Computerworld - It's 2 p.m. Do you know where your cloud data is? Really?
Executives at one large Fortune 500 company thought they knew, but a routine audit of the cloud provider uncovered a serious problem.
"The cloud provider that we thought we had became merely a shell, and it outsourced the provision of the service to an offshore company that no one had even heard of and that the company would never have provided data to," recalls Brad Peterson, counsel for the company and a partner in the Chicago office of Mayer Brown LLC.
Fortunately, the problem was discovered and there was no harm done, but there might have been serious consequences if it hadn't been addressed. "We deal with companies with hundreds of thousands of customers. If a data breach can cost $400 to $500 per customer record and you lose 100,000 records, you've got a huge exposure," says Peterson.
With some cloud computing providers outsourcing underlying parts of their services to subcontractors, who may in turn outsource to others, do you really know who has your company's data or how secure it is? Industry insiders offer advice on how to ensure that every company in that daisy chain is protecting your information.
Security Haves and Have Nots
Major cloud computing providers, such as Google, Salesforce.com, Amazon and Microsoft, know the data security requirements of large enterprises and are happy to oblige.
"Most of the larger cloud service providers have gotten SAS 70 audits and ISO 2701 [security] audits in response to large businesses" that require it, says John Pescatore, an analyst at Gartner.
Google and others have even established dedicated U.S.-based data centers for government customers in order to comply with federal mandates that require government data to be stored domestically. The move helped Google win a contract to provide hosted email service to the U.S. General Services Administration in December; it was the first agency-wide federal cloud email deployment.
Still, security and compliance concerns are the top two inhibitors to the use of cloud-based services, according to a 2010 Gartner study. Some 42% of the survey respondents cited security, privacy and compliance as major concerns, though that's down from 49% in 2009, Pescatore says.
Sophisticated providers of software as a service (SaaS) have clauses dealing with data security in their contracts, Peterson says. "They understand customers' needs and provide hybrid offerings to address security concerns better than you might be able to address them internally," he says.
Contracts will usually give clients the opportunity to do the due diligence and spell out where data can be transferred and stored. Providers will give customers the right to approve subcontractors that will have access to their data and describe how they will respond to security incidents. They will also agree to give the customer the right to sign off on any changes before they are implemented, whereas a utility service provider may make changes and inform the customer afterward.
Exit Strategy
You need a cloud exit strategy
Standard cloud service contracts often don't require the vendor to return your data to you at the termination of the agreement, says attorney Brad Peterson, a partner in the Chicago office of Mayer Brown.
"If you rely on that data, it's a real problem. If you think about some of these small companies [that run their entire IT systems in the cloud], they could go out of business tomorrow," he says. And if a service provider goes bankrupt, "the courts could take months to decide whether to give back your data."
Companies need to keep data secure -- and accessible -- until its exit from the service provider, whether planned or unplanned, say industry watchers.
"Some of the big cloud providers feel like once they 'onboard' you and they have your data, they kind of have you by the back of the neck," says Lou Guercia, CEO of Scribe Software, a Manchester, N.H.-based provider of hosted and on-premises data integration systems. "When it's time to renew, that's a piece of leverage that a service provider has -- because they have your data."
With data integration services such as Scribe's, customers get local, real-time updated records of everything that's happening in a cloud application.
To make it possible for users to see those records, cloud software vendors can write a "connector" -- a task that should take one developer about a month. With a connector, "whatever data is running in their cloud can run on top of [the data integration service] -- and get that local copy of their data regardless of the application," Guercia says.
Today, vendors are more concerned about their reputations than they are about "squeezing a little revenue out of somebody" by holding data hostage, Peterson says. But that could change.
The cloud is a new phenomenon, and most contracts haven't been up for renewal yet. "But as the industry matures and begins to consolidate," says Peterson, "people might start to think they've got to grab every bit of revenue they can. It could get ugly."
— Stacy Collett