Moving to the Cloud: Privacy


This post is the fourth in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Few topics related to cloud computing create more passion than privacy.  Knowing how well your organization’s information will be safeguarded is key to trusting a service provider and to the decision to go to the cloud in the first place.

Privacy, while closely related to security, differs in that security addresses access to and protection of information, whereas privacy addresses who may access data and how it may be used.

When considering privacy, organizations should start with three documents from the service provider:

  1. Terms of Service / Contract:  Most cloud providers provide clear terms and conditions related to privacy in their terms of service.  These include statements about content ownership and access rights; clauses covering confidential information; statements regarding the provider’s access to customer data and content; and terms related to how the service provider will respond to subpoenas and other third-party demands for data.
  2. Service Level Agreement:  Many cloud providers include terms related to privacy in their service level agreement.   In some cases, the SLA stipulates time frames for addressing privacy issues.
  3. Privacy Policy:  Most cloud providers now have one or more privacy policies.  These policies may be universal to the provider’s service, or may cover specific aspects of the services (such as use of the web site/portal).

When looking to choose a cloud solutions provider, look at all three documents.  Verify that they are comprehensive and clear.  Understand how they address any particular regulatory requirements for your organization.  Validate that they are consistent — that no conflicts or gaps exist that could lead to confusion or misunderstandings down the road.

Make sure the review of privacy policies looks at the specific customer agreements and policies that apply to your organization.  Many cloud providers offer “free” or “consumer” services with different terms and conditions than their paid (or free) solutions for business, government, education, and non-profits.   Many organizations spin their wheels and raise unwarranted concerns by not focusing on the specific, applicable agreements and policies.

Finally, review the privacy performance of the service provider.  If they have had any sort of breach, or a privacy dispute, understand the nature, scope, and response.  Understand if the breach was provider-related or due to the actions or inaction of the customer.  Assess the appropriateness of the provider’s response given the nature of the issue.

Again, due diligence is key.  A small amount of research, a few questions, and an accurate understanding of how a service provider plans and manages privacy will help organizations determine if the provider meets the organization’s privacy needs and priorities.

Next Post in the Series:  Lock-In


Previous Post in the Series:  Provider Reliability

  1. Bob Siegel says:

    Privacy concerns for cloud computing are multidimensional. Some concerns are along the lines described above such as:
    – How do you know that companies sharing the same server as you cannot see your data?
    – What controls are in place to make you comfortable with knowing that only you can see your information?
    – What is the cloud provider doing with the data that has not been shared with you?
    – Are their employees looking at your information and doing analysis on it and reading my customers’ e-mails?
    – Are they transferring it to other third parties?
    – What training have their employees received?

    There are also legal implications that must be considered when using a cloud provider.

    Where the data is located is one of these concerns. For example, if the data is about people in Europe there are strict export requirements that must be fulfilled. If the data is in the cloud, has it been exported?

    Also, if there is a breach on a server in the cloud, how will the provider know what data was accessed? How will you be notified of a breach and in what time frame? Will you need to notify your customers even though your data may not have been accessed?

    Before moving to a cloud model a privacy professional should be consulted to confirm that your business may not be inadvertently negatively impacted.

    • Allen Falcon says:

      Bob,

      Good points and good advice. When working with organizations on cloud migrations, we discuss the types of data and related regulations and best practices. Certifications like Safe Harbor and EU Safe Harbor help mitigate the risk.

      Would you like to create a guest blog post on the core privacy considerations when moving to the cloud?

      Allen
