Cloud owners liable for security

By Therese van Wyk
Johannesburg, 19 Aug 2011

No matter how good a company's security solutions are, there is someone, somewhere who is capable of compromising those systems. When that happens, the person ultimately responsible has to pick up the bill. In the legal world, that bill is called liability.

The payer will try to fork out as little as possible, of course, and will likely also reduce risk upfront, before taking on any responsibility for breaches.

In cloud computing, this means solution providers give no security guarantees unless they provide the infrastructure.

Ultimately, insurance is the only way to transfer all liability for security breaches to someone else, said Galix Networking MD, Simeon Tassev, speaking at the IDC IT Security Roadshow in Johannesburg this week.

“In terms of the design of your private cloud, the custodian of the data and the security infrastructure is responsible,” said Tassev. “You design your private cloud, so if you expect that someone else will provide you with additional security just because you're in the cloud, you will have a problem.

“However, if you have a security solution, and you've done everything you should in accordance to that solution, then the liability should lie with the provider. You rely on the underlying technologies in the solution - encryption, for example. If someone hacks into your system because of an exploit in those technologies, the vendor should be responsible.”

But events mostly turn out differently.

“No vendor will take that responsibility,” said Tassev. “Unless they are the one providing you with the public infrastructure.”

A vendor taking liability mostly means greater cost to the buyer.

“As an example, Microsoft will provide you with cloud services. If you do your own solution using Microsoft technologies, they won't take the responsibility. But if you subscribe to their client services, they will say your information on their cloud services offering is secure, and they will take liability.

“Unfortunately, to have that 100% guarantee, you always pay a premium.”

If the company decides to implement its own solution, guarantees won't be any cheaper. It will have to introduce multiple levels of security: not just boundary protection, but also encryption and authentication, and even physical security if required.

And using a hosting centre for a solution introduces another factor: the centre will be liable for what it agrees to in the contract, no more. In a similar way, providers building outsourced Web sites limit their liability.

“I still have to see a company that designs a Web site that will take full responsibility for that site,” said Tassev.

“From a liability point of view, you as custodian of your brand need to protect that brand. Your service provider may assist you with certain technologies - Web application firewalling, network access control or strong authentication before accessing data. But at the end of the day, they will not take the liability away,” concluded Tassev.

“The only way to pass liability to someone else is insurance, else it is yours.”
