LEGAL CONCERNS AND CHALLENGES IN CLOUD COMPUTING

Abstract

With technological advancement, the computing landscape is changing significantly. Services, infrastructure, and data are no longer owned by their users, and legal issues have arisen in computing services since the cloud concept was implemented. Under the Cloud concept, there is potential confusion as to who is in possession of the information. Cloud providers are generally considered the legal custodian, possessor, or owner of the information, which creates complexities in several legal areas, such as trademark infringement, the security and privacy of data and its users, the accountability of service providers, and so on. Cloud computing has created a new era that gives organizations strong support in mobilizing their service lines, and it has helped services reach third parties and customers quickly. However, certain challenges are associated with Cloud Computing, and it is important for service providers to consider them before implementation. Given business trends and emerging technological advancement, Cloud Computing faces security and regulatory challenges in protecting capital and knowledge-based assets. This paper discusses the major technical challenges that cloud computing poses to traditional on-site computing. It also provides background information on the different protocols of cloud computing, such as PaaS or Platform as a Service. Traditional contractual protections under civil law are reviewed in light of the uncertain ethical and legal jurisdictional landscape for licensing agreements and SLAs.

Keywords: Cloud Computing, Terms of Service (ToS), Legal challenges of Cloud, Cloud, Privacy, Cloud Service Provider (CSP), Privacy Impact Assessment (PIA), SLA or Service Level Agreement, Legal and Privacy Issues.

Introduction

Cloud Computing is an effective example of contemporary emerging technology and business trends. However, organizations face intense challenges in ensuring traditional security for the corporation's property resources, such as capital and knowledge-based assets. Stakeholders, C-level executives, and corporate counsel need to analyse the role of the regulatory and legal aspects that have developed since the introduction of public and private clouds. Clouds act as server farms or data centres where information and software can be stored remotely, instead of on a hard drive located on the user's premises. Meeting the normal demand and supply curves requires limited site support and scalability. Sharing agreements, licensing agreement contracts, and pro forma documents are not capable of delivering adequate legal remedies and resources for the protection of corporations, and this applies especially to SMEs. Moreover, the emerging trend has given rise to a myriad of intellectual property, FDI or Foreign Direct Investment, trade secret, and corporate governance risk issues, areas that require more explanation for litigating in international and domestic markets. A persistent concern also exists within the cloud community about the proper protection and privacy of data. This paper will also assess the ability of service providers to establish whether privacy has been compromised and whether data have been lost or misappropriated. Accordingly, this paper mainly addresses the infrastructural and technical challenges that cloud computing poses to traditional on-site computing. It also provides in-depth background on different protocols, such as SaaS (Software as a Service), IaaS (Information as a Service), PaaS (Platform as a Service), and so on.

Legal and Contractual challenges associated with Cloud Computing

Cloud Computing is offered across different countries and, as an emerging technology, has some dynamic and complex aspects. Moreover, the dynamic legal environment has significantly affected both private and public law. Protecting the rights of both customers and service providers has therefore become quite challenging for Cloud Computing, which is why it is important to develop efficient and fair laws for both customers and service providers [2]. The complexities arise mainly because different countries have their own specific jurisdictions, laws, and regulations. To manage the work during implementation, support, and future upgrades, service providers, third parties, and customers must build contractual agreements [5].

Based on the nature of cloud computing and its technological models, there are some substantial regulatory aspects that apply to the provision of Cloud Computing services. The question of applicable law and jurisdiction is governed by specific policies, rules, laws, regulations, and competent jurisdictions that depend on the country and region. These differences arise from the different geographic locations of the stakeholders involved and from the obligations and rights of the individual stakeholders [1]. There are few special policies or regulations for managing the flow of information across borders, and some jurisdictions craft rules of their own. Managing disputes in the cloud is another potential issue; it concerns the accountability of different organizations and how those firms maintain reinforced trust between cloud computing service providers and customers. Given the unique characteristics and nature of Cloud Computing services, it is quite difficult to identify the competent jurisdiction between different regions and countries. Some countries, such as the UK, have already managed this issue by assigning particular organizations as regulators with the capability of handling disputes. However, as this is an internal matter of Europe, it is not comprehensively applicable outside European governmental and political relationships. This issue is crucial because it reflects the changing governmental and political relationships between different countries [2]. Moreover, Cloud Computing services are delivered across different countries, and existing laws and regulations govern these changes. For instance, if the relationship between two nations is suspended for political reasons, and the Cloud Computing service provider belongs to one country and serves the other, then it is important to build an independent regulatory system that can govern cloud computing globally. However, setting up an independent regulatory system for global cloud computing services requires international involvement and substantial effort to craft and govern the rules and regulations for Cloud Computing services [10].

