Cloud-based services are highly attractive to many organisations. They allow fast deployment, rapid scaling and minimal up-front costs, as well as reduced dependence on on-premise infrastructure. Today, most adopters are trialling cloud services, either through software as a service (SaaS) such as web or e-mail protection, CRM or common business applications; platform as a service (PaaS), such as programming or application development platforms; or infrastructure as service (IaaS), typically in the form of storage or network cloud services.
One of the most common barriers to adopting cloud services is confidence. This takes many forms but can often manifest itself in negotiating cloud provider contractual agreements. So what are the key emerging issues you need to be aware of to be able to adopt with confidence?
- Governing law and jurisdiction: Cloud providers by definition use shared or multi-tenanted datacentre facilities to provide low-cost and scalable services. These are often placed in locations or countries other than the where your business is located. Therefore, understanding what governing laws and jurisdiction will be applied to your provider's service or your data is key. Will the local legislation allow law enforcement agencies access to the cloud adopter’s data without consent? Can the cloud adopter’s data be located or transferred outside certain jurisdictional boundaries?
- Data ownership: If you are considering a cloud service that will include the transfer of your data to a provider, you need to ensure your data remains owned by you throughout its entire lifecycle and you can get can gain access to it at any time.
- Data protection and confidentiality: Data protection is often a major concern. How the provider protects the data, who has access to it, how is it transferred and stored are all critical issues that need to be addressed in any agreement. Perhaps, the biggest issue is to understand to what degree the provider is responsible for protecting your data.
- Regulatory compliance: Careful consideration must be given on whether any local or industry-specific laws/regulations may affect your choice of provider. Always factor in any local due diligence that you will need to conduct on your chosen vendor as a consequence.
- Service termination and exit: Upon termination of a service with a cloud provider, the agreement needs to specifically state what happens to the adopter’s data. Are the procedures to be followed on termination clear? Is it necessary for a hand-over period? What are your rights of termination and do these meet the business needs? Can the data be ported on termination or is the data deleted and, if so, how can the adopter validate successful deletion of data?
By selecting a cloud provider or partner, you are taking a part of your business’s assets and placing it in the trust of the third party. This is not significantly different to the traditional outsourcing model and all of the normal contractual checks, such as assessing the financial stability and dependencies of the provider, as well as demanding a clearly document service level agreement, will be need to be done. But due to the dynamic nature of cloud provision, you also need to make sure you can address the emerging issues, enabling you to select your provider with complete confidence.
James Hanlon, CISSP, is security practice manager for Symantec UK
This was first published in March 2012