This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Be Sure You Own and Control Your Data in the Cloud

Contractual, technical, and political solutions to thorny problems.

Moving enterprise data to the cloud raises a host of novel issues. Some will be solved contractually and some technologically, but others are inherently political.

Everyone wants to become more agile by embracing cloud technologies. Herewith a handful of considerations you'll need to understand before moving critical data to the servers of a cloud supplier. They proceed from the basic to the more subtle to the near imponderable.

Own your own data. It may seem obvious, but you need it spelled out in the contract. Until fairly recently the question of data ownership was not addressed in the default contracts of some cloud vendors. This is beginning to change. For example, section 8.1 of the Amazon Web Services agreement begins: "As between you and us, you or your licensors own all right, title, and interest in and to Your Content."

Control your data. The contract should specify what outside parties your data can be shared with -- ideally, this is some variant on "only those necessary for fulfilling the terms of the contract." What use can the supplier make of your data? Same answer. They shouldn't be able to mine it for any purpose. If there are exceptions in which the cloud supplier's employees will access your data, do they promise to tell you if this happens? When UC Berkeley decided whether to go with Google or Microsoft for cloud services, they noted in their decision matrix that neither company would commit to informing them if or when employees accessed university email data.

No roach motels. It's unacceptable if data checks in but cannot check out. Ensure that the contract spells out your right to get your data back, at the end of the term or earlier if you choose to withdraw. Your data must be available in appropriate standard (not proprietary), readable formats. The contract should say how long your data will be available after termination, and enumerate any costs for getting it out (ideally this will be zero).

Quick access when needed. In litigation-related discovery actions, you may have e-discovery obligations with a timetable attached. Make sure that you can have the needed access in an emergency.

Encrypt. In the best of all possible worlds, your data would never rest in the clear on someone else's equipment, and all employees who access it would do so over secure connections. (Secure access from mobile devices can be a challenge, but that's another blog post.) Encryption is no panacea, not even the elusive quantum crypto. Data are likely to spend time unencrypted in your supplier's memory, for example when decrypted for processing, though recent research holds out hope of improvement here.

Keep governments out. This is a tough one. The US government claims the right under the US PATRIOT Act to examine whatever data it wants that is stored with a US vendor, even if the physical storage is in other countries. It can do so without telling the vendor, or you. Europe's concern over this privacy hole is costing US companies cloud business. Those behind the "advanced persistent threat," believed to be Chinese state actors, may have an easier time carrying out industrial espionage in the cloud (though even the best of corporate and government security hasn't kept them out). The best you may be able to do here is choose your hosting venue with care, and encrypt, and work to improve the laws in your country.

What other wrinkles of moving enterprise data to the cloud have you grappled with? Please let us know in the comments.