Companies everywhere are moving core enterprise systems to the cloud. Formerly complicated and expensive on-premises outsourcing implementations are now relatively simple and inexpensive in the cloud. This reduction in cost and complexity is causing an explosion of cloud services and cloud service providers. With multiple cloud services, many companies are losing track of the who, what, where, when and why of their data. Below, we outline potential issues involved in having multiple cloud services and service providers, along with a proposed action plan to stay on top of your growing cloud services environments.
Who is ‘the cloud’?
“The cloud” doesn’t exist. “The cloud” is a hodgepodge of private, public and hybrid data centers used to store data and host cloud services. Cloud service providers typically operate independently from data centers and are ecosystem-driven — they want your data in their environment so you will purchase more of their offerings. To achieve this exclusivity, many cloud service providers prohibit or otherwise restrict access to data or the ability to transfer data between cloud environments. Failure to address these issues in the planning and contracting phases can lead to a nightmare.
What’s in your clouds?
With multiple environments and services, it is easy to lose track of what data goes into which environment, and who has access to the data. Not all cloud services are the same — failure to monitor and enforce security levels and access limitations could lead to disastrous results. For example, if one provider is HIPAA-compliant and another is not, transferring protected health information from the HIPAA-compliant cloud to the non-HIPAA-compliant cloud could lead to significant regulatory fines.
Where is your data?
To offer competitive services, providers are always looking to reduce costs. One way they do this is by offshoring data storage and processing. Depending on the type and sensitivity of the data being offshored, this practice could subject you to the laws of foreign jurisdictions. These foreign legal obligations could arise even if your data is stored in the U.S. but processed offshore. These compliance obligations get even more complicated if you are dealing with sensitive data, such as protected health information or financial data.
When can you exchange data, and are there transition services?
Transferring data between environments is not always permitted, even when it is technically possible. If the legal agreements do not permit the transfer of data between environments, you may not be allowed to do so. Likewise, if the implementation plan does not specify compatible data schemas and formatting, you may be technologically prevented from exchanging data between systems. Additionally, many companies fail to plan for the transition from one vendor to another. Without proper planning for the end of the relationship, your cloud vendor may not have an obligation to help you migrate your data to a new service provider, or worse, it could delete all of your data without liability.
Why do you have so many vendors?
The abundance of cloud service offerings designed to address specific business needs may entice your organization to purchase similar cloud services in multiple business areas. Additionally, business needs change and the cloud vendor’s offerings may expand, which can lead to overlapping or duplicate cloud services. Overlapping cloud systems increase costs and, if sensitive data is involved, increase exposure to the risk of security and contractual breaches.
How do you move forward?
The issues identified above are just the tip of the iceberg. Your vendor management strategy depends on a number of factors, including industry and risk tolerance. It is important to develop and implement a vendor management process. Here are some things you can do to develop your own vendor management process:
- Identify key stakeholders across your organization and develop a cross-functional team to address vendor management issues and participate in the process. Team members could include management, legal, IT and procurement. Your efforts to establish a complete solution are unlikely to be successful if you do not have the support and involvement of your organization’s key stakeholders.
- Understand the types of data your organization has and establish the criteria your organization will use to classify data.
- Use your established classification criteria to develop policies and procedures that set expectations for your personnel and vendors on how to handle and manage your data and access to your systems.
- Map how data flows through your organization by identifying which vendors have access to which systems and the type and scope of access they have.
- Follow the process and be diligent; processes only work if they are applied consistently.
With proper planning, management and execution, you can successfully manage your expanding cloud services portfolio.
Kyle Wood is senior counsel at Perkins Coie LLP — Technology Transactions and Privacy Group. Jordan De La Cruz is an associate at Perkins Coie LLP — Technology Transactions and Privacy Group.