Potential risks related to Cloud Computing
The biggest perceived barriers for both consumer and SME take-up of cloud computing are lack of privacy, data security, provider lock-in, lack of standardisation, and jurisdictional issues relating to applicable law and law enforcement access to data.
Data security and privacy
Potential general data security risks arising from cloud computing relate to: an increase in threats to data confidentiality due to the concentration of data on common cloud infrastructure; the loss of IT control and governance by organisations using cloud services; and an increased risk of data interception in authentication and transmission procedures.
Multiple approaches exist to tackle these vulnerabilities, such as differentiating the level of security required according to the sensitivity of the data, or using a ‘private cloud’ managed by the organisation itself or by a provider. Additional data security assurance could also be provided through some form of audit and certification system for cloud service providers.
Data security and standards
Transparency is often lacking in providers’ provisions concerning data security. In particular, there is a lack of data integrity guarantees combined with liability disclaimer clauses in contracts; a lack of standards regarding data control and security; and often unclear and incomplete information concerning security and privacy on cloud providers’ websites.
Jurisdiction and standards
Law-abiding consumers or business users storing their data in the cloud may well be affected by compulsory orders for disclosure, without notification: in a public or shared cloud, authorities may seize the servers or computers containing personal information of the guilty and innocent alike. This is compounded by a lack of standards in providers’ ‘thresholds’ of disclosure.
The main challenges surrounding the legal issues regarding privacy relate to: ambiguities as to the role of the cloud service provider; uncertainty regarding the applicability of EU laws; the need for more effective data protection; uncertainty regarding laws governing international data transfers; and the lack of universality in data protection legislation.