This tip discusses questions to ask and clarifications that should be requested from your cloud computing provider before signing on the dotted line, according to Mark Weston, Principal at UK law firm Matthew Arnold & Baldwin LLP.
1. A customer should check its own (and the cloud provider's) processes on data handling, clarifying where the data is located and how it is managed. This should include an inspection of the processes involved if the cloud service provider loses customer data.
2. A customer should check the service provider's policies on data and data corruption, asking if data is backed up and whether it can easily be reconstituted from the backups.
3. A customer should clarify policies on identity management and access control. This should cover issues that boil down to who is authorised to do what and under what circumstances, including who is authorised to have sight of the customer's data.
A customer should clarify whether the cloud provider has authorised itself to see the data and which controls exist to prevent data being copied or otherwise removed, whether by the cloud service provider or by members of the customer organisation. Is there a robust audit trail?
4. There should also be robust audit-checking procedures for data colocation to ensure that a competitor of the customer cannot access the customer's information, even though both the customer and its competitor may be hosted on the same hardware.
It is worth noting here that most cloud computing services offered today are on a shared server basis, i.e., any given server is shared between multiple organisations. This is because the economies of scale allow for a cheaper service provision. Nevertheless, primarily due to security concerns, certain more security-conscious organisations are opting for non-shared cloud services, which are offered with greater guarantees of security. IBM, for example, offers such a service.
5. A customer should check compliance with regulatory requirements such as accounting and auditing standards, banking regulation, corporate governance, information provision requirements (such as Sarbanes-Oxley), data regulation, etc. The policies of the cloud service provider (such as the data protection policy) should also be carefully scrutinised. There are already data checks on export of data to certain jurisdictions.
For example, European data protection law would prevent export of personal data to the United States. However, in reality, most large organisations that provide cloud services will be able to take advantage of one of the legal exceptions to that restriction.
6. A customer should check how easy it is to terminate and move to another cloud computing service provider -- not contractually but practically!
Mark Weston is a Principal at Matthew Arnold & Baldwin LLP and a Contributor to SearchVirtualDataCentre.co.uk.
This was first published in November 2009