How to Protect Your Intellectual Property in the Cloud
IT professionals know that handing data over to a third-party is always risky, but cloud computing creates unique concerns for IP. Here are nine tips to protect critical corporate data wherever it goes
Mon, February 06, 2012
CIO — Around this time last year, the cloud computing contract signings were coming fast and furiousnot just for commodity work like IT management or email, but for software and infrastructure closer to the core of corporate value. Not long after that, the calls started to come in to Greg Bell, principal and the Americas service leader for information protection at KPMG.
Cloud services customersmore often line of business leaders than IT executiveswere panicked as they began to realize that their intellectual property (IP) was now at risk. Some, like one client who discovered that he'd potentially exposed his company's precious formulas, had to bring the software and associated processes back in-houseat no small expense. "They quickly went through an assessment, made very aggressive movements [into cloud computing], and then had to retreat because they were not able to put the proper controls in place," says Bell.
There's always some danger when handing over critical company data to a third party. "Cloud computing entails IP issues similar to traditional IT outsourcing in that you are entrusting sensitive data to a provider who probably won't treat it as carefully as you would," says Jim Slaby, sourcing security research director for outsourcing analyst firm HfS Research. "Your applications will be running on IT infrastructure you do not own or control."
But cloud-based services introduce increased IP threats. The nature of the businesswhether it's software-, infrastructure-, or platform-as-a-servicemakes understanding where the data is, who has access to it, and how it's being used more difficult, notes KPMG's Bell. There's a much higher degree of virtualizationfrom networks to storage to servers. "[For example,] a highly-distributed, highly-virtualized pool of storage resources used by a cloud service may make it much more difficult for the provider to guarantee that deleted files have been securely deletednot just [removing] the file-system pointer to the data, but [overwriting] the actual data itselffrom every single location that the cloud provider might have stored them on," says Slaby.
Cloud providers are more likely to use subcontractors to meet spikes in demand. Cloud-stored data often hops from country to country, some with weak IP laws or enforcement. "Similarly, if your provider uses personnel who can remotely access your data and IP from countries with weak IP laws, you may be putting your IP at risk of theft or misappropriation, with little recourse," explains Rebecca Eisner, partner in the privacy and security practice of Mayer Brown. Finally, because many cloud services have grown out of consumer offerings, their standard contracts are severely lacking. "A term in a contract that provides that the cloud vendor owns all content a customer may put on its systems may be okay if that content is a picture of your dog, but may not be so good if you're talking about your development environment," says Edward Hansen, partner and co-chair of the global sourcing practice at Baker & McKenzie.