Articles Posted in Cloud Computing

On Friday, April 22, Pillsbury hosted a meeting of the Washington, DC, chapter of the Cloud Security Alliance (CSA-DC). Dr. Ramaswamy Chandramouli, Group Chair of the NIST Cloud Computing Security Working Group addressed members of CSA-DC representing local businesses, government agencies and various consulting and law firms regarding the work NIST is doing to develop a security architecture for cloud services.

Dr. Chandramouli’s presentation focused, among other things, on the various ways the software development life cycle (SDLC) needs to be adapted to address the move to cloud based services, including ways to maximize the ability to move applications from one cloud provider to another. According to Dr. Chandramouli, when moving to the cloud, a number of aspects of the SDLC need to be re-evaluated, from access controls and use of things like OpenID to the use of third party-provided digital libraries and APIs. As Dr. Chandramouli and a number of other participants at the meeting noted, the move to the cloud also requires an examination of your disaster recovery/business continuity planning.

Naturally, the discussion turned to last week’s Amazon EC2 outage, opinions about its cause and a discussion of its effects.

Cloud computing is getting a lot of traction in a time of shrinking budgets. Industry experts speaking at NASSCOM 2011 are expecting cloud based services to be roughly a quarter of the outsourcing industry over the next two years.

So the business team is ready to move everything to the cloud. “But wait,” says the General Counsel, “if someone else has our email what happens if they get served with a subpoena? They won’t protect our information the same way we would.”

While there is no case law directly addressing discovery of corporate email held by cloud providers, there are some instructive analogs found in cases involving third-party email providers under the Stored Communications Act (“SCA”) and in cases addressing the concept of “control” under US Federal regulations that should be considered by large corporations thinking of migrating email to the cloud.