There are some major challenges that need to be covered in the SLAs, contracts, and any other legal documents signed between clients and service providers. One issue is whether the legal framework is robust enough to cover and deliver flexible cloud computing services and solutions [7]. This issue arises mainly when customer needs are scaled up or upgraded in the short or long run. Flexible agreements are required when designing the legal framework for cloud computing, and the framework must follow all the terms and conditions of the agreements. Data flow across borders is another important factor: it highlights how the laws and regulations of different countries address data-flow issues, and how the related contracts, legal documents, and SLAs between service providers and their consumers reflect this when each party falls under its own jurisdiction. Moreover, it has been recommended that Cloud Computing service organizations use a service catalogue for their customers, which may help consumers select a clear and well-defined service package. Cloud Computing contracts have their own limitations, in that they can fix a particular limit on the liability of hosting providers. Though no line can be drawn around such potential risks, they need to be addressed thoroughly in the contracts [11].

Contribution of Cloud Computing in Risk assessment and Risk Management

In terms of economic benefits, industry forecasts are closely associated with cloud computing. According to IDC, a research company, implementation of cloud services throughout the global markets may reach $72 billion by the end of 2021, and the same report forecasts that investment in cloud computing may capture 32% of IT departure growth in 2021 [6]. It is almost one-third of the overall growth in the following year. According to an ABI Research study, cloud computing has the potential to change the mobile application world by 2022, with a projected $50 billion in revenue. Alongside the intrinsic opportunity in a service-based industry, there are various layers of low-to-high risk areas associated with the different types of cloud, such as PaaS, SaaS, IaaS, and so on [8]. On the demand side, there are several ancillary third-party contractors and subcontractors, and small and large scale providers, who have developed a myriad of 'pay-as-you-go' services in private, public, and community clouds, with varying levels of expertise and resources and therefore varying levels of risk. Similarly, there are different emerging business models and technologies, but very few organizations that can deliver industry-wide solutions for mitigating the risks associated with cloud computing. In a report published in June 2018, the analyst firm Gartner released research findings stating that cloud computing comes with security risks, and that this creates challenges for consumers when dealing with vendors about the capability of their architects, policymakers, operators, and coders, and about their technical mechanisms and risk control processes. This includes the level of testing done to verify the functionality of the control processes and services [9].

For instance, on the issue of regulatory compliance, Gartner takes the position that consumers are ultimately responsible for securing their own information and maintaining its integrity. The research company adds that best industry practice generally requires traditional service providers to undergo security certifications and external audits, and to caution customers. In a Merger and Acquisition (M&A) target scenario, the involvement of the cloud computing provider is essential. For instance, Gartner advises its customers to find out whether the organization's information would remain available after the M&A and whether the format could be replaced by the upgraded application.

ENISA, the European Network and Information Security Agency, is a government agency of the EU set up to advance the functioning of the internal market and to produce reports that detail the agency's findings on benefits and risks, together with recommendations related to European network and information security. In the report published by ENISA's editorial board and expert panel, the security assessment was carried out by considering three use-case scenarios, which are listed below [10].

  1. Generally, the SMEs have migrated to Cloud Computing Services
  2. The impact of cloud computing is highly effective on service resilience
  3. The role of cloud computing in e-Governance, such as e-Health

From the above-mentioned scenarios, the ENISA report identifies ten security risks that may result from cloud computing implementation. The ten security risks include lock-in (application and service portability, guarantee data), loss of governance, isolation failure (failure of the mechanisms separating memory, storage, routing, and reputation among different tenants), management interface compromise, compliance risks (risks to industry certification arising from cloud migration), incomplete or insecure data deletion (inadequate data wipe-out), data protection risks for both providers and customers, and malicious insider risks [1]. Though the report addresses ten security risks, it does not prioritize them by criticality. The tabulated risks are rated according to their impact on business functions, with risk measured on a scale of 0-8 for evaluating the risk acceptance criteria [6].

Data Privacy Laws and Acts and possible solutions for mitigating the legal challenges

When placing applications and data on cloud servers, organizations sometimes lose the ability to maintain complete control over the information. In some cases the information is sensitive and critical and needs to be stored safely on PCs. Nowadays, however, companies can keep such crucial data on online servers. Because of intense data security concerns, companies are not able to use the cloud to access the data of other companies. Generally, there are three types of security concern: Availability, Traditional Security, and Third-party data control. In relation to these three types of concern, there are data privacy laws through which organizations that use cloud computing can mitigate the legal challenges.

Electronic Communication Privacy Act

Under this act, information stored in the cloud is subject to a lower legal standard for law enforcement to gain access than if the information were stored on the user's PC. Furthermore, the SLAs and ToS of cloud services sometimes allow data to be preserved and disclosed to law enforcement during any kind of legal process. The data privacy issue can be managed by maintaining proper data collection, appropriate usage of data, safe data storage, data disclosure, data access, and retention [12]. These are some of the ways through which users can learn about effective approaches to handling the issues and reducing their negative impact [8].

Stored Communications Act

Users of Cloud Computing can access and store crucial data and important files away from the PC. The Cloud is an application or platform that can be accessed from several computing devices. The SCA, or Stored Communications Act, can influence organizations to develop and adopt new and emerging communication methods while ensuring that the privacy rights of citizens are protected. The act limits the government's ability to compel internet services to reveal stored information. In particular, the law provides clear definitions of RCS, or Remote Computing Services, and ECS, or Electronic Communications Services. However, because of several complications and outdated approaches, legal departments have interpreted the Stored Communications Act inconsistently [5].

Federal Information Security Management Act (FISMA)

FISMA was enacted in 2002 in recognition of the importance of IS, or Information Security, to the national and economic security interests of the UK [7]. The act provides a uniform regime for addressing the different levels of risk that may arise from international and domestic sources. It allows federal agencies to develop and implement programs for reviewing information security and to generate reports on the results for the OMB, or Office of Management and Budget. The move of Federal agencies to the Cloud can reduce costs, but it can also increase security and data privacy concerns. Federal agencies are highly concerned with maintaining control over data, which can increase the visibility of security incidents and risk management associated with the Cloud. The OMB and the GSA, or General Services Administration, have collaborated to make security and data privacy their top priority in facilitating cloud adoption through the Federal Cloud Computing Initiative. The government-wide program delivers a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, implemented through the GSA's BPA, or Blanket Purchase Agreement, in order to promote FedRAMP, the Federal Risk and Authorization Management Program, and IaaS, or Cloud Infrastructure as a Service.

HIPPA

In health care centres, the Health Information Service provider stores the medical information of users, which is subject to privacy protection under HIPPA, the Health Insurance Portability Protection Act. Under the legislation, cloud service providers have been able to limit their liability to users, so that users of the cloud service have limited recourse if data is exposed or lost [9].

Conclusion

This report has highlighted the major issues associated with cloud computing, focusing specifically on security, contractual, and legal issues. To maintain proper data privacy and security, it is important for Cloud Computing service providers to address the key issues by aligning with the legislative and regulatory aspects of cloud computing. It is essential to develop effective collaboration among customers, service providers, and legal agencies all across the nation so that cloud computing technology can be adopted by all organizations. By reforming contemporary policies, rules, laws, and regulations, it is possible for cloud computing service providers to avoid the different types of failure that can arise during the implementation of cloud computing, in both the short and the long run. This is the main driver of Cloud Computing, which continues to expand. Though there are several potential reasons why the implementation of Cloud Computing can face legal challenges, a probable cause of cloud boundaries is the difference between the legal frameworks of different countries. Different nations deal with the cyber world under different legal frameworks, which has increased the legal complexity of the cloud platform. With it, the probability of losing control over crucial and sensitive data has increased.

Reference List

[1] Alam, T. Cloud Computing and its role in the Information Technology. IAIC Transactions on Sustainable Digital Innovation (ITSDI), 1, pp.108-115, 2021.

[2] Alenezi, A., Hussein, R.K., Walters, R.J. and Wills, G.B. A framework for cloud forensic readiness in organizations. In 2017 5th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud) (pp. 199-204). IEEE, 2017 (April).

[3] Alenezi, A., Zulkipli, N.H.N., Atlam, H.F., Walters, R.J. and Wills, G.B. The Impact of Cloud Forensic Readiness on Security. In CLOSER (pp. 511-517), 2017 (April).

[4] Al-Ruithe, M., Benkhelifa, E. and Hameed, K. Key issues for embracing the cloud computing to adopt a digital transformation: A study of saudi public sector. Procedia computer science, 130, pp.1037-1043, 2018.

[5] Bhushan, K. and Gupta, B.B. Security challenges in cloud computing: state-of-art. International Journal of Big Data Intelligence, 4(2), pp.81-107, 2017.

[6] Domingo-Ferrer, J., Farras, O., Ribes-González, J. and Sánchez, D. Privacy-preserving cloud computing on sensitive data: A survey of methods, products and challenges. Computer Communications, 140, pp.38-60, 2019.

[7] Esposito, C., Castiglione, A., Pop, F. and Choo, K.K.R. Challenges of connecting edge and cloud computing: A security and forensic perspective. IEEE Cloud Computing, 4(2), pp.13-17, 2017.

[8] Fosch-Villaronga, E. and Millard, C. Cloud robotics law and regulation: Challenges in the governance of complex and dynamic cyber–physical ecosystems. Robotics and autonomous systems, 119, pp.77-91, 2019.

[9] Ghorbel, A., Ghorbel, M. and Jmaiel, M. Privacy in cloud computing environments: a survey and research challenges. The Journal of Supercomputing, 73(6), pp.2763-2800, 2017.

[10] Mushtaq, M.F., Akram, U., Khan, I., Khan, S.N., Shahzad, A. and Ullah, A. Cloud computing environment and security challenges: A review. International Journal of Advanced Computer Science and Applications, 8(10), pp.183-195, 2017.

[11] Rad, B.B., Diaby, T. and Rana, M.E. Cloud computing adoption: a short review of issues and challenges. In Proceedings of the 2017 International Conference on E-commerce, E-Business and E-Government (pp. 51-55), 2017 (June).

[12] Younas, M., Jawawi, D.N., Ghani, I., Fries, T. and Kazmi, R. Agile development in the cloud computing environment: A systematic review. Information and Software Technology, 103, pp.142-158, 2018.

