Cloud computing – cost effective and efficient but legal risks to be considered

Government is a major consumer of Information and Communication Technology (ICT), with a spectrum of operational requirements stretching from software – including everyday email applications – to data management services and centres and beyond.

There is an increasing demand from government departments and agencies for readily available, highly responsive and flexible ICT service delivery that is cost effective and efficient.

How potentially might this strong demand by Government for cost-effective and efficient ICT solutions be met? Several significant technological advances in recent years have resulted in the development of a new ICT-delivery model, referred to as ‘cloud computing’.

Wikipedia’s general definition serves as a useful starting point: “Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the internet). The name comes from the use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user’s data, software and computation.”

While cloud computing offers much promise in meeting government requirements, it brings its own risks and legal challenges. It is only natural for a certain degree of uncertainty and mistrust to accompany emerging technologies such as cloud computing, one of the fastest growing trends in ICT.

The benefits of cloud computing include:

• reduced IT costs through shared resources and reduced in-house IT workforce
• the ability for IT services to more rapidly adjust to meet fluctuating and sometimes unpredictable service demands and pay only for the services used
• increased accessibility and flexibility as users can access systems regardless of location and the device (e.g. mobile) they are using, as long as they have an Internet connection
• shared resources, which give users access to software that is not installed on a workstation in the organisation but on servers at a remote location.

Counter-balancing these benefits are potential disadvantages and legal issues including:

• data security concerns due to mission-critical data being managed by an external cloud service provider
• security and performance issues arising from sharing an IT resource with third parties (i.e. other customers of the cloud service provider)
• loss of control over data location – data are stored in the cloud on one or more servers around the globe, with the data being subject to transfer to other servers in other locations depending on operational demands. An organisation may be unaware of the actual location of its data at any time. Any transfer of data to different countries may result in different laws applying to the data, including those about data management and privacy
• reliance on an external cloud service provider for the ongoing availability and functioning of IT systems that support the organisation’s daily operations
• dependence on ongoing availability and performance of the Internet connections of both the cloud service provider and the organisation.

Clearly, any decision to proceed with a cloud-computing-based IT solution needs to include a risk management assessment and cost benefit analysis, as is the case with any significant ICT procurement.

The Queensland Guideline

In May 2012, the Office of the Queensland Government Chief Information Officer released the Cloud Computing Guideline, as part of the Queensland Government Enterprise Architecture for departments and agencies using cloud computing services.

Section 1.4 sets out the definition of cloud computing adopted by the Queensland Government and the Federal Government, as developed by the US National Institute of Standards and Technology:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models and four deployment models.

^{Refer http://www.qgcio.qld.gov.au/SiteCollectionDocuments/Architecture%20and%20Standards/QGEA%202.0/Cloud%20computing%20
guideline.pdf}

The five essential characteristics identified are: on demand-self service, broad network access, resource pooling, rapid elasticity, and measured service.

The essential characteristics are:

• On-demand self service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
• Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, tablets, laptops and workstations).
• Resource pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge of the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, data centre).
• Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
• Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing bandwidth, and active user accounts). Resource usage can be monitored, controlled, providing transparency for both the provider and consumer of the utilised service.

The three service models in the accepted definition of cloud computing are:

• Software as a Service (SaaS) in which the applications are accessible from various client devices through a thin client interface such as a web browser
• Platform as a Service (PaaS) in which end users develop or deploy applications on top of cloud infrastructure
• Infrastructure as a Service (IaaS) in which the provider manages the hardware but allows the end user to manage the operating systems, storage, and/or application deployment.

Under the four deployment models:

• Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Community Cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organisations that have shared concerns (e.g. mission, security requirements, policy and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off the premises.
• Public Cloud: The cloud infrastructure is provisioned for open use by the general public.
• Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, bound by standardised or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).

Potential legal issues

Various important legal issues are raised for government by cloud computing, including privacy, confidentiality, security and liability, all of which need to be properly addressed in each Customer Contract entered into under the Queensland Government Information Technology Contracting (GITC) v.5.02 framework. This framework applies to all ICT goods and services procurements by government departments.

^{The information in this publication is provided for general purposes only. It is not to be relied on as a substitute for legal advice. Crown Law and the Department of Justice and Attorney-General accept no liability for losses caused by reliance on the material in this publication. Formal legal advice should be obtained for particular matters.}