Adopting IaaS: The Legal and Security Issues You Can't Ignore

Posted November 10, 2015 | Leadership | Amplify
In this issue:


Cloud computing is trending because of the benefits of cost reduction, scalability, control, and flexibility. The economic incentives to purchase your computing infrastructure from specialized cloud providers (i.e., IaaS) are swiftly realized. Your business can immediately shed the capital and operating costs of paying for privately owned equipment and the staff to manage and maintain that equipment. The risks of IaaS, in comparison, are more nebulous and long-term, and they are harder to predict because the factors contributing to these risks are out of your hands. Data security is now the province of your IaaS provider; data integrity is also highly impacted by your provider; and data legality is affected by international regulations and politics. It is always a tricky situation when your cost-benefit analysis necessitates weighing matters that do not compare well -- not so much apples to oranges, but apples to pernicious vine seeds that may or may not sprout and overtake your apple trees.

The issues detailed below can and should be addressed prior to implementing an IaaS product, and to whatever extent possible, by your legal agreements with your provider.


First off, it is important to understand that information security can never be fully outsourced. No matter what you pay for, administration of IaaS resources must be undertaken with care. This care should be commensurate with the sensitivity of the data that is being stored remotely. Another consideration is whether you are using a public cloud, private cloud, or a hybrid situation. Deploying and administering your infrastructure is still your responsibility. Permissions must be properly configured, keys must be managed, applications must be developed and updated with security in mind, and employees must be trained to avoid spearphishing and social engineering attempts on their credentials.

It is tempting to consider an IaaS package to be the "one and done" and get back to work. Someone else is doing the work now, right? No: that is like ditching your car and hiring a chauffeur ... without doing a reference check on the driver or giving him directions. How is he going to get you where you need to go? With any valuable resource, you must tailor it to your needs and manage it well. In the eyes of your customers and the law, you are still responsible for the security of your data, so do your due diligence before choosing a provider. Ask potential vendors probing questions about their security certifications, their policies and risk-control processes, their technical mechanisms, and whether they undergo external audits. These are considered industry best practices. Your business should absorb this information and match it up to your internal capacity to carefully manage the IaaS product. Security companies such as Symantec have detailed the myriad assumptions and mistakes that administrators make in adopting an IaaS platform.1 This process is known as performing a risk assessment, which organizations should always undertake when making an important business decision.


Network access, data integrity, and data availability must be considered as you shift your proprietary information into the cloud. Cloud providers have specialized expertise in providing computing infrastructure, yes, but that does not mean that their service is not susceptible to breakdowns or interruptions. Ultimately, it is your business that will suffer the consequences of any interruption of access or any flaws in your data integrity.

From the business angle, you should be prepared with a business continuity and disaster recovery plan. From the legal angle, you should ensure that your service-level agreement (SLA) specifies, in terms that you find acceptable, how and when the provider will provide its services, address interruptions, and offer redress when there are disruptions to service. Not only will you need access to your corporate data on demand, but your customers and clients may have the right to demand access to or amendment of it, or the right to know that it is maintained with integrity. In the US, healthcare patients have a right to request their medical records,2 students and their parents have the right to view educational records,3 and so on. Your ease of access to customer information is integral to compliance with the many consumer privacy protection laws.

Conversely, you do not want the IaaS provider to have free access to your data. The service agreement should explicitly specify "hands off" the data that the provider stores for you, unless access to it is required in order to provide you services. There should be no opportunity for the provider to monetize or otherwise use your data. There will be some unforeseen hiccups with IaaS, but their impact will be mitigated if your operations plans are in place and your legal protections are in order.


Before you moved your computing infrastructure to the cloud, it may have taken a lot of effort to maintain and store said equipment, but you certainly knew where it was -- in your server closet, room, or whatnot. But when it comes to IaaS, where exactly are your computing resources located, and where is your data located? These questions, in turn, trigger a panoply of other questions with regard to data privacy regulations.

The Internet and "the cloud" seem to promise a uniform situation with universal availability from any location. In reality, there are myriad political and legal factors that inconveniently pull back the veil on this fiction. The location of your data may cause it to be subject to international data protection laws and even foreign government surveillance. Since Edward Snowden revealed the US National Security Agency's (NSA) surveillance activities, many foreign countries are no longer accommodating of the interests of American companies in transferring data across nation-state lines. In the US, we view data privacy as a consumer and market-based issue. For example, we are fairly comfortable with the tradeoff between allowing our personal information and behavior to be leveraged in return for the free Internet and free apps on our smartphones. In many other parts of the world, privacy is a more visceral issue and is labeled a fundamental human right. From religious texts invoking privacy to the experience of Nazi use of data to create population identification systems, there is a deep and troubled history with piercing the shield of personal privacy.

