With many organisations giving cloud computing serious consideration, a question we are often asked is, "Should we be putting our data in the cloud?" Organisations should be concerned about their data, wherever it is - it's a strategic business asset, after all. Indeed, this concern should extend to wherever the data is, depending on what it is and how it is being used.
Each organisation is different and no blog post would be long enough to map out all the different risks and options, but we can get an idea of where to look for causes of concern. Here we separate risks out into non-scientific but nonetheless helpful categories of security, privacy, supplier and compliance.
Security risks first, then. When we say data need to be kept secure, what we're really thinking is that malicious third parties can't get hold of it, to use or damage it in some way. Of course you need some kind of assurance that a cloud provider is protecting your data against security risks - just as you would need such an assurance from your IT department. It has been said that cloud providers can be more secure than internal IT, or indeed, storing data locally on a laptop PC. This may or may not be the case for your organisation, but the fact is, both need to be treated with equal diligence.
When we think about privacy risks, we're focused on personal information, whether it's about customers, suppliers or staff. The UK data protection act isn't strictly concerned about whether data is stored in the cloud or not - it only wants to be confident that you are only storing personal data that you need to store, and that you are storing and processing each type of data in an appropriate manner. In other words, while some data may be fine if stored in the cloud, other data may not.
Supplier risks mostly boil down to whether your supplier can be trusted. We've covered security, but equally you will want to be sure that the supplier is managing your data effectively, backing it up appropriately, and able to recover in case of a serious fire, flood or other critical failure. You may need to have some confidence in supplier staff, perhaps even to the extent of reviewing recruitment policy for certain data. There's also the question of what happens if a supplier goes bust - will you be able to access your data then, even if simply to export it?
While you may have everything taped, in some industries you will need to prove it. Compliance risks encompass your ability to demonstrate that you are following the rules - for example, by presenting event logs, running audits and so on. Certain regulations may also require that you know exactly where the data is, or that it stays 'in-country' - which can be a challenge for international cloud service providers. You'll also want to know whether your data will be kept confidential, if a court summons or an e-discovery request is received by the supplier.
The bottom line is that there is no hard and fast answer to whether you should be putting your data into the cloud. Simply put, you will need to decide for each type of data, the risks associated with its storage and processing based on the different options available - cloud or otherwise. In some cases a cloud-based option will be able to reduce your risk levels, and in other cases, you may be better off keeping the data in house. In other words, making a cloud decision without forethought could be as damaging as keeping the blinkers on and leaving things as they are.