As an increasing number of companies are turning to public or hybrid clouds for efficiency, simplification, and cost-savings, the legal and business risks associated with public clouds must not be overlooked. By undertaking appropriate due diligence measures, companies can minimize their risk and take advantage of the undeniable benefits of cloud computing.
What is Cloud Computing
Cloud computing is the use of a network (typically the Internet) to store, manage, and process data. Cloud computing services can be private, public, or hybrid. In a public cloud, cloud services are available to the public through the Internet, typically by entering into a standard form contract. In contrast, private clouds are built specifically for the exclusive use of a single customer.
Due Diligence for Cloud Service Providers
Before engaging a cloud service provider, due diligence must be undertaken to determine whether cloud computing is appropriate and, if so, whether an agreement with a particular cloud provider will meet the company’s needs given the nature of the data.
Although cloud computing arrangements call for due diligence similar to that for other outsourcing arrangements, cloud services bring additional complexities. In particular, the market creates challenges as many cloud computing vendors are relatively new. Further, public and hybrid cloud services are generally managed the same way for all customers, with a single set of security controls. Despite cost-savings, the limited customer control associated with public and hybrid clouds creates additional risks and challenges.
As cloud computing typically involves sharing and transferring information over the Internet, data held in a cloud is at risk for data loss and security breaches. While responsibility for these risks lies with both the company and the service provider, the company purchasing the cloud services is ultimately responsible for protecting the data. One of the most important risk-reduction strategies is effective due diligence.
Although companies are generally aware of the nature of cloud computing and its associated security concerns, many companies fail to perform sufficient due diligence when contracting with a cloud provider. While the amount of due diligence required may vary depending on the nature and sensitivity of the data, it is important that all companies considering cloud services undertake adequate due diligence measures.
To begin, companies should identify their specific needs and computing requirements and compare them with the available cloud service providers. In assessing available service providers, the following should be considered:
- Service Provider’s History: Find out as much as possible about potential service providers, including the service provider’s financial stability, infrastructure, operational practices, and the length of time it has been in business. This information is often obtained through customer references. A well-established provider should be able to provide a list of references.
- Terms of the Agreement: Carefully review the cloud computing agreement prior to signing to ensure that security issues are adequately covered, the service provider has no ownership in the data stored, and appropriate penalties and protections are available if a provider fails to perform its obligations.
- Data Storage: Assess how the cloud provider will protect the data and what security standards and procedures are being applied to help prevent data loss or a security breach. The locations of the data center and the parties who will be granted access to and control over the data should be considered.
- Known Security Vulnerabilities: Ask potential service providers about any known security vulnerabilities and whether they have dealt with any prior security breaches. Further, inquire into how data breach notifications will be handled and the process for revoking the access rights provided to the third party on termination.
As the use of cloud computing services becomes increasingly widespread, companies are faced with the task of determining whether cloud services are appropriate for their organization and, if appropriate, choosing a cloud service provider. While there are undeniable benefits associated with public and hybrid cloud arrangements, companies must be cautious to ensure that adequate due diligence is undertaken before entering into a cloud computing agreement in order to minimize the risk of data loss and security breaches.