So you've decided, or it's been decided for you, that your company will use cloud applications in 2013. Maybe you already are among the converted and you're ready toexpand use of cloud apps. What you may not have seen among the forecasts for cloud adoption rates are shifting sands under your feet in the form of local, national andinternational laws that put you in the cross hairs - mandatory fines and potentially jail sentences - should your information be compromised. That's why lots of people are rethinking their plans, and justifiably so.
Consider a typical deployment. You select a cloud vendor, get an SLA and ensure you have redundancy in case of an outage. That's the promised ease of use and deployment, correct? But did your cloud vendor explain that each country or geography where you have customers and employees has very specific, and very different, cloud data protection regulations? If you have employees accessing cloud applications from China, for example, there are more than 200 local and provincial laws you must adhere to, and those regulations are complicated further by China-specific industry sector-based regulations. Among the most onerous are the country'sState Secret Laws.
Companies doing business in Australia have been warned that the risk for litigation should be factored into their due diligence when selecting a cloud vendor. Each country or geography where they store and process data and which may be different from where they physically operate also has specific data laws that must be followed. To complicate matters, these rules and regulations are very likely to change over time, particularly as technological advances emerge and government regulators fine tune their policies. A solution to these challenges that gives companies downstream flexibility is critical.
As a first step, cloud customers need to scrutinize service provider security policies thoroughly before jumping into an arrangement based primarily on cost savings and scalability.
In regulated jurisdictions, cases of information misuse will be investigated and prosecuted. And more often than not, the cloud user will be the target of the litigation. As highlighted in Australia's Cloud Computing Information Sheet, for example, if a business can't answer basic questions about where its data is located, who owns and controls the service provider organization, and what happens to data when contracts terminate, the business is directly at risk.
Put another way, seize the day and take advantage of everything cloud has to offer now, but trust no one when your personal hide might be on the line. Big brand or little, domestic or foreign provider, read the contract closely. Carefully investigate statements made by cloud providers about legal compliance or other security credentials. Especially with international vendors, they may not know the details of the regulations that an individual enterprise needs to adhere to, let alone those of a specific geographic region, or the specific policies of an industry group. Should data become compromised, they are not liable in most cases.