Nº 1 2013 > Current cloud regulation
Regulation in the cloud
Given the potential economic and social impact of cloud computing, policy-makers are considering how to embrace and harness the cloud.
The general principle is to ensure that what occurs in the cloud does not fall outside existing legal rules and controls.
This article draws on the chapter “Demystifying Regulation in the Cloud: Opportunities and Challenges for Cloud Computing”, by Professor Ian Walden, Queen Mary, University of London and Baker & McKenzie, which examines trends in the regulatory treatment of cloud computing. The chapter is part of ITU’s report Trends in Telecommunications Reform 2013.
Competition or control?
Consumer concerns about data portability may reflect broader worries about the competitive nature of the cloud market. For example, provider “lock-in” may occur within any segment of the cloud market — software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS). This can inhibit the movement of data, applications or services.
Anti-competitive effects may also arise from a lack of industry standards or from a de facto standard attributable to a market leader. Restrictive licence conditions may also undermine competition. For example, in April 2010, under its licence agreements with independent developers, Apple imposed the exclusive use of its own programming tools and approved languages for the development of iPhone Apps. The European Commission took the view that imposing such restrictions could do harm to competition, and in September 2010 Apple voluntarily removed the restrictions.
Public procurement practices may be another source of anti-competitive behaviour. One example is the case of Google versus the United States Department of the Interior. In October 2010, Google filed a claim against the United States Department of the Interior alleging that its public procurement practices relating to a USD 59 million contract for ICT services illegally distorted competition by requiring messaging technologies to be based on Microsoft Business Productivity Online Suite, thereby excluding Google from public procurements and restricting competition. The court granted an interim injunction in favour of Google. The judgement did not find bad faith or wrongdoing by Microsoft, but it in effect brought to a halt the deployment of Microsoft’s Business Productivity Online Services cloud computing solution and e‑mail system at the United States Department of the Interior. The decision was intended to avoid lock-in effects and harm to competition.
Cloud services enable cloud users to achieve efficiencies in equipment and real estate. But large data centres consume vast amounts of energy, raising environmental concerns. A recent report by MusicTank, for example, argues that close-to-consumer cloud storage may be needed to reduce the environmental impact of online music streaming services. The report suggests that YouTube alone accounted for 0.1 per cent of global energy consumption.
Steps have already been taken to encourage the operators of cloud data centres to minimize energy use. In 2009, for example, the European Commission issued a Code of Conduct on Data Centres Energy Efficiency. This set of voluntary measures targets efficiencies in the design and operation of data centres.
Mechanisms for reducing energy costs include building data centres where natural and passive cooling is available. Distributed storage techniques mean that data processing loads can be shifted to geographical zones where power is cheap. Similarly, the flexible architecture of cloud enables redundancy to be minimized.
Ensuring that cloud computing occurs in a secure environment is a concern not only for users, but also for governments trying to facilitate the take-up of cloud. Cloud service providers could use existing security standards, such as ISO/IEC 27001 for information security systems or SAS70, both of which provide for external auditing and certification.
Various cloud-specific standardization initiatives are being pursued. For example, the Cloud Security Alliance is developing the CloudTrust protocol to promulgate best practice in the industry and transparency for cloud users. Within ITU’s Telecommunication Standardization Sector, Study Group 17 has been working on cloud security since April 2010, developing guidelines and requirements in a number of areas, including identity management.
A third source of cloud security standards is the public sector. In some countries, public authorities are beginning to adopt cloud computing solutions offered by the private sector, but only where those services have been externally accredited as offering sufficient levels of assurance. Given the scale of public procurement of information technology products and services, such government-led security standards are likely to influence market developments. If these standards are over-specified, they risk undermining the cost-benefits of cloud computing by imposing unnecessarily stringent requirements.
The subject of data protection and privacy in the cloud is dealt with in a separate article (see https://itunews.itu.int/En/3412-Data-protection-and-privacy-in-the-cloudBR-Whose-cloud-is-it-anyway.note.aspx).
Facilitating cloud services
What measures should governments take to facilitate the provision and adoption of cloud computing? Some general approaches have been suggested. For example, in May 2012, the European Parliament published a study identifying ways that policy-makers should facilitate cloud computing. These include addressing legislation-related gaps; improving terms and conditions for all users; dealing with stakeholder-security concerns; encouraging the public sector cloud; and promoting further research and development in cloud computing.
The Business Software Alliance has published a survey of 24 countries to identify their level of “cloud readiness”. Each country was given a score based on an index of seven policy areas: privacy protection; information security; cybercrime measures; protecting intellectual property; ensuring data portability; liberalized trade rules; and the necessary information technology infrastructure.
The survey identified a sharp divide in cloud readiness between advanced economies (Japan is considered the leader) and developing countries. Obstacles to adopting the cloud include poor progress towards a national broadband network, restrictive policy on Internet content, a discriminatory approach to foreign technology companies, and the lack of an appropriate framework for the development of ICT standards.
A study in Africa produced a cloud readiness index based on factors such as Internet penetration, literacy rates and value lost as a result of electrical outages. South Africa ranked top, with Zimbabwe, Sudan, Senegal and Kenya also in the top five.
An ITU study on cloud computing in Africa, published in April 2012, recommended the following measures to facilitate cloud computing:
- Regulatory progress to address data protection and security concerns;
- Ensuring that States are aware of regulatory best practice;
- Careful preparation of cloud computing outsourcing contracts, including robust clauses on data security and availability;
- Ensuring that cloud contracts reflect regulatory requirements;
- Establishing data centres in Africa to reduce the cost of bandwidth and increase speed of access;
- Ensuring that data centres are service orientated, agile, automated, well protected and ecologically sound;
- Introducing or upgrading regulations such as data protection laws;
- Launching training programmes;
- Ensuring cross-border standardization and regulation by participating in cloud standardization initiatives.
A cloud readiness index for Asia evaluated 10 key attributes across 14 countries, including international connectivity, power grid quality, business efficiency and global risk (such as the presence of earthquake fault lines). It found that Japan led the region, with Hong Kong (China), the Republic of Korea and Singapore following closely behind.
Hong Kong’s international connectivity and many data centres gave it the potential to become a data hub for north Asia, while the Republic of Korea benefits from an ambitious cloud strategy involving government funding of up to USD 2 billion by 2014.
The widespread adoption of appropriate cloud standards is required to address a range of concerns among cloud providers and users, including the integration of legacy systems with cloud interfaces, and data and application portability and security.
Regulation can facilitate the adoption of cloud computing by establishing an environment in which both providers and users have certainty and trust.