When we talk about security risks, in practice this possibility often does not
exist. In other words, the customer who provided data or content to the Grid/Cloud
supplier may suffer fatal consequences if such data are lost or damaged. An example
will clarify the point. SaaSforyou provides simulation services for aerospace companies
using the paradigm of SaaS and, specifically, it collects data from the clients in
order to create tailored simulations. In order to make such simulations, which require
huge compute capacity, SaaSforyou opted for the Grid or the Cloud, and therefore
the clients' data are processed in the SuperICTResources's infrastructure before
being delivered back to the final customers. One day, for technical reasons, the
data processed in the Grid/Cloud network gets corrupted or lost, so that SaaSforyou
is not able to deliver the promised simulations to the clients. The damage for the
company is huge in terms of image and reputation and, ultimately, it affects the existence
of the enterprise. SaaSforyou could not foresee this problem and therefore it
just has to face and solve the consequences. The company will expect some sort of
compensation from the technology provider and for these reasons the contractual
clauses on security and limitations of liability are absolutely fundamental. From
the technology provider's side, he is supposed to limit (or to try to limit, during
the negotiations) as much as possible his liability for security failures, while the
customer should try to allocate the risks to the supplier. If the SLA (or other agreement)
is negotiated between the parties, the customer should try to avoid clauses
similar to those frequently imposed by big international providers.
These provisions often state that the technology supplier will have no liability
for any unauthorised access or use, corruption, deletion, destruction, loss, etc. of any
customer's data or content, howsoever caused. In other words he does not guarantee
that he will be successful at keeping such data and content secure. In the case of
Grid/Cloud-based storing capacity, the provider may state that he does not warrant
that the data stored by the customer will be secure or not otherwise lost or damaged.
These clauses shift all security risks onto the customer, who should be aware of
that. These practices by big international market providers of Grid/Cloud-capacity
provision have induced many practitioners and commentators to point out the security
risks of Grid and Cloud computing (Brodkin 2008) and ultimately we could
even wonder whether the use of dispersed resources will prove to be a successful
business model.
What should the customer ultimately do to protect his business? It is advisable
to follow a twofold strategy: firstly, the client should require the provider to
list his security measures and systems in the SLA. A well drafted and complete
clause commits the technology supplier to adopt some specific standards, and in
this regard a provision like 'the provider will do his best to keep customer's data
and content secure' is too vague. In fact, in case of litigation, it will be necessary
to assess whether the provider really did his best to adopt security measures; therefore,
concrete criteria should be preferred. At the same time, the list of security
measures shall be flexible enough to contemplate future updates, so the provider
must be obliged to respect the most recent and efficient security measures even if
they are not listed in the SLA. If the parties do not draft this clause, the abovementioned
general legal principle of liability applies and, in concreto, the provider will