This article first appeared in iGaming Business, 1 May 2012
Cloud computing is no longer the future - it is here. However, many businesses involved in remote gaming remain reluctant to embrace the cloud for fear of the perceived risks inherent in placing their systems and data into the hands of a stranger. This article explains where the real risks lie for the gaming sector.
The benefits of cloud computing should be familiar to us all by now: cost savings; instant scalability; immediate access to numerous servers thus minimising hardware liability risk and disaster recovery work-arounds; and allowing organisations to focus their IT teams on their core business, leaving expert IT infrastructure providers to look after the cloud. These benefits apply to the gaming industry as well as any other sector.
As businesses become increasingly familiar with the nature of the risks that using the cloud introduces, the trend will be for increased movement from private and community clouds (where the business can ensure greater control and security over the stored data) to a hybrid or public cloud solution in order to fully realise the cost benefits. So what are these risks?
Cloud providers each offer their own distinct solutions and services. In addition to this, cloud providers range from large multi-national providers to relatively small companies. As such, each provider's standard contractual terms will vary. However, because of the 'pooling of resource' nature of cloud computing, the provider will seek to deliver each cloud service on the same contractual terms and conditions for all of its customers. For example, a cloud provider is very unlikely to entertain negotiations on the service levels relating to the performance of the technology as many customers will be subject to the same variance of performance. To have anything but a uniform set of service level obligations towards its customers would be impractical and expensive for a cloud provider to manage.
While many of the contractual terms will be similar to a standard software licence or IT services and support agreement, the remote gaming operator needs to carefully assess the impact those terms will have on its business. Operators must be satisfied not just with the functionality of the solution offered but also with the way in which performance of the system can be managed in the event of any defects or a change in circumstances, and in particular any outages resulting in system unavailability.
Therefore, from a customer perspective, one size does not fit all. In addition, the gaming industry, as a regulated industry, has some extra considerations to take into account.
Regulated industries are presented with additional obstacles when using cloud computing. There are general regulations that apply to most companies, such as the security and audit requirements of Sarbanes-Oxley, which all listed companies in the US must adhere to. Local jurisdictions will have their own financial services regulations, such as the Financial Services Authority requirements in the UK. In practice, all major cloud providers will have to cater for customer requirements in relation to commonplace or major regulatory obligations in order to attract and retain their customer base, but a customer should not automatically assume this is the case.
For the gaming industry, UK-licensed gambling operators are required by the Money Laundering Regulations 2007 to report any suspected money laundering behaviour to the Serious Organised Crime Agency by submitting a Suspicious Activity Report. In addition, the Gaming Commission places further obligations on gambling operators, such as the reporting of suspicious betting behaviour. Gaming operators looking to cloud computing must therefore ensure that they are granted sufficient access and rights, and have the requisite tools in place to enable them to monitor and report such behaviour within their cloud solution. Not having such access and control is unlikely to be an adequate defence if such behaviour does occur and, if the gambling operator is deemed to be in breach of its legal obligations, this could result in criminal conviction.
Data protection and security
Data protection issues touch upon the gaming sector as they do any other sector where an individual's data is gathered, stored, used or otherwise processed. Under EU law, as in any other contractual arrangement where the customer is a data controller, gaming operators must ensure that the cloud provider contracts as a data processor subject to the requisite data security provisions. However, using a cloud computing solution adds an extra layer of complexity and, if insufficient due diligence is carried out, risk.
One such risk is that, given the inherently international nature of cloud computing, the customer's data could be held in a territory (or a number of territories) other than where the customer or the data subjects are based. Where a customer is based in a regulated jurisdiction, the transfer of data to other territories could place that customer in breach of its local data protection legislation. For example, the Data Protection Directive in the case of EU jurisdictions requires a certain threshold of protection for personal data transferred outside of the EEA. The customer must therefore ensure that any transfer is compliant, either by agreeing data transfer clauses with the cloud provider, or by selecting a cloud provider that will guarantee that all personal data will remain within the EEA.
In addition, the US Patriot Act places an obligation on US companies and their subsidiaries, which may be based in the EU, to give the US government access to data they hold. Not only could this put customers in breach of their local data protection laws (see transfer of data outside the EEA, above), but it could also lead to the disclosure of other commercially sensitive data that the customer would prefer not to be disclosed.
Leaving the cloud
Another area of risk that operators need to recognise and manage relates to exiting a cloud relationship. The reality of using cloud computing is that the cloud provider is in possession of the customer's data.
When the customer decides to move away from the chosen cloud provider, or if the relationship is terminated for any reason, the customer will need access to its data in order to migrate it to another provider. Equally, in the event of a dispute, the cloud provider would be in a strong commercial position being in control of the data, and possibly providing the operator's platform or solution contained in the cloud. As such, the customer must carefully consider the various scenarios that may play out at the end of a contractual relationship and ensure that it is protected in the contract against any behaviour by the cloud provider (either during or after termination of the contract) that could jeopardise the customer's access to data or business continuity.
Operators looking to use cloud computing must first fully understand their own requirements and the nature of the technical and business model being offered by the cloud provider. With this understanding, an operator can select the best fit for a cloud solution, but then comes the important step of mitigating the risks that arise – be they regulatory or wider commercial issues.
Contracts function as risk management tools and, as this article has discussed, there are certainly risks with embracing cloud computing. However, those risks can be effectively managed if they have been anticipated, properly considered and, where relevant, dealt with contractually. Consequently, such risks needn't be a barrier to operators fully embracing the benefits offered by entering the cloud.
Paul Barton is a Partner in Fieldfisher's Technology and Outsourcing Law Group
Nick Ball is an Associate in Fieldfisher's Technology and Outsourcing Law Group