If your organisation is not already in the cloud, you are most likely reviewing your cloud options or have it on your ‘to do’ list.
Some of the key drivers for moving to the cloud include:
- Financial – the decrease in capital expenditure means that more resources can be put towards business operations
- Functional – available and up and running in a shorter timeframe than having an infrastructure engineer set up the storage and bandwidth resources required
- Technical – greater flexibility to scale usage as required and access to security and up-to-date technology
- Strategic – ability to focus on core business operations instead of infrastructure
- Big Data – maximising the value of the wealth of data available to organisations
- Mobile Applications – cloud solutions support the growth of mobile application connectivity and synchronisation
There are now so many cloud solutions available that the responsibility of choosing one that can best meet the needs of the business can be quite daunting.
Many cloud providers require users to sign contracts that release the provider from responsibility for data privacy, security and service availability. Some will suggest the customer is responsible for their own security, while others will specify a security standard such as ISO/IEC 27000, 27001 and 27003. Some will notify you of a breach, others will only notify you if required by law. It is therefore important to know what to look for when reviewing cloud contracts.
“Cloud contracts often lack detailed contingency procedures for what will happen if either the cloud provider or customer suffers a service disruption or security breach. Service-level agreements (SLAs) must clearly define the company responsible for resolving the incident, as cloud solutions are often made up of multiple cloud providers,” commented Kareem Tawansi, CEO of software development provider, Solentive Software.
When reviewing cloud contracts, organisations should consider the following:
- Who are you contracting with? – Companies need to ensure that they know who is holding and protecting their data, and where it will be physically located, in order to establish an enforceable contractual relationship with that party. If a supplier is simply re-selling datacentre resources, organisations can find that they have insufficient rights to require specific performance by the parties that actually hold their data. This is the most important consideration in any movement of data to the cloud.
- Who is responsible for the protection of data? – Many cloud providers use generic terms to indicate that they will make ‘reasonable efforts’ to protect the data, but strict liability remains with the company that owns it.
- Are regulatory requirements met in each legal jurisdiction that the data flows through? – Using an offshore datacentre may have its cost benefits, but organisations need to ensure that this will not put them at risk of breaching legislation. For example, Australian organisations must take ‘reasonable steps’ to ensure that their offshore cloud providers do not breach Australian Privacy Principles.
- What happens in the event of insolvency? – While it is highly unlikely that major cloud providers will become insolvent in the near future, it is still critical to look at what would happen if either party was placed into administration or liquidation. Specific rights to and conditions for return of the data, notice periods, and termination clauses should be reviewed closely. Even if neither party becomes insolvent, it is crucial to have an exit strategy.
“Watch out for clauses that seek to avoid written, mutually agreed variations to the cloud services agreement. This will typically take the form of a statement that by continuing to use the services, you consent to modifications of the terms by the provider.
“No matter which cloud service provider you choose to go with, as an added security measure it is always important to ensure that you have a local copy of your cloud files and databases and to always encrypt your data,” advised Tawansi.