The term “cloud computing,” -- a process by which remote computers are used to store, manage and process data -- is no longer an unfamiliar term. According to at least one estimate, “approximately 90 percent of businesses using the cloud in some fashion.” American Airlines is assessing major providers of cloud services for an eventual relocation of certain portions of its customer website and other applications to the cloud.
What some may not realize is that there are actually three main types of clouds: public, private and hybrid. Public clouds are those run by a service provider, over a public network. For example, Amazon Web Services offers public cloud services, among others. A private cloud is operated for a single entity, and may be hosted internally or by a third-party service provider. A hybrid cloud is a composition of two or more clouds, such as a private cloud and a public cloud, such that the benefits of both can be realized where appropriate. Each of these cloud infrastructure types has different advantages and disadvantages.
For a given company looking to migrate to the cloud, the appropriate option will be motivated in part by business considerations; however, data privacy and security laws, compliance best practices, and contractual obligations will provide mandatory baselines that companies cannot ignore. As such, relevant laws, best practices, and contractual obligations serve as a useful starting point when evaluating the appropriate cloud option.
Most every organization has data flow systems that receive data, and then process and use the data to deliver a service. Below are three initial steps a decision maker should take when evaluating a potential cloud infrastructure choice.
First, consider the statutory implications of the types of data being processed
For example, is the system collecting social security numbers and driver’s license numbers? Pursuant to California Civil Code Section 1798.81.5, businesses that “own or license” personal information concerning a California resident are required to “implement and maintain reasonable security procedures and practices . . . to protect the personal information from unauthorized access, destruction, use modification, or disclosure.” Of course, many other state and federal laws may also provide additional obligations, such as the HIPAA Security Rule, which applies to certain health information under certain circumstances.
Deciding which relevant laws apply, and then interpreting language such as “reasonable security procedures and practices” is a complicated process. Companies should consult experienced legal counsel regarding these risks, especially in light of potential liability.
Second, consider any relevant contractual obligations
For example, many companies may have contracts that provide for certain service level availability (SLA) obligations for services they provide. It is also possible that these contracts could have their own security requirements in place that must be met.
Third, decide which cloud architecture option makes sense in light of the first two steps as well as business considerations
After senior decision makers, with the benefit of experienced legal counsel, have decided what elements of applicable laws, best practices, and contractual obligations apply, further business considerations may need to be addressed from an operational standpoint. For example, interoperability with other services may be an issue, or scalability may be an issue.
Through these requirements, in conjunction with appropriate information technology stakeholders, the appropriate cloud architecture can be chosen. Private clouds can offer the strongest security controls, as they are operated by a single entity and can offer security options not present in public clouds. As such, a private cloud may be appropriate where a very strong security stance is deemed necessary. Public clouds are often less expensive, but offer a more limited range of security options. A hybrid cloud may be appropriate where an entity hosts certain high security data flow systems, as well as other systems with less sever security requirements. For example an entity that has an HR system that contains social security numbers, as well as an employee shift scheduling system might choose to host the HR system on a private cloud, while hosting the customer feedback system on a public cloud system, with limited cross over and interoperability between the two systems.
Once you have chosen which cloud suits your business and data flow, the real work of getting appropriate contract documents in place begins. We'll discuss those issues in a future blog post.