Putting your information system infrastructure and/or data in someone else’s hands via cloud computing offers many advantages compared to on-premises deployments. Many manufacturers have weighed the trade-offs between the two and have already moved various elements of their overall information technology (IT) environment into cloud-based environments provisioned by selected service providers. Many others are actively investigating this possibility.
Of course, beyond assuring uptime, access and extensibility, one of the most prevalent concerns about putting your systems and data in the hands of a third party to manage is security. While most organizations claim they have performed adequate due diligence in establishing and managing the security of their cloud-based information systems, the reality is that this may not be the case at all.
To explore this a little further, consider some of the data points cited in a 2013 whitepaper from PwC titled “The Global State of Information Security Survey 2014”. One headline from this study notes that 84 percent of CEOs globally express confidence in the adequacy of their security programs. 1 However, digging into the information gathered as part of this survey reveals a great deal of disparity in actual security programs and preparedness across countries and regions around the globe. For instance, companies in the U.S. are more likely to have a formalized corporate information security strategy but lag the rest of the world in key operational elements of such a strategy, such as:
- Measuring/reviewing the effectiveness of these security policies in the last year.
- Having backup and recovery policies in place that ensure business continuity.
- Collaborating with others to improve security and reduce risks. 2
This seeming disparity between what CEOs believe the readiness of their security programs to be (or at least are willing to state in a survey) and actual results when compared with others globally comes at a time when the number of detected corporate security intrusions in the U.S. rose 117 percent and financial losses due to security incidents rose 48 percent year over year in 2013. 3
Looking at the variety of legal considerations and issues that pertain to cloud-based IT infrastructures used in globalized environments also yields some thought-provoking questions and observations that should be considered in any manufacturer’s cloud-based information security program. A recent article published by Stovesky and Benesch in September 2013 offers the following three questions for consideration in this area:
- “Does your company understand the domestic and global data security and privacy landscape?”
- “Is your company adequately protected from legal risks and contract breaches?”
- “Has your company included compliance in the business case for ‘the cloud’?” 4
With regard to question #1, Stovesky and Benesch point out that many countries have instituted broad-based legislation and regulations that are uniform across multiple industries. For instance, the European Union nations and Switzerland have passed expansive legislation standardizing rules in areas such as privacy, security, eCommerce, distance selling, and the use of “cookies” and other devices that affect the privacy of personal information across industries. Other nations, including Canada, Australia, Mexico and many of the industrialized nations of Asia, have enacted stringent privacy and security laws, regulations or guidelines that apply to all cross-border data transmissions.
The situation in the U.S. is radically different. In this country, privacy and security law is defined by industry sector where specific types of data are deemed to be particularly sensitive. Examples include Gramm-Leach-Bliley in financial services, HIPAA and HITECH in healthcare, and Sarbanes-Oxley in securities reporting. One consequence of this divergence in approach is that companies seeking to provision information on a global basis via the cloud must look beyond just their own compliance with highly variable laws and regulations worldwide and ensure that their third-party cloud services providers are also in compliance.
In their discussion of question #2, Stovesky and Benesch point to several interesting examples. With regard to compliance with the Sarbanes-Oxley Act in the U.S., the authors comment that manufacturers should consider negotiating terms into their contracts with Information-as-a-Service (IaaS) cloud providers that allow for periodic security audits, as well as indemnity clauses providing remuneration for data security lapses and breaches. For companies that have employees’ health information stored in a third party’s cloud, the authors recommend that both employers and their cloud services provider ensure they are fully aware of the so-called “MEGA Rule”, a recently adopted extension to the HIPAA and HITECH regulations in the U.S. Stovesky and Benesch recommend that employers ensure terms requiring compliance with HIPAA/HITECH regulations, including the MEGA Rule, are built into their contracts with applicable cloud services providers.
In the case of question #3, U.S. manufacturers that have not adequately understood the complexities and costs of maintaining compliance with a myriad of domestic and international laws and regulations may have miscalculated the viability of the business case that initially supported a move into the cloud. Stovesky and Benesch recommend that legal counsel supporting a manufacturer’s contracting process for cloud services ensure that questions such as those noted below are adequately addressed:
- “What are the vendor’s policies and procedures for managing non-compliance with information security?
- How does the vendor dispose of or remove data from recycled systems and devices?
- Does the vendor have employee background check procedures and compliance agreements in place?
- How are employees trained on security awareness?” 5
Cloud computing continues to attract the attention and wallets of many manufacturers, but companies pursuing this information deployment and management option need to recognize that this is still an emerging area on the ever-changing technology services landscape. For many, one of the biggest challenges to making this technology option work for them may be tied to the old proverb, “You don’t know what you don’t know”. Resolving that knowledge gap may make all the difference between a successful and an unsuccessful journey to the cloud.
Notes:
1. Loveland, Lobel, Nocerra, Harries, Hunt, Burg, and Roath; “The Global State of Information Security Survey 2014”; 2013; PricewaterhouseCoopers, LLP; New York, NY.
2. Loveland, Lobel, Nocerra, Harries, Hunt, Burg, and Roath; “The Global State of Information Security Survey 2014”; 2013; PricewaterhouseCoopers, LLP; New York, NY.
3. Loveland, Lobel, Nocerra, Harries, Hunt, Burg, and Roath; “The Global State of Information Security Survey 2014”; 2013; PricewaterhouseCoopers, LLP; New York, NY.
4. Stovesky and Benesch; “Companies Must Include Legal Risks in Business Case for Moving to the Cloud”; IndustryWeek; Sept. 30, 2013.
5. Stovesky and Benesch; “Companies Must Include Legal Risks in Business Case for Moving to the Cloud”; IndustryWeek; Sept. 30, 2013.