The technology of cloud computing—where businesses can “rent” IT equipment or software applications over the Internet—sounds like a great idea. Simplify your IT infrastructure, lower your costs. What's not to love about that?

Well, plenty, if you happen to be the corporate compliance officer at a company rushing into “the cloud.”

THE PANELISTS

The following executives participated in the Jan. 25 roundtable regarding legal and compliance challenges in modern IT infrastructure.

Cary Berger, Vice President, Legal Affairs & General Counsel, eHarmony, Inc.

Warren Chan, Principal, Risk Services, Crowe Horwath

Barbara Danzi, Chief Information & Security Officer, Garda Cash Logistics

Tanya Forsheit, Founding Partner, Information Law Group

Noel Haskins-Hafer, Internal Audit Leader, Intuit

Bart Kimmel, Risk Services, Crowe Horwath

Robert Lindquist, Vice President & Chief Compliance Officer, Ingram Micro

Jason Mefford, Vice President, Business Process Assurance, Ventura Foods

Richard Miller, Compliance & Privacy Officer, CoreLogic

Maryanne Siek, Director, Records Management, Freeport-McMoRan Copper & Gold, Inc.

Desmond Tan, Vice President, Internal Audit, Synopsys, Inc.

Ekkie Tepsupornchai, Senior Enterprise Architect, Parsons Corporation

What if the vendor providing you services via the cloud proves unreliable or financially unstable? What if you have a security breach and valuable intellectual property is exposed to prying eyes? What if you outsource critical business operations via the cloud, and that affects your tax rate and financial reporting? Worst of all: What if you in corporate headquarters have really good answers to those questions, and your employees blissfully blunder in the cloud anyway without telling you?

No surprise, then, that when Compliance Week and Crowe Horwath gathered a dozen compliance, audit, and IT executives in Los Angeles in January for an editorial roundtable to discuss cloud computing, ambivalence was the order of the day. Yes, attendees universally said, cloud computing is an intriguing technology and one that's here to stay. But wow, the legal and compliance risks that come with it are daunting.

Warren Chan, a principal in IT risk services for Crowe and co-host of the event, said the challenge for compliance officers boils down to one fact: Once upon a time, companies stored all their data on servers they owned, that they could see and touch and manage whenever they wanted. And those days are gone.

Cloud computing is not so much a technology issue, but rather “a new way of interacting and doing business,” he said. “Now we have a completely different paradigm.”

Compliance officers are essentially squeezed between that new paradigm and old human behavior. For example, the economics of cloud computing are powerfully compelling; people can store huge amounts of data with vendors such as Google, Rackspace, or Amazon.com at rock-bottom prices. But the threat is that anyone can strike those arrangements with cloud vendors, including employees who won't understand (or won't care about) security, privacy, or other compliance obligations.

That risk of employees acting on their own, with no easy way for a company to monitor behavior and intercede where necessary, worried attendees the most.

“We really don't know who has their own private cloud, what they're doing with it, and what they've got out there,” said Noel Haskins-Hafer, internal audit leader at Intuit.

Yes, an employer can ban such activity. But a policy alone won't change how employees use the cloud and all the conveniences it brings, argued Jason Mefford, vice president of business process assurance at Ventura Foods. “We can yell and scream and jump up and down all we want, but people are always going to be one step ahead,” he said. “It's not an IT issue; it's a human behavior issue. The thing is, you can't restrict everything.”

Cloud computing also runs the risk of reconstructing “silos” of information, those dreaded pockets of insular knowledge and behavior that compliance departments have spent the last few years trying to knock down. Without a broad strategy of how to handle the cloud, and one that employees will actually support, each employee could create pockets of data in the cloud others don't know about.

“Now more than ever, it's critical for everyone to have a strategic view of the business and how their work fits into the company's overall requirements to maintain security and compliance,” Haskins-Hafer said.

For example, if a U.S.-based engineering group decides to outsource processing to a cloud provider outside the United States, do the engineers and the procurement teams understand the potential legal and compliance implications of managing data across borders? Has the legal department reviewed any intellectual property or trade secret concerns? Have the security implications of the proposed cloud model and provider been considered before the cloud is deployed?


Legal departments have plenty of other worries about cloud computing as well. Conducting an investigation or searching data for e-discovery purposes will rarely be as straightforward as it used to be, when companies knew where all their data was stored. In the cloud, data could be stored in multiple locations, or be moved among multiple locations, without the corporate owner's knowledge. That could raise concerns about legal ownership, availability, and privacy if the data is flitting across national borders.

“How do I apply my retention policy to the records when they're not in my custody?” asked Maryanne Siek, director of records management for Freeport-McMoRan Copper & Gold. “That's what really makes me nervous.” 

The roundtable discussed some solutions to the security issues that go along with cloud computing. One strategy: sort information by its sensitivity. Chan advised companies to develop a strong regimen of classifying types of information before making any move to the cloud. “Do you know upfront what's okay to put in the cloud and what's not?” he asked.

Other roundtable participants admitted that the answer to Chan's question is usually, um, no.

Photo captions: Crowe Horwath's Bart Kimmel listens in as Cary Berger, eHarmony's general counsel, shares his thoughts. Barbara Danzi, chief information and security officer at Garda Cash Logistics, takes notes, while CoreLogic's Richard Miller offers some insights. Tanya Forsheit, founding partner of Information Law Group, addresses the entire panel on what she considers are the biggest compliance challenges in the ever-evolving world of IT.

“In my experience with clients of all sizes, it's very rare that clients have done thorough data mapping or data classification,” said Tanya Forsheit, founding partner of the Information Law Group. “If they're small, it's a resource issue. If they're large, it's a scope issue,” she added. “It is one of the most tremendous challenges.”

Some corporations have taken first steps at classification, although that's largely a function of the business they do. Haskins-Hafer gave the example of Intuit, which has sky-high security and privacy concerns since it handles so much financial data from customers. Every time Intuit does an acquisition, before that new company's data is allowed into Intuit's data center, “we classify,” she said. “We have it looked at by internal audit and legal, because we want to make sure we've got it down.”

Attendees also wished that regulators would do more to allay security concerns. They expressed frustration that many regulations—the Federal Rules of Civil Procedure, the Electronic Communications Privacy Act, the Gramm-Leach-Bliley Act, the European Union Data Protection Directive, and more—haven't been updated to address the unique problems of a cloud-computing world.

“A lot of times, the laws are left to interpretation,” Chan said.

“You have to have an eye for what's practical, what's balanced, and what makes sense,” Forsheit added. “Regulators often don't have any idea about cloud computing.” When regulators do seek comment about cloud computing and new data technologies, the most important thing the private sector can do is to answer, she said.

Vendors also are still addressing companies' cloud computing concerns. “I think they want to be able to meet a lot of the concerns,” but are struggling with the challenge of being all things to all customers, said Ekkie Tepsupornchai, senior IT architect for engineering and construction company Parsons Corp. As time goes on, he said, vendors will likely develop more vertically driven niches to suit the needs of individual markets, even though the core service across those markets may essentially be the same.

The degree to which companies embrace cloud computing in the future will depend on each company's personal experience, Chan said: Either companies will wade further into the cloud as they get comfortable with cloud computing, or they'll retreat because of a bad experience. “We move toward things where we have positive reinforcement,” he said. “As soon as we get burned, though, it takes us a lot more to get back to the table.”