The perils of the cloud

Hardly an issue of any IT journal goes by without mentioning the efficiencies which can be achieved through cloud computing – and as recent blogs will attest, I’m a big fan of Dropbox and Evernote. Not only can such services help efficiency, but there are economies of scale to be achieved too.

Simplicity and efficiency in this context come at a price. The cost in cash terms to “run and maintain” is easy to quantify – but how is your risk appetite for fines and imprisonment, just for saving to the cloud? I can hear lawyers everywhere sucking in their breath!

Imagine the scenario: you have just changed a document at work and pressed “save”. As far as you are concerned, it was just a minor tweak to something which existed already – but the mere action of saving it has made your employer liable to a fine and sanctions.

Too far-fetched? Not a realistic scenario?

Let me add some additional details:

  • the document contained details of a seemingly innocuous valve, although all you changed was the part number
  • that valve has just been defined as subject to some sort of export control (maybe it is high-tech, or even has a dual military use)
  • your company has outsourced its storage to a cloud provider and they routed the ‘save’ to their least busy data cluster – which just happens to be overseas

Congratulations – you just exported controlled information. But it can get worse – let us say that you want to send an order for some of these valves to the manufacturer, and that company is right down the street from you. However, your ERP system is connected to theirs via some clever cloud-based interface and so you send the request electronically … and the cloud supplier is in another country. Well done, that’s now two exports and an import!

And in some countries it doesn’t matter whether you knew or not, the technical breach is enough to result in fines, sanctions, and a whole world of pain.

Who will help you? Sadly, as it would seem that cloud providers may not be on the hook, they may not wish to help, although there is certainly some distinct opportunity for a sales pitch or two:

  • cloud computing where the country of storage is guaranteed?
  • a secure encryption (or rights management) overlay so that there is never any overt export/import of accessible information? (Although I’m uncertain whether this has ever been tested in law!)

I’m sure that these circumstances only exist in a small number of companies, but they do exist. I have seen opinion suggesting that the breaches have occurred and continue to occur, probably daily. And given the potential savings which can be achieved from cloud storage, maybe the risk appetite of some firms assesses this as a reasonable gamble.

Cloud storage and computing is here to stay, but for some organisations perhaps the following Roman epithet is as valid today as it was 2000 years ago: caveat emptor.