Can anyone access the data that you trust to the safekeeping of a cloud-computing vendor? It's a good question, made all the more relevant by the revelations regarding the National Security Agency's Prism program. So how can you best address these issues in your contract with your cloud vendor?
Stories by Thomas Trappler
One of the biggest stumbling blocks for companies contemplating entrusting a cloud-computing vendor with their data is the risk of unintended data exposure. A lot of data is sensitive. It might contain employees' financial information, patients' statutorily protected health information, other regulated information or proprietary intellectual property. Quite often, companies feel more in control when they keep that sort of data in-house. But the risk that a cloud vendor might not handle your information as securely as you'd like can be mitigated.
One way to ensure that your cloud-computing contract covers all the issues that will be important to your company is to begin the process of exploring cloud vendors with a request for proposal (RFP). A solid RFP can be an effective way to compare and identify the best cloud services to meet your needs while also serving as the starting point for your cloud-computing contract.
When contracting for cloud-computing services, one challenge is that there may be more parties involved than your company and the cloud vendor. The vendor might outsource some of the services covered in the contract, or it could end up under different ownership after a merger or acquisition. On the client end, you might choose to work with a cloud broker. Because the introduction of third parties can increase risk, it's essential for potential cloud clients to identify third parties before adopting a cloud service, thoroughly understand their roles and ensure that their responsibilities are effectively addressed in the contract.