In my previous post, “Is your company ready for the Cloud?,” I mentioned that there are issues that needed to be included in any in-depth analysis concerning the use of cloud or hosted services for business. The most serious of these, which are applicable to all companies performing such an analysis, are related to data ownership, security, and privacy laws and regulations.
Even in some of the most highly regulated nations, governments have largely failed to address these concerns in relation to cloud-based services, while simultaneously strengthening the regulations concerning the protection of consumer data that businesses must comply with. This creates a serious conundrum for companies looking to utilise cloud or hosted solutions.
Even though a hosted solutions service provider might state that the customer owns their data, in many cases there are very limited, if any, provisions for getting local backups of your data. For many cloud-based services, there are few provisions for exporting your data off the service if you wish to terminate or migrate to a different solution. In fact, many business owners who use a cloud service don’t spend much time considering this issue; of those that do, many dismiss it as being a trivial concern. This is usually due to a lack of understanding of the possible long term consequences of this grey area: after all, it’s your data, you own it, the service provider has assured you of this, it’s in the service contract, so it’s not a problem.
However, it’s one thing to state that the hosted data belongs to the client company, but an entirely different idea to ensure that client companies retain complete control of their data.
You only have control of your data if your hosted solutions provider offers you the following:
- A local backup and copy of your data that is local, current, complete and usable
- A guarantee that you can remove all of your data from the hosted servers at the termination of your contract
Without these, the guarantee of data ownership becomes mooted.
This is especially an issue when dealing with large, multinational hosted service providers who utilise data farms all over the globe (Microsoft Hosted Services, Google Apps, Salesforce, IBM Blue Cloud, etc.), but it applies to all levels of hosted and cloud service providers.
For example: what happens if your service provider goes bankrupt, or experiences a major natural disaster? What are your options in such a scenario? What are your contingency plans? Have they been tested, and how effective are they? Can you provide access to searchable archives of all your data, like email, going back several years, as would be required if you were served with a legal notice to grant such access?
In recent years, file sharing services like DropBox, Windows Live Drive, and SugarSync, have become increasingly popular among consumers, largely due to their simplicity and convenience. You need access to your files from any location, and you can have it. However, it’s this very simplicity that can create large problems for a company. Of increasing concern is the recent rise in use of these services in companies by users, especially road warriors. Disregarding some of the inherent security issues intrinsic to these services, the greater threat is that they can be used to easily circumvent the IT security policies of your business.
You’ve spent time and resources ensuring data security and privacy compliance, only to have it all mooted by your users sharing corporate data through public file sharing services. This can be particularly dangerous to a company in the case of employee terminations and layoffs, as you have no control over where copies of all those files may now reside – potentially giving former or disgruntled employees the ability to damage your business.
Even the strict enforcement of internal policies may not be sufficient to protect you from this becoming a threat. You have the option of trying to completely block access to these services from your network, requiring stringent network monitoring and security protocols, or you can allow employees to use these services by issuing company controlled accounts. In this scenario, the company has control over the access rights and can easily disable a user’s account prior to termination, or as needed.
However, no matter how stringent your internal security policies are, no matter how much due diligence is given to securing your data from a corporate perspective, you have no true control over access to your data from within a hosting provider’s company. Add to this that many widely used cloud services, like DropBox and Google Apps, have experienced security issues within the services themselves that compromises security of hosted data. Going forward, these hosted service providers will increasingly become more enticing targets; and it’s a known fact that most security measures are reactive to threats after they become known. Given current legislation, any resultant damage, or violation of regulations and laws, is still the responsibility of the companies using the cloud services.
US and Canada have fairly stringent privacy laws that dictate what a company is allowed to do with customer data, and what measures they need to take to ensure customer privacy. However, there are some significant disparities, and outright conflicts, between the laws of these neighbouring nations. The onus of complying with laws protecting your clients’ data is on you, but the laws have not addressed the role of cloud and hosted services in this area. In case of a breach at the hosting company, it is you who are liable if your customers’ data is compromised.
When your data is housed in a data centre in another country or countries, whose laws and regulations differ vastly from those of your home country, you have even greater concerns. Some of the fastest growing providers of data centre services are located in countries like India and China, who have almost no effective consumer data privacy regulations, and where government agencies can demand unrestricted access to data stored on servers in their countries.
Additionally, the laws relating to data ownership and access by 3rd parties have not yet been clearly set out, and very few precedents have been set to determine if the data owners need to be notified if the hosting provider is required, for instance, to give access to client data by legal agencies. For example, under various Canadian and US laws, companies must secure and ensure the privacy of their clients’ information; they must also maintain processes for archiving and retrieving data in case of audits or subpoenas. Most of these laws and regulations protect and spell out the rights of privacy, and requirements of access by legal entities, of data stored on a company’s servers and computers; the same applies to SOHO’s, and consumers’ home computers.
This landscape becomes very murky when it comes to data stored at data centres by hosted or cloud service providers: there has been very little progress made in addressing whether a service provider’s client data is protected by the same laws and regulations covering that client if they were hosting all their data on their own on-site systems. The landscape becomes obscured in a veritable fog when dealing with data stored in data centres on foreign soil. In fact, there has been greater progress on regulating greenhouse emissions for data centres than there has been on regulating the contents of data centres!
The topics I’ve touched on in this post cover issues which are not technical, but legal and procedural. As such, any business seriously considering employing cloud services in their environment needs to include these aspects in their exploratory analyses; you should consult lawyers versed in the respective laws and regulations governing your specific industry, to ensure that you understand exactly what requirements you need to meet to stay in compliance. This will allow you to determine what types of cloud and hosted services you can utilise, to what extent, and what specific terms you should be looking at including in your service contracts with the providers.
You need to understand what their business models are and how your business will be affected by them. Make sure you thoroughly analyse your risks, and include measures in your planning to mitigate them, as well having contingency plans in place for if and when things go awry. Without considering these issues, you risk exposing your business to being vulnerable on several different fronts.
The cloud services industry is still relatively young and these are issues that are finally beginning to be addressed in a legal and political framework. However, even if each nation enacts effective regulations addressing these issues, and their ramifications, the much larger grey area of international regulations will still need to be addressed. Given the way governments work, this may take a while.
This doesn’t mean that you should avoid hosted and cloud solutions completely: the advantages to the cloud may be great enough to be worth it. What you should do, however, is explore options, as much as possible, which are local, or ones which are situated within your nation’s borders and subject to the laws of your home country only. In cases where the best of breed solution is one which utilises a globally distributed infrastructure, you should perform both risk analysis and opportunity-cost analyses to determine whether there are enough mitigating factors, or if you can implement them, to make it a viable option.