A few weeks back, an undisclosed number of unfortunate users discovered that the data they had stored with file-sharing site Megaupload may be gone forever.
While they may yet get their data back, the incident raises questions for enterprises. To wit: If your cloud provider disappears or is commandeered by the law or other forces, what happens to your data? Just as importantly, will your customers or end users be able to hold you responsible for what is lost?
Liability for lost information isn't the same as security. But it's certainly related. If a breach occurs, the small print on a contract can mean disaster for unprepared cloud customers -- as a few Megaupload users are finding out the hard way.
The answer is that there is no one answer about who is ultimately responsible for data in clouds. At least one source states that responsibility depends on the kind of cloud service you've signed up for. Another says once data is encrypted, the encryptor is responsible for it, even if it is stored in a cloud.
"One of the most overlooked areas in contract negotiation between cloud providers and their clients is who is responsible for the safety and protection of data," writes Internet Evolution contributor Mary E. Shacklett in an email today. "The topic is rarely discussed in the boilerplate agreements presented by cloud providers -- which clearly places the responsibility on [the cloud customer to] ensure that this topic is discussed and added to the contract before any agreement is signed."
Still, a comprehensive agreement signed up front may not cover everything. Results of a sponsored study published nearly a year ago by researchers at The Brookings Institution as part of a "Cloud Legal Project" described the challenges of establishing liability by data location and jurisdiction of services. It also discussed issues of "confidentiality, integrity, availability, and security." Among the conclusions:
Perhaps the most disconcerting discovery of the Cloud Legal Project’s survey was that many providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web. In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes.
So even a contract you assume may be legally binding may in fact be subject to change at a moment's notice -- and unless you make adjustments up front, you may be responsible for finding that needle of change in a haystack of legal verbiage.
The issue of data ownership may have been in part behind the City of Los Angeles's decision to keep Google from supplying its cloud-based enterprise apps to the city's police department. While specifics about that failed arrangement were never divulged, at least one source speculated early on that the city's IT managers felt Google was unable to guarantee that data housed on Google's servers would meet law enforcement's rigorous demands around data ownership and oversight.
Does all of this mean that establishing reliable ownership over data is impossible with cloud services? Not at all. But just as there is no single answer to the problem, there is no single contract to rule all cloud relationships. The burden is on you, the enterprise subscriber, to ensure that your cloud partner signs on a dotted line you both can live with.
Good article, as always, Mary, and thought provoking.
It appears that we are assuming control is the same thing as responsibility. Now that there are more choices and we are relying on third parties to assist us, we retain the responsibility unless we specifically define the resonsibilities and assign, through contracts, that responsibility to the service provider.
Here again, this is why we need to think through the details and clearly specify what we want; then we will not be caught short and holding the bag.
DHagar
Mary, thanks for the posting. Clearly some food for thought on what business needs to be thinking about when considering cloud services. The interesting thing to think about is whether you would negotiate with a "traditional" outsource service provider without these considerations. And they more fundamental - store your stuff in one place and trust it to be there when you need it? Keep making us think! - Christopher
Yes, it does seem that the fine print of cloud agreements is still a work in progress. There is nothing set in stone, nothing standardized. It's worth having a lawyer draw up a comprehensive document.
Great blog, Mary. The quote from Mary S., and the idea that cloud providers simply post contract updates, both made me raise an eyebrow. But with all of that considered, you're right that the onus is on the user to protect his/her data. Remember that study that came out sometime last year? The one that showed that cloud vendors don't think it's their responsibility to worry about cloud security? That should be proof enough that users have to make their data their responsibility.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Like other leading technology-using businesses, Walmart is starting to look like a vendor in its integration of the latest technologies to serve its customers. That's what led it to buy two Silicon Valley cloud startups this week.
IT executives are worried about business units that use social media, Dropbox, Skype, and other public clouds without working through IT. This "cloud sprawl" creates concerns about security, compliance, and other potential problems for the enterprise, according to a study.
Cloud computing helped Netflix score a big win this week, meeting a thousandfold increase in demand and driving the Internet video service provider back to profitability. It provided Netflix with "availability, scalability, and cost savings," chief executive officer Reed Hastings wrote in a letter to shareholders.
Curious reports this week suggest that HP's blossoming interest in offering converged cloud services puts the PC giant in direct competition with Amazon. That's not how I see it.
All the recent hoopla about cloud security overlooks an important point, which is that it's not strictly a cloud problem. The linkage of online services into cooperative chains creates the risk, and only biometrics and federation of providers can save us.
Enterprises are discovering that using social networking within the secure setting of a SaaS provider's network gives them an unusual opportunity to freely collaborate with partners, suppliers, and even competitors.
Microsoft's recent decision to bundle its Office software with business partner offerings indicates that cloud software may be in the news, but licensed packages are still in demand for failover.
The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
Ontario's information privacy commissioner explains the unintended consequences of facial recognition technology and how biometric encryption can make it safer.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
ITRC found that more than 600 security breaches took place in 2012. Flaws were found in some of the nation's most respected companies: Apple, Citibank, and Wells Fargo. So, it seems the bad guys are doing better than the men in the white hats.
Multi-tenant clouds assure security for clients, but not necessarily for their ideas. Here's one thing you should discuss with your cloud provider before you sign on.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Subsidized handsets, rather than locked handsets, should be the focus of regulators. We're not getting good deals, not fostering innovation, and weakening our power as buyers.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
