8/30/2016

Is the Cloud Right for You?

Joe Dysart
While untold numbers of green businesses are saving money by moving POS systems to the cloud, IT experts say these businesses need to ensure their cloud contracts include ironclad security protections—or they’ll suffer an uncertain future.

Unfortunately, getting those protections can be more difficult than you might expect, given that many cloud services providers are reluctant to put security assurances in writing. Not surprisingly, the cat-and-mouse game between user and cloud provider is taking a toll. Many businesses are simply delaying a move to the cloud due to their concerns over security, according to a recent study released by Bitglass, a cloud security firm.

Improved Safety Standards
Fortunately, federal governments worldwide are trying to assuage those concerns. The U.S. National Institute of Standards and Technology, for example, has released new standards for any cloud service provider looking to do business with the federal government.

Essentially, the standards are expected to serve as best practice cloud security contract templates for the entire U.S. industry. And they’ll also be a godsend to the millions of green businesses and other businesses eyeing POS cloud technology.

“We’re looking into it—we’re trying to streamline our computing,” says Steve Chepurny, owner of Beechwood Landscape Architecture & Construction in Southampton, New Jersey. “We think the cloud could be easier and less expensive.”

Indeed, a recent Forrester report found that 77% of businesses across a spectrum of industries worldwide say they’re either already relying on the cloud for at least a part of their operations or they plan to within the next two years. And 70% of businesses are looking to work with a cloud services provider that offers a single point of accountability.

What You Need to Know
If you count your business among those interested in running a POS system in the cloud, here’s what cloud security experts recommend you include in the contract with your service provider (of course, consult with your attorney before implementing any of these suggestions):

• Be sure there are limitations on where your business’ data will be geographically located. Nail this down or—incredible, but true—your business data could end up on a server in Iran.

“Anytime you are talking about ‘your data’ being stored, the first thing to remember is that it is yours,” says Leigh Geschwill, owner of F&