The prime risk management parameters are 'impact' and 'probability'. As the probability may be low, but not 'nil', an effective process must be established comprising two components to deal with actual risks:
Detection
Reaction
Detection (Chapter 3.2.4) is the process of flagging security incidents. Various studies show that only about 50% of all security incidents are detected within a week, while the rest are only discovered much later. Cloud computing complicates matters further. Detection of a security incident must trigger a suitable reaction.
Given the
changing architectures in Cloud computing, the procedures for obtaining
legal evidence of security incidents are subject to change, and both
enterprises and the courts have yet to follow suit.
Later in this book, we will examine the big picture of managing identities and authentication for a user's Cloud ecosystem, and explain why these are strategic factors that must not be underestimated.
2.3 Cloud and the Law
Cloud Computing and the migration of private data (personal, business or
Government) to a Cloud provider are, as any larger technology project in the
business field, not only a technical, but also a legal matter. The three fields
of law most relevant in this context are data protection, compliance and
contract law.[8]
2.3.1 Applicable law
From a legal point of view the first and most fundamental question to be
asked in the context of Cloud Computing is that of applicable law. This is
because different jurisdictions may have quite different provisions in the
relevant fields of law.
The question of which law is applicable also arises within the EU, despite all
harmonisation efforts. On the one hand this is due to the fact that
community law does not exist for each and every field of law or legal
question. On the other hand national differences exist even within the
[8] An expanded version of this chapter can be found under