Cloud computing legal checklist

1. A customer should check its own (and the cloud provider's) processes on data handling, clarifying where the data is located and how it is managed. This should include an inspection of the processes involved if the cloud service provider loses customer data.

2. A customer should check the service provider's policies on data and data corruption, asking if data is backed up and whether it can easily be reconstituted from the backups.

3. A customer should clarify policies on identity management and access control. This should cover issues that boil down to who is authorised to do what and under what circumstances. This should cover who is authorised to have sight of the customer's data.

A customer should clarify whether the cloud service provider authorised itself to see the data and which controls exist to prevent data being copied or otherwise removed -- and this encompasses removal by the cloud service provider and removal by members of the customer organisation -- is there a robust audit trail?

4. There should also be robust audit-checking procedures for data colocation to ensure that a competitor of the customer cannot access the customer's information, even though both the customer and its competitor may be hosted on the same hardware.

It is worth noting here that most cloud services offered today are on a shared server basis, i.e., any given server is shared between multiple organisations. This is because the economies of scale allow for a cheaper service provision. Nevertheless, primarily due to security concerns, certain more security-conscious organisations are opting for non-shared cloud services, which are offered with greater guarantees of security. IBM, for example, offers such a service.

5. A customer should check compliance with regulatory requirements such as accounting and auditing standards, banking regulation, corporate governance, information provision requirements (such as Sarbanes-Oxley), data regulation, etc. The policies of the cloud service provider (such as the data protection policy) should also be carefully scrutinised. There are already data checks on export of data to certain jurisdictions.

For example, European data protection law would prevent export of personal data to the United States. However, in reality, most large organisations that provide cloud services will be able to take advantage of one of the legal exceptions to that restriction.

6. A customer should check how easy it is to terminate and move to another cloud service provider -- not contractually but practically!

Mark Weston is a Principal at Matthew Arnold & Baldwin LLP and a Contributor to SearchVirtualDataCentre.co.uk

Rate this Tip To rate tips, you must be a member of SearchVirtualDataCentre.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Cloud computing services IBM unveils zEnterprise mainframe Rackspace unveils open source cloud platform The big cloud question: Where to put my app? IBM cuts ribbon on cloud computing centre in Germany Oracle releases latest Sun Ray software The Daily Data Centre repository for July IBM joins forces with European Union on e-services research Citrix announces advanced virtualisation certifications for engineers Microsoft lets businesses run Windows Azure in their own data centres CIOs should plan for a second economic downturn, Gartner says Working with colocation or managed service providers IBM unveils zEnterprise mainframe Rackspace unveils open source cloud platform IBM cuts ribbon on cloud computing centre in Germany IBM joins forces with European Union on e-services research Citrix announces advanced virtualisation certifications for engineers Microsoft lets businesses run Windows Azure in their own data centres CIOs should plan for a second economic downturn, Gartner says Amazon.com attempts IT switch to cloud computing SAP certifies Verizon cloud platform HP and VMware collaborate to enable cloud computing RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.