Cloud Computing: What Leaders Need to Know

As corporations and governments increasingly move their information technology operations to the cloud, managers are taking on new responsibilities regarding the protection of the personal data of their customers. Leaders need to ensure that their organizations utilize cloud service providers that enable them to meet such responsibilities.

Cloud computing is the storing, processing and use of data on remotely located servers accessed over the internet. The cloud enables organizations to command computing power without having to make major capital investments. By using the cloud, companies and governments can make their services more efficient at lower cost.

For all its promise, the cloud presents a critical challenge to institutions that employ it: Customers will only knowingly consent to the release of their data to cloud service providers if they have confidence that their data is safe. Where in the past organizations could build safeguards regarding the handling of data into their own systems, now they must rely on their cloud provider to ensure that data is properly handled.

The consequences of a failure properly to maintain personal data can be severe. In an article providing guidance to educational institutions contemplating cloud usage (http://www.huffingtonpost.com/daniel-j-solove/educational-institutions-…), George Washington University Law School Professor Daniel J. Solove provided a telling anecdote regarding the risks attendant to losing control of data through outsourcing:

“In one instance, a university medical center outsourced transcription of its medical records to a company in California, which then subcontracted with a person in Florida, who subcontracted with a person in Texas, who ultimately subcontracted with a person in Pakistan. The person in Pakistan wasn't paid by the person in Texas, so she wrote to the medical center and threatened that she would expose all the records unless the medical center got involved and made the Texas person pay.”

Other risks might be regarded as more pedestrian, but are of potentially equal consequence to persons whose data is abused. At least one cloud service provider makes it a practice to scan the data it processes in order to discern the particular interests of individuals and, ultimately, to target advertisements to them. While various degrees of “anonymity” might be applied to such practices, the spectre of abuse of such personal information rests only “a click away.”

Managers are thus confronted with the dual task of achieving the efficiencies of the cloud and safeguarding the personal data of their customers. In essence, they must develop confidence in the practices and policies of their cloud service provider.

The starting point for any manager is to select a cloud services provider that commits to a baseline set of data safeguards. The key is to contract with a provider that puts its customers, rather than its own corporate interests, first. The manager’s due diligence should include scrutiny of the following:

  • The level of the provider’s investments in privacy and comprehensive security measures meant to ensure the protection of customers’ data.
  • The extent to which the provider is able to provide clear and easy-to-understand information about where the data resides as it is processed, who can access it, and what specifically is being done with it.
  • The extent to which the provider supports its customers’ obligations to meet industry-specific and geography-specific compliance regimes.
  • The provider’s compliance with world class industry standards verified by independent third party experts.
  • The provider’s willingness to subject itself to appropriate sanctions if it fails to live up to its privacy and security commitments.
  • The provider’s willingness to agree contractually to limitations on the use of the data turned over to it for processing.

Of course, due diligence must extend beyond ensuring satisfactory policies and practices. Managers should engage in routine assessments of providers’ compliance.

Finally, managers would do well to follow and engage in the many policy debates concerning cloud issues, as they have a unique opportunity to enhance the acceptance of cloud services by their customers. Increased confidence in cloud services will stimulate growth and innovation in businesses of all sizes.

It is incumbent upon businesses and governments to take full advantage of the advantages provided by the cloud. At the same time, businesses must continue to protect the fundamental interests of consumers in privacy and security. 21st century managers must be vigilant in ensuring that the lure of the new not lead to disregard of basic concerns, lest the economic advantages of the cloud stall owing to a lack of public confidence.