What are the increased risks and how can you contain them? Does a solution lie in negotiating a comprehensive and balanced cloud supply agreement with the provider? Who should be responsible within your organisation for managing these issues?
In no particular order, the principal areas of concern for a purchaser of cloud services are: privacy, security, data access, location and movement of data, sub-contracting/third-party involvement, liability and responsibility, confidentiality, statutory or industry-specific requirements, audit, performance accountability, business continuity, insurance, disputes, termination and changing suppliers. This is not an exhaustive list, but it covers the key areas.
Before tackling these questions, there is a fundamental concept that must be accepted: understanding, implementing and using third-party cloud facilities is a 'team' effort and not the work of one or two people.
Yes, it is highly desirable to have one person manage the responsibility. However, that one person will need to understand the nature and breadth of the diverse range of personnel and roles he or she will need to oversee and draw information from. They will also need to maintain clear communication lines with, and support from, all those people.
There are clearly many IT-related issues in setting up and operating a cloud connection that the IT manager and support team will need to investigate extensively, including connectivity, storage locations, access, security and backup.
However, there are other areas requiring attention. Depending on the industry you are involved in, you may have industry-specific legislation or other requirements to identify and comply with regarding data handling and storage.
The Privacy Act is very likely to apply to data you collect or are supplied with, and retain. Your insurance may need to be reviewed (and possibly expanded and upgraded) to provide liability cover for the new data-handling circumstances.
If data is your core business, product liability cover may be an issue. It is essential that you put in place updated disaster recovery procedures and policies to take into account using the cloud.
Your executive management needs to be regularly briefed on all these issues and provided with status updates. Directors need to be advised that management of these issues likely goes to whether or not they properly discharge their legal duties as directors/executive managers.
Your HR department will need to look carefully at levels of access into the cloud facilities and whether additional terms are needed in your employment agreements. Internal staff guidelines and policies will also need to be expanded to cover what information can be put into the cloud and who is authorised to upload and download data.
It's a lot of work, but preparing thoroughly and understanding the breadth of the risk you are taking is vital if you are to avoid major problems and, in the worst case, losing access to and control of your critical business data.
In the second part of this series, I will explore some of the detail behind the key issues and questions posed.