Around this time last year, the cloud computing contract signings were coming fast and furious -- not just for commodity work like IT management or email, but for software and infrastructure closer to the core of corporate value. Not long after that, the calls started to come in to Greg Bell, principal and the Americas service leader for information protection at KPMG.
Cloud services customers more often line of business leaders that IT executive -- were panicked as they began to realize that their intellectual property (IP) was now at risk. Some, like one client who discovered that he'd potentially exposed his company's precious formulas, had to bring the software and associated processes back in-house -- at no small expense. "They quickly went through an assessment, made very aggressive movement [into cloud computing], and then had to retreat because they were not able to put the proper controls in place," says Bell.
There's always some danger when handing over critical company data to a third party. "Cloud computing entails IP issues similar to traditional IT outsourcing in that you are entrusting sensitive data to a provider who probably won't treat it as carefully as you would," says Jim Slaby, sourcing security research director for outsourcing analyst firm HfS Research. "Your applications will be running on IT infrastructure you do not own or control."
But cloud-based services introduce increased IP threats. The nature of the business-whether its software-, infrastructure-, or platform-as-a-service -- makes understanding where the data is, who has access to it, and it's how being used more difficult, notes KPMG's Bell. There's a much higher degree of virtualization -- from networks to storage to servers. "[For example,] a highly-distributed, highly-virtualized pool of storage resources used by a cloud service may make it much more difficult for the provider to guarantee that deleted files have been securely deleted -- not just [removing] the file-system pointer to the data, but [overwriting] the actual data itself -- from every single location that the cloud provider might have stored them on," says Slaby.
Cloud providers are more likely to use subcontractors to meet spikes in demand. Cloud-stored data often hops from country to country, some with weak IP laws or enforcement. "Similarly, if your provider uses personnel who can remotely access your data and IP from countries with weak IP laws, you may be putting your IP at risk of theft or misappropriation, with little recourse," explains Rebecca Eisner, partner in the privacy and security practice of Mayer Brown. Finally, because many cloud services have grown out of consumer offerings, their standard contracts are severely lacking. "A term in a contract that provides that the cloud vendor owns all content a customer may put on its systems may be okay if that content is a picture of your dog, but may not be so good if you're talking about your development environment," says Edward Hansen, partner and co-chair of the global sourcing practice at Baker & McKenzie.
Sign up for CIO Asia eNewsletters.