I provide this historical background to underscore the contemporary challenges for companies with international customers (which includes nearly every Internet commerce business). Until October 2015, 4,000 US companies operated under a Department of Commerce program with the European Union that permitted them to transfer the personal data of EU citizens across national lines. As a consequence of the furor over the revelations of global NSA surveillance, that agreement was just invalidated, without concrete plans to either replace it or enforce the current gap in the law. Countries throughout the rest of the world are closely watching the US-EU standoff and have voiced their own complaints and concerns about international data transfers. This situation adds another layer of risk and uncertainty for any company seeking to store its data in the cloud. If you have no business need for your data to cross the Atlantic, then make sure that you voice that preference in your contract and make provision for extracting it whenever you need to.


I can hardly think of a commercial situation these days that does not invoke problems around privacy and confidentiality. The US does not have an overarching data privacy regime but instead regulates the matter via many sector-specific laws. There are data privacy regulations that protect Americans as healthcare patients, financial and credit customers, students, drivers, video consumers, telemarketing targets, and so on. Broader laws exist in the area of data breaches, and even broader authority lies with the US Federal Trade Commission, which can investigate and fine companies for privacy infractions in the name of fair trade practices.

In our cyber landscape, data breaches are a constant. An IaaS vendor should be expected to satisfy certain confidentiality and security standards for protecting your systems and their contents. It should also notify you about security incidents that may have compromised your data. In the unfortunate instance of a breach of information or other harm caused to your business operations, your contract should apportion the responsibility and liability between you and your provider. These provisions will affect your ability to respond to and investigate breaches in an era where timeliness is expected by regulators, the media, and consumers.

Furthermore, the distributed service model works because IaaS providers colocate users' virtual machines and provision their resources to maximize customer usage. This is an efficiency, but also a potential problem. When the customer's machine is virtual, but the physical server is actual, guess which reality trumps the other when security is breached? The consequence of sharing the same machine is that colocated data may be susceptible to leakages to other clients located on the same server. Recently, researchers found a way to steal Amazon's secret encryption keys in a side-channel attack on a colocated client. This hacking took place in a lab environment and hence is still a hypothetical threat. As similar threats have been exposed over the years, reputable providers have addressed them. Nonetheless, it demonstrates why it is critical that your cloud provider be a reliable major vendor.

In sum, legal protections can serve as a safety net to cover any gaps in the security of the actual resource. Legal provisions and security best practices should work in concert. One without the other is insufficient in the area of IaaS products, because this is neither an established area of legal doctrine nor of business standards. In addition to the matters detailed in this article, there are business and sector-specific legal issues with regard to intellectual property, trade secrets, foreign direct investment, and corporate governance when you move to an IaaS paradigm. To reliably protect your business interests, you must take matters into your own hands. Work with your legal and technical support teams to ensure that you are comprehensively assessing the risks of moving to IaaS and designing sound administration practices for managing this valuable resource. Remember, security can never be wholly outsourced!


1 Wueest, Candid, Mario Ballano Barcena, and Laura O'Brien. "Mistakes in the IaaS Cloud Could Put Your Data at Risk." Symantec Corporation, 2015.

2 Under the Health Information Portability and Accountability Act (HIPAA), patients have the right to access and amend their medical records. This applies to business associates who provide contracted-for services to healthcare providers. See: "Right to Access Medical Records." US Department of Health and Human Services (HHS).

3 Under the Family Education Rights and Privacy Act (FERPA), eligible students have the right to access and amend their personal information. See: "Family Educational Rights and Privacy Act (FERPA)." US Department of Education.

About The Author
Annie Bai
Annie C. Bai, CIPP/US, CIPM, is a graduate of NYU School of Law. Ms. Bai is Privacy Counsel at Single Stop, a national anti-poverty nonprofit and speaks on modern privacy law for New Directions for Attorneys at Pace Law School. She consults with for-profit and notfor-profits on privacy and data security on privacy audits in a variety of industry sectors. Ms. Bai is a member of the Technology Operations Committee for Per Scholas, an IT workforce… Read More