Like any new technology, data storage in the cloud has gone through a maturation period. Employees started out, way back in 2007, moving a few files over to Dropbox.com. Then, IT started experimenting with cloud storage through more robust services like Rackspace Cloud Files. Now, executives are starting to wonder if all enterprise storage can be hosted in the cloud, and not in an on-premise data center.
Yet, a recent uproar over the Google Drive service for consumers raised several important questions about cloud storage. Many of these consumer-level questions—about who owns your data, how the data can be used and what happens if the data is lost or stolen—are helpful for enterprise executives to ask as well. The answers may depend on the fine print in your own contract with a provider.
Questions About Google Drive
Every so often, a debate about cloud storage crops up, and it presents a good opportunity for IT executives to take stock of their own agreements, especially when it comes to storage. Last week, Google announced Google Drive with great fanfare. Within a few hours, users were already gaining access to the service, which provided 5GB of document and media storage for free.
According to the Google terms of service, Google has the right to use consumer data to improve and even promote their own services. The company also has the right, according to the terms of service, to create "derivative works" from content stored in Google Drive, and to "publically display and distribute such content" even with their partners. Yet, the wording is not necessarily that alarming.
That's because, with most cloud storage vendors, the policies tend to be open to interpretation.
Michael S. Neustel, a U.S. Patent Attorney with Neustel Law Offices says most cloud storage vendors have similar policies related to using, modifying and reproducing data. This allows vendors the freedom to move an archive from one data center to another. Neustel says it is unlikely Google would ever use private data for a television commercial. In fact, the terms state clearly that the user still owns the data, and that private storage archives will remain private.
However, Neustral says the policies are overly vague. Google has one standard terms of service they use for all of their services. "The Google Drive policy is inherently unfair to users since it requires Google Drive users to provide Google with several unnecessary rights to their copyrighted works," he says.
Neustral says the policy might apply for a service like Google Translate, where the data has to be analyzed and even parsed for intended meaning, but not for cloud storage. That's a good lesson for CIOs who need to understand cloud storage policies—one size does not fit all.
Enterprise Cloud Storage: Read the Contract
That's why, for enterprise cloud storage, most experts say the most critical step with storage policies is to investigate the actual contract you have with the vendor. This might require scrutiny from a corporate attorney, and further investigations into such intangibles as how to retain data archives if a cloud storage vendor goes under and how to encrypt access to the cloud storage.
Ashley Podhradsky, the Assistant Professor of Computing and Security Technology at Drexel University has studied the security issues with cloud storage, and is also a member of the Cloud Security Alliance. She says one recent strategy with cloud storage is for the cloud infrastructure to integrate directly into an on-premise data center.
"This allows the corporations network administrators to control cloud access through services such as Active Directory and LDAP (Lightweight Directory Access Protocol, an Internet protocol for accessing data). The encryption keys are starting to be managed on the corporation side opposed to the cloud provider, which aims to include the corporation into more of the security practices," she says.
Thankfully, most cloud vendors have clear policies about who owns the data. Aaron Messing, a technology and information privacy attorney with Olender Feldman *** (), says there is not much debate about the fact that the enterprise owns the data. He says there are vagaries about how quickly data should be destroyed upon request (say, within a specific timeframe), or whether the vendor is blocked from sharing any data publically (such as e-mail addresses or customer lists).
Beyond studying the agreement with the vendor, and negotiating the terms that make sense for the type of data you will be storing, Messing says only certain types of data are appropriate for the cloud.
"We strongly recommend against storing any type of personally identifiable information, such as date of birth or social security numbers in the cloud. Similarly, sensitive information such as financial records, medical records and confidential legal files should not be stored in the cloud where possible," he says.
Messing also adds that, if a company does decide to store some financial data in the cloud, you should use strong encryption and keep a second local archive in order to mitigate risk.
These fine details about the risk of losing data, encryption standards, and who is liable in breach often depend on the negotiating skills of the CIO. Joy Butler, an attorney and book author, advises CIOs to negotiate the terms of a cloud storage contract thoroughly. The main goal: make sure the goals of the company are mirrored in the vendor agreement. For example, she says if the corporate policy is to staunchly control customer data, that should be reflected in the agreement with a cloud vendor.
"Once you sign a provider contract, you will have very few options for legally terminating a contract in which you had some or equal bargaining power. In contrast, if bargaining power was clearly uneven and the vendor contract was presented as a take-it-or-leave-it proposition, you may be able to terminate the contract and re-claim your data by arguing that the vendor contract was unconscionable," she says.
Is Google Drive a Lawsuit Waiting to Happen?
Butler says she does not anticipate any major lawsuits over data ownership in the cloud mostly because, at the enterprise level, most of the contracts are detailed enough for the specific agreement. At the consumer level, the debate over terms of service for cloud storage might lead to a change in the wording, especially if consumer push back about particular words or phrasing.
That's essentially what is happening now with Google Drive. A few experts have argued that Google does have the right to use data for their own advertising—not in a TV commercial, but for their AdWords program. Enterprise cloud providers say this is one major difference between enterprise hosting and consumer-level hosting. Praerit Garg, the co-founder and president at Symform, a cloud storage vendor, says most providers will have a clause about managing the data, which typically means protecting the data but not viewing or analyzing it.
Yet, with Google Drive, he says there may be different motivations for analyzing the data.
"A company that is able to generate revenues through targeted advertising using the information it stores will be much more motivated to view, analyze and reuse the information than the company that simply offers a subscription-based service for managing and protecting the data," he says.
In the end, Google Drive is a good reminder about studying vendor agreements and terms of service, negotiating terms that match existing corporate policies, and deciding which data is appropriate for the cloud and which data should never leave the servers in your own data center.
John Brandon is a former IT manager at a Fortune 100 company who now writes about technology.