Professional Documents
Culture Documents
Richard Kemp∗
Kemp IT Law, London, UK
a r t i c l e i n f o a b s t r a c t
Article history: Enterprise (large organisation) computing workloads are moving from ‘on-prem’ to ‘in-
cloud’ increasingly quickly, and the cloud is forecast to account for almost half of enter-
prise IT by 2026, up from 10% today. But the benefits of the enterprise cloud need to be
Keywords: weighed against increasingly burdensome duties around cloud and data security. This com-
Cloud computing ment piece provides a checklist of the sources of enterprise cloud security duties and a
Information security checklist of best practices to manage them.
Cloud security © 2018 Richard Kemp. Published by Elsevier Ltd. All rights reserved.
Data protection
GDPR
Cloud contracts
Cloud governance
Standards
After the demanding bow wave of GDPR readiness legal Aggregating the elements of the private cloud and Infras-
work in the run up to 25 May 2018, IT lawyers may be forgiven tructure (IaaS), Platform (PaaS) and Software (SaaS) in the pub-
for thinking that the biggest change is now behind them. How- lic cloud, and comparing their projected development over
ever, GDPR heralds rather than ends a period of broadly based the next ten years with ‘traditional’ enterprise computing,
structural change in technology adoption, business transfor- open source IT research organisation Wikibon is forecasting
mation and IT law and regulation. Nowhere is this better that the cloud’s share of enterprise computing will grow from
shown than in the legal aspects of the rapidly developing area around 10% today to 45% by 2026.1
of cloud security. For enterprise users, the cloud provides a range of ben-
A central feature of this change is the epic migration now efits and opportunities, including provisioning flexibility, ac-
well underway in enterprise (large organisation) computing cess to new services, assisting digital transformation, speed
from ‘on premise’ – traditional IT infrastructure at the user of deployment and cost efficiencies. However, enterprise-scale
– to ‘in-cloud’ – open access to the public cloud, the more ded- organisations operate in a business environment that increas-
icated resources of the private cloud and their hybrid cloud ingly emphasises the criticality of cloud and data security -
combination. The development of the enterprise cloud is as the legal, technical, operational and governance controls that
significant as the migration of electricity generation out of the an organisation puts in place to ensure desired information
factory to the UK national grid in the 1930s but with many security outcomes.
more facets, as each component of computing – power, pro- As IT workloads migrate to the cloud, the benefits of
cessing, network, memory, storage and software - gets the cloud provisioning need to be weighed and balanced against
cloud’s ‘as a service’ treatment. security risks and duties. Organisations are therefore estab-
lishing cloud security and compliance governance procedures
∗
Kemp IT Law, 21 Napier Avenue, London SW6 3PS, UK
E-mail address: richard.kemp@kempitlaw.com
https://doi.org/10.1016/j.clsr.2018.06.001
0267-3649/© 2018 Richard Kemp. Published by Elsevier Ltd. All rights reserved.
computer law & security review 34 (2018) 928–932 929
Table 1 (continued)
to manage their cloud security duties. To assist in the process, rity from the customer side, and the NCSC (UK GCHQ’s Na-
we have provided the following checklists of the sources of tional Cyber Security Centre) published in September 2016
enterprise cloud security duties and best practices to address fourteen principles for cloud security which form the basis of
those duties. the checklist of best practices for enterprise cloud security at
Many supplier organisations now produce materials on Table 2, Section A. Section B addresses the assurances that the
cloud security best practices.17 Governments and public sec- enterprise should obtain from its CSPs to back up their con-
tor organisations have tended to take the lead on cloud secu- tractual security commitments.
computer law & security review 34 (2018) 928–932 931
The NCSC document having confidence in cyber security explains the ways in which cloud buyers can determine and demonstrate
compliance with the principles. These include:
• CSP assertion
• CSP contractual commitment
• third party certification
• independent testing
• a mix of one or more of these.
Table 2 (continued)
How does the CSP propose to give the Enterprise satisfactory assurance that it will comply with its cloud security commitments?
Does the CSP have ISO 27001 19 (on information security management systems) certification?
Does the CSP have SSAE 16/18, Soc 2 [Type II]20 certification?
Questions:
(a) Has the certification been issued by an approved certifier?
(b) Is the certification accompanied by the full, relevant report and all other necessary supporting documentation?
(c) Is the certification still current?
(d) Does the certification cover the CSP service that is to be contracted for?
(e) Does the certification cover all data centres/locations at which Enterprise data will be stored?
(f) Will the CSP undertake to keep all certifications in force for the duration of the agreement, including by renewing any that time
out or lapse?
(g) If the CSP loses any relevant committed certification, is the CSP required to notify the Enterprise promptly?
(h) Can the Enterprise terminate for CSP breach in these circumstances?
Enterprise cloud migration is set to gather pace in the com- May 2018. The UK Data Protection Act 2018 also came into
ing months and years, bringing a wide range of IT benefits to force on this date - http://www.legislation.gov.uk/ukpga/2018/
large organisations. As we have seen recently with GDPR, se- 12/pdfs/ukpga_20180012_en.pdf.
10. https://eur- lex.europa.eu/legal- content/EN/TXT/HTML/?uri=
curity is in the public eye, and legal duties to keep cloud data
CELEX:32016L1148&from=EN. The NIS Regulations (SI
secure are becoming more onerous. Balancing cloud benefits
2018/506) - https://www.legislation.gov.uk/uksi/2018/
and security duties is therefore a critical success factor for 506/made - implemented the NIS Directive into English law
organisations in their cloud operations. Ensuring cloud secu- on 10 May 2018.
rity - the mix of legal, technical, operational and governance 11. The Directive and UK Regulations apply to relevant ‘digital
measures to achieve a desired information security outcome services providers’ and the ‘operators of essential services’.
– is moving centre stage as enterprises shift their computing ‘Cloud computing services’, as ‘enabling access to a scalable
and elastic pool of shareable computing resources’ are ‘digital
workloads ‘off prem’. Putting in place effective cloud security
services’ regulated by Articles 16-18 of the Directive and
governance, and the policies, procedures, and processes that Regulations 12-14 of the UK SI.
underpin it, will become indispensable. This piece aims to as- 12. https://www.legislation.gov.uk/ukpga/2003/21/contents
sist the process by providing checklists of security responsi- 13. http://www.legislation.gov.uk/uksi/2003/2426/contents/made.
bilities and best practices to address them. [Note: as at end May 2018, discussions are under way at EU
level to replace the ePrivacy Directive (2002/58)13 -
https://eur- lex.europa.eu/legal- content/EN/TXT/HTML/?uri=
end notes CELEX:32002L0058&from=EN - with a directly applicable
ePrivacy Regulation
14. http://www.legislation.gov.uk/ukpga/2016/25/contents/
1. ‘Cloud “Vendor Revenue” Projections 2015-2016’, David Floyer, 28 enacted
February 2017, Wikibon - https://wikibon.com/cloud-vendor- 15. Investigatory Powers Act 2016, section 4
revenue-projections-2015-2026/ 16. UK Home Office, Acquisition and Disclosure of
2. https://www.eba.europa.eu/documents/10180/2170125/ Communications Data Code of Practice, March 2015, para 2.13
Recommendations+on+Cloud+Outsourcing+%28EBA-Rec- https://assets.publishing.service.gov.uk/government/uploads/
2017- 03%29_EN.pdf/e02bef01- 3e00- 4d81- b549- 4981a8fb2f1e system/uploads/attachment_data/file/426248/Acquisition_
3. UK Financial Conduct Authority - https://www.fca.org.uk/ and_Disclosure_of _Communications_Data_Code_of _Practice_
publications/finalised- guidance/fg16- 5- guidance- firms- March_2015.pdf
outsourcing- %E2%80%98cloud%E2%80%99- and- other- 17. See for example the following CSP - (supplier-) side
third- party- it approaches from: AWS - AWS Security Best Practices (August
4. FCA’s Senior Management Arrangements, Systems and 2016); Cloud Security Alliance - CSA Security Guidance 4.0
Controls (SYSC) - https://www.handbook.fca.org.uk/ (February 2018); and Microsoft - Microsoft Cloud Security for
handbook/SYSC/8/ Enterprise Architects (August 2017).
5. https://www.handbook.fca.org.uk/handbook/DTR/ 18. Headline points. See the NCSC’s full document at
6. https://eur- lex.europa.eu/legal- content/EN/TXT/HTML/?uri= Implementing the Cloud Security Principles
CELEX:32009L0138&from=EN 19. See http://www.iso.org/iso/home/standards/management-
7. https://www.sra.org.uk/solicitors/handbook/ standards/iso27001.htm
handbookprinciples/content.page 20. https://www.ssae-16.com/ Note that SSAE 18, effective as of 1
8.https://www.sra.org.uk/solicitors/handbook/code/content.page May 2017, superseded SSAE 16 (and of course its predecessor,
9. https://eur- lex.europa.eu/legal- content/EN/TXT/HTML/?uri= SAS 70).
CELEX:32016R0679&from=EN. GDPR came into force on 25