Are companies getting into the cloud without considering outcomes?
There are companies out there that are well aware of the risks and, more importantly, how to reduce them. But there are a lot of companies that don’t have experience when it comes to the implementation of cloud applications and cloud infrastructure and don’t do a good job.
A business can be disrupted if a service it relies upon goes down. Is there anything a company can do about that?
In a contract, that’s one of the essential things that you’re trying to protect against. You have to ask: What could go wrong? You’re no longer in control of the data; some vendor is. And what you need to get really comfortable with, through due diligence and contractual terms, through auditing and benchmarking, is that the vendor can protect the data at least as well as (but hopefully better than) you could. The risk is that one day you wake up and see the news that your supplier just suffered a breach and it was all your data.
What questions should CIOs ask of their providers to minimize that risk?
You want to ensure that there’s proper ownership of data. You should continue to own your own data; you should be able to continue to use your data. You should be able to ensure that the vendors are backing up the data frequently.
Obviously, you’re looking for very, very thorough confidentiality protections. You’re looking for appropriate limitations with respect to the providers’ use of the data. A lot of providers are going to want to use that data in aggregated form for a whole lot of reasons. You might want to limit that, depending on the sensitivity of the data and other factors.
There’s a world of data-security questions that you’re going to want to ask.
What does due diligence look like?
Due diligence needs to be a process an organization can undertake to make the deal really clear. You need to understand how sensitive the data is that you’re pushing into the cloud and how critical the service is. If you understand the sensitivity of the data and the criticality of the service, you can prioritize.
So, for example, if you have sensitive data and a mission-critical process for utilizing it, that’s an area where you want to do a lot more diligence. A low-risk category would be where you’re dealing with a not-so-mission-critical process and generally available data. In those situations where you can accept more outages and more variability in the performance of the application, perhaps you need to do a bit less.
Are providers generally receptive to customers saying, “This is the contract we want,” as opposed to the provider determining the contract?
There are lots of applications out there that come with contracts that are not negotiable. And there are lots of contracts and providers where there absolutely is room for negotiation. That doesn’t mean that you don’t want to be aware of the risks even in those nonnegotiable deals. You should be able to identify red flags and, even if you can’t negotiate terms, you should enter into the deal with your eyes wide open.
What sort of clauses should companies watch out for?
One of the biggest red flags is going to be a contract that permits a vendor to use your data, without your authorization, in some way in which the data could be identified. Any clauses that give the vendor sole control over your data and over what can be done with your data are really alarming things.