Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

When your data's in the cloud, is it still your data?

When your data resides on a cloud provider's infrastructure, your ownership rights could be compromised. For example, what's to prevent the cloud provider from deciding to access your data and use it for its own purposes? That's why any contract for cloud services should include language clearly affirming your ownership of your data.

The good news is that well-established cloud vendors are beginning to include language along these lines in their standard contracts. For example, section 10.2 of the Amazon Web Services contract states:

"Your Applications, Data and Content. Other than the rights and interests expressly set forth in this Agreement, and excluding Amazon Properties and works derived from Amazon Properties, you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content."

It hasn't always been this way with cloud computing, but as customers have voiced their ownership requirements, providers have made improvements in this area. As the cloud continues to evolve, if customers clearly state their needs, then smart cloud providers will listen and respond.

Depending on the nature of your data and how it's processed in the cloud, it may also be necessary for the contract to include language affirming your institution's ownership of the results of any processing of its data that occurs while on the cloud provider's system.

With ownership clarified, the next step is to identify the limitations on how the cloud provider may use your data. In most cases, you'll want to limit the provider's use solely to that which is necessary for it to fulfill its obligations under the contract. It is also prudent to specifically exclude the provider from any mining of your data.

Be ready for the divorce

Once your data and processes have moved to cloud, you become more dependent upon the provider. You could be locked into its services, a situation that increases the cloud providers leverage over you in negotiating contract terms.

I know this sounds like advising someone to find a divorce lawyer before getting married, but to mitigate the risk of vendor lock-in, you need to plan in advance for the eventuality that you may decide to switch to a different provider or bring your data and processes back in-house. With this in mind, the contract should state your rights to access your data on an ongoing basis. Specifically, the contract should:

* Describe the process by which your data will be returned, whether done midterm or upon contract termination.

* State the amount of time the provider will have to turn over your data.

* Specify that the data must be provided in a commonly used format that is pertinent to your expected needs, and not in a proprietary or otherwise inaccessible format.

* Define how long after termination of the contract your data will remain accessible.

* Quantify the cost to you (ideally none) to export your data.

Some vendors have begun to embrace these ideas. For example, see Google's Data Liberation Front efforts and Microsoft's Office 365 commitments regarding Data Portability.

Other access issues

When codifying your rights to access your data, be sure to consider emergency situations. For example, e-discovery obligations to preserve, collect and produce data for litigation-related discovery actions can be more difficult to comply with when your data is in the cloud, because you do not have direct control. Yet your failure to produce pertinent data in a timely manner can result in significant fines. This risk can be mitigated by contractually requiring the cloud provider to establish mechanisms by which you can retrieve your data within a specified time frame.

Finally, the contract should obligate the provider to destroy your data after termination of the contract and should specify the manner in which this should be done, the time frame for doing so, the need for the cloud provider to produce certification of destruction, and your right to audit.

Join me at UCLA on Jan. 19-20 for my seminar "Contracting for Cloud Computing Services."

Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Amazon, Google, Microsoft, Topic, UCLA
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: cloud computing, internet
Latest Blog Posts
Whitepapers
  • SOA Adoption for Dummies
    This book describes our approach to SOA adoption, which we call SOA rocket science. SOA adoption, like a real-world rocket, experiences a danger zone between blast-off and the weightlessness of orbit. When fully realized, SOA can transform your business. But until firmly established, your SOA dreams can plummet back to earth.
    Learn more »
  • Printer Usage and Cost Management Strategies for the Australian Mid-market, an Unrealised Opportunity
    This whitepaper was commissioned to aid senior business and ICT decision makers of medium-sized government and corporate organisations, including marketing, finance, and technology executives to better understand the current use of print devices including copiers, printers and multi-function Page 19 Reproductions in whole or in part are prohibited. This whitepaper also provides insights into how current management practices can be improved to optimise investments and improve sustainability. Read on.
    Learn more »
  • Top 5 Myths of Safe Web Browsing
    There are a lot of misconceptions out there about safe web browsing. You might think you're being safe. But without the facts it’s next to impossible to stay protected against today’s changing threats. In this paper we describe the top five myths of safe web browsing, what the facts really are, and what you can do to stay secure.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.