If you aren't familiar with cloud computing, this will likely be the year you learn more about it. Gartner, a leading information technology research company, predicts the industry will be worth $150 billion by 2013. Cloud computing is a computing model where services and storage are provided over the Internet. Think of it like your Gmail or Yahoo email. Your account information is stored on servers around the world and you can access it from a variety of devices, like your home laptop, work desktop, smartphone and tablet. Cloud computing allows you to get whatever data you need, when you need it, from any device.
Cloud computing can help businesses save money. Rather than purchase computing infrastructures, you can "rent" it from data centers that provide computing and software remotely. The systems work a lot like utility services, with a business paying a monthly fee for IT services. Moving programs from your workplace computers to an outside location can also speed up company computers and help your bottom line.
Cloud computing can be especially useful for businesses with teams located in different geographic areas. Access is available anytime, anyplace. Cloud computing can also offer peace of mind by backing up data. So, if one computer crashes, you can move on to another computer and resume work.
While there are clear benefits, there are also potential security risks. You are handing over critical services to a third party. One of the best ways to protect your sensitive information from data thieves and hackers is by taking the following three steps before leaping into cloud computing.
Step No. 1: Assess the risk you're willing to take.
With cloud computing, more people will have access to your information. Giving control of information like intellectual property, Social Security numbers, medical and payroll information to a cloud server means you are giving up a level of control over managing that data. Identify theft is often the biggest concern among company leaders, but information stored on a cloud could also conceivably be mined by marketers, subjecting your employees and customers to unsolicited advertising. Business owners must thoroughly evaluate whether the benefits of having such information stored in a cloud system outweigh the risks of it falling into the wrong hands.
Step No. 2: Vet the service provider.
This is not the place to cut corners or try the new guy on the block. Choose a cloud computing service based on experience, reputation, research and technical expertise. Ask to see the data center. The servers, routers, storage devices and power supplies should be physically secure. Have someone walk you through the facility and explain their security controls, which should include surveillance video and physical access monitoring.
You also want to understand exactly who has access to your information, how they are trained on security measures and how technologies are used to prevent loss or theft. Get as much information as you can about the people involved in managing your data. Find out who has access to what and when. How does the vendor know the person accessing your information is really who they say they are? Ask potential could computing providers how they monitor employees. Do they perform background checks before hiring new personnel? Once hired, do they have processes in place to thwart any employee shenanigans?
Cloud vendors have multiple clients and it's important to know how your data is protected from other users. Ask detailed questions about how your information is separated and protected from others. Find out how data is encrypted and how technologies are used to prevent data loss.
You should also find out what steps are in place in case of a disaster. Will your data and service be lost temporarily? Can it be completely restored? Finally, ask for references. Then, you can compare what the company has told you with their customers' experiences.
Step No. 3: Carefully draft and review servicing agreements.
Agreements should clearly address several security issues, including which employees have access to your information, how they are trained and how they are monitored. The agreement should also spell out how incidents will be reported and handled. You may also consider provisions to specify issues of service availability, network connectivity, filtering and backup, and recovery management.
When relying on cloud servers, you may not know exactly where your data is hosted, but you may want to ask the provider to commit to storing it in specific jurisdictions and adhering to local privacy requirements. If your company must comply with state or federal regulations relating to customer and employee privacy and data, be sure to include a provision in your contract, along with a guarantee from the provider that your data stay within that area. Ultimately, you are responsible for complying with government regulations.
Include a clear plan in case you ever need to move your data back to your own center or another cloud vendor. Get the vendor to explain what happens to your data if they undergo bankruptcy or a merger. Get details on what happens if you terminate the relationship. Finally, make sure all costs are clearly explained. Never assume anything.
By carefully evaluating your level of risk, thoroughly vetting the cloud service provider, and having clear specifications in the servicing agreement, you can reduce security threats. If a cloud computing provider is not willing to answer all your questions, it's not worth the risk of putting them in charge of your most sensitive data.
(This article is for information only and is not legal advice.)
Caryn Tijsseling is a litigation partner in Lewis and Roca's Reno office. She can be reached at CTijsseling@LRLaw.com and 775-321-3426.