Posts

Moving to the Cloud: Privacy

 

This post is the fourth in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Few topics related to cloud computing create more passion than privacy.  Knowing how well your organization’s information will be safeguarded is key to trusting a service provider and to the decision to go to the cloud in the first place.

Privacy, while closely related to security, differs from it: security addresses access to and protection of information, while privacy addresses who can access data and how it may be used.

When considering privacy, organizations should start with three documents from the service provider:

  1. Terms of Service / Contract:  Most cloud providers provide clear terms and conditions related to privacy in their terms of service.  These include statements about content ownership and access rights; clauses covering confidential information; statements regarding the provider’s access to customer data and content; and terms related to how the service provider will respond to subpoenas and other third-party demands for data.
  2. Service Level Agreement:  Many cloud providers include terms related to privacy in their service level agreement.   In some cases, the SLA stipulates time frames for addressing privacy issues.
  3. Privacy Policy:  Most cloud providers now have one or more privacy policies.  These policies may be universal to the provider’s service, or may cover specific aspects of the services (such as use of the web site/portal).

When looking to choose a cloud solutions provider, look at all three documents.  Verify that they are comprehensive and clear.  Understand how they address any particular regulatory requirements for your organization.  Validate that they are consistent — that no conflicts or gaps exist that could lead to confusion or misunderstandings down the road.

Make sure the review of privacy policies looks at the specific customer agreements and policies.  Many cloud providers offer “free” or “consumer” services with different terms and conditions than their paid (or free) solutions for business, government, education, and non-profits.  Many organizations spin their wheels and raise unwarranted concerns by not focusing on the specific, applicable agreements and policies.

Finally, review the privacy performance of the service provider.  If they have had any sort of breach, or a privacy dispute, understand the nature, scope, and response.  Understand if the breach was provider-related or due to the actions or inaction of the customer.  Assess the appropriateness of the provider’s response given the nature of the issue.

Again, due diligence is key.  A small amount of research, a few questions, and an accurate understanding of how a service provider plans and manages privacy will help organizations determine if the provider meets the organization’s privacy needs and priorities.

Next Post in the Series:  Lock-In

 

Previous Post in the Series:  Provider Reliability

Moving to the Cloud: Provider Reliability

 

This post is the third in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

One of the challenges in planning a move to the cloud remains the relative youth of the current industry.  While the concept of cloud computing is not new (tip your hat to Control Data in the 1980s and their mainframe time-sharing service), most cloud computing services are relatively new.  Even services from long-standing, reliable vendors — like IBM and Dell — are relatively new ventures for these firms and have yet to be proven in a long-term market.

Organizations looking at any cloud service, be it SaaS, PaaS, or IaaS, must consider the reliability of the provider.  In doing so, the customer must also understand the benchmarks vendors use when reporting their statistics.  Considerations include:

  • What is the availability of the service?  How well does the service provider meet their Service Level Agreement (SLA) benchmarks in terms of total downtime and/or service disruptions?
  • What is the reliability of the service?  How often does the service experience issues?  While most organizations tout availability, 6 disruptions lasting 10 minutes may have more impact on your operations than a single hour-long disruption.
  • Does the provider have performance benchmarks?  If so, how well does the provider meet the benchmarks?  In moving to the service provider, what expectations/needs will you have with respect to WiFi capacity, fixed network performance, and Internet capacity?   In many cases, the limiting factor on end-user performance is not the service provider or the Internet speed — it is the organization’s internal wired and wireless capacity.
  • What level of support do you expect?  Understanding how the provider delivers support — directly or through resellers/partners — is key to an organization’s long-term satisfaction with the service.
  • Does the vendor have the financial stability for the long-term?  With the number of start-ups in the cloud space, this factor may be the most difficult to ascertain.  Looking at the company’s financials, funding levels, and profitability can provide some insight.  Assessing whether the provider would be a good buy-out or merger target can also instill confidence that your provider will not go away unexpectedly.

With a modicum of due diligence, organizations can assess the reliability of cloud solution providers before making a commitment.  Reputable vendors will openly share their data and will not hesitate to discuss failures and how similar events will be prevented going forward.  And while this type of discussion feels new, it is the same process CIOs and IT decision makers have been using for decades as they evaluate new technologies and vendors.  The players are new, but the process remains the same.

Next Post in the Series:  Privacy

Previous Post in the Series:  Moving to the Cloud: Cost Savings