This tip discusses questions to ask and clarifications that should be requested from your cloud computing provider before signing on the dotted line, according to Mark Weston, Principal at UK law firm Matthew Arnold & Baldwin LLP.
1. A customer should check its own (and the cloud provider's) processes on data handling, clarifying where the data is located and how it is managed. This should include an inspection of the processes involved if the cloud service provider loses customer data.
2. A customer should check the service provider's policies on data and data corruption, asking if data is backed up and whether it can easily be reconstituted from the backups.
3. A customer should clarify policies on identity management and access control. This should cover issues that boil down to who is authorised to do what and under what circumstances, including who is authorised to have sight of the customer's data.
A customer should also clarify whether the cloud provider has authorised itself to see the data, and which controls exist to prevent data being copied or otherwise removed -- whether by the cloud service provider or by members of the customer's own organisation. Is there a robust audit trail?
4. There should also be robust audit-checking procedures for data colocation to ensure that a competitor of the customer cannot access the customer's information, even though both the customer and its competitor may be hosted on the same hardware.
It is worth noting here that most cloud computing services offered today are on a shared server basis, i.e., any given server is shared between multiple organisations. This is because the economies of scale allow for a cheaper service provision. Nevertheless, primarily due to security concerns, certain more security-conscious organisations are opting for non-shared cloud services, which are offered with greater guarantees of security. IBM, for example, offers such a service.
5. A customer should check compliance with regulatory requirements such as accounting and auditing standards, banking regulation, corporate governance, information provision requirements (such as Sarbanes-Oxley), data regulation, etc. The policies of the cloud service provider (such as the data protection policy) should also be carefully scrutinised. There are already data checks on export of data to certain jurisdictions.
For example, European data protection law would prevent export of personal data to the United States. However, in reality, most large organisations that provide cloud services will be able to take advantage of one of the legal exceptions to that restriction.
6. A customer should check how easy it is to terminate and move to another cloud computing service provider -- not contractually but practically!
Mark Weston is a Principal at Matthew Arnold & Baldwin LLP and a Contributor to
This was first published in November 2009