While untold numbers of print and imaging businesses are saving money these days by moving to the cloud, IT experts say these companies need to ensure that their cloud contracts include ironclad legal protections. Otherwise, they’ll suffer an uncertain future.
“Look at the news on any given day,” says Ron Zalkind, chief technology officer at CloudLock, a service provider that helps companies secure public cloud accounts, such as Google Apps and Sales Force. “You’ll clearly see that the number of risks and data breaches is only accelerating.”
Indeed, according to a study released earlier this year by Dresner Advisory Services (http://dresneradvisory.com), security concerns alone about the cloud still remain the primary barrier to a business’ move there, according to Howard Dresner, founder, DAS.
Raj Samani, chief technology officer, Intel Security EMEA, agrees: “As we enter a phase of wide-scale adoption of cloud computing to support critical applications and services, the question of trust within the cloud becomes imperative. This will become integral into realizing the benefits that cloud computing can truly offer.”
Case in point: An Intel report on cloud security released earlier this year found that more than one in five businesses are concerned about the security risk posed by the cloud, according to Samani.
Moreover, getting from ‘uncertainty’ to ‘protected’ can be more difficult than one might expect, given that many cloud service providers are reluctant to put their security assurances in writing.
“We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers,” says Alexa Bona, a managing vice president at Gartner (http://www.gartner.com), a market research group.
Even so, a significant percentage of businesses apparently believe putting together a workable cloud contract is worth the hassle, given the potential savings.
A survey released earlier this year by Viavi Solutions (http://www.viavisolutions.com/en-us), an IT services firm, for example, found that 28% of 740 organizations surveyed said a majority of their computer applications were already in the cloud.
And more than four-out-of-five organizations surveyed predicted that they’d be using computer cloud applications in some way by 2017.
Meanwhile, Experton Group (http://www.experton-group.com), an IT consultancy, found that in a recent study of 150 managed cloud services projects, companies that went to the cloud achieved an average savings in computing costs of 25%.
Moreover, according to Paul J. Wash, chief information officer of Dell, a global technology adoption study released by Dell (http://www.dell.com) last year found the following:
- 42% of businesses that migrated to the cloud reaped costs savings.
- 40% reported that their operations became more efficient.
- 38% said they felt their IT resources were better allocated when centered in the cloud.
The study also found that when companies combined migrations to the cloud with the adoption of other new advances in IT, such as Big Data applications and widespread dissemination of mobile devices, they enjoyed 53% higher growth rates than businesses that shied away from those new technologies.
Fortunately, federal governments on both sides of the Atlantic are working to ensure that businesses reap those savings without incurring any unnecessary booby traps.
EU regulators, for example, are aggressively pushing for more detailed cloud security agreements between providers and companies, and rolled out their first set of guidelines in 2014 (https://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines) — guidelines they worked out with key global cloud service providers like IBM, SAP and Microsoft.
Plus, similar efforts are underway at the U.S. National Institute of Standards and Technology (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/WebHome).
Essentially, the standards — which will apply to cloud service providers doing business with the federal government — are expected to serve as best practice cloud security contract templates for all of U.S. industry.
Until the hoped-for government guidelines arrive here in the U.S., it makes good business sense to ensure you have the key provisions you need in a cloud contract to ensure your data — and your print and imaging business — is secure.
Below is a distillation of the guidelines that are currently being recommended by the EU and those currently in development at U.S. NIST:
Be sure there are limitations on where your data will be geographically located.
Nail this down, or your company data could end up on a server in Iran. “You should stipulate certain countries you do not want your data to pass through—i.e. data cannot pass through HUAWEI routers, the Chinese equivalent to Cisco—as certain governments can seize property whenever they like,” says Andre W. Ahern, CEO, Ahern & Associates, a business consulting firm.
Be sure you have a detailed exit strategy from your cloud service provider.
Should you decide to move onto to another provider, you’ll want to be sure there is a clear pre-agreement about the transition.
Specifically, nail down how you’ll move your data and the data format your data will be sent to you for the transition. You’ll also want the kind of cooperation your old provider will give you in writing—and the amount of time you’ll have to secure your data. Otherwise, if you have nothing in writing, you could simply lose all of your data with a move.
