“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today. This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.
If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.
We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:
- What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
- Which company owns the data placed in the cloud?
- If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
- Will company proprietary information be safe?
- Who has access to the data? Who should have access?
- Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
- Do we still need to maintain a back-up of data in the cloud?
- Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
- How big is the cloud? How much can we store?
- What if the cloud goes down? How do we get our data and access the applications needed to run our business?
- How do we move between clouds? Can our data be held captive when contract negotiations fall through?
- Can we put our clients’ data in the cloud? Do we have to tell them where it is?
- What happens to the data if the cloud service provider or the cloud customer goes out of business?
- Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?
Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.