Author: Bernhard Kainrath, Senior Manager, Legal Field & Deal Management, NetApp; Dr. Dierk Schindler, Head of EMEA Legal Field Operations & Worldwide Contract Administration, Attorney at Law, NetApp
If you're thinking of investing in any cloud service, be smart and make sure you do your homework first. Two seasoned practitioners - Bernhard Kainrath and Dr. Dierk Schindler - discuss the importance of knowing the risks before making any commitments, so you can get the top benefits from a cloud service without any unpleasant surprises.
Today, most of the technical and commercial barriers for companies to move to a cloud infrastructure have been removed, and exciting new business opportunities are possible. But beware - cloud computing isn't for everyone. Decision makers very often don't know the many risks that could lie ahead or, if they do, they don't know how to handle them. This article offers potential cloud customers an insight into questions to ask if they're thinking of moving their data to the cloud - and future trends to consider that could change everything.
Confidentiality, integrity and availability – the big cloud risks
Few would disagree that cloud computing offers many opportunities. It improves a company's operational efficiency and so strengthens its competitiveness. It also improves flexibility, reduces capital costs and spending on technology infrastructure, and provides adaptable "work from anywhere" environments, automation, a reduced carbon footprint and much more.
Depending on a single cloud service provider creates operational and commercial risk. Growing dependence shifts the balance in contract negotiations in favor of the supplier: the customer may have to accept higher prices, or face a supply shortage that quickly becomes a business continuity risk.
While these risks may seem obvious, the consequences for data security and data protection are often less prominent. So-called "vendor lock-in", for example, can create a severe data security and data privacy problem. Before outsourcing any service to the cloud, CIOs should first consider their legal and corporate guidelines and identify which systems and services are critical to the company. On that basis they may decide to combine different types of cloud solution, or to keep certain data or applications "in-house."
Know what questions to ask
Security in the cloud
The basic principles of IT security revolve around confidentiality, integrity and availability, known as the "CIA triad." Everything that needs to be done to secure an IT infrastructure relates to at least one aspect of the triad, and these requirements do not change in the cloud. The advantages of the cloud may sound good, but with less direct control the customer must ultimately place a high degree of trust in the provider, which makes it vital to address the following questions with the cloud provider before committing.
Vendor lock-in means that it is not easy to transfer a product or service to a competitor, or to bring it back in-house. An example would be a customer wanting to move their email from one cloud email provider to another.
The best way of avoiding vendor lock-in and cross-sector dependence on a single cloud provider is interoperability. Any contract between cloud provider and cloud customer must guarantee support for data relocation at both the beginning and the end of the business relationship. It should state clearly which data formats and interfaces are used, when data will be imported or exported, and what the costs are, if any. It must also stipulate that the provider deletes the customer's data after termination.
Open cloud standards and open source are keys to achieving true interoperability. Standardization efforts in cloud computing are evolving, but much of this work is still unfinished. Many new standards designed explicitly for the cloud are not yet fully mature, and for some cloud business models no standards exist at all.
When intrusions lead to leaks of personal data, the damage to a company's brand, customer relationships and intellectual property can be substantial. According to Kaspersky Lab's Global IT Risks Report,1 a global survey of attitudes and opinions on IT security, 94% of the companies surveyed had experienced some form of external security threat, and only 46% of businesses thought their conventional security solutions provided adequate protection. These figures are alarming, and take on greater significance when an organization engages a cloud provider to process personal data on its behalf, since in some circumstances that provider bears no responsibility for data privacy compliance.
A common misconception is that giving up control of data passes data privacy liability on to the cloud provider. The Data Protection Directive of the European Union (EU)2 requires Data Controllers to observe a number of principles when processing personal data. Data Controllers are the bodies or people who collect and manage personal data, and they must comply with EU law when handling it. If a company selects a cloud provider for the storage and processing of data, the cloud provider will usually act as the Data Processor on its behalf. This means that the Data Controller remains responsible for how the data is processed and for compliance with data protection law. In this scenario, if the cloud provider stores data outside the European Union, the cloud customer must ensure that the data remains protected.
One response to this risk is to implement a hybrid cloud strategy. As a first step, Data Controllers must compare the risk levels of a private and a public cloud scenario. After that assessment they should decide which personal data can be moved into the cloud and which should never move; creating data categories for this purpose is recommended. Another important step is to obtain consent from individuals before collecting, processing, storing or transferring their personal data. The requirements for consent can vary from country to country when data is processed in a multinational environment.
When you choose, take your time
Finally, we recommend spending some time on selecting the right cloud provider. Today, various cloud providers specialize in distinct markets, and niche cloud providers are emerging that tailor their services to those markets. Seen from this angle, it is better to choose a cloud provider whose services are designed for your specific requirements; otherwise the mismatch can introduce an additional set of risks.
If a cloud provider files for bankruptcy protection, the only thing that matters is how quickly you can access and repatriate your data. What precautions can you take in advance to minimize the drawbacks of a cloud provider bankruptcy?
What are the trends in cloud computing?
In the near future, ownership of data will take on greater significance. The Internet of Things has the potential to disrupt everything. According to Cisco Systems3, the number of devices connected via the Internet is expected to reach fifty billion by 2020. These smart connected things are already present in all areas of our lives, capturing, transferring, analyzing and acting on data. Everyday items such as white goods collect information, wearable items monitor our sporting activities and cars can monitor the behavior of drivers. But where does all that data end up? In many cases it is sent directly to the cloud.
There is no doubt that all of the current developments in the Internet of Things can make our lives easier, but we need to be aware that data is hugely valuable. Who owns this data? Does the owner of a smart washing machine own the data about how they use it?
The biggest risk of all is that no one knows what lies ahead. Potential cloud customers should consider that cloud computing is not for everyone and weigh the level of risk they would be taking if they decide to move data into the cloud. If organizations do finally decide in favor of the cloud, they should be as well prepared as possible, in every way.
Clearly one of the biggest lessons you don't want to learn the hard way is that using cloud services requires a clear contractual understanding.
ABOUT THE AUTHORS
Bernhard Kainrath – Sr. Manager Legal Field & Deal Management, Northern EMEA
Currently, Bernhard Kainrath is member of the EMEA Legal Management Team at NetApp and leads a team of legal professionals and pre-sales project managers to support NetApp's "Big Deals" business in the Northern EMEA Area (Nordics, UK & Ireland, Benelux). His team works closely together with the sales teams and leads, negotiates and operationalizes complex deals. He gained many years of management experience at BMC Software and Hitachi Data Systems, amongst others. In addition to his international management responsibilities, he has been lecturing and authoring in his field since the beginning of his professional career.
Dr. Dierk Schindler, Member of the Board of NetApp Deutschland GmbH, Head of EMEA Legal Field Operations & WW Contract Administration, Attorney at Law
Dr. Schindler studied Law at Augsburg University, where he also completed his doctoral thesis in European Law. In 2012, Dr. Schindler became Head of Legal Field Operations in EMEA and a member of the senior staff of NetApp's new General Counsel, Matthew Fawcett. In 2014 he additionally assumed responsibility for leading the worldwide Contract Management & Services Team of the Global Legal Department. Dr. Schindler regularly presents to both business and peer groups as well as at various universities in and outside Germany. He also serves as a sworn member of the Board of Examiners of the Chamber of Commerce.