Companies of all sizes store their data on external servers every single day, whether they know it or not. This could be an organization whose employees bring their own devices and use file storage and sharing apps that the IT department isn’t aware of, or it could be a business looking to eliminate IT infrastructure costs and leverage the convenience of the cloud by moving data offsite.
One step that companies and individuals must take in order to use cloud storage is to accept the provider’s terms and conditions. However, both organizations and individuals often fail to actually read those terms and conditions before clicking the "accept" button, putting companies in precarious positions that leave their data at risk. What do you get in the fine print? Sometimes, it’s not as simple -- or pretty -- as you might think.
It is extremely important, regardless of company size, to understand where your data is going and what your rights are. More often than not, there are provisions buried deep within the terms and conditions that give providers rights to change, alter or even delete files. Providers also build in safeguards to absolve themselves of liability in the event of a security breach.
It's critical that companies understand not only the terms of the programs their employees are using for BYOD, but also those of the cloud sharing and storage resources designated by the company. Going in with eyes wide open is the only way to fully understand your rights and protect corporate data.
Here are six questions all organizations must ask when evaluating cloud sharing and storage providers, either on a company level or for employee devices:
1. What is the service provider’s level of access and who holds the encryption keys? Many agreements call for unfettered access to data stored on a provider’s servers, and most providers actually hold the encryption keys. Because the keys are stored alongside the files, snoops or hackers can access the encrypted data.
2. Can the provider change or alter your information? Believe it or not, when you click "accept," you are giving some providers the right to change, alter or copy your data without your knowledge. This is often positioned by providers as necessary for backup or formatting reasons.
3. Can the provider change the service at any time? Is there a clause stating that service may be changed or suspended at any time, or does your provider need to give ample notice to allow you to remove/retrieve your data before changing the service terms?
4. When do fees kick in? Many providers start with freemium models, but charges can pile on quickly. Be sure to know your needs and the storage thresholds so that you are thoroughly prepared from a budget perspective.
5. Does the provider assume liability if its servers are compromised? In general, providers rarely assume responsibility for any consequences resulting from a security breach.
6. What happens when the contract ends? Since your data is stored remotely, you’re no longer in possession of it, so you need to be sure you can get your data back -- particularly if the provider is the one who terminates the contract.
Many organizations don’t realize the level of inherent trust they must put in their cloud service providers once they hit the accept button on those terms and conditions. It's extremely important that organizations understand their data rights when using someone else’s infrastructure.
The cloud is extremely beneficial and has allowed small companies to grow and large companies to accommodate a geographically diverse workforce. With those benefits come risks, and companies must ask the right questions before signing on the dotted line.