“You should always be aware of what the exit strategy is when signing on for any cloud provider,” Ahern says. “A lot of providers will entice customers with cheap sign-on specials or monthly fee deals, but when the customer tries to leave, they charge an arm-and-a-leg to break contract.”
Beware of cloud providers that insist on the unilateral right to change contract terms.
Essentially, this right can give your cloud service provider a blank check to make changes to your contract terms on a whim—which will leave your data in the lurch. If the provider refuses to budge, be sure you can live with this provision.
Get documentation on how your provider will secure your data.
Any decent cloud provider will have internal protocols in place designed to safeguard your data and your company’s privacy. Get those protocols in writing. And get a guarantee that your provider’s security standards will be certified annually.
“Every cloud provider should have multiple data center locations as a backup to the other in case there is a loss of power or other complications at one of the data centers,” Ahern says.
Get documentation that your provider is aware of all local, regional, national, and international laws that pertain to the security and privacy of your data.
Get documentation and descriptions of the systems your provider has in place to comply with those laws. Also, get similar documentation that your provider is aware of and can comply with such laws that are specific only to companies in your industry.
Ensure that your provider will be able to provide usable data, should your institution be faced with an e-Discovery request during litigation against your institution.
Your attorney should know how to ensure this request is properly fulfilled.
Ensure that the cloud contract clearly states that your company retains ownership over all its data, and that the cloud service provider has no right to use your data.
Otherwise, the cloud provider may try to resell your data to third parties.
Ensure that your legal agreements extend to the subcontractors hired by your cloud provider.
This is an easy provision to overlook — and could wreak havoc on your contract with your provider if forgotten.
If possible, ensure that your IT director will be able to meet with the cloud security chief to evaluate the provider’s security protocols.
Also, ensure that your IT director will get immediate notice when any changes are made to those security protocols.
Ensure that you will be notified if your cloud provider suffers a security breach or is hacked in any way.
As we’ve all discovered the hard way, companies are often reluctant to inform clients that they’ve been breached.
Ensure that you’re able to encrypt your data before it leaves your company’s computers.
This provision can save untold headaches. Once encrypted, your data becomes much less of a problem for you in the cloud, no matter what goes on there.
“Adding an extra encryption on your data is a good precaution,” Ahern says. “What is more important is that the cloud provider’s data centers are SOX and SSEA 16 compliant: These are regulations which stipulate certain security measures for cloud servers.”
Arpan Joshi, a software design engineer at Concur, an SAP company, agrees with Ahern: “Encryption is a powerful mechanism for safeguarding an organization’s data and information both in-premise and on the cloud especially with the increasing use of cloud.”
Ensure that your data will be wiped clean from servers and other computerized storage devices that are taken out of service by you cloud provider.
Otherwise, a server or external hard disk with all your company’s trade secrets could pop up on eBay, and be sold to a pimply faced 15-year-old—or a competitor.
Secure a detailed agreement with your provider on how your provider will handle a system crash involving your data.
Also secure an agreement on how a security breach of your data will be handled. Don’t assume your cloud provider will be diligent.
Monitor the Cloud Security Alliance (https://cloudsecurityalliance.org): For the latest ideas and developments in cloud security, monitor this industry group. Its specific mission is to work on establishing international standards for security and privacy in cloud service agreements.
Grab the CSA’s forthcoming cloud security best-practice guidelines.
Top IT players from around the world are currently vetting a forthcoming CSA document, (https://cloudsecurityalliance.org/media/news/open-peer-review-big-data-security-and-privacy-handbook-100-best-practices-in-big-data-security-and-privacy/).
Once released, the document will offer an exhaustive look at the latest thinking on cloud security and how it’s best achieved. Essentially, the document will enable an IT representative from any business to walk into negotiations with any cloud provider and talk intelligently and perceptively about what that business wants from a cloud provider in extremely detailed, erudite terms.
“Security vendors and cloud providers must arm customers with education and tools, and cultivate strong relationships built on trust, in order to continue the adoption of cloud computing platforms,” says Jim Reavis, chief executive officer of the Cloud Security Alliance.
Once you — and your legal staff — are satisfied that your cloud contract is airtight, there’s only one thing left to do: kick back and begin to reap the benefits of the cloud.