Out of all the security concerns related to cloud computing, here's one you might not have considered: Customers using cloud services may put themselves at risk of patent litigation.
It may be a small risk, but it is another issue to consider when assessing the pros and cons of cloud computing, says Nolan Goldberg, a patent and trade secret litigation attorney for Proskauer Rose LLP in New York.
"I think IP [intellectual property] is going to be a huge barrier to cloud adoption," Goldberg said. "Using a cloud service creates a different risk profile than using a non-cloud version of the same service."
The court system is clogged with frivolous patent lawsuits, and customers who use a service that allegedly infringes on a patent could be sued through no fault of their own, said Goldberg, a speaker at the Interop Las Vegas trade show. Plaintiffs often go after customers in cases where a physical product may violate a patent, and the same litigation method could be used in the world of cloud computing, he said.
"One model of enforcing patents says I can go after the manufacturer, but once I do I'm done because then all his sales are licensed," Goldberg said. "But if I keep going after all his customers, I can keep going forever and the customer is really not in the best position to fight back. So it creates increased risk."
Goldberg used an example from the manufacturing world to explain how a customer could infringe a patent simply by using a product.
"If the supplier makes a machine capable of performing A, B, and C, but the customer is the one who actually presses the button that performs the steps, in that case the customer could be the direct infringer, and the supplier might be the indirect infringer," Goldberg said.
In the retail world, it's relatively easy to assess the risk because the manufacturing process and supply chain contain defined steps that customers and vendors may have visibility into, Goldberg said. But users of a cloud service hosted by Amazon, Google or some start-up may have little information on what happens under the covers.
"It's a bit of lack of transparency that makes it harder to investigate and assess your risk," he said.
How much actual risk is there? Is it enough to make cloud computing unappealing? Those questions, like many in the legal world, are tough to answer.
"There's an external exposure that you wouldn't have, but for the fact that you're using a cloud service," Goldberg said. "So is it a half a percent increase in risk? Is it a 2% increase in risk? And do we care, right? But, when you're figuring out the bigger question -- why do I move to the cloud? -- if the answer is to save money, are you really going to save money if you're trading a little bit of IT costs up front for a huge legal bill down the road?"
Legal risks go beyond potentially frivolous patent lawsuits, Goldberg said. He is advising his clients not to put the most sensitive information, or a company's "crown jewels," into a cloud service because of the risk of exposing trade secrets. Customers have to evaluate the importance of data on an application-by-application basis, examine potential ramifications and the "increased risk profile" of the cloud, and "measure that against your benefits and make an informed decision," he said.
Service providers get tons of requests for private data from the government, which raises questions in multi-tenant cloud services, such as whether requests for one customer's data can impact the data of another customer, he said. Additionally, data in cloud services may be stored in multiple geographic regions, and storing data in one state rather than another might put a customer at increased risk of litigation.
Contracts with vendors typically say the vendor can change the terms of a contract at will, making it difficult to advise clients on risk, Goldberg said. The actual enforceability of a contract really isn't known until the contract becomes subject to a legal battle.
Even the question of who owns data in a cloud service is tricky, because vendors may have some rights to view data with automatic scanning tools and for behavioural marketing purposes.
"Who owns your data when it's placed on a cloud?" Goldberg said. "It may seem to be an easy question. You own it -- but do you, completely?"