Rajesh concluded his presentation by reiterating the dynamic nature of the Internet and technology, which in combination would give rise to different types of legal issues in the event of breaches or system failures. He stressed that organisations must remain vigilant and be prepared, and be aware of the need for expert support in data retention and preservation of computer output evidence for compliance with rules of evidence in the event of criminal prosecution or litigation.
He also added that appropriate measures must be put in place to protect confidentiality and privacy, as the consequences of failure to do so could be severe.
Steps to Better Cloud Security
To protect your corporate crown jewels in the cloud, here are 10 steps to follow:
1. Pick the right provider. Take due diligence seriously. "Given that the category and its players are still relatively new, consider how you'll extract yourself and your sensitive IP in the event that your cloud provider fails abjectly to live up to its contract, goes out of business, or is acquired by a competitor," advised Slaby. "Take a careful look under the hood at any prospective cloud provider's plans around disaster recovery." If you want sophisticated protection of trade secrets, seek out only providers that offer sophisticated solutions with higher-security requirements.
2. Select the right service. Do everyone a favour -- don't sign your first-ever cloud contract for a core business function. "Many clients looking for benefits of the cloud are purposely moving IP last," said Bell, testing the waters with commodity services like IT service management or QA on standard software. "It's a way to make sure they understand the nuances."
3. Read the fine print. Cloud services are deceptively simple in the ads. "In many cases, that simplicity is masking underlying complexity that has been considered and resolved against the customer," said Hansen of Baker & McKenzie. "Read the contract, not the website," added Church. "There are terms that directly contradict the advertising, and these need to be ferreted out before any data is moved." It's not unusual to see "get out of jail free" provisions disclaiming vendor liability if confidential information is published. Never, ever, sign the cloud provider's online contract, advises Todd Fisher, partner in the outsourcing practice of K&L Gates, who has reviewed agreements giving the service provider use of client data for purposes other than for the provision of the services or ownership of derivative works based on that data.
4. Add some fine print of your own. If your cloud computing deal involves IP-related data, strong contractual protections are critical. Eisner of Mayer Brown suggested including requirements that the provider follow stated and approved security and other industry standards, rights to audit or to receive regular audit or certification reports, rights to name the locations where data and applications will be processed and stored, rights to approve subcontractors, a change control process that provides for advance notice and opportunities to work around or mitigate pending changes, and reasonable liability for non-performance by the provider. Make sure the protections and controls are explicit and measurable, added Slaby.