These and other related issues and tasks clearly need to be co-ordinated by management and your professional advisors, and brought together in a cohesive and informed way. One essential ingredient is the contract for supply of cloud services.
Even though there are a range of steps to be taken, both investigative and preventative, the majority of them will also need to be addressed in the contract.
This is a key document for several reasons. Firstly, there must be a comprehensive statement of the rights and obligations of both parties, otherwise the supplier will not be accountable for failures.
Secondly, even though there are a number of essential practical steps and precautions to be taken to move into the cloud, it is critical that cloud users protect themselves legally.
Without a thorough and enforceable contract, not only might you not be able to take protective action against the supplier, your insurance may be prejudiced and possibly the senior executives may have breached their duties by failing to ensure an adequate contract was put in place.
The contract must address a range of important issues. The items touched on above -- privacy, disaster recovery, backup, day-to-day access -- must all be covered in your contract.
Apart from standard items that should be dealt with in a supply of services type agreement, there are very specific elements that must also be included, which are unique to cloud-related situations. I will touch on some of them here.
There are two critical geographical issues that must be covered. Firstly, where is your cloud supplier -- is it an Australian corporation or is it an offshore entity? Even if it is a local entity, is it using sub-contractors who may or may not be on-shore?
Non-Australian entities are for the most part not subject to Australian law, and therefore you may not be able to say with certainty what rights you might be able to enforce against a foreign provider, no matter how comprehensive your contract is.
Secondly, in what country/location are the cloud supplier's data repositories? Where the data is stored offshore, it is essential to know the locations. Foreign laws vary enormously in terms of your rights, if any, to access your data.
The answers to these two questions will govern a number of different clauses that will need to be included in your contract to provide you with appropriate protection. One provision in particular that becomes very important will be a prohibition against moving the data, and/or sub-contracting to other parties to handle and manage the data.
An absolute no-no in using commercial cloud facilities is a standard form, non-negotiable contract. The interests of supplier and customer are so diametrically opposed in this particular sub-industry that a standard form contract would almost invariably be totally inadequate to protect a commercial user of cloud facilities.
Data is one of the most valuable commodities in the commercial world -- protect yours properly.