Around this time last year, the cloud computing contract signings were coming fast and furious—not just for commodity work like IT management or email, but for software and infrastructure closer to the core of corporate value. Not long after that, the calls started to come in to Greg Bell, principal and the Americas service leader for information protection at KPMG.
Cloud services customers—more often line of business leaders than IT executives—were panicked as they began to realize that their intellectual property (IP) was now at risk. Some, like one client who discovered that he’d potentially exposed his company’s precious formulas, had to bring the software and associated processes back in-house—at no small expense. “They quickly went through an assessment, made very aggressive movements [into cloud computing], and then had to retreat because they were not able to put the proper controls in place,” says Bell.
There’s always some danger when handing over critical company data to a third party. “Cloud computing entails IP issues similar to traditional IT outsourcing in that you are entrusting sensitive data to a provider who probably won’t treat it as carefully as you would,” says Jim Slaby, sourcing security research director for outsourcing analyst firm HfS Research. “Your applications will be running on IT infrastructure you do not own or control.”
But cloud-based services introduce increased IP threats. The nature of the business—whether it’s software-, infrastructure-, or platform-as-a-service—makes understanding where the data is, who has access to it, and how it’s being used more difficult, notes KPMG’s Bell. There’s a much higher degree of virtualization—from networks to storage to servers. “[For example,] a highly-distributed, highly-virtualized pool of storage resources used by a cloud service may make it much more difficult for the provider to guarantee that deleted files have been securely deleted—not just [removing] the file-system pointer to the data, but [overwriting] the actual data itself—from every single location that the cloud provider might have stored them on,” says Slaby.
Cloud providers are more likely to use subcontractors to meet spikes in demand. Cloud-stored data often hops from country to country, some with weak IP laws or enforcement. “Similarly, if your provider uses personnel who can remotely access your data and IP from countries with weak IP laws, you may be putting your IP at risk of theft or misappropriation, with little recourse,” explains Rebecca Eisner, partner in the privacy and security practice of Mayer Brown. Finally, because many cloud services have grown out of consumer offerings, their standard contracts are severely lacking. “A term in a contract that provides that the cloud vendor owns all content a customer may put on its systems may be okay if that content is a picture of your dog, but may not be so good if you’re talking about your development environment,” says Edward Hansen, partner and co-chair of the global sourcing practice at Baker & McKenzie.
It’s really important when dealing with Cloud migration, you choose a supplier who understands all the nuances of your business & data protection requirement. Your probably thinking of moving to the Cloud now, if you havent already done so, & that’s fine. But think about who should own your data, and if your in a sector where this is paticulary important such as legal or finance, then this should be at the forefront of your mind. At Server Centre, we thoroughly understand your business first, before making recommendations & deploying solutions. We’re also Data Protection accredited too, so you can be assured we are in a position to understand your data needs.
We’ll leave you with some simple questions and tests you can ask of yourselves when planning data management in the Cloud, why not give us a call for more indepth discussions and advice?
Here’s a quick test to make sure your mission critical data does indeed belong to you:
At the end of the contract, can you still use your data or will it be returned in a format that won’t work in any other system? Your contract must specify that the data will be returned to you on demand, regardless of any outstanding monies owed, and in a format useable to you. Otherwise, you may end up with gobbley goop at the end of the contract whether or not the contract came to the end of the term or you quit the vendor. Indeed, this is the oldest trick in the book to forever bind customers to SaaS vendors.
If the vendor goes bankrupt and shuts down today, can you get your data back? You may not be able to if there is no specific clause in the contract spelling out if and when your data will be returned. Be sure to also get a guarantee that your data will be protected while the vendor is in a non-functional state and before you take receipt of it, preferably by a reputable third party. If you don’t, you could be found liable for any number of legal transgressions because as the “owner” of the data, you’re fully responsible for what happens to it.
Do you own the metadata too? So, you own the data, but do you own the data on the data too? Not if you haven’t clarified that in the contract.
Have you given the vendor and its assigns unfettered access to your data? Certainly, vendors and their subcontractors may have legitimate reasons to have access to your data. This might include routine redundancies for disaster recovery or the ability to provide you with lost passwords so you can access your data. But if you have given them blanket access to your data without specifying that the data can only be used in the course of delivering the service and can be used for no other purpose even if anonymized, then who owns the data is a moot issue because the vendor and/or its partners can still use it any way they want too.
Have you given the vendor unlimited archival time spans? Here again there are legitimate reasons a vendor needs to archive your data either as a back-up or to speed data delivery to users by jettisoning older data from the load until such is specifically requested. But if you have not established a time limit, a vendor can return a copy of your data to you at the end of the contract but keep a copy in the archives for their own use as well.
Have you defined the extraction or cleaning process? So, your data has been returned to you at the end of the contract, but how can you be sure one or more copies are not floating around the vendor and/or its subcontractor’s data centers? Spell out in the contract how your data will be scrubbed from all data centers it was stored in and demand verification that the cleaning procedure actually works before you sign the contract.
Have you prohibited data mining? You may be perfectly comfortable with a vendor aggregating your data with that of other customers to do analysis and make performance reports but unless you get real specific with the permissions language, you may have also granted them to right to mine your data for business prospects, customer contact information, and other information you didn’t mean to share. Further, such could make your company legally liable for privacy infractions.