Sampling of issues we are addressing

Electronic Discovery

Legal systems in both developed and developing economies generally presume that a company, as a legal entity, will possess and control the records and information assets that may serve as evidence in legal proceedings in which a company may be involved. Further, there are various important affirmative legal duties for a company to preserve and produce those records and information assets in those legal proceedings, including regulatory reporting (tax records, environmental discharge reports), compliance audits, internal investigations and, of course, civil litigation.

In the 21st century, cloud computing business models (a) challenge the presumption that a company possesses, or even controls, all of the digital business information for which the law imposes duties to preserve and produce, and (b) potentially jeopardize a company's ability to preserve and produce required records and information. As a result, companies face substantial barriers to implementing cloud computing solutions if, as a result, their compliance capabilities and legal profiles are compromised.

The rules of evidence in both civil and common law systems also emphasize the importance that business records and information be authentic and reliable as evidence. It is vital to assuring the long-term success of cloud computing that information security management be a strong feature of the varied service agreements, in order that the records and information in the custody and control of the service provider align to the standards for authenticity and reliability required by their customers and the surrounding legal environments.

Portability and Interoperability

Businesses using the cloud should be prepared for the worst. Yes, large cloud providers can make it easier to handle general availability issues well. But what happens when the cloud provider isn't good enough? What are the considerations for moving applications across clouds? Or should businesses perhaps consider building a cross-cloud solution in the first place?


The ability to govern and measure enterprise risk within a company owned data center is difficult and still in the stages of maturation in most organizations. Using cloud computing resources could lead to many new unknowns in the areas of governance and enterprise risk. Online agreements and contracts are untested in a court of law and consumers have yet to taste an extended outage of services that they may someday determine is needed on a 24x7 basis. Questions still remain on the ability of user organizations to assess the risk of the provider through onsite assessments. Governance of the provider's facilities and services could leave the user without recourse or recompense placing the risk of use squarely on the shoulders of the user. The storage and use of information that is considered sensitive by nature may be allowed but it could be unclear as to who is responsible in the event of a breach. If both the code authored by the user and the service delivered by the provider is flawed, who is responsible?

15 Domains of Concern

  • Information lifecycle management
  • Governance and Enterprise Risk Management
  • Compliance & Audit
  • General Legal
  • eDiscovery
  • Encryption and Key Mgt
  • Identity and Access Mgt
  • Storage
  • Virtualization
  • Application Security
  • Portability & Interoperability
  • Data Center Operations Management
  • Incident Response, Notification, Remediation
  • "Traditional" Security impact (business continuity, disaster recovery, physical security)
  • Architectural Framework