Hugh,

I would suggest that we need to be very careful in distinguishing between
services offered by various cloud providers for "free" and services which
are contracted and paid for. I've been involved in many of these
arrangements over time and there are significant differences.

First off, rule number one is -- if a cloud service is "free", you and your
content is the product for the provider and the way they will make money.
The terms of service and contractual language will seldom be in your favor
and you have little to no leverage over the service provider. If the
provider decides to nuke your content, you have very little to say about
it. You get what you pay for. While this is seldom a major issue for most
folks, the RAIN post is a clear reminder of the risk.

If you pay for cloud services, there are generally two paths. In the first,
you "click through" an agreement and provide a credit card. For many
consumers, this is a typical approach for more advanced services. For some
organizations, it may be how they engage with a cloud provider. However,
you are stuck with the terms and conditions of that click through
agreement, so it is always in your best interest to read that agreement and
understand what you're signing up for.

The second paid path is what most larger organizations will encounter. This
is a negotiated arrangement with the provider. Contractual terms are agreed
upon and pricing is customized. In most instances, an organization can
contractually bind the provider to certain terms and conditions to ensure
confidentiality, integrity and availability of the data being held by the
provider. Data localization can also be agreed upon. This is very much like
any other outsourcing arrangement.

This last approach eliminates many of the concerns that people have about
certain providers. They are prohibited from data mining and required to
provide certain levels of protection of data. So many of the concerns
expressed by Hugh in his post are mitigated when a formal contractual
negotiation takes place.

The situations that I describe are typical when you or your organization is
dealing directly with a cloud services provider -- they are providing both
the platform and the software. But there are other providers out there who
provide a service or software, but leverage another provider's
infrastructure. These organizations are often the most risk because you are
contracting with one company, but you have no relationship with the company
that is actually hosting the data. A number of years ago, we were told by
outside counsel to use the firm's "e-discovery cloud". The URL was
something like: ediscovery.biglawfirmname.com. We signed on to the site and
noticed that the login page said, "Powered by Jim-Bob's E-discovery Suite".
We then looked at the IP address of that website and found that it was
going to a "cloud" provider in South Africa. We stopped what we were doing
and called by law firm. The partner claimed that the law firm was hosting
the site, onsite in their server room. When presented with the evidence we
had, he called in his tech guy. Well, it seems that BigLawFirm contracted
with Jim-Bob. Jim-Bob contracted with Billy-Joe for CPU and disk space, but
Billy-Joe had contracted with the South African "cloud" to provide that CPU
and disk, Oh, and the South African cloud was owned by a Japanese telecom
that was being bought by a Chinese company (I am dead serious about that).
And both Jim-Bob and Billy-Joe had click through agreements with the next
hop in the chain and neither could provide copies of what they agreed to.
Our only agreement was with BigLawFirm. BigLawFirm's only agreement was
with Jim-Bob. Our data was going to sit on a server in South Africa and be
managed by a company with whom neither we nor BigLawFirm had a direct
contractual relationship.

We put the data on USB drives and sent the data by courier to BigLawFirm,
with an admonition that the data better not end up in that cloud.

Recently, my team reviewed an arrangement with a company that provides
cloud-based flow charting tools (think Microsoft Visio). They are a
fraction of the cost of Visio, provide some nice bells and whistles, and
leverage Amazon Web Services for storage and computing power. "Great!" some
people thought. "We use Amazon as well". Yeah, but. The flow charting
company can't put our data in our Amazon space and our agreement with
Amazon does not supersede anyone else's agreements with Amazon, even when
it is our data. So if the flow charting company goes out of business or
fails to pay Amazon, our data could be at risk. The lesson here is that you
always need to understand who is involved in the end to end solution.

The overarching lesson here is that the cloud is not inherently
problematic, if the risks are fully understood and proper contractual
arrangements are made with all parties involved in the business process. An
organization should seldom use "free" cloud services and should use extreme
caution with "click through" agreements and with solutions that involve
multiple parties provided pieces of the solution. Employees should always
be cautioned about making contractual agreements on behalf of their
employer. The organization should have a vendor contracting process that
includes a security risk assessment and legal contractual review. Records
management / information governance should be part of that process.


Patrick Cunningham, FAI (CISM pending)

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]