
Academic year: 2021


Cloud Computing Legal Threats

Master Thesis Information Studies: Business Information Systems

Ioannis Markopoulos

10865462

Faculty of Science

Supervisor/First Examiner: Dr. Alexander Boer

Second Examiner: Tom Van Engers

Acknowledgments

I would like to thank my supervisor Dr. Alexander Boer for guiding me through my whole research, providing me with the correct methodology and structure in order to conclude with valued results. I would also like to thank my parents, who supported me every single moment.

Table of Contents

Abstract
Introduction

Background
3.1 Cloud Computing definition
3.2 Cloud Computing service and deployment models

Research Design
4.1 Research questions
4.2 Research methods

Literature Review
5.1 Personal Data Protection
5.1.1 EU rules
5.1.2 US rules
5.1.3 Netherlands Rules
5.1.4 Outcomes of the Rules
5.1.5 Governmental Access to personal data
5.1.6 Sensitive information
5.2 Data controllers and data processors
5.2.1 Confusion on the processor’s identification
5.3 Contracting issues
5.3.1 SLAs
5.3.2 Criteria for the establishment of SLAs
5.3.3 Service Level Objectives Overview
5.3.4 Inaccurate agreements for end-users
5.3.5 Proper approaching of SLAs

Surveys
6.1 Survey Design
6.2 Survey Results

Interviews
7.1 Research Strategy
7.2 Analysis and report
7.3 Empirical Study

8. Conclusion

9. Discussion and suggestions

Appendix
Appendix A: Survey
Appendix B: Interviews

Abstract

The Cloud has evolved through the years and it now remains at its peak. It offers enormous flexibility to organizations as well as end-users. More and more software development organizations have invested in the Cloud in order to win the battle against their competitors, gain trust from customers and achieve top security measures. This research paper illustrates the legal threats that these software organizations face in relation to the existing laws with which they must fully comply. We have conducted extended research for this purpose in order to highlight these threats and propose a solution based on our findings, survey and interviews.

Introduction

Cloud Computing is one of the most important technological achievements of our time, due to the unlimited opportunities that it offers to its users. Enterprises are investing in it, trying to create an infrastructure that will host huge amounts of data, from organizations to end-users. The increased need to minimize costs, together with its flexibility and adaptability, has drawn the interest of every customer who wants to entrust his data to the cloud.

Cloud Computing proves to be more significant than any other IT invention that has been proposed and established until today. It radically changes the world, how information flows and how it affects its users. This happens due to the countless benefits that it offers. The individual who used to buy, install and update a software program is now given the possibility of using online services, which eliminates all of the above concerns (3). The developer who constructs applications can now upload them to a computing platform of his preference, with the help of code libraries and programming languages of his choice (3). Enterprises can place all their data and their software programs on dedicated servers away from their location, which are carefully managed and maintained. This is how mobility, collaboration and scalability will be increased for the benefit of all Cloud Computing users.

In order to achieve an efficient deployment of Cloud services, a lot of factors need to be taken into serious consideration. One of these is the legal threats that Cloud Computing poses. In this research paper we will try to analyse the European and United States rules that exist to protect cloud customers' rights, as well as the problems that these rules impose. We will identify who is the controller and who is the processor of the data held, in order to clarify the existing privacy problems and the solutions proposed to date. This leads us to also examine the agreements and contracts that are proposed by the cloud providers and their impacts.

For this purpose, we have formulated three research questions and we will find out whether there is, finally, a common path between the user and the provider that will let Cloud Computing arise, evolve and lead the IT world into a new day. Thus, a brief definition of Cloud Computing and its models will follow in order to understand the purpose of our research questions. A literature review will be conducted on most of the recent legal threats. Surveys and interviews will be created in order to gather experts' and non-experts' opinions about how they view the Cloud Computing legal threats, which prove to be the most important factor in moving to the cloud. These statistics will be analysed, categorized and presented. Last but not least, there will be a discussion of the results that we acquired above, and we will propose some solutions on how users can entrust their data to the cloud and what changes need to be made in order to do so.

Background

3.1 Cloud Computing definition

Almost all Information Technology organizations as well as regular users have declared that Cloud Computing has a bright future in Technology in the upcoming years. Both of them also agree on the multiple security problems that arise. There are many definitions that can describe Cloud Computing; as the National Institute of Standards and Technology states,

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

3.2 Cloud Computing service and deployment models

Because the paradigm of cloud computing is new, there are various security issues which need to be resolved before cloud computing is fully accepted by the broad community, both enterprises and end-users. Before we look into the research methodology, a deeper explanation is needed of what cloud computing encompasses and where the security threats derive from.

Cloud Computing deployment models are divided into four (1):

o The Private Cloud, whose infrastructure is monitored by an organization or a third party. Private cloud users are considered trusted by the organization: they are either employees or have contractual agreements with the organization.

o The Community Cloud, which is used by many organizations at once and encompasses problems that are common to all of them. The community users are regarded as trusted by the organizations.

o The Public Cloud, which is offered to end users and is controlled by an organization that provides these cloud services to them. Public cloud users are considered untrusted, which means they are not tied to the organization as employees and have no contractual agreements with the provider, except for the usage agreement that they sign in order to use these cloud services.

o The Hybrid Cloud, which is derived from at least two cloud infrastructures connected with each other through a gateway that controls the data flowing from one part to the other. The users of hybrid clouds can be considered both trusted and untrusted.

o Software as a Service (SaaS). The user can access applications offered online in the cloud but cannot control them, as he can only change some personal configuration settings (1). These cloud services are offered mainly to end-users and not enterprises. These users appear to be reluctant to upload their data into the cloud due to the insufficient privacy agreements that they sign.

o Platform as a Service (PaaS). The PaaS service model offers operation and development platforms as a service to the user, who can use the platform to develop and run his own applications, supported by a cloud-based infrastructure that also offers him tools and other services (1).

o Infrastructure as a Service (IaaS). The user is offered infrastructure resources as a service, such as data storage, processing power and network capacity, but he does not manage the cloud infrastructure. Thus, he can deploy his own applications or even operating systems into the cloud (1).

Research Design

4.1 Research questions

In order to fully comprehend and answer the above legal concerns we need to analyse how these issues affect the Cloud providers and users in all deployment and service models. Thus, we will try to answer the following questions:

o Which are the currently identified legal issues that are related to privacy of cloud computing customers?

o What are some of the present solutions proposed to solve these issues?

o What other solutions can be proposed in order to solve these confidentiality issues?

4.2 Research methods

In order to realize which aspects of Cloud Computing legal threats have a deep impact on both users and enterprises, all of the challenges need to be identified, mainly by searching the literature. Using this technique we will be able to answer question 1 and partially question 2. Based on the information gathered we will have a clear view of how cloud customers and providers try to overcome these privacy problems. The literature review:

o Addresses our research focus in data privacy.

o Provides critical review of the existing literature on the subject.

o Illustrates all the current aspects of the subject we are working on.

Our literature review is structured to identify all the current rules that exist in Europe and the United States. We chose those two continents because most of the cloud providers are based there and the largest share of their customers belong to these countries. Thus, we analyse what the laws are, the privileges of the providers according to these rules, how the data transfers happen, as well as how the above matters are being addressed. Finally, the Service Level Agreements will also be described. Based on the above topics, the currently proposed solutions will also be reported. The literature review is mainly based on historical information from articles written by experts in the cloud, official regulations and outcomes from past researchers that provide their own views of the cloud legal threats. After researching a topic we will try to go deeper by validating the current statements against other sources, balancing them with our own judgment and finally using them as a guide for our further research methods. The scope of our literature review will provide all the issues that we need to solve and further analyse through other research methods, but we will present it in a logical order while keeping in mind the

o chronological date of our findings, as we aim for relatively new ones

o description of the relevance of each finding to our audience

o effectiveness and applicability of these findings for the creation of our survey and interview structure

Having answered the first research question and partially the second one, we will conduct a survey with questions based on the conclusions that we have drawn during the literature review. These questions will be given only to end-users of cloud computing. In this way we will try to observe and analyse their attitude towards the present legal threats and their perspective on specific issues. Later, we will be able to add statements to the third question, as we will have already established what the main problems are for end-users in the SaaS environment. By analysing the survey results we will have the chance to compare the outcomes of the survey and embed them into the final solutions, which will be fully described in the Conclusion chapter. The correlations that we will make will give us valuable guidelines on how to find a unique, complete solution based on the analysis of the ranking of their answers.

Finally, we will conduct interviews with cloud computing experts who either work in cloud provider enterprises or use cloud products and services from providers. These interviews will be conducted keeping in mind many criteria that are described in the Research Strategy chapter. This qualitative approach, with the help of the survey’s outcomes, will fully answer the third research question from every perspective. As the end result, we will provide a solution based on how the cloud providers and governmental organizations should properly approach their customers and minimize or even eliminate the data privacy issues.

Literature Review

5.1 Personal Data Protection

In order to comprehend the difficulties of increasing data protection for the customers of the provided cloud services, we must describe the laws that have been formulated in order to achieve data privacy. Because most of the companies that affect users exist in Europe and the United States, we will focus our research on these two continents.

5.1.1 EU rules:

According to Wikipedia, the Data Protection Directive was founded in 1995 in order to protect the data and personal information of individuals across EU countries. The Directive is divided into 33 articles in 8 chapters and it was officially initiated in October 1998 (5). The Directive states that the Data Controller is responsible for keeping data safe and has the right to process these data only under specific circumstances. It also states that individuals have the right to be aware of who the data controller is. They should also know the reason their data are processed, if needed, and they have the right to opt out and ask for compensation from the controller (5).

In each member state of the EU there should be an authority that controls the correctness of the implementation of the Directive and provides governmental guidance if the data has been breached (4). Data can also be transferred to third countries only if the data controller can assure that the recipient will comply with the aforementioned rules (4).

The Directive managed to enhance awareness of how data protection should be implemented in all EU countries, including those that were lacking in enforcing similar laws. On the other hand, there are many disadvantages, as many member states failed to comply with the criteria within the Directive. Furthermore, the rules that apply to transferring data to third countries are antiquated. Individuals and organizations that share their data cannot rely on this Directive anymore. The largest share of data controllers insist on the creation of a new one that will provide more coordinated rules that increase protection of personal information (6).

Nowadays, all the EU countries retain their own laws that refer to the 1995 Directive, and this results in a different level of protection for personal data. This new internet era requires a new data protection technique that will provide similar protection to all. This means that individuals and companies can be aware of the destiny of their data that are exposed online, and enterprises that host data can relocate from countries that have weak protection practices. Thus, new legislation was proposed in 2012. The General Data Protection Regulation is expected to be finalized by the end of 2015 and applied in a two-year transition period to all EU members (7).

This regulation resolves many issues. To begin with, users of cloud computing in general have the right to request the deletion of their uploaded data from cloud providers. These providers have to ensure that all of the requested information is deleted, even if they have to communicate with third parties that host these data. The “right to be forgotten” is going to be established, although many adjustments are expected to be enforced. Also, users have the right to know if and when their data is exposed. They also have to agree or disagree to the processing of their data. They should also receive easy-to-comprehend information on whether their personal data is exposed to governmental organizations and why. Companies cannot transfer data outside of Europe without taking all the appropriate legal measures to secure them. Data should not be integrated with other datasets, and in case of illegal processing there are severe regulations that companies have to face. Furthermore, Information Technology systems should be designed in such a way that they provide anonymous information to external parties. This will prove data protection-friendly to all users. Finally, end users can address their problems and concerns anywhere in the EU that retains a data protection authority for all. Companies, on the other hand, have to find the national authority of the country where they are mainly settled (7).

Taking all these new rules into consideration, we are prompted to ask whether protection will be increased. According to Schmitt and Stahl, more power will be given to end-users of cloud services or social media networks, as they can request their information and decrease it if they want to. Also, the EU can fine whoever does not comply with the rules. There will also be data protection officers in all mid-level organizations. All these regulations are expected to have an international effect, as many countries outside of Europe are expected to follow the same path, because users from non-EU countries who use services from European organizations now have the right to address their privacy issues to the EU data protection authority. The General Data Protection Regulation will finally have a huge impact on how contracts between service providers and customers are formed. Companies that host data from their customers have to review these agreements. This will ultimately result in giving the power to the people and not organizations, even if that means that a lot of them will have to opt out of Europe and provide their services in other continents (9).

5.1.2 US rules:

In contrast with the EU, the US does not have similar laws. Companies inside the US follow legislation that is established differently. Thus, there are many minor federal privacy laws that end-users and enterprises can rely on. There are at least 19 such laws in the US. The most important are discussed below.

o HIPAA: The goal of HIPAA is to provide privacy for individuals that share their health data. HIPAA identifies who has access to this information, such as the health provider. (10)

o FACTA: The FACTA has been created in order to maintain privacy in people’s credit and debit cards. (10)

o COPPA: This federal data protection law has as a main goal to protect children’s (under 13) data and submit these to their parents if needed. (10)

o GLBA: This law forced all companies that offer financial services to customers to retain their data in a safe environment. These companies should also offer the consumer the chance to withdraw his data and, most importantly, form agreements with third parties that also hold this data, ensuring that it will not be exposed. (11)

There is no specific mandatory law across all US states in case of a data breach. In each case, all the gathered facts are examined to investigate whether there is indeed a data breach, according to the applicable laws of each state. (11)

From the aforementioned federal US laws we see that there is a huge difference in how the EU and the US approach data protection concerns. As far as companies' data transfer from the US to the EU is concerned, a manual framework exists. This framework defines the EU/US Safe Harbor as a way for US companies to transfer their data from the EU to the US in such a way that they comply with the EU Data Protection Directive. (11)

As for the transfer of data outside of the US, there is no specific law that protects them, but there are minor laws, like the above, that strive for data protection during their relocation and require special contracts with the third parties that will ultimately hold these data. (11)

To sum up, data protection in Europe is more well-founded than in any other country or continent, as it mainly represents human privacy rights. Europe tries to persuade the US to strengthen its privacy laws, or else the Safe Harbor agreement will be extinguished if not strengthened (12). On the other hand, we observe arguments about the US level of privacy. Phil Lee argues that the US laws are strong enough to secure data privacy for users that upload their personal information. He states that there are several different rules that cover many privacy scenarios. US businesses take the current US laws into serious consideration and they aim for successful compliance with them. But as far as individuals are concerned, in the US they have the Federal Trade Commission, whilst in the EU they seek protection from the national data protection authorities.

5.1.3 Netherlands Rules

The Netherlands is one of the EU countries that find challenges in implementing the EU Directive. In 2000, though, they proposed their own Personal Data Protection law, which was initiated one year later. This law is enforced by the “College Bescherming Persoonsgegevens” (CBP) and it has many restrictions for cloud providers. Specifically, the data processors should provide to the CBP their name, address, and the multiple categories of their data. They should also indicate how the data are secured and with whom these data will end up (32). Enterprises, governments and their affiliates can assign their own data protection officers, although it is not obligatory. The data officers are the ones who check whether data processing is in accordance with the Dutch Data Protection Act (33).

As far as data collection and processing are concerned, there are several restrictions. In the first case, the data controller can gather data only if his purpose is specifically noted with clear statements. In the latter case, he can only process personal data if the processing is essential to ensure protection among its data subjects or if there are legal matters in which the controller is involved. Also, sensitive data are fully protected and cannot be processed unless the data owner agrees (33).

Data controllers and processors are obliged to enforce the necessary measures in order to offer the appropriate protection against data breaches among other organizations. If there is a data breach, though, there are no specific rules requiring notifications, although there is legislation under which the CBP must be notified instantly or else a corresponding fine will follow (33).

The transfer of data to countries outside Europe only happens if the receiving country offers similar standards of protection. If this country is the US, then the aforementioned Safe Harbor law should apply. There are also 3 categories of data that exist under the Electronic Communication Services Provider (SCP). Traffic data is one of them; traffic data can be discarded when they are useless. They can be held, though, if their existence is essential or if there is an authorization. The second category is location data, which are also mentioned (like the traffic data) in Article 11.5 of the “Dutch Telecommunications Act”. These data can only be processed if the processing is anonymous or if there is authorization from the user. The last category is the cookie rules. Here, the user must approve their usage. From early 2013, the personal information that is gathered from cookies is reckoned as “personal data” unless the cloud provider has legitimate proof to the contrary (33).

Recently, new rules about cookies have become obligatory. One of them is the enforcement of less restrictive laws for cookies whose purpose is to collect information in order to enhance the performance of the service, and for cookies that are not considered dangerous for the users. Furthermore, an organization that uses tracking cookies has to comply with the rules of the Dutch Data Protection Act unless it can prove that data processing is not happening. Also, the Dutch authority can now detect how companies act and use their cookies (34).

These new rules also include the obligatory data breach notification, in which the data controller has to inform the Dutch Data Protection Authority about the breach. Also, companies need to have a specified method to respond to data breaches. These data breaches must be recorded and maintained, or else big fines will be imposed. If data are very well encrypted, then the user should not be notified, only the Data Protection Authority. If data are not well encrypted, then users should be notified about the specifications of the breach, its outcomes and contact information about it. If a cloud provider has sub-processors and there is an incident of a data breach, then the provider should be immediately notified (34).

5.1.4 Outcomes of the Rules

In the United States, companies do not seem to face any legal changes like the rapid ones in Europe. If a company does not follow the EU rules, then the fine is very high, almost 5% of its annual revenue, and it can rise up to 100 million. The problem becomes more extensive due to the terms and conditions signed with their customers, in which they retain the right to keep customers' data in their databases. Furthermore, 2/3 of the cloud services are based in the US, where the companies have to obtain the Safe Harbour Certification to ensure data transfer across the EU. How many of them, though, get this certification? Finally, the biggest concern remains data breaches, in which the customer is not notified within one day if his data are exposed, as he may have agreed in the agreements that it is his own responsibility to deal with data breaches. (26)

5.1.5 Governmental Access to personal data

Governmental access to cloud customers' data is essential for crime investigations. On the other hand, there are many privacy concerns about the level of access to these data. (35)

In Europe, new Regulations have been suggested. These suggestions will have a deep effect in the degree of commercialization of cloud customers but a low effect on governmental restrictions as they seem to be weak. This means that there are not any major restrictions for the authorities to limit their access and that automatically enables EU countries to have a view of cloud data whenever they think it is necessary. (35)

In the US, the authorities are not entitled to access data whenever they wish. There are many constitutional provisions and multiple laws that do not give the US government automatic access to people’s data in the cloud (35). Furthermore, there is a big chance that the data EU citizens have uploaded into the cloud will be reviewed by the US due to the USA Patriot Act. This happens when the cloud providers are based in the US. This Act has enabled the US government to collect data and distribute them across its agencies. The EU Directive has a very broad meaning in its content. This leads US cloud providers to respect it. (36)

5.1.6 Sensitive information

Sensitive information is information whose loss leads to major organizational damage. The most important categories are geolocation information, metadata and biometrics. In the first case, laws have to be created and implemented to protect a person’s instant location as shown through GPS information systems. In the second case, URL information has to become private, as its collection may prove very profitable for the provider but very damaging for the customer. Finally, remote biometrics lead to the social security number of citizens. This number is not used as a number but as a password, and governments can collect valuable information about a person without even having the trouble of requesting it. The protection of these three information retrieval aspects has to be enhanced or the consequences may prove inevitable. (37)

5.2 Data controllers and data processors

As technology advances, both companies and individuals are turning their interest towards using only cloud services, services that forced the world to form rules like those mentioned above. One of them is the Data Protection Act, which represents the United Kingdom and reflects the EU, and has as its main subject the processing of personal data by the controller. It is divided into eight chapters and it generally states that the data controllers are responsible for addressing the processors, who will be obliged to sign contracts with them. If the customer's data are stored outside the European Union, the customer has to invoke the Data Protection Act in order to achieve protection (14).

In Cloud Computing, the existence of the data processor and the data controller is hugely important due to their different responsibilities. The controller is the one who has to obey the rules, and in case of a breach he has to pay the price. He also has to ensure that the data being processed are in compliance with the Data Protection Directive and the Data Protection Act (19).

According to the Information Commissioner’s Office, the cloud customer is, in most cases, the data controller and remains the legal entity that will decide who will process his data. He is the one who will comply with the rules. The cloud provider has to determine his role as it is not clear if he is the processor or even the controller. (ICO)

o Private Cloud: The cloud customer proves to be the controller. If the cloud provider is responsible for the maintenance of the infrastructure provided to the customer, then he is the processor.

o Community Cloud: There can be many controllers, as many of them access the same cloud service. If one of them is also providing the cloud infrastructure, then he is the processor for the others. For instance, a big enterprise provides cloud services to other enterprises. If the cloud customers want to share their personal information with others, they need to clarify their intermediate roles.

o Public Cloud: In this case, the cloud customer faces problems in controlling his data over the provider, but he is required to comply with the current rules and specify how his data will be processed. The provider also determines how the data will be analyzed, and this also defines him as the controller.

Many organizations are hesitating to move to the cloud. If they do so, they need to take many parameters into consideration: which of their data they will upload to the cloud, and how the cloud provider that they choose will process their data. A cloud customer who is the controller has to ensure maintenance and constant checking that everything is under control. Furthermore, the Data Protection Act forces the data controller to have written statements that prove that the processor acts in accordance with the controller’s preferences and guidance. The cloud customer has to make sure that these contracts are negotiated in order to achieve compliance with the rules. Thus, the cloud customer should review many factors (18):

o The controller, who is the customer, has to be sure to check all the conditions, technical or not, that protect their data from loss or theft.

o The cloud customer has to ensure that the provider is offering his services constantly without availability issues.

o The cloud customers can also define third parties to help them increase the security of their chosen cloud services.

o The cloud provider must take the initiative to maintain and enhance their security standards.

There is no doubt that in IaaS the customer can keep his data encrypted from the provider, while in SaaS this remains very difficult as the provider processes the uploaded data in order to continue to the next steps for providing his services. Also, if there are indeed encryption techniques with an appropriate key that only the customer has, then this key should be protected accordingly, or else there is a breach and the consequences are the same as for a loss of data protection. In case of data deletion the provider has many copies of the data. But the customer can request that the provider deletes his information from the cloud. (18)

We all have noticed that in SaaS data are processed from third parties that have as a goal to advertise their products. They use our data in order to specify what products or services are suitable for us. But we, as individuals, have the right to protect our data from being analyzed without our permission. If we sign agreements before uploading our data that state that our information can be processed by others for advertising purposes then these data are accessed without any breaches. (18).

The Data Protection Act specifies that data cannot be transferred outside the EU. If they are, then all privacy conditions have to be met. The cloud provider, if asked, should always provide all the information on where the customer’s data is. (18)

When we are talking about international companies that affect thousands of companies and, in the next five years, almost all individuals, we observe that they face major problems in processing the data they hold. Multiple contracts have to be signed in order for the data to be transferred abroad. Until now, the EU has released some conditions under which “controller-to-controller” and “controller-to-processor” transfers can be made. (15).

Under the current presented laws the one who holds data for the controller appears to be the processor. IaaS providers should not be processors. They differ a lot from the SaaS ones. This creates confusion on who to trust your data and who to finally select to use. The distinction between who is the processor and the controller, according to Kuan Hon, should be completely avoided as the cloud computing customers should be responsible


For sure, there must be a separation between who the controller is and who the processor is, as different laws now apply to each one of them. Consequently, three main topics remain to be solved: the degree of freedom that the controller provides to the processor, whether the SaaS controllers keep track of end-users’ data, and whether the processor can be a co-controller due to the increased visibility and power to its users of the initial controller. Answers to the above concerns will be given through time. The relationships of the processor-controller will grow and will be controlled as their importance keeps increasing. (17)

5.2.1 Confusion on the processor’s identification

Data storage has become more important than its processing. The real problem with data storage is that there is no proof of where the data is held. Data protection rules cannot be immediately applied in each situation. The confusion about the processing of these data can be solved according to Dr Ursula Widmer, who states that the data controller is responsible for who will process his data. The controller also has to pay attention to whether the processor is complying with the locally implemented rules. Due to the fact that there are no exclusive data protection regulations other than the current laws, cloud users do not seem to have many options but to put the pressure on themselves. (29)

5.3 Contracting issues

5.3.1 SLAs

The Service Level Agreements (SLAs) define the future legal speculations of an agreement between the cloud provider and, in our case, the cloud customer. The customer needs to comprehend the context and the obligations that he has. He should also be able to know all the key symbols and the actions and operations of his chosen service. The customer must understand that it is his decision to agree on the statements of the contract. On the other hand, the SLAs should provide all the appropriate information that the customer needs, the condition of the service that will be provided and performance statistics, and cover all the financial issues. (20)

In most cases, the full length of a SLA is divided into five categories; (20)

o The consultation phase in which the customer tries to analyse, clarify and re-suggest the upcoming agreement.

o The planning of the contract follows. Both sides agree on signing the essential papers for their cooperation.

o The implementation. Here the customer leverages all the services that he has acquired.

o The maintenance phase in which the cloud service is being monitored and possibly updated.

o The completion of the agreement in which they both decide to expire their partnership.

The context of the SLAs must be very specific and accurate. There should be declarations of the purposes of the services, all the individuals or companies that take part in it, its length and how it is going to be terminated. It should also mention where the services will be leveraged, by whom, the time and the exact service that will be executed. It should also state historical statistics and metrics. Last but not least, clear specifications of the responsibilities of both sides should be included, with respect to their roles and the level of authority that they have, as well as reimbursements in case of outages. (20)

5.3.2 Criteria for the establishment of SLAs

Many SLAs retain unexpected results. They may be terminated due to failures of the service. Thus, the provider needs to have a series of criteria; (21)

o The availability of the service. The higher it is, the more the interested customers will be persuaded to use.

o The speed of the services.

o The encryption standards that it provides by default.

o Termination of the service percentages and statistics.

o Exact area that the data are kept that comply with the area rules.

o Movability of the data to another cloud provider.

o Exit plan that provides the customer with a flexible progression.

For every single cloud service that is provided an SLA agreement must be signed. SLAs differ a lot. For instance, if they are too costly, then the expected availability is almost 100%. In case of a cost free service the customer does not usually have any rights to complain about the outage of this service. (21)

SLAs remain the critical factor that unites the provider with the customer. They are made for the benefit of both of them as they serve the same interests. With their existence the end-user, as well as companies that use cloud services from other enterprises, can feel safer. On the other hand, the providers are struggling to achieve effectiveness in users’ services with increased flexibility and interoperability. (21).

5.3.3 Service Level Objectives Overview

The Service Level Objectives (SLOs) are specific and significant parts of the SLAs that contain information about the quality and the effectiveness of the provided services as well as their characteristics and specifications (21). Below are all the essential data protection methods that exist in the SLOs. (22)

o Existing laws. The customer who is the controller can consult all the local applicable laws that exist about the processing of his data.

o The goals of the provider under this agreement: The cloud controller should be aware of his provider’s reasons to access his data.

o Data Deletion: The customer should be able to request his data to be obsoleted completely and under any circumstances. Also, data that have been duplicated can be erased after the initial ones and not immediately. SLOs confirm the above actions.

o Law enforcement to requested data: The customer must be notified as soon as possible in case his data is being kept for governmental reasons. SLOs ensure that all of the applicable governmental moves will be noted and explained.

o Clarity: The client needs to know about all the sub-processors that will access his data in the future. SLOs should mention all of them.

o Liability of the provider: In case of data breach the customer must be notified with specific steps that are described in the SLOs.

o Location of customer’s data: The provider must verify that it is his own fault if the data has been accessed in another country where different laws are applied.

o Provider’s compliance with rules: The customer should know if his service provider has aligned his services with the locally established laws.

5.3.4 Inaccurate agreements for end-users

SLAs do not represent cloud customers as they should, because they have been built in such a way that their goal is to mislead the customer for the provider’s benefit. The metrics are inaccurate. (24).

Users that are mainly involved with SaaS services do not pay attention to the agreements that they sign. Most of the documents, though, cannot be understood clearly as they have been changed in such a way as to deceive the end-users. In order for a company to misinform its customers, different methods are used. (25)

Lexical choice is the method by which the end-user understands the purposes and statements of the agreement in a different way than he should. Syntactical transformation and negation are other methods by which the end-user’s privileges and rights are deemphasized. Modality is a method that seeks to establish multiple meanings in each sentence. The correct way to create these agreements is for the IS managers and the system designers to provide statements that give both the user and the provider the advantage. This means all agreements should be redesigned and tables in them should be categorized in an order that the client can comprehend. Also, companies should have their policy agreements P3P compliant. In this way the user will not have to worry as his contract will now be sealed. Lastly, users should be given the chance to opt out and remove their personal information. (25).

To sum up, there are many methods that can be used to ensure data privacy for end-users and enhance their trust towards enterprises. All of the above should be implemented slowly. This is how the end-user can monitor and control them.

5.3.5 Proper approaching of SLAs

According to Salman A. Baset, SLAs have become more customer oriented as customers are the ones who have to notice breaches. This happens because none of the current IaaS cloud providers provide performance insurances, as they focus more on availability matters. SLAs are lacking in offering major insurances to their customers like a more private environment with failure readjustment measures. (30). Nevertheless, Cloud Computing has benefited from the existence of SLAs. Customers have the right to negotiate their agreement and ask for legal advice. SLA statistics are provided from how end-users perceive their cloud services, and in order to understand them correctly these agreements should offer speculations about the data centres in which data are being kept. (31)


Surveys

6.1 Survey Design

Surveys remain a good methodology in order to identify and derive to conclusions that refer to a population that is too big to measure. Our survey is an assessment survey as we are referring to a problem and we try to find a solution through it. The survey that we will follow is going to be an online one in a questionnaire format that will be easy for our responders to find and answer. The general steps that we will follow while conducting this survey are described below;

o Indicate the evaluator; In our case are students of the same university

o Indicate the interested parties; Those who will declare interest in participating like end-users of cloud services

o Identify the goals; This survey has been created for the purpose of finding solution on the cloud computing legal threats that have been mentioned from an end-user perspective.

o Identify the results; The results will be provided in a way that future researchers can use these results and advance their research to a level that will provide them with solutions.

o Identify the tools; We used an online software tool that is appropriate for exposing the survey and outlining and describing our results.

While creating the survey we have kept in mind specific questions that will enable us to derive the results we want. Specifically our guidelines are;

What is the core problem of cloud computing end-users and how is the SaaS being handled so far?

How do we expose the survey in such a way that we target to our desired responders category?

How do we understand the results after and how do we report them?

Taking these parameters into account we have conducted a survey; all of the 14 questions that were asked to end-users can be seen in Appendix A. The answers are scaled from 1-5, with 1 being the lowest and 5 the maximum for each answer. The participants were selected from our common friend environment. It should be noted that all of our participants are well educated and their age varies from 18 to 35 years old. We asked them directly to participate as we chose who would participate. The number of our respondents is 108.

We asked them 14 specific questions in order to find out

1. what their current knowledge is about cloud services that they use,

2. their willingness to change providers,

3. their level of interpretation of the agreements they sign as we identified from our literature review that these contracts are not readable and

4. how worried they are about their cloud outages and data losses.

From their answers we expect to obtain results that will help us provide a solution that will be based on these answers, as end-users play a very significant role in how SLAs and governmental rules are being created. In Appendix A, a figure has been created out of each question visualizing the percentage frequency of each answer.

In Appendix A, we can observe all the frequencies that indicate what our responders answered. Our questions were designed in such a way that we mention all the aforementioned topics in cloud computing legal threats and find the possible relations between the questions that will provide us with more answers. Thus the questions were divided into four main categories;

Current awareness of applicable laws;

Q1: Laws have been created in order to force companies to conform to specific rules that protect user's personal information and make sure these data are not exposed. How aware are you of the applicable laws in your country that serve your rights?

Q2: How knowledgeable are you about the differences and similarities of EU and US data protection laws?

Cloud provider and end-user confidentiality issues;

Q3: When you use such an online application, how aware are you of where your data are being kept?

Q4: The contract that you sign before you create an online account, in any cloud service, should be in compliance with the applicable laws of your country. How much would you rate the level of compliance that companies have?

Q7: Please rate the number of possibilities that the data you upload from the moment you agree on using a cloud service might be exposed to other cloud providers?

Service Level Agreements;

Q5: Do you pay attention to these contracts when you sign them? How clear are they to you?

Q6: In most cases this contract is one way to go; agree or leave it. Obviously most users would prefer to negotiate the contract before signing it. How many times have you negotiated such a contract?

Q8: In case of data breaches from your provider, you can request for compensation. From scale 1-5 how much do you have to try in order to request for such a compensation?

Q9: In case of poor availability from your cloud provider you may request for your data to be obsoleted. Do you believe that your data will be completely deleted?

Cloud outages and end-user’s responses to them;

Q10: If you cannot access your data in another country that you may be (due to different existing laws), would you continue using this cloud service?

Q11: Enterprises focus on profits. Laws are becoming more and more strict and in the end they have to comply with them, agree on protecting end-users data. Do you think that through time the companies will respect their customer’s privacy in the future?

Q12: Would you stop using an online application (f.e. a specific email account) if you realized that your data and your metadata (other cloud providers that connect their services with these data) will be exposed to other cloud providers/companies?

Q13: Do you believe that there can be a safe, secure online environment that will control how companies use and share the data they have?


Q14: How content are you with the current level of data protection that companies offer?

In order to make the statistical analysis and provide the correlations between our questions we need to clarify to which questions we can apply correlation methods. We explain below what our expected correlations are, and in the next chapter we identify whether there are indeed correlations by following specific steps.

Based on our literature review and our own personal judgments we have specified a theory of people’s attitudes towards existing Cloud Computing legal threats. Thus, we have designed the survey through this theory and then we interpret it through our results from the survey analysis. In figure 22 of Appendix A, we are visualizing the expected correlations that we have between the questions. These correlations are the outcome of the research of the literature review because some questions are the outcome or the consequence of another one. Also, from the results of the frequencies that we visualize in the Appendix A from each question we also obtain a better understanding of what correlations we can make. Taking this into consideration we have created 40 correlations. Each pair of questions belongs either to the same category, where the meaning and the expected results are similar, or to different categories. In figure 22 we have connected these questions and the arrows go in both directions as the correlation is expected to be either positive or negative.

Questions with the most correlations are number 14, 1 and 3. These indicate the level of people’s knowledge about the laws, the location of datacenters and their current satisfaction against the cloud providers. The rest of the correlations were made from our own judgment by connecting our findings from our literature review. In the Survey Results we will find out what correlations do exist through statistical analysis.

6.2 Survey Results

As mentioned, in the Appendix A we observe the frequency of the answers of our responders. From these frequencies we have concluded to some observations. Briefly these observations are stated below;

o Basic knowledge about existing laws, similarities and differences between the laws across various countries as well as the location of their data.

o Biggest percentage of responders do not read contracts from cloud providers, are not negotiating those contracts in any level.

o Equal distribution between yes and no on if end-users should request compensation in case of data breach and the chances that data breaches happen.

o Most of end-users do not believe their data will be completely deleted if they request so and they are not willing to use a cloud service if availability is lost.

o Equal distribution on answers between yes and no on the trust degree that exists between end-users and providers as well as the current satisfaction on how providers handle their data.

Having already made our expected correlations we should clarify what statistical analysis we will apply to verify them. We have to report

o The significance level “a”.

o All the “p” values.

o The value “a” which is the probability of our choice. If p<a then the null hypothesis is rejected and we have alternative hypothesis. On the other hand in every p that is above a, we cannot reject the null hypothesis.

For our first step, let us briefly describe how we measure the significance in each of the correlations that we will attempt. Generally, statistically significant outcomes are the ones that are not due to chance. It is of vital importance that our results are statistically significant. We need to consider two factors before we indicate the percentage that we will choose to measure the significance. Firstly, we have the sampling error, which is close to non-existing because our sample was collected by choice and not by luck. Also, the probability as a term can never assure us that it is fully correct as it remains a probability. Most scientific reports state that the probability of making a wrong decision is around 5%. This is aligned with the consequences of making a non-valid decision. The chance that we get statistically significant results is getting bigger as our sample is getting bigger. We interpret that anything above 5% (p>0.05) is a big possibility that the results happen by chance and we will not measure any correlations because our sample is relatively small. Thus, the p should be less than 0.05. Thus our significance level “a” is a=5%.

For our second step, in the table below we visualize all the p numbers in order to measure the statistical significance among the questions. Any number below 0.05 indicates that we can apply a correlation method and interpret outcomes out of it. Table 1, which can be found in Appendix A, indicates the statistical significance between each pair of questions. It was measured with the help of a statistical tool and each number was calculated separately. The table is also useful for future work that researchers might need to use for further analysis.

For our third step, let us clarify that H0 is our null hypothesis and we cannot reject it as there is no correlation between two questions as they are independent. H1 is our alternative hypothesis in which there is a significant correlation between the two questions and consequently we reject the null hypothesis.

Finally, in order to find what correlations we can compare we just have to declare the numbers that are below 0.05. These are highlighted in the table 1 in the Appendix A. In this case we reject H0 (null hypothesis) and we have H1. In figure 23 of the Appendix A we can also find all the correlations that proved to be statistically significant from our expected correlations with a green arrow as well as the correlations that do not exist with a red colour. We indicate that we reject the null hypothesis in all the correlations with green colour whilst we cannot reject the null hypothesis in all the ones with the red colour. Thus, we move on by describing the correlations that we have identified that exist (H1) as there is no reason to discuss the absence of a correlation when the null hypothesis is supported.

The correlations that are derived from them are the following;

C 1: Q4 and Q11; We will find the correlation between what end-users believe is the current level of compliance with laws and their belief on if providers will respect end-user’s privacy.

C 2: Q4 and Q13; We will find correlation between what end-users believe is the current level of compliance of providers with laws and if their data can be stored in a private place by these providers.

C 3: Q7 and Q14; Here we will compare if end-users believe that their data will be exposed and the level of their current satisfaction against their providers.

C 4: Q8 and Q14; We will find the correlation between the level of satisfaction and the degree that end-users would request a compensation from their providers.

C 5: Q9 and Q10; In this case we will try to find the correlation between the willingness of end-users to change provider in case of poor availability and their level of belief that their data will be deleted if they want to.

C 6: Q12 and Q13; We correlate if end-users would stop using a cloud service and if they anticipate for someone that will control efficiently their providers in case of a data breach.

C 7: Q13 and Q14; We correlate if end-users are currently happy with the existing services and their belief of the existence of someone controlling the providers.

We observe that in C 2, C 5, C 6 and C 7 the p numbers are close to 1%, which shows how big the statistical significance is and that their correlation is not by chance. As mentioned before, we will also evaluate C 1, C 3 and C 4 as our selected p should be less than 5%.

We also observe that all of the p values that we see in the above table are very big and not close to our α=0.05 value, except the ones below “a”. Thus we continue assuming that we reject the null hypothesis and that there are no cases in which we want to discuss the absence of a correlation when we cannot reject the null hypothesis.

Before we identify what correlation method we will use we should clarify what correlation method we can actually apply. One major factor to limit down our analysis methods is to find out if our variables have a normal distribution or not. We observe that our collected data are ordinal (higher value means higher ranking) and each variable is not individually normally distributed. Thus there is no option for a Pearson correlation. Because the measurement is in ordinal terms, it can never be normally distributed. Our data is in Likert scales and this cannot be normally distributed as our 5-point Likert-type scale is an ordinal variable, so by definition it is not normally distributed. The preferable correlation method for our case is the Spearman one as it measures the correlation by the monotonic relationship between two variables.

We will indicate as ρ1…7 the Spearman correlation of each of our seven correlations. We should keep in mind that the calculations are made by measuring the ranks of the variables. (38). We also take into account that as the ρ comes closer to -1 or +1 the strength of the association is bigger. Specifically;

Small correlation exists between: 0.1 < |ρ| ≤ 0.25

Medium correlation exists between: 0.25 < |ρ| ≤ 0.5

Large correlation exists between: 0.5 < |ρ| ≤ 1.0
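The steps described above (significance level a = 0.05, the H0/H1 decision, Spearman's ρ on ranked Likert answers, and the small/medium/large bands) as an added Python example; it is not the thesis's own analysis, which was done in SPSS and Excel. The answer lists are constructed, the p-value comes from a permutation test rather than SPSS's method, and the "negligible" label for |ρ| ≤ 0.1 is an assumption because the page defines no band there.

```python
import itertools
import math
import random

ALPHA = 0.05  # the significance level "a" chosen on the page


def average_ranks(values):
    """Rank 1..n; tied answers share the mean of the positions they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    start = 0
    while start < len(order):
        end = start
        while end + 1 < len(order) and values[order[end + 1]] == values[order[start]]:
            end += 1
        for k in range(start, end + 1):
            ranks[order[k]] = (start + end) / 2 + 1  # positions are 0-based
        start = end + 1
    return ranks


def pearson(a, b):
    """Pearson correlation of two equal-length numeric sequences."""
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - mean_a) * (q - mean_b) for p, q in zip(a, b))
    var_a = sum((p - mean_a) ** 2 for p in a)
    var_b = sum((q - mean_b) ** 2 for q in b)
    if var_a == 0 or var_b == 0:
        raise ValueError("rho is undefined when all answers to a question are equal")
    return cov / math.sqrt(var_a * var_b)


def spearman_rho(x, y):
    """Spearman's rho: Pearson correlation computed on tie-averaged ranks."""
    if len(x) != len(y) or len(x) < 3:
        raise ValueError("need two answer lists of equal length (at least 3)")
    return pearson(average_ranks(x), average_ranks(y))


def permutation_p_value(x, y, draws=5000, seed=1):
    """Two-sided p-value for H0 (the two questions are independent)."""
    rx, ry = average_ranks(x), average_ranks(y)
    observed = abs(pearson(rx, ry)) - 1e-12  # tolerance for float rounding
    if len(x) <= 7:  # small sample: enumerate every permutation exactly
        results = [abs(pearson(rx, perm)) >= observed
                   for perm in itertools.permutations(ry)]
        return sum(results) / len(results)
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    shuffled = list(ry)
    hits = 0
    for _ in range(draws):
        rng.shuffle(shuffled)
        hits += abs(pearson(rx, shuffled)) >= observed
    return (hits + 1) / (draws + 1)


def strength(rho):
    """Bands from the page; 'negligible' below 0.1 is an assumption."""
    size = abs(rho)
    if size > 0.5:
        return "large"
    if size > 0.25:
        return "medium"
    if size > 0.1:
        return "small"
    return "negligible"


def evaluate(x, y, alpha=ALPHA):
    """Apply the page's decision rule: reject H0 only when p < alpha."""
    rho = spearman_rho(x, y)
    p = permutation_p_value(x, y)
    return {"rho": rho, "p": p, "reject_h0": p < alpha, "strength": strength(rho)}


if __name__ == "__main__":
    # Constructed 1-5 answers from twelve hypothetical respondents.
    q13 = [1, 2, 2, 3, 3, 3, 4, 4, 5, 5, 2, 4]
    q14 = [2, 1, 3, 3, 2, 4, 4, 5, 4, 5, 2, 3]
    print(evaluate(q13, q14))
```
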

The software program that we are using is IBM’s SPSS and consequently the figures are a result of its usage. We can see from the figures below that the significance number is the same as in our previous calculations, which were made with Microsoft Excel, where through a regression analysis we acquired the statistical significance numbers of all of our variables. Now, let us describe our findings and provide our observations that will lead us to our Discussion with valuable interpretations. The figures that represent the below correlations can be found in Appendix A.

In figure 1, we notice that the correlation ρ is 0.182 which means that the correlation between Q4 and Q14 is small but exists. In this case, we understand that the more the end-users trust that their cloud providers are in compliance with the laws the more they think that through time they will respect more their data that they hold. This is an interesting correlation because we interpret that companies show that they try to align their services to the existing rules and this affects the opinion of their customers in the SaaS environment.

In figure 2, we notice that the correlation ρ is 0.257 and it is a medium level of correlation. Here the more the providers obey to the governmental rules the more this affects the common belief of the end-users that there can be someone that will observe how these providers act in the future. From this we understand that end-users believe that their cloud providers can be guided in the future in order to protect customer’s data. The level of trust of end-users increases only if their providers offer a standard level of protection that is aligned with the rules that in the end are made to protect user’s data.

In figure 3, we notice that the correlation ρ is -0.174. This means that the correlation degree is low and that we have a reverse relation between our variables. Specifically, the more the cloud customers believe that their data will be exposed to third parties the less content they are with the current level of protection that is offered from cloud providers which makes sense. From this correlation we interpret that due to the small correlation degree users may eventually be happy in case of data breaches but these data breaches should be transparent to the end-user.

In figure 4, we notice that the correlation ρ is -0.220 which is a negative number. This means that the less end-users negotiate contracts before signing their agreements the more happy they are. This is a small correlation but we interpret that these users do not pay attention that much to the negotiation part in the SaaS environment.

In figure 5, we notice that the correlation ρ is 0.272 and it is a medium level correlation. The more users believe that their data will be obsoleted if they request it, the more they care about service availability. If they feel comfortable about their data handling then they care about availability of the cloud services they use. Thus, security remains a top priority for all SaaS users.

In figure 6, we notice that the correlation ρ is 0.320 and it is a medium level correlation. End-users believe that there can be someone that can control cloud provider’s data centers and their encryption level and in the same time they seem strict if their data are exposed to other providers. They are reluctant to continue using cloud services if data breaches happen but if they do, then they are sure that their providers will accept being monitored.

In figure 7, we notice that the correlation ρ is 0.305 and it is a medium level correlation. The more happy the end-users are the more they trust for someone to monitor cloud providers in the future. If they are content with the current data transfers and agreements then they are more assured for the well-being of their data in the future.


Interviews

7.1 Research Strategy

The research strategy is the scientific methodology that we will follow in order to answer our research questions. These methods are aligned to the content of our research questions. First of all we need to identify the nature of them. There are generally 2 main categories of identifying how to answer them (23): trying to analyse the “what” questions, which lead to exploratory research, and the “how and why” ones, which lead to explanatory questions. In our case, we try to find “what” the solutions to cloud computing existing legal threats are, so we are prompted to follow the first path.

We have conducted multiple interviews and we have applied one case study for all of them as the questions remain the same due to the answers we want to extract. We want them to be similar in nature and because we do not want to collect answers based on personal feelings but only experiences. Our protocol’s main goal is to gather data from our interviewees and we present how these data were extracted. We used this protocol in order to achieve accuracy in our results. Furthermore, our interviews that belong to our case study provided us with all the essential information that we need in order to provide a unique solution. Taking into account the different interview designs that exist we followed the structured interview approach because of the fact that we need specific answers about specific subject. We mainly followed six phases of interview research;

• Categorizing: Create the goal of our research and provide a general description to the interviewer before each interview

• Planning: Compose the general architecture of our questions and research in general

• Interviewing: Execute the interview by keeping in mind all of the previous steps

• Transcribing: Translate the interviewee’s answers to text

• Evaluating: Selecting the method for categorizing the answers based on the answers that we have received

• Validating and Noting: Validating and provide the statements of our answers to this paper

This research approach is qualitative, as we need to identify the solutions proposed by cloud computing specialists with deep knowledge in the field of cloud services. The questions were structured to extract as much information as we need in order to find out what their current thoughts are on the future of cloud computing legal issues. Thus, the questions were direct.

In our four interviews we managed to have interviewees with different roles in cloud computing. In the first one, we have an IT specialist who currently works for a cloud provider that offers its cloud services at a B2B and B2C level. In the second one, we have an IT architect who also works in consultancy, promoting cloud services to B2B clients. In the third and fourth ones, the interviewee works for a cloud customer that uses cloud services from other providers; their perspective on the cloud is valuable because we need to see what their views are on the future of the cloud as customers.


After they were recorded, the interviews were transcribed into text in Appendix B. The validity of our answers and records was checked by a colleague of mine, who also transcribed them; later on we compared both transcriptions in order to find the same answers.

7.2 Analysis and report

After finalizing the transcription part mentioned before, we analyse the full content of the answers that we have received. We used various techniques to analyse our answers, as we wanted to shrink the text and keep the most valuable answers.

To analyse the text, we first read the interviews in full in order to comprehend the general meaning and how, and in which ways, specific answers can be interpreted. Later, we identified similarities and differences between the answers to each question. The answers are related across all the interviews, as the questions remain the same. This is why we made generalizations from these answers, then created five categories for all the interviews and placed the most important generalizations into these categories. Each category is highlighted with a specific colour, and consequently the answers are coloured, as we can observe in Appendix B. In our Empirical Study we can see the categories and their generalizations as well as our outcomes and observations of them.

As far as the validating and reporting parts of our research strategy are concerned, our participants have every right to read this research paper, as they contributed to providing a future solution for our readers. Our readers are university professors as well as students who have access to university research content, and they have the chance to extend the current paper by taking our findings and results into consideration. Also, the writing of this paper is academic and our sentences have been selected carefully.

This chapter is structured to tell our audience what the methodology is, how we approached each interview and why, how we analysed the content, and where we provide our interpretations. The latter are described partially in the Empirical Study, and the solutions in the Conclusion chapter under the third research question. Lastly, the integrity of our report as well as the confidentiality between us and the interviewees are important, as we retain a relationship of trust.

7.3 Empirical Study

The findings of our interviews, which are categorized by colour in Appendix B, can be seen below; they will enable us to answer our third research question later on.


Interview 1

Role and expertise level

• IT cloud advisor and architect in a cloud provider enterprise

• Using cloud services in personal life and working environment

• Promoting cloud services to clients

Expectations

• Availability is not an issue by most enterprises/customers

• New Cloud Computing paradigm is being designed in order to avoid any kind of data losses

• Providers are adhering to existing governmental privacy rules

• End-users will not stop signing contracts that give the opportunity to the provider to have ownership rights for the data

• Data should be shared only with affiliates

• Providers give customers blank servers and let them encrypt their data

Preferences

• Multi-zone providers with multiple data centers are most favorable

• Cloud is easier and more flexible than ever, requiring entry level experience to leverage its capabilities

• Security measures should be identified prior to the signing of contracts, or else the cloud customers should create new measures and privacy insurance techniques

• Providers are seeking to store client's data in their region in order to ensure compliance with the according rules

• Cloud customers should provide their own encryption and lost data become at least unreadable

• Notifying the customer is number one priority if data are lost, what type of data and what steps will be taken to retrieve them back

• Cloud providers can sell data as they feel obliged to them through their agreements

• Providers offer long term availability because of the low costs of maintenance that exist for their clients

• Information to cloud customers about where data is stored has been already provided

• Transformation of data should be owned by the provider while the initial data (before editing) should be owned by the customer

• Price and security are top concerns for cloud customers

• Providers should always have all the privileges in conducting the contracts

Suggestions and Improve

• In data breach situations, credentials should be revoked and complete notifications must be given

• Providers should negotiate more with end-users

• Providers should specifically define to their clients where the data centers are and what the applicable laws are for the data that they store

• Due to the nature of cloud contracts, rules must be improved in a united format in all countries as customers cannot and should not negotiate contracts

• Providers should publish what security measures they take for data encryption

• Providers should make readable the information and contracts that are given to customers

• External organizations are not needed; multiple jurisdictions should be narrowed down; too many rules may prove insufficient

• End-users should have more control for their data

• Negotiations between providers and third parties should be controlled by someone and inform customers about what these negotiations entail
