on October 4, 2016
The term "cloud computing," meaning a process by which remote computers are used to store, manage and process data, is no longer unfamiliar. According to at least one estimate, "approximately 90 percent of businesses [are] using the cloud in some fashion." American Airlines is assessing major providers of cloud services for an eventual relocation of certain portions of its customer website and other applications to the cloud.
What some may not realize is that there are actually three main types of clouds: public, private and hybrid. Public clouds are those run by a service provider over a public network; Amazon Web Services, among others, offers public cloud services. A private cloud is operated for a single entity, and may be hosted internally or by a third-party service provider. A hybrid cloud is a composition of two or more clouds, such as a private cloud and a public cloud, arranged so that the benefits of each can be realized where appropriate. Each of these cloud infrastructure types has different advantages and disadvantages.
For a given company looking to migrate to the cloud, the appropriate option will be motivated in part by business considerations; however, data privacy and security laws, compliance best practices, and contractual obligations provide mandatory baselines that companies cannot ignore. As such, relevant laws, best practices, and contractual obligations serve as a useful starting point when evaluating the appropriate cloud option.
Almost every organization has data flow systems that receive data, and then process and use that data to deliver a service. Below are three initial steps a decision maker should take when evaluating a potential cloud infrastructure choice.
First, consider the statutory implications of the types of data being processed
For example, is the system collecting social security numbers and driver's license numbers? Pursuant to California Civil Code Section 1798.81.5, businesses that "own or license" personal information concerning a California resident are required to "implement and maintain reasonable security procedures and practices . . . to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." Of course, many other state and federal laws may impose additional obligations, such as the HIPAA Security Rule, which applies to certain health information under certain circumstances.
Deciding which laws apply, and then interpreting language such as "reasonable security procedures and practices," is a complicated process. Companies should consult experienced legal counsel regarding these risks, especially in light of potential liability.
Second, consider any relevant contractual obligations
For example, many companies have contracts that commit them to certain service level availability obligations, typically set out in service level agreements (SLAs), for the services they provide. These contracts may also impose their own security requirements that must be met.
Third, decide which cloud architecture option makes sense in light of the first two steps as well as business considerations
After senior decision makers, with the benefit of experienced legal counsel, have decided which elements of applicable laws, best practices, and contractual obligations apply, further business considerations may need to be addressed from an operational standpoint. For example, interoperability with other services or scalability may be an issue.
With these requirements in hand, and in conjunction with the appropriate information technology stakeholders, the appropriate cloud architecture can be chosen. Private clouds can offer the strongest security controls, as they are operated for a single entity and can offer security options not present in public clouds. As such, a private cloud may be appropriate where a very strong security stance is deemed necessary. Public clouds are often less expensive, but offer a more limited range of security options. A hybrid cloud may be appropriate where an entity hosts certain high-security data flow systems alongside other systems with less severe security requirements.
For example, an entity that has an HR system containing social security numbers, as well as an employee shift scheduling system, might choose to host the HR system on a private cloud while hosting the customer feedback system on a public cloud, with limited crossover and interoperability between the two systems.
Once you have chosen which cloud suits your business and data flow, the real work of getting appropriate contract documents in place begins. We'll discuss those issues in a future blog post.