It's 2 p.m. Do you know where your cloud data is? Really?
Executives at one large Fortune 500 company thought they knew, but a routine audit of the cloud provider uncovered a serious problem.
"The cloud provider that we thought we had became merely a shell, and it outsourced the provision of the service to an offshore company that no one had even heard of and that the company would never have provided data to," recalls Brad Peterson, counsel for the company and a partner in the Chicago office of Mayer Brown LLC.
Fortunately, the problem was discovered and there was no harm done, but there might have been serious consequences if it hadn't been addressed. "We deal with companies with hundreds of thousands of customers. If a data breach can cost $400 to $500 per customer record and you lose 100,000 records, you've got a huge exposure," says Peterson.
With some cloud computing providers outsourcing underlying parts of their services to subcontractors, who may in turn outsource to others, do you really know who has your company's data or how secure it is? Industry insiders offer advice on how to ensure that every company in that daisy chain is protecting your information.
Security Haves and Have Nots
Major cloud computing providers, such as Google, Salesforce.com, Amazon and Microsoft, know the data security requirements of large enterprises and are happy to oblige.
"Most of the larger cloud service providers have gotten SAS 70 audits and ISO 2701 [security] audits in response to large businesses" that require it, says John Pescatore, an analyst at Gartner.
Google and others have even established dedicated U.S.-based data centers for government customers in order to comply with federal mandates that require government data to be stored domestically. The move helped Google win a contract to provide hosted email service to the U.S. General Services Administration in December; it was the first agency-wide federal cloud email deployment.
Still, security and compliance concerns are the top two inhibitors to the use of cloud-based services, according to a 2010 Gartner study. Some 42% of the survey respondents cited security, privacy and compliance as major concerns, though that's down from 49% in 2009, Pescatore says.
Sophisticated providers of software as a service (SaaS) have clauses dealing with data security in their contracts, Peterson says. "They understand customers' needs and provide hybrid offerings to address security concerns better than you might be able to address them internally," he says.
Contracts will usually give clients the opportunity to do the due diligence and spell out where data can be transferred and stored. Providers will give customers the right to approve subcontractors that will have access to their data and describe how they will respond to security incidents. They will also agree to give the customer the right to sign off on any changes before they are implemented, whereas a utility service provider may make changes and inform the customer afterward.