“Cloud” computing has been a popular buzzword in the news for a few years now but it’s rarely defined. So in the interest of debunking some of the hype and identifying some of the unique risks, here goes…

Cloud computing means having someone else do your computing for you – taking data and calculations that you would have crunched on your own mainframe or workstation and, instead, crunching it on some computer on the internet. (The name comes from the IT diagramming convention of showing the internet as an amorphous cloud.) In theory, this gets you access to more and bigger computers than you would be able to afford yourself. It also gets you access to your data from any internet browser, not just your own dedicated computer. If you are a webmail user (yahoo, gmail, hotmail, etc), you are already using cloud computing.

There are two general business models for cloud computing providers. The first are companies who already have lots and lots of computers but who only need their computing power for surges. Amazon, Google and eBay might be examples. They have to build their data centers to handle Cyber-Monday. Renting computer time to you is a way to get back some of their investment when they’re not busy with their own crunch.

The second are companies who start out with the model of renting – the United Rentals of the computer world. IBM is moving aggressively in this space. A variation on this is Software-as-a-Service (or SAAS) where a particular vendor lets you move his application and the associated data out of your data center and onto his machines for a fee. Moving your financials to Peachtree’s online application might be an example.

In either business model, there are some serious security and legal issues to think through before you decide to outsource your computing. For example:

  1. Security – Are they able to keep your data separate from the data of all their other customers? Who else now has access to your confidential data?
  2. eDiscovery – If you get sued and have to turn over your computer records, can they segregate them? Can they produce your records fast enough to keep the courts happy? And how much are they going to charge you for the privilege?
  3. Privacy – What if the vendor gets a subpoena or request for your data? Will they fight it? Will they even tell you about it?
  4. Records Retention – Hopefully, you have a carefully thought-out policy that makes sure all information is kept as long as it is needed (either by the business or by law) but no longer. Keeping information longer than you need it is, by definition, risk without reward. How will you ensure that the vendor lives up to your policy?
  5. Privacy laws – Some of these vendors send data overseas. All of them send it outside your local jurisdiction. Is this contract going to get you in trouble with any processing, retention or transfer restrictions, such as those in the European Data Protection Directive? Worse, are you going to inherit those privacy obligations because your data is comingled with others?

Cloud computing can be a boon to small businesses that are growing rapidly and can’t yet afford a dedicated data center. But the cloud can also be a dangerous place. Don’t rush into the relationship without a lot of thought and consideration for the risks and for your mitigation strategy.

Leave a Reply