Throwing Security Over the Wall
It is common knowledge that most cloud vendors do not accept responsibility for your data: you do. The Amazon AWS web services terms of service stipulate that the cloud vendor does not accept liability for lost or altered data, and that customers are responsible for “taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.”
OK, let’s assume the cloud vendor gets attacked by the ‘next generation of malware’ (like Flame), or just plain gets compromised. Some may think they can fall back on the cloud vendor, but the vendor has already said it is not responsible for the safekeeping of your data.
Other issues can arise, such as privacy and data-protection laws imposed by national, regional, and even local authorities. Some countries strictly restrict whether information may be stored outside the country at all. In the US alone, privacy laws can differ widely depending on whether the environment is federal, state, or local.
Where the data is stored matters immensely, because the data may fall under multiple jurisdictions at once. From a legal point of view, location matters. For example, if data is stored offshore, US laws may have no effect. Cloud vendors can store your information on a variety of servers across the world.
Another issue is who must notify people that their personal data has been compromised: the service provider or the organization? Who pays those costs? If an internal end user posts data that is later compromised, again, who is responsible? It would appear that in all cases you are.
Interesting subject. Any thoughts or real-life experiences? Have you dealt with this issue with your cloud vendor if you have one?