When a new technology emerges, there’s both a flurry of innovative experiments and a fair number of details that need some work. One detail still facing the new technology of cloud computing is where liability should rest in the case of a security breach.
A senior official at banking behemoth HSBC recently voiced an inconvenient truth about the cloud and financial services: If something goes wrong in the cloud, the IT department in the financial service firm might be held liable. In the case of the financial services industry, this could even mean jail time.
“Right now a financial services IT professional is at risk if he outsources a service elsewhere and a leak happens,” Barry Childe, the head of research and innovation at HSBC, noted at a recent industry event. “There is a risk that he would potentially go to prison. There's no get out of jail free card because he used a third party.”
Childe argued that the industry needs a code of conduct when it comes to cloud due diligence; there needs to be a standard to allow financial service firms to work with third-party cloud providers without having to take on the liability if one of these third parties screws up.
Several details need to be hammered out, in fact.
First, there needs to be clear awareness of the security issues involved with using the cloud, and transparency from the industry so prospective cloud buyers know the level of security they are buying into when they choose a firm.
Second, best practices and standards need to emerge within the industry so security is both less of an issue and easier to communicate.
The point raised by Childe highlights the need for better regulation regarding cloud service liability. While the law might currently send a financial services IT boss to prison if a third-party cloud services provider leaks sensitive financial data, few would argue that this is a tenable long-term policy regarding liability; who in their right mind would shoulder the burden of promising financial security if they were not also able to ensure that security is met? Without an adjustment in liability expectations, the cloud becomes a dangerous place for any industry using sensitive data.
While the term “stifling innovation” gets bandied about far too frequently, there’s a legitimate concern about stifling the growth of the cloud if these liability questions are not better addressed.
Some cloud providers are already working on the problem, and some of the non-regulatory solutions are starting to emerge.
BroadConnect, for instance, now offers a more secure cloud-based voice-over-IP (VoIP) solution: voice over private Internet, also known as “VoPI.”
As we noted a couple months back, “while standard VoIP works in an unmanaged environment, which can lead to a number of service problems, ‘VoPI’ is fully managed and optimized for high-level performance.”
That’s because VoPI runs over its own private, point-to-point circuits, bypassing the public Internet entirely. This means that it is not subject to the same security concerns as VoIP that travels over the public Internet. Consider it like a closed-circuit network shielded from much of the outside world.
Such solutions will improve the security of cloud services, enabling cloud services to be used in sensitive industries. But like any issue with a new technology, the full solution to such problems will take time.
Edited by Alisen Downey