Cloud services customers -- more often line of business leaders than IT executives -- were beginning to realise that their intellectual property (IP) was now at risk. Some, like one client who discovered that he had potentially exposed his company's precious formulas, had to bring the software and associated processes back in-house -- at no small expense.
There is always some danger when handing over critical company data to a third party. "Cloud computing entails IP issues similar to traditional IT outsourcing in that you are entrusting sensitive data to a provider who probably won't treat it as carefully as you would," said Jim Slaby, sourcing security research director for outsourcing analyst firm HfS Research. "Your applications will be running on IT infrastructure you do not own or control."
But cloud-based services introduce increased IP threats. The nature of the business -- whether it's software-, infrastructure-, or platform-as-a-service -- makes understanding where the data is, who has access to it, and how it's being used more difficult, noted Greg Bell, principal and the Americas service leader for information protection at KPMG. There is a much higher degree of virtualisation -- from networks to storage to servers. "[For example,] a highly-distributed, highly-virtualised pool of storage resources used by a cloud service may make it much more difficult for the provider to guarantee that deleted files have been securely deleted -- not just [removing] the file-system pointer to the data, but [overwriting] the actual data itself -- from every single location that the cloud provider might have stored them on," said Slaby.
Cloud providers are more likely to use subcontractors to meet spikes in demand. Cloud-stored data often hops from country to country, some with weak IP laws or enforcement. "Similarly, if your provider uses personnel who can remotely access your data and IP from countries with weak IP laws, you may be putting your IP at risk of theft or misappropriation, with little recourse," explained Rebecca Eisner, partner in the privacy and security practice of Mayer Brown in the US.
Finally, because many cloud services have grown out of consumer offerings, their standard contracts are severely lacking. "A term in a contract that provides that the cloud vendor owns all content a customer may put on its systems may be OK if that content is a picture of your dog, but may not be so good if you're talking about your development environment," said Edward Hansen, partner and co-chair of the global sourcing practice at Baker & McKenzie.
As the name suggests, data and IP in the cloud may as well be floating in the ether minus any vendor obligations or controls introduced by the customer into the deal. "Typically, [customers] are focused on cost reduction and performance. Intellectual property issues are viewed as 'lawyer issues,'" said Mayer Brown's Eisner. "In reality, a cloud provider's ability to protect intellectual property rights should receive as much scrutiny as the information security, price and technical solution."
Sign up for CIO Asia eNewsletters.