Avoiding cloud computing legal issues: Checklist for selecting a provider


This tip discusses questions to ask and clarifications that should be requested from your cloud computing provider before signing on the dotted line, according to Mark Weston, Principal at UK law firm Matthew Arnold & Baldwin LLP.


1. A customer should check its own (and the cloud provider's) processes on data handling, clarifying where the data is located and how it is managed. This should include an inspection of the processes involved if the cloud service provider loses customer data.

2. A customer should check the service provider's policies on data and data corruption, asking if data is backed up and whether it can easily be reconstituted from the backups.

3. A customer should clarify policies on identity management and access control. This should cover issues that boil down to who is authorised to do what and under what circumstances, including who is authorised to have sight of the customer's data.

A customer should clarify whether the cloud provider has authorised itself to see the data and which controls exist to prevent data being copied or otherwise removed, whether by the cloud service provider or by members of the customer organisation. Is there a robust audit trail?

4. There should also be robust audit-checking procedures for data colocation to ensure that a competitor of the customer cannot access the customer's information, even though both the customer and its competitor may be hosted on the same hardware.

It is worth noting here that most cloud computing services offered today are on a shared server basis, i.e., any given server is shared between multiple organisations. This is because the economies of scale allow for a cheaper service provision. Nevertheless, primarily due to security concerns, certain more security-conscious organisations are opting for non-shared cloud services, which are offered with greater guarantees of security. IBM, for example, offers such a service.

5. A customer should check compliance with regulatory requirements such as accounting and auditing standards, banking regulation, corporate governance, information provision requirements (such as Sarbanes-Oxley), data regulation, etc. The policies of the cloud service provider (such as the data protection policy) should also be carefully scrutinised. There are already data checks on export of data to certain jurisdictions.

For example, European data protection law would prevent export of personal data to the United States. However, in reality, most large organisations that provide cloud services will be able to take advantage of one of the legal exceptions to that restriction.

6. A customer should check how easy it is to terminate and move to another cloud computing service provider -- not contractually but practically!

Mark Weston is a Principal at Matthew Arnold & Baldwin LLP and a Contributor to SearchVirtualDataCentre.co.uk 


This was first published in November 2009

 
