As the name suggests, data and IP in the cloud may as well be floating in the ether minus any vendor obligations or controls introduced by the customer into the deal. "Typically, [customers] are focused on cost reduction and performance. Intellectual property issues are viewed as 'lawyer issues,'" says Mayer Brown's Eisner. "In reality, a cloud provider's ability to protect intellectual property rights should receive as much scrutiny as the information security, price and technical solution." "We are seeing some awareness dawning of how much weaker some cloud providers' contracts are in security terms," adds Slaby of HfS Research. "But the siren song of lower costs and greater flexibility is difficult to resist."
To you protect your corporate crown jewels in the cloud, here are nine steps to follow:.
Pick the right provider. Take due diligence seriously. "Given that the category and its players are still relatively new, consider how you'll extract yourself and your sensitive IP in the event that your cloud provider fails abjectly to live up to its contract, goes out of business, or is acquired by a competitor," advises Slaby. "Take a careful look under the hood at any prospective cloud provider's plans around disaster recovery." If you want sophisticated protection of trade secrets, seek out only providers that offer sophisticated solutions with higher-security requirements.
Select the right service. Do everyone a favor -- don't sign your first-ever cloud contract for a core business function. "Many clients looking for benefits of the cloud are purposely moving IP last," says Bell, testing the waters with commodity services like IT service management or QA on standard software. "It's a way to make sure they understand the nuances."
Read the fine print. Cloud services are deceptively simple in the ads. "In many cases, that simplicity is masking underlying complexity that has been considered and resolved against the customer," says Hansen of Baker & McKenzie. "Read the contract, not the website," adds Church. "There are terms that directly contradict the advertising, and these need to be ferreted out before any data is moved." It's not unusual to see "get out of jail free" provisions disclaiming vendor liability if confidential information is published. Never, ever, sign the cloud provider's online contract, advises Todd Fisher, partner in the outsourcing practice of K&L Gates, who's reviewed agreements giving the service provider could use of client data for purposes other than for the provision of the services or ownership of derivative works based on that data.
Add some fine print of your own. If your cloud computing deal involves IP-related data, strong contractual protections are critical. Eisner of Mayer Brown suggests includingrequirements that the provider follow stated and approved security and other industry standards, rights to audit or to receive regular audit or certification reports, rights to name the locations where data and applications will be processed and stored, rights to approve subcontractors, a change control process that provides for advance notice and opportunities to work around or mitigate pending changes, and reasonable liability for nonperformance by the provider. Make sure the protections and controls are explicit and measurable, adds Slaby.
Expect to pay more. Standard terms keep cloud computing cheap. "Their traditional business model is to replicate data automatically based on usage patterns," says KPMG's Bell. "When you remove that capability to do something special for your environment, you create additional costs."