Tips from an attorney for secure cloud computing implementation
There is no doubt about it: the IT landscape is shifting to the cloud.
As the focus of IT support providers and IT consultants shifts to cloud-based services, so should the client organization’s vendor selection process. News surrounding the security vulnerabilities of some cloud services has prompted many C-level executives to gain a better understanding of how to assure the integrity of their confidential data.
This article is written by Polly A. Dinkel, Partner at Sideman & Bancroft LLP, and is the fourth in a series of articles by cloud computing and IT security experts (see Mitigating the Risks of Cloud Computing, Top Cloud Computing Concerns and Questions to ask an Online Backup Provider) who share their experiences and expertise on how to overcome the common security concerns of cloud computing.
Tips for enhancing the security of data in the cloud
The best way to enhance the security of data in the cloud is to pay close attention to contract and Service Level Agreement (SLA) terms and negotiate terms that provide the appropriate level of protection for the data being stored.
- The SLA should include all of the measures that will be implemented by the vendor to secure the stored data. At a minimum, an organization must be aware of any regulatory or contractual requirements it has with regard to stored data and determine that by entering into the contract it will not be at risk of violating its own legal requirements.
- The contract should provide a suitable remedy in the event the vendor fails to meet its obligations or when security measures fail and the organization’s data is exposed or destroyed. Care must be taken that disclaimers of warranties and limitations of liability do not unacceptably limit the negotiated remedy.
- Forty-six states have adopted laws requiring notification upon an inadvertent disclosure of personal information. Ideally, the contract should require the vendor to notify its customer of any data security breach so that the customer can determine the appropriate course of action. If the security breach is caused by the vendor, then the costs should be borne by the vendor.
- The contract should also address the vendor’s obligations to protect any data in transit when the vendor is transferring it within its own systems, and between the customer’s system and the vendor’s system.
Additional measures to protect your data
Unfortunately, small and midsized businesses don't always have the clout or legal budget necessary to negotiate changes to standard contracts offered by cloud providers. If negotiating strong contractual protections is not possible, an organization can nevertheless take measures to protect its data.
- Conduct a thorough due diligence of the vendor’s encryption and access security, as well as the physical location of the data center. Check the vendor’s data center certifications.
- Investigate the financial stability of the vendor. In the case of a bankruptcy, the company could lose access to its data.
- Consider internal measures to protect the data, such as encrypting data sent to the vendor’s system and maintaining back-up copies of the data. These may not be acceptable solutions if the organization is under a regulatory obligation to maintain the confidentiality of information, or where the stored information constitutes trade secrets.
- Select a “private” cloud, rather than a “public” or “community” cloud to reduce the chance that others will inadvertently access the data and reduce the probability that the cloud will be a target of hackers.
- Look for redundancy in the storage model provided by the vendor, to reduce the risk of irretrievably lost or corrupted data.
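The internal measure above, encrypting data before it is sent to the vendor's system and keeping a fingerprint of the stored copy so a backup can be checked against it, is shown here as an added example. It is not code from the original article or from any provider; it assumes the organization keeps the AES-256 key itself (the vendor never receives it), uses the object name the vendor stores the record under as associated data, and the sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is the only thing handed to the vendor: ciphertext (nonce prepended)
// plus a SHA-256 fingerprint of that ciphertext. The organization keeps the
// fingerprint locally so it can later verify its backup copy is unaltered.
type Record struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext || auth tag
	Digest     string // hex SHA-256 of Ciphertext
}

// NewKey generates a 256-bit AES key. It stays with the organization and is
// never sent to the vendor, so the vendor holds ciphertext only.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The label (assumed here to be the
// object name at the vendor) is bound as associated data, so a record copied
// to a different name will not decrypt.
func Seal(key, plaintext []byte, label string) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, []byte(label))
	sum := sha256.Sum256(ct)
	return Record{Ciphertext: ct, Digest: hex.EncodeToString(sum[:])}, nil
}

// Open checks the stored bytes against the locally kept fingerprint, then
// decrypts. Modification of the stored copy, in transit or at rest, is caught
// by the fingerprint check or by GCM's authentication tag.
func Open(key []byte, rec Record, label string) ([]byte, error) {
	sum := sha256.Sum256(rec.Ciphertext)
	if hex.EncodeToString(sum[:]) != rec.Digest {
		return nil, errors.New("stored copy does not match local fingerprint")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rec.Ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := rec.Ciphertext[:gcm.NonceSize()], rec.Ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key, _ := NewKey()
	doc := []byte("constructed sample document: Q3 payroll export") // constructed input
	rec, err := Seal(key, doc, "backups/payroll-q3.enc")
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor receives %d bytes of ciphertext, fingerprint %s...\n", len(rec.Ciphertext), rec.Digest[:16])

	got, err := Open(key, rec, "backups/payroll-q3.enc")
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, doc))

	// A single flipped bit in the stored copy is detected before any decryption.
	tampered := rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	_, err = Open(key, tampered, "backups/payroll-q3.enc")
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The key, not the contract, is what keeps the vendor from reading the data, so the key must be stored and backed up independently of the vendor; as the article notes, client-side encryption may still be insufficient where regulation dictates how confidential data is handled.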
