Legal issues in clouds: towards a risk inventory

Cloud computing technologies have reached a high level of development, yet a number of obstacles still exist that must be overcome before widespread commercial adoption can become a reality. In a cloud environment, end users requesting services and cloud providers negotiate service-level agreements (SLAs) that provide explicit statements of all expectations and obligations of the participants. If cloud computing is to experience widespread commercial adoption, then incorporating risk assessment techniques is essential during SLA negotiation and service operation. This article focuses on the legal issues surrounding risk assessment in cloud computing. Specifically, it analyses risk regarding data protection and security, and presents the requirements of an inherent risk inventory. The usefulness of such a risk inventory is described in the context of the OPTIMIS project.
