud by those unconcerned with compliance or user safety. Organisations that want to do the right thing will be hindered and delayed by the difficulty of working out what that is.
Andrew Cormack joined Janet, the UK’s National Research and Education Network, as Head of CERT in 1999. He is now the network’s Chief Regulatory Adviser, concerned with the legal, policy and security issues involved in providing the network and networked services to universities, colleges and research organisations. Previously he worked for Cardiff University’s IT Services operating, among other things, the first web cache in Wales. He can be found on Twitter as @Janet_LegReg and blogs at https://community.ja.net/