Why are hybrid clouds so important

Seven tips for successful cloud computing

Hardly any IT trend is as provider-driven as cloud computing. With European business customers still far from the mass phenomenon, the number of companies that dare to tackle the topic is growing significantly. Ultimately, there will be cost savings and major cuts in administration. If you are thinking of venturing into the cloud, you should also keep an eye on the legal side in addition to the technical and economic aspects. Because the legislation is lagging behind the developments. Orientation points for potential pre-igniters.
1. Pay attention to the questions of liability - not only to customers!
It is no coincidence that technology is still considered a no-go, especially in the finance and insurance sector.
The more critical the data that the company releases via a cloud model, the more serious the consequences can be. “At the moment, cloud computing is good for applications without personal data, for non-business-critical content. Every company has to check for itself how high the risk of a project is, ”says Ralf Blaha, IT legal expert at Heid Schiefer Rechtsanwälte. "Liability is always an issue here because there are different obligations towards different groups: employees, suppliers, customers," says Karin Peyerl, lawyer specializing in data protection law at Cerha Hempel Spiegelfeld Hlawati. In addition to sensitive customer documents, there can also be problems with tax-relevant data. It remains the responsibility of the customer company to comply with retention and availability obligations.

2. Can your data leave Austria?
As young as the market for cloud solutions may be, the variety of providers is just as great. Some keep the locations of their data centers secret: a problem for their financial data, for example.  
Domestic companies such as Raiffeisen Informatik and S&T, European providers such as T-Systems play a role, as do offshoots from large international corporations such as IBM or Microsoft. Big players like Google or Amazon offer direct contracts with domestic customers. And more and more smaller IT houses want to play along. It is clear that there should be a relationship of trust with the provider, but not enough. The most important question is where the data is located. Some critical information is not allowed to leave Austria according to the data protection law or financial requirements. In contrast, Google and Co. lack any information about the whereabouts of the data. "They distribute the data all over the world, depending on capacity, the location of the data centers is secret," says lawyer Blaha. That alone may not be a reason for exclusion. In any case, it is important to know what you are getting yourself into.
3. How far should the data be outsourced?
In-house clouds, private clouds, hybrid clouds or full outsourcing: the legal situation changes depending on the level of outsourcing.
"For me, cloud computing is a special outsourcing area with new rules of the game," says Axel Anderl, partner at Dorda Brugger Jordis Rechtsanwälte. Accordingly, there are also a number of gradations in outsourcing. From a technical point of view, you can even speak of clouds in-house with some solutions. There are no legal concerns here. The next step is what are known as private clouds. The customer outsources the infrastructure to a specific provider in a specific closed data center. “This is actually traditional outsourcing,” says Anderl. The legal situation is relatively secure. If you dare to venture further into the cloud, hybrid models are available, in which companies keep their infrastructure and only outsource it at peak times, which entices with even greater flexibility and cost savings. According to Anderl, this area is also gradually becoming a “real issue”. How far one dares can only be answered if one takes a close look at the company's needs and possible risks.

4. Beware of US law!
The trend of data outsourcing is strongly driven by US companies - and as with so many recent developments, the contracts are often not adapted to domestic legal practices.
“Often, form-like contracts are used, and you can tell that the development is still in its infancy,” says Anderl. It is therefore advisable to enter into service level agreements, i.e. individual contractual arrangements, with the provider. According to Anderl, the contracts of the large corporations often contain “no liability and warranty in the sense that they are customary for continental European contracts”.
5. Integrate the ISO standard!
Pay attention to a minimum record for introduction, operation and maintenance in the contract.
Attorney Karin Peyerl from CHSH Cerha Hempel Spiegelfeld Hlawati advises integrating the ISO standard 27001 into the contract in order to have a benchmark for the provision of services. This standard regulates the requirements for the introduction, operation and maintenance of information security management systems. This ensures that logging is carried out in accordance with the standard. “That is certainly not a perfect solution, but the overall problem is that there are still no other standards by which one can act,” says Peyerl.

6. Pay attention to your user obligations!
Not only the provider of cloud applications but also their users have obligations that must not be neglected.
Lawyers argue that anyone who overlooks the fact that they owe a certain amount of debt to the cloud provider and has not obtained sufficient information can fall into the liability trap more quickly than they would like. Regardless of which provider you conclude cloud contracts with - it is always advisable to get external consultants on board. Not only do IT lawyers argue for their own business here, it also makes sense to draw on the knowledge of IT management consultants, for example. If consulting costs are enough to neutralize the savings and technical advantages of the cloud solution, the solution is not worth the money anyway.
7. In case of doubt: wait and see.
Various legal initiatives at EU level could clarify data protection law this year. It may be worthwhile for companies willing to outsource to wait and see.
"At the moment there are initiatives at EU level that examine the data protection aspects and examine whether the legal provisions in the member states are sufficient," says Anderl. So it can pay off to wait a little longer before jumping on the cloud bandwagon. At the moment, the legal aspects are certainly still the biggest obstacle to the spread of cloud computing. “The technology is miles ahead of the law,” says Blaha. "At this point in time, you simply have to assess the risks correctly and make a cost-benefit calculation to see whether it is already worthwhile for your own company."
Jürgen Leidinger