In a recent article we looked at some of the employment risks for customers associated with cloud computing.
Following on from Cloud computing: Employment law implications, we now consider how best to assess the other risks associated with cloud computing.
Balancing competing needs
It is often difficult to balance the needs of a large number of very different customers whilst retaining flexibility to deliver cost-effective and scalable cloud services.
It means many cloud providers are only prepared to offer generic service levels and limited liability for risks such as loss of data. For cloud customers, this can mean cloud services carry more risk than equivalent non-cloud ones.
So what can a cloud customer do?
In a nutshell, the only valid option is to manage risk.
A pre-contract risk assessment is therefore essential, and a good one should consider:
- Cloud provider due diligence – does the cloud provider have a good security history and a good credit rating? Does it use sub-contractors (if so, can the contract be enforced against the sub-contractors)? What happens to the cloud customer’s data if the cloud provider goes insolvent or is bought out by someone else? In those circumstances, does the cloud contract allow the cloud customer to terminate without penalty?
- Tiered clouds – is it better to keep critical or sensitive data out of the cloud altogether? Or to have a ‘public’ cloud – such as Google or Amazon – for non-critical data; and a ‘private’ cloud – one holding only the cloud customer’s data – for critical information?
- Service issues – what is actually being provided (for example, data storage space shared with multiple other customers)? What are the core service hours of the cloud (if the cloud is hosted in California, and maintenance takes place in the middle of the night, does that mean no UK access to data in the morning)? Are the service levels suitable?
- Data issues – is data for each customer segregated? Does the cloud provider know where each of its customers’ data is located, and is data deleted on request? Who will own data created in the cloud? (A cloud customer will want to ensure it keeps ownership of anything it creates). When the contract ends, how easy is it to recover data stored in the cloud? And is that data in a form that can be easily interpreted or used by the cloud customer?
- Security standards – what security standards does the cloud provider adhere to? Is it possible to audit the data held in the cloud? Does the cloud provider adhere to any regulatory or legal frameworks governing the cloud customer (for example, data protection legislation, financial services regulation, PCI compliance, export controls or restrictions)? Does the cloud provider vet its employees and does it have proper security in place to limit access to the cloud customer’s data to employees on a ‘need to know’ basis?
- Disaster recovery – what systems does the cloud provider operate to avoid loss of data or other disaster? How does the cloud provider define force majeure, and what happens to the cloud contract if there is a force majeure event? Does the cloud customer’s business interruption insurance cover losses that occur if the cloud fails (for example, loss of data, loss of connection)?
- Contract lock-ins and termination assistance – how long will the cloud contract last for? Can it be terminated for convenience? What happens to the cloud customer’s data on termination? Does the cloud provider offer any handover assistance to a new company at the end of the cloud contract?
Ongoing risk management
Once a cloud customer signs up to a standard cloud contract, the issue becomes one of ongoing risk management. The cloud customer’s IT policy, disaster recovery and document retention policies then become critical documents.
The IT policy should be clearly written, and should set out what employees can, and cannot, do on the cloud-based systems. Employees who use the same cloud applications for both work and home could inadvertently expose the cloud customer to risks of intrusion or hacking through the back door.
A good disaster recovery plan and associated back up procedure should deal with how critical documents are to be handled. The golden rule is to ensure critical documents are always accessible – even if the cloud is not. This might mean storing copies of these documents elsewhere, or not putting them into the cloud in the first place.
The cloud customer’s document retention policy (which should also include a policy on personal data) should set out how data used or created in the cloud will be held, transferred and deleted. This is essential, because not all cloud providers can, or will, say whether a cloud customer’s data has actually been deleted.
Policies should live in the business
But clear policies alone are not enough; each policy has to live in the business. Policies should be reviewed regularly, tested and enforced, and employees should be reminded regularly of the requirements of each of the policies.
Making the most of the cloud
Taking all this into account, cloud customers are advised to:
- undertake a proper risk assessment before signing up to a cloud contract
- read (and, if possible, amend) cloud contract terms carefully before signing
- make sure your IT policy, document retention and disaster recovery policies reflect how the cloud will be used
- regularly review the risks associated with cloud computing, and update your policies and procedures accordingly
We can help you draft or review a cloud risk assessment, cloud contract terms, and any associated policies to help you make the most of any cloud computing opportunities.
Click Here to read full article.
|