Security in the context of cloud computing is an extremely important subject, and one that you have to be entirely sure that you are happy with before you enter into any form of agreement. We are seeing that the barriers that are thrown up by local jurisdictions and data protection laws mean that you have to be extremely careful that you have the provisions in the contract that you sign with the provider, that cover you against any eventualities. Classic public cloud agreements that we’re seeing at the moment, often include clauses which allow the suppliers to move the data to the US, for terms of management, which is often directly in breach of many local laws.

We’re seeing our clients adopt the cloud, primarily in the areas of collaboration and test environments. These are small areas where’s it is simple to do a pilot without too much risk and the benefits can be seen quite quickly.

We’re seeing cloud computing as absolutely a legal minefield for some of our clients, and you have to get external council to review any agreements that you finally enter into. It’s such a problem in some areas that we’re already seeing some of the more advanced insurance companies, certainly in The States, producing specific cyber insurance policies.

Data security in the cloud is a problem. You’re going to come up against all sorts of issues with regulatory compliance, if you can’t tell your regulator exactly where you data is at any one time. Another problem we’ve come up against with a client recently was where an eager executive, who was keen to solve a problem, had bought some cloud services on his own credit card and transferred some data from the company on to the cloud, only to find when the lawyer examined the click through agreement he’d signed later, that he had inadvertently given away the IP to all that data to the supplier.

It’s interesting to look at what the actual inherent risks of cloud computing are. From a recent survey that we did with clients, we found that their issues were around things like integration and disaster recovery. Whereas from a TPI point of view, we would focus more on things about the unclear roles and responsibilities in current cloud agreements, as well as the inability to get terms and conditions which favour the client. When it comes to addressing some of these inherent risks in the cloud computing model, it’s important that you get the whole team together. You need to get a legal perspective to make sure that you’re not transgressing any data regulations; you need to get the HR departments involved as well as the straight forward technical departments and their approach with the architects to help us solve the problem.

Given the amount of advice that’s floating around about the cloud at the moment, it’s really important to narrow it down to the few essentials that you need to know as organisations before you get into this sort of engagement. Some of those things haven’t changed, some of them have. You still need to know what you’ve got, but instead of just going out there and counting servers as you would have done in a traditional outsourcing model, if you’re going to pay for what you use you, you need to know what you use, and that requires a greater deal of analysis within the businesses than previously you would have done. You need to be aware of the exact data requirements that you have for your industry and you need to know what you’re prepared to sacrifice in terms of flexibility, to gain the price points that are very attractively being offered by some suppliers.