With more companies looking to the cloud and moving business-critical applications and data there, the issue over who owns it once it's there is going to get thorny. Securicom - a specialist provider of managed IT security solutions - warns companies to clarify upfront who owns their data once it's housed in the cloud.
"If you're moving any information to the cloud, whether it's archived mails or ERP data, it is critical to read the fine print of your contact with the cloud service provider. The fact of the matter is that when you hand over your data to a cloud service provider and it resides on their infrastructure, your ownership rights could be at risk.
"Some providers build in clauses which lock in companies, preventing them from taking back their data unless they pay a fee, often in the hundreds of thousands of rands," warns the company's sales manager, Richard Broeke.
The issue of data ownership has always been a concern for companies considering the cloud, and quite rightly so. The UK's National Computing Centre recently found that IT decision-makers from both private and public sector organisations rank their largest concern when it comes to cloud security as "loss of control of data and loss of control over where data is held".
In the United States, Gartner says cloud users are entitled to "the right to retain ownership, use and control of one's own data", and that cloud providers must specify what they can do with customer data.
"In South Africa, where the cloud is still relatively immature, companies aren't aware of the potential risks associated with handing over data, and their rights in terms of ownership. A contract with a cloud service provider should specify who owns the data as well as prescribe restrictions on what the service provider is able to do with the data. Certainly, companies should specifically exclude the provider from mining their data.
"Unless you have a contract in place which affirms your ownership of the data, and clearly defines what your provider is able to do with it, you could find that your data has been accessed and used for their own purposes, or that you aren't able to retrieve your own data.
"Businesses should make absolutely sure that they are happy with the terms and conditions of their contracts with cloud service providers before they actually hand over their information," advises Broeke.
He also advises businesses to agree upfront on the terms and conditions of cancelling a contract with a cloud service provider, the process by which the data will be returned, as well as the timeframe that the provider will have to return the data. If there is to be a cost involved to export the data, this must be quantified upfront.
"Ideally, you should not have to pay a fee to have your data returned. But, if there is to be a fee to cancel the contract and get your data returned, you won't want any nasty surprises. Some unscrupulous providers impose huge, often unaffordable, fees on companies," he says.
He concludes saying that businesses should ascertain where their data will be housed. Choosing a provider that houses data in secure data centres in South Africa is always the safest bet. That way, companies don't run the risk of being tied in to data ownership legislations of foreign territories.
For most cloud service providers, says Broeke, the question over data ownership is a no-brainer - the customer owns it.
"Just make sure you don't sign up with a provider who thinks otherwise."
Share