Legal security in the cloud
Szymon Ciach talks to Dziennik Gazeta Prawna
Online data security depends on numerous factors, but a properly formulated contract is the best tool to control a cloud service provider. This is why the legal aspect is so important in the context of cloud computing solutions.
Selection of service provider
The constant development of cloud services and solutions has made it even more important to ensure appropriate data security. How can we strengthen control over information stored in the cloud? The first step is to select the best service provider, paying particular attention to the security standards it applies. Global companies usually offer a higher level of data protection, confirmed by a number of international standard certificates of compliance, such as ISO certificates.
The service provider contract should guarantee compliance with security standards. It is also worth seeking legal advice to verify whether the contract secures access to the data, specifies for what purposes it can be used, and what liability the service provider bears.
Liability for information security breaches varies depending on the nature of the cloud services. On the one hand, the Software as a Service (SaaS) model, which we use for e-mail, for example, offers the client rather limited influence on data processing, with the process being managed by the service provider. On the other hand, the Infrastructure as a Service (IaaS) model gives users much more control over information security, with the service provider's liability limited to delivering services via appropriate panels.
Legal regulations ensuring a standardised environment for businesses and cloud service providers are also of great importance for security in the cloud. Today, most legal solutions focus on the financial sector, where the security of processed information is a high priority. It is therefore necessary to analyse the cloud solutions to be applied for compliance with legal requirements prior to implementing cloud services. Regulators pay particular attention to where the contract is to be performed, so it is worth paying attention to the region in which data is processed; this is often a country other than the one where the cloud service provider is based. Global companies have servers all over the world, allowing them to ensure business continuity in case of local failures.
The contract should specify where data processing takes place. Control over the location can also be ensured by an appropriate configuration of services and the implementation of tools to check where the information is transmitted.
After selecting the service provider, verifying the contract and analysing the risk, it is then necessary to efficiently implement cloud services, which has an influence on the functioning of the entire organisation. In this respect, it is also worth seeking assistance from legal experts who will help in developing necessary procedures and internal policies.