How to get into the cloud – and protect your data

It may look to some people as if there’s no negotiating room when entering into agreements with cloud service providers, especially when it comes to protecting sensitive data that may pass through the hands of third parties. Giving up control over access to your own organization’s data strikes many as just one of the compromises you have to make to take advantage of the cost and service efficiencies of the cloud computing model.

But depending on your position, you may actually have more data protection cards to play than you think when you set up an agreement with a cloud computing provider.

In a post on Mondaq, Kelly L. Friedman, a partner with the Toronto office of Davis LLP who specializes in electronic information and data privacy issues, recently noted how the Ontario ministry of education persuaded Google (Nasdaq: GOOG) and Microsoft (Nasdaq: MSFT) to add contractual addenda protecting the data privacy of students who access Google Apps for Education and Office 365.

“Essentially, these addenda incorporate some important contractual protections, and create a ‘walled garden’ so that school boards maintain an important degree of control on student data within the ‘walled garden,’” Friedman writes in the post, which is titled “Canada: A Realistic Approach Is Needed To Cloud Computing.” Friedman notes that Google Apps for Education and Microsoft Office365 are being provided free to the school boards for student and teacher use. “Without the bargaining power that comes with pay-for-service, the addenda have done a fine job of reducing the risks of cloud computing for our kids.”

Kelly has some due-diligence desiderata for CIOs and other executives of organizations that actually do have some bargaining power and want to add data protection measures. Among the 12 tips she offers, Friedman recommends carrying out a privacy impact and risk assessment before moving data into the cloud and doing a security audit of the service provider.

“Ask the service provider to produce any certifications to national, industry and international standards for data security, including encryption technologies,” Friedman says. Get a picture of how your enterprise’s data will be segregated from other data, and make sure you negotiate to preserve the ownership of your data and the permitted uses of your data by the service provider.

“Ensure you are provided with data breach notification and investigation rights,” and make sure there are contingency plans for data breach and disaster recovery.

“I am not suggesting that we bury our heads in the sand and accept that ‘privacy is dead,’” Friedman concludes. “Quite the opposite. We must become knowledgeable to the point of learning how to take advantage of the benefits of cloud computing while responsibly managing the risks that cloud computing entails.”

Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.
