Feeds

Cautious Brits less likely than US firms to puff on clouds - survey

'The UK attitude is it is inherently less safe with a third party'

High performance access to file storage

A "fragmented" legal framework, the "attitude" of regulators and a naturally cautious approach to security issues are among the reasons why UK businesses have made less use of cloud computing than US counterparts, according to experts.

IT law and cloud computing specialists Charles Park and Christopher Mann of Pinsent Masons said that EU financial services rules also present a sizeable regulatory barrier to businesses in that sector that are looking to utilise the cloud.

A survey by Redwood Software, of 100 UK and 200 US senior IT decision makers at a range of companies with more than 1,000 employees, has revealed that 58 per cent of US businesses use cloud computing for "private data storage" purposes compared to just 35 per cent of UK firms.

The survey also showed that while 47 per cent of US companies use cloud facilities for "capacity management", just 24 per cent of UK firms do the same. Fewer than a half of UK companies have considered using the cloud to deliver a "more integrated supply chain", compared with 81 per cent of US businesses, according to Redwood Software.

The software provider also said that its survey had recorded more positive attitudes towards cloud computing from US companies than from their counterparts in the UK.

Charles Park said that UK businesses may have an unduly negative attitude to the security associated with outsourcing.

"I think there is a more conservative approach towards, for instance, security risk," Park said. "The UK attitude is 'it is inherently less safe with a third party' whereas there is a strong argument the reverse is true, if you opt for a reputable supplier with industry-accredited security levels. The industry has generated a lot of hype, so caution, if not scepticism, is understandable."

Park added that the greater prevalence of start-up firms in the US is likely to be another factor, as the pay-to-use model suits their cash flow requirements. Christopher Mann said that cloud providers may have engaged in more "lobbying" for business and on regulatory issues in the US because of the complex nature of operating in the EU market. However, he said there had been signs that this trend was changing.

"The approach to regulation in the EU is pretty fragmented – in spite of intentions to the contrary," Mann said. "This is particularly so in the cloud space given that relevant rules, even if they are somewhat harmonised, can be approached and interpreted differently. I expect this compounds the tendency for providers to see the US as a bigger market and so prioritise any necessary lobbying there. However, we have seen cloud providers lobbying in the EU of late – part of this may be the natural progression as the US market becomes more saturated."

Last year the European Commission outlined plans to create new model contract terms that businesses could use in forming contracts and service level agreements with cloud computing providers in a bid to improve businesses' trust in using cloud technology. The European Telecommunications Standards Institute (ETSI) has also been asked to help set out what new standards are required for the way that cloud services work. Those standards could relate to data security, interoperability and data portability, the Commission said.

Shortly after the Commission had issued its 'communication', titled 'Unleashing the Potential of Cloud Computing in Europe', financial services expert John Salmon of Pinsent Masons warned that the document contained insufficient detail to guide firms in the sector in their efforts to comply with EU auditing requirements.

"No mention is made of what an organisation should do when faced with conflicting demands from EU and foreign regulators in respect of the same data," Salmon said in his blog at the time. "It seems that the consensus among financial regulators across Europe is that the Markets in Financial Instruments Directive (as amended) (MiFID) ties their hands in respect of cloud auditing requirements, at least for organisations bound by its requirements. As a consequence, the FSA in its interpretation of the Senior Management, Systems and Controls sourcebook must follow suit."

MiFID states that investment firms must in respect of the outsourcing "of critical or important operational functions or of any investment services or activities ... take the necessary steps to ensure that ... the investment firm, its auditors and the relevant competent authorities must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the competent authorities must be able to exercise those rights of access."

Salmon had said that the Commission had missed an opportunity to provide practical guidance on how financial services firms could comply with the MiFID rules in the context of cloud computing.

"The EU's strategy could have stated that 'effective access to data' may not in all circumstances be taken to mean that a customer must be able to detail the exact location of data at all times," he said. "It also could have questioned whether 'effective access to business premises' requires physical inspection. Had the Commission taken this approach, it could have gone a long way to achieving its stated purpose of moving European markets, especially financial ones, toward becoming 'cloud-active' as the communication put it."

The Information Commissioner's Office (ICO) has previously outlined its conditional support for businesses using independent auditors of cloud providers' data and security practices when evaluating whether cloud providers meet the standards required by the EU's stringent data protection rules for the processing of personal data.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Seagate brings out 6TB HDD, did not need NO STEENKIN' SHINGLES
Or helium filling either, according to reports
European Court of Justice rips up Data Retention Directive
Rules 'interfering' measure to be 'invalid'
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
USA opposes 'Schengen cloud' Eurocentric routing plan
All routes should transit America, apparently
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.