Cloud Computing: Timely Tips
August 29, 2011
Before entering a contract with a cloud computing vendor, it pays to do your homework on key privacy and security issues.
Chris Witt, president of Wake Technology Services, sums it up this way: "If you’re not comfortable with how the cloud vendor runs their operation and you’re not 100 percent confident that they can provide similar or even better protections than you are already providing, then you probably should not be moving forward with that vendor regardless of how good of a contract you can negotiate."…
Following are some timely cloud computing tips from Witt; Feisal Nanji, executive director at Techumen; and Gerard Nussbaum, director of technology services at Kurt Salmon.
Demand Transparency
Cloud computing customers should demand access logs, he adds. "If the hosting provider is not going to provide you with good logs on who is handling your information … then you have to be circumspect about the overall quality of the vendor."
Organizations also should demand the right to audit "pretty much anything within the cloud environment," Nanji adds. "If the vendor is doing a good job, then they really have nothing to hide."
Ask for Documentation
Address Physical Security
Size Up Use of Encryption
"In a perfect world, end-to-end encryption provides the best protection; however, this is not always feasible," he says. "Any tape or other removable media should be encrypted. That’s a no-brainer. All network communication should be encrypted. Again that’s straightforward."
But Witt urges cloud computing users to also ask vendors about encryption of data in storage area networks, or SANs. "There is technology available today to encrypt all data on the drives, and it is able to do it without a significant performance penalty. Encrypting those drives protects the organization from someone pulling a drive out of a SAN and walking away with it. That’s really what you want to do."
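To make the "end-to-end" point concrete, here is an added example, written for this page and not code from the article or from any of the experts or companies quoted. The customer encrypts each record with AES-256-GCM under a key it generates and keeps; the cloud provider receives only the nonce and the ciphertext, so a drive pulled from the vendor's SAN, a stolen backup tape, or a packet capture yields nothing readable, and any modification of the stored bytes is detected on decryption rather than returned as garbage. It goes one step beyond the text by binding a record label as associated data, so a ciphertext cannot be quietly moved from one record to another. The function names (NewKey, Seal, Open, Demo), the record label and the sample record are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Package is what gets handed to the cloud provider: a fresh nonce and the
// AES-GCM ciphertext (which carries its own authentication tag). The key is
// never sent, so the provider cannot read the record even from the raw disk.
type Package struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 256-bit AES key that stays with the customer.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM. The record label is
// bound as associated data: it is authenticated but not encrypted, so a
// ciphertext stored under one label fails to open under any other.
func Seal(key, label, plaintext []byte) (Package, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Package{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Package{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, one per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Package{}, err
	}
	return Package{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// Open decrypts and verifies a package. Any change to nonce, ciphertext,
// tag or label makes the tag check fail and returns an error.
func Open(key, label []byte, p Package) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(p.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, label)
}

// Demo seals a constructed record, opens it again, then flips one bit of the
// stored ciphertext (as a corrupted or attacker-modified drive would) and
// checks that Open refuses it. Returns (roundTripOK, tamperDetected).
func Demo() (bool, bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	label := []byte("record:demo-0001") // assumed record identifier
	plaintext := []byte("constructed sample record: MRN 000000, visit 2011-08-29")

	p, err := Seal(key, label, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := Open(key, label, p)
	roundTrip := err == nil && bytes.Equal(got, plaintext)

	tampered := Package{Nonce: p.Nonce, Ciphertext: append([]byte(nil), p.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(key, label, tampered)
	tamperDetected := err != nil
	return roundTrip, tamperDetected, nil
}

func main() {
	ok, detected, err := Demo()
	fmt.Println("round trip ok:", ok, "tamper detected:", detected, "err:", err)
}
```

Drive-level encryption in a SAN, as Witt describes it, defends against someone walking off with a disk; it does not stop a vendor employee with access to the running system, because the storage layer decrypts transparently for anyone the system trusts. Holding the key on the customer side, as in this example, is what closes that gap, at the cost of the vendor being unable to index or search the data for you.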
Ask About Breach History
If the vendor has had an incident, organizations should demand details about "the root cause analysis process [the vendor] went through to establish what needed to be corrected and the corrective action it took."
Demand Prompt Reporting of Breaches
Because hospitals, clinics and other covered entities must report major breaches (those affecting 500 or more individuals) to federal authorities within 60 days of discovery, a business associate agreement should require a cloud vendor to report incidents immediately, Nussbaum says. That way, the healthcare organization will have enough time to investigate the incident and notify those affected, as well as regulators, in compliance with federal healthcare breach notification requirements.
What Happens When Contract Ends?
The contract also should define the customer’s rights in the event that the vendor is acquired, Witt says. "The cloud market is still relatively young, and we’ll probably see some more mergers and acquisitions. In most cases, this shouldn’t present any problem, but if the acquiring organization is one that you do not care to do business with, then you definitely need an out."
Check Your Liability Insurance
"A hospital may find that standard business [liability insurance] coverage does not cover cyber-liabilities … including things like breaches, security violations and the like," he notes.
If this is the case, the organization may need to buy a "rider" to the insurance policy to cover these events. Unfortunately, Nussbaum says, "Many insurance companies are still exploring … how they would measure the potential liability if they were to issue such riders." As a result, he says, the riders "may either be unavailable or extremely expensive."