Published by Al Saikali

When a company decides to store its data in the cloud, one of the choices it must make is whether to store the information on physical resources devoted solely to its data and computing services, or share those resources with other entities who are using the same cloud provider’s services.  At the risk of oversimplifying, an analogy is deciding whether to rent a house or rent a unit in a multi-tenant building.  The latter option is often less expensive and, as a result, seemingly more attractive, but it may raise more security concerns because you share the same space with other renters.


A recent study entitled, “Hey, You, Get off of My Cloud:  Exploring Information Leakage in Third-Party Compute Clouds,” suggests there may be certain risks associated with the multi-tenant or “multiplexing physical infrastructure environment” when it comes to cloud computing.  The study explains how it may be possible for an attacker to place a malicious virtual machine (“VM”) in the multi-tenant environment cloud server and then extract confidential information via a cross-VM attack.  The study concludes that, “there exist tangible dangers when deploying sensitive tasks to third-party compute clouds.”


What does this mean for a company looking to store confidential information in the cloud?  At a minimum, an inquiry should be made to determine whether and to what extent the company will be sharing infrastructure with other entities using the same cloud provider.  If there will be a sharing of infrastructure, the study suggests a few approaches for mitigating the risks associated with such sharing.  First, the cloud provider can adjust the internal structure of its services to complicate an attacker’s ability to place a VM on the same machine as its target.  Also, the provider can put into place blinding techniques that minimize the amount of information that can be leaked.  The only “foolproof solution,” however, is to “insist on using physical machines populated only with their own VMs and, in exchange, bear the opportunity costs of leaving some of these machines under-utilized.”
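The “inquiry” above can be made concrete as an inventory check: list which of your instances sit on shared hardware and flag any tagged as holding confidential data. This is an added example, not part of the original post; it assumes the AWS EC2 `describe_instances` response shape (`Reservations` → `Instances` → `Placement.Tenancy`, where `default` means shared hardware and `dedicated` or `host` means single-tenant hardware), and the sample response and `DataClass` tag are constructed for illustration.

```python
"""Inventory which cloud instances share physical hardware with other tenants.

Assumes the AWS EC2 describe_instances response shape. The sample response
below is constructed for this example, as is the 'DataClass' tagging scheme.
"""
from typing import Dict, List

# Tenancy values that mean the host runs only this account's VMs.
SINGLE_TENANT = {"dedicated", "host"}

# Constructed sample, shaped like a boto3 ec2.describe_instances() response.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "Placement": {"Tenancy": "default"},
             "Tags": [{"Key": "DataClass", "Value": "confidential"}]},
            {"InstanceId": "i-0bbb222", "Placement": {"Tenancy": "dedicated"},
             "Tags": [{"Key": "DataClass", "Value": "confidential"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "Placement": {"Tenancy": "default"},
             "Tags": [{"Key": "DataClass", "Value": "public"}]},
            {"InstanceId": "i-0ddd444", "Placement": {}},  # tenancy key absent
        ]},
    ]
}


def shared_tenancy_instances(response: Dict, sensitive_tag: str = "DataClass",
                             sensitive_values=("confidential",)) -> List[Dict]:
    """Return instances on shared hardware; mark those tagged as sensitive."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # A missing Tenancy key means the provider default, i.e. shared.
            tenancy = inst.get("Placement", {}).get("Tenancy", "default")
            if tenancy in SINGLE_TENANT:
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            findings.append({
                "InstanceId": inst["InstanceId"],
                "Tenancy": tenancy,
                "Sensitive": tags.get(sensitive_tag) in sensitive_values,
            })
    return findings


if __name__ == "__main__":
    for f in shared_tenancy_instances(SAMPLE_RESPONSE):
        verdict = "REVIEW: confidential data on shared hardware" if f["Sensitive"] else "ok"
        print(f"{f['InstanceId']}: tenancy={f['Tenancy']} -> {verdict}")
```

Instances flagged REVIEW are the ones where the study's “foolproof solution” (dedicated hardware) or the provider's placement and blinding controls need to be weighed against the cost.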


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.


As “the cloud” becomes an increasingly important and more widely used tool for computing and data storage, companies (and their lawyers) must address a number of challenging issues.  Some of these issues include but are certainly not limited to:

  • How does a company minimize the risk of data breach and maximize the security of its data at a “reasonable” cost?  What level of security strikes a balance between practicality, financial reasonableness, and protection?
  • What policies should a company adopt to help ensure the security of its data while maintaining the privacy rights of its employees?
  • How can a company maximize the security of its customers’ private information, particularly if the information is stored in the cloud?  What are the minimum standards, if any, that the law requires of a company seeking to store information in the cloud with respect to ensuring the security of its customers’ information?  Are there any legal requirements or customs that a company should expect a third-party cloud vendor to meet?
  • What role will the law of other countries play in regulating data stored in the cloud, particularly where a cloud vendor may store information in servers all over the world?
  • What are the emerging trends in litigation?  What causes of action are being brought successfully against cloud vendors and businesses that use them when a customer’s private information has been breached?  Which defenses have been successful in limiting liability?  What does a customer have to show to establish the existence of a cognizable injury?

It does not appear that there are easy answers to many of these questions.  What does appear clear, however, is that corporations and individuals are increasingly moving their data and computing platforms into the cloud.  So, at the very least, these issues should be considered; they create a potential minefield ripe for litigation.

It is hoped that this blog will serve as a forum for discussion of these and other issues relating to the law regulating data security, cloud computing, data privacy, and “all things E.”

