There are many circumstances that can arise with the result of your data falling into the hands of a third-party provider, such as vendor acquisitions, mergers, or outsourcing to SaaS. The risks surrounding data in the cloud will rise and fall significantly if your business is not on top of the regulations regarding data ownership.
It is vital for your business to be fully aware of the potential risks, and also what the possibilities are of a third party becoming involved and perhaps withholding your data.
Customers must ask themselves some important questions -- will a third party follow the same security regulations and guidelines as my chosen vendor? What's the policy toward retracting my data from the third-party cloud? Do I have a business continuity plan if there is an issue with the third party? How much, if anything, do I know about this third party?
"Generally, companies signing up to cloud solutions would be expected to do extensive research before investing in that solution and it is the CIO's responsibility to make sure that sufficient due diligence is done to have cloud as part of their infrastructure plans.
Nevertheless, businesses need to be aware of user access privileges and what sort of access they are granting a third-party cloud provider. Questions they need to ask are, 'Who at the back end has access to my data?' and, 'If they do have access, how often and why?'" says Nassir Nauthoa, General Manager, Intel GCC.
Joe Fagan, Cloud Sales Director, Seagate EMEA, believes it's a little bit more complicated than this: "Few people really understand all the legislation surrounding third-party cloud services because the legislation itself has not yet caught up with reality."
"In fact, in most territories, there are conflicting pieces of legislation regarding retention and disposal of certain types of data. For the time being, best practice is to be able to demonstrate that reasonable efforts are being made to comply with the most relevant industry sector and geographic legislation that applies. The cloud service provider is normally aware of the applicable legislation and should consult partners in this regard."
Who's in control?
Critically, once your contract agreement has been signed and your data is in the cloud, it's important to understand who has ownership and responsibility for it. Too often, companies get into service agreements with cloud providers without understanding the regulations surrounding such issues.
"One of the main challenges of adopting cloud solutions in the Middle East is that while there are regulations in place, they are confusing, inconsistent and in some cases contradictory. Lack of a clear regulatory environment is slowing down cloud adoption in the region," says Kevin Harris, Enterprise Technologist, Cloud Computing, Dell Emerging Markets.
Sign up for CIO Asia eNewsletters.