Most companies now use some form of cloud computing, whether through software as a service, platform as a service, or infrastructure as a service. Cloud computing’s cost-effective scalability can offer significant advantages to an organization, but it can also raise significant security concerns. Although many cloud providers offer assurances that their systems are secure, many are also unwilling to contractually guarantee the security of data placed in the cloud and are unwilling to fully indemnify a company in the event that the cloud storage is breached.1 The following provides a snapshot of information concerning cloud computing:
Percentage of those companies with 100-249 employees that use a cloud service.2
Percentage of eShop services that rely on cloud computing.3
Percentage of companies that view data security as a concern in moving services to the cloud.
To minimize data security risks, companies should evaluate the following as they consider cloud computing:
- Does data need to be stored in a specific jurisdiction? Some jurisdictions require that data remain within their borders. By utilizing an open cloud environment, where data is transferred freely across borders, a company could inadvertently violate prohibitions concerning the cross-border transfer of data.
- Does the agreement set forth whether the vendor is dedicating hardware to the customer? Absent express language, the vendor is likely providing shared hardware to the customer.
- Does the agreement clearly explain who has rights to the data stored using the service? Depending on the underlying service, some agreements grant the vendor limited rights.
- To what extent is cryptography used? Is each separate record in the cloud encrypted, or does all data use the same encryption key? The value of these approaches varies based on the nature of the data and the processing costs.
- Who is responsible for backing up data?
- Does the agreement set forth standards for how the customer can export its data from the vendor? A customer may want to switch from one cloud vendor to another or may simply want to proceed in a different technological direction.
- Are the appropriate licenses in place to execute software in a cloud computing environment? For example, some software is priced based on the type of server on which it will be run. Meanwhile, the execution of the software in a cloud (or networked) environment may trigger additional considerations.
- Does the agreement give the customer sufficient flexibility to expand or contract the extent to which it uses the cloud services? One of the advantages of cloud computing is the idea that use can be scaled to match a customer’s needs.
- Are the agreement’s terms sufficiently defined to avoid ambiguities over what the vendor has contracted to provide the customer? Trending technology terms often must be defined to ensure all parties perceive them the same way.
- Does the agreement guarantee to maintain any current APIs or features, or does it promise to provide future functionality? Depending on the circumstances, schedules can be a useful way to ensure certain necessary functionality remains in the service.
- Will the network connections between the vendor and the customer provide sufficient bandwidth, and if not, what contractual recourse does the customer have? Although cloud computing is seen as ubiquitous, engineering realities may curb its availability. Customers should consider that risk when contracting.
- Will use of cloud services conform with any customer industry-specific needs or regulations?
- Does the agreement give the customer the ability to delete data stored by the vendor and confidence that such deletion can be achieved? For some categories of data, customers must ensure that data is completely removed from the servers.
- Does the agreement clearly set forth how the parties should communicate in the event of a data breach or service outage? Similarly, does the agreement contain adequate representations about the vendor’s steps to prevent either event?
- Does the cloud vendor have adequate liability coverage? Although no one wants the agreement to reach that point, it is important to understand the extent to which the provider could absorb a loss that might impact many (or all) of its customers simultaneously.