At Berman Fink Van Horn, we recently investigated moving a substantial portion of our data to the “Cloud”. Simply stated, cloud computing is an emerging, fast, and potentially simpler way to add computing power, storage, and services with minimal technology infrastructure, management effort, or service provider interaction. While many companies have embraced cloud computing, after an exhaustive analysis of the benefits, which are many, and the risks, which are also many, we decided against moving to the cloud at this time.
Data security is a paramount issue for us. It should be a paramount issue for any business. In addressing this concern, the European Network and Information Security Agency (ENISA) produced a report on the benefits and potential pitfalls of cloud computing. Giles Hogben, editor of the ENISA report, observed:
The business case for cloud computing is obvious–it’s computing on tap, available instantly, commitment-free and on-demand. But the number one issue holding many people back is security–how can I know if it’s safe to trust the cloud provider with my data and in some cases my entire business infrastructure?
Currently, a cloud provider assumes virtually no liability for a breach of security; all of the risks reside with the user. With this in mind, when investigating cloud providers and performing your due diligence, you should request from each potential cloud provider a written report on its data processing and data security practices. Some cloud providers offer certification summaries of their data processing and data security activities, and of the data controls they have in place, based on an independent service provider audit performed pursuant to the Statement on Auditing Standards No. 70 (commonly referred to as “SAS70”) [soon to be replaced by the Statement on Standards for Attestation Engagements No. 16 (“SSAE 16”) report]. If the cloud provider has been audited, you should obtain a copy of the SAS70 audit and review the appropriate sections (i.e., the description of internal controls and the auditor’s testing of the effectiveness of those controls).
In addition to investigating the security that a cloud provider offers, it is vitally important to make further investigations. When considering a cloud provider for your business, pay special attention to the following: How stable is the cloud provider? Is the cloud provider a start-up? Who supports the cloud provider financially? How sophisticated does the cloud provider appear to be? What is the cloud provider’s data recovery plan? What happens to your data if the cloud provider goes out of business or declares bankruptcy? How can your data be migrated from one cloud provider to another? What are the costs to switch from one cloud provider to another? Are any of the cloud provider’s services outsourced? What happens if the cloud provider is acquired? What, if any, third-party backup systems are utilized?
Most legal issues involved in cloud computing are currently resolved during contract negotiations. Unfortunately, unless your business is a very large company, your ability to negotiate contract terms with the cloud provider will be, at best, limited. Therefore, you will likely be in a position of simply comparing contracts between different cloud providers. When undertaking these comparisons, pay particular attention to the cloud provider’s obligation to notify you of security breaches, data transfers, changes of control, and access to data by law enforcement entities. Reviewing these terms can help you make an informed decision about which cloud computing provider best suits your needs.
In conclusion, given the lack of regulation and legal decisions regarding cloud computing, it is critical that you make an informed and educated decision before you jump to the Cloud. Let us know if we can help you with your due diligence.