Around this time last year, the cloud computing contract signings were coming fast and furious—not just for commodity work like IT management or email, but for software and infrastructure closer to the core of corporate value. Not long after that, the calls started to come in to Greg Bell, principal and the Americas service leader for information protection at KPMG.
Cloud services customers—more often line of business leaders than IT executives—were panicked as they began to realize that their intellectual property (IP) was now at risk. Some, like one client who discovered that he'd potentially exposed his company's precious formulas, had to bring the software and associated processes back in-house—at no small expense. "They quickly went through an assessment, made very aggressive movements [into cloud computing], and then had to retreat because they were not able to put the proper controls in place," says Bell.
There's always some danger when handing over critical company data to a third party. "Cloud computing entails IP issues similar to traditional IT outsourcing in that you are entrusting sensitive data to a provider who probably won't treat it as carefully as you would," says Jim Slaby, sourcing security research director for outsourcing analyst firm HfS Research. "Your applications will be running on IT infrastructure you do not own or control."
But cloud-based services introduce increased IP threats. The nature of the business—whether it's software-, infrastructure-, or platform-as-a-service—makes understanding where the data is, who has access to it, and how it's being used more difficult, notes KPMG's Bell. There's a much higher degree of virtualization—from networks to storage to servers. "[For example,] a highly-distributed, highly-virtualized pool of storage resources used by a cloud service may make it much more difficult for the provider to guarantee that deleted files have been securely deleted—not just [removing] the file-system pointer to the data, but [overwriting] the actual data itself—from every single location that the cloud provider might have stored them on," says Slaby.
Cloud providers are more likely to use subcontractors to meet spikes in demand. Cloud-stored data often hops from country to country, some with weak IP laws or enforcement. "Similarly, if your provider uses personnel who can remotely access your data and IP from countries with weak IP laws, you may be putting your IP at risk of theft or misappropriation, with little recourse," explains Rebecca Eisner, partner in the privacy and security practice of Mayer Brown. Finally, because many cloud services have grown out of consumer offerings, their standard contracts are severely lacking. "A term in a contract that provides that the cloud vendor owns all content a customer may put on its systems may be okay if that content is a picture of your dog, but may not be so good if you're talking about your development environment," says Edward Hansen, partner and co-chair of the global sourcing practice at Baker & McKenzie.
As the name suggests, data and IP in the cloud may as well be floating in the ether minus any vendor obligations or controls introduced by the customer into the deal. "Typically, [customers] are focused on cost reduction and performance. Intellectual property issues are viewed as 'lawyer issues,'" says Mayer Brown's Eisner. "In reality, a cloud provider's ability to protect intellectual property rights should receive as much scrutiny as the information security, price and technical solution." "We are seeing some awareness dawning of how much weaker some cloud providers' contracts are in security terms," adds Slaby of HfS Research. "But the siren song of lower costs and greater flexibility is difficult to resist."
To you protect your corporate crown jewels in the cloud, here are nine steps to follow:
Pick the right provider. Take due diligence seriously. "Given that the category and its players are still relatively new, consider how you'll extract yourself and your sensitive IP in the event that your cloud provider fails abjectly to live up to its contract, goes out of business, or is acquired by a competitor," advises Slaby. "Take a careful look under the hood at any prospective cloud provider's plans around disaster recovery." If you want sophisticated protection of trade secrets, seek out only providers that offer sophisticated solutions with higher-security requirements.
Select the right service. Do everyone a favor—don't sign your first-ever cloud contract for a core business function. "Many clients looking for benefits of the cloud are purposely moving IP last," says Bell, testing the waters with commodity services like IT service management or QA on standard software. "It's a way to make sure they understand the nuances."
Read the fine print. Cloud services are deceptively simple in the ads. "In many cases, that simplicity is masking underlying complexity that has been considered and resolved against the customer," says Hansen of Baker & McKenzie. "Read the contract, not the website," adds Church. "There are terms that directly contradict the advertising, and these need to be ferreted out before any data is moved." It's not unusual to see "get out of jail free" provisions disclaiming vendor liability if confidential information is published. Never, ever, sign the cloud provider's online contract, advises Todd Fisher, partner in the outsourcing practice of K&L Gates, who's reviewed agreements giving the service provider use of client data for purposes other than for the provision of the services or ownership of derivative works based on that data.
Add some fine print of your own. If your cloud computing deal involves IP-related data, strong contractual protections are critical. Eisner of Mayer Brown suggests including requirements that the provider follow stated and approved security and other industry standards, rights to audit or to receive regular audit or certification reports, rights to name the locations where data and applications will be processed and stored, rights to approve subcontractors, a change control process that provides for advance notice and opportunities to work around or mitigate pending changes, and reasonable liability for nonperformance by the provider. Make sure the protections and controls are explicit and measurable, adds Slaby.
Expect to pay more. Standard terms keep cloud computing cheap. "Their traditional business model is to replicate data automatically based on usage patterns," says KPMG's Bell. "When you remove that capability to do something special for your environment, you create additional costs."
Consider IP creation. It's less likely that new IP will be created in the course of a cloud computing deal than an outsourcing contract, but it happens. "Some customers hire a cloud provider to run a private cloud, where there might be the opportunity for the development of intellectual property," says Fisher of K&L Gates. "Another exception is if the customer needs the cloud provider to develop certain interfaces to access the cloud services." In such cases, the cloud buyer may want to retain ownership of the interfaces or prevent the cloud provider from reusing them for competitors. Geography becomes an issue as well. "If IP is going to be created in a cloud environment, the laws of the location where the IP sits should be checked to ensure that unexpected rights or hindrances don't arise," says Baker & McKenzie's Church.
Secure it yourself. Consider adding a layer of additional data security. "Unless their provider is willing to step up to stringent contract terms and service level agreements regarding data privacy, many enterprises will want to consider end-to-end encryption for any data that will reside in the cloud," says Slaby of HfS Research, "especially if it is subject to regulatory compliance concerns."
Prevent a lockout. Some standard cloud contract provisions make access to their data at the vendor's discretion if the deal is cancelled early. "Customers must always ensure that they can access their IP at any time and that, if the agreement terminates for some reason, they can get the IP out," says Hansen of Baker & McKenzie.
Revisit controls on a regular basis. "Buyers must keep their eyes open for potential new threats," says Slaby of HfS Research. "[For example], at some point virtualization attacks—in which malware breaks out of one virtual machine to corrupt or steal data in an adjacent virtual machine—will go from theoretical to real."
Be prepared to walk. If adequately protecting IP is too costly or hard to implement or track, back away. Always leave open the possibility that a cloud-based service might not be a good fit.