IT and cyber-security consulting firm Enterprise Risk Management (ERM - Miami, FL) has this advice: “Know who you are working with and do your due diligence before you migrate your data to the cloud.” The firm notes that most cloud service provider agreements specify that the organization itself is still responsible for its own internal IT security. “Not all cloud computing services are created equal,” warns ERM’s CEO Silka Gonzalez.
“Larger cloud providers should have the resources to provide strong IT security around the technology, right down to their own employees,” she adds. “Smaller providers may not be able to offer the same level of comprehensive risk management.”
To ensure data security, Gonzalez recommends that enterprises start by asking these 7 baseline questions of their cloud providers:
1. Who has access to your confidential corporate information?
2. Where does the data reside?
3. How will the cloud impact E-Discovery?
4. What happens if you need to migrate your data to a new provider?
5. How would a security breach be handled?
6. What about liability, intellectual property and data jurisdiction?
7. Does the cloud provider meet all regulatory compliance standards?
ERM notes that the Florida Bar Professional Ethics Committee recently joined other states in publishing a proposed advisory specifically related to cloud computing and the ethical obligation of lawyers to understand the technology they are using and how it potentially affects client data confidentiality. Gonzalez recommends that companies bring in someone who specializes in IT security, understands cloud computing, is familiar with IT service provider agreements, and is up to date on regulatory compliance.
“It’s a lot cheaper to do your extra due diligence up front than to try to fix the problem after it occurs,” she concludes.