There are four key areas through which you can mitigate the risks of cloud computing:
1. The contract: make sure you have meaningful liability terms, with each party’s duties carefully articulated – otherwise the contract could prove ineffective. The most important terms in the contract are those which establish which party bears the loss if the service provider suffers a security breach. Ask the provider to indemnify you for losses resulting from a data security breach. These costs might include breach notices, attorney fees, mailing costs, credit monitoring expenses and call centre expenses. Look closely at, and modify if necessary, any clauses that limit the provider’s liability and any consequential damage disclaimers. The contract also needs clear exit terms in case the provider becomes insolvent, with provision for you to get your data back or transferred to an alternative provider (including data held by third parties).
2. Due diligence: make sure your provider can deliver on their promises. The Cloud Security Alliance provides a framework of security concepts and principles designed to help you assess the overall security risk of a cloud provider.
3. Incident response procedures: try to lock your provider into incident response procedures that dovetail with your own. Stipulate:
4. Good insurance: the fourth emergency service is of course a good insurance policy: don’t underestimate the costs associated with an incident such as a data breach. The language used in policies varies widely – make sure yours covers your real exposures.
Buying cloud is a leap of faith. Before making the decision to move your data to the cloud, work through the potential risks, and make sure you control the risks through the contract. In choosing a provider you may be offsetting price against safety and control – so your choice will depend on the sensitivity of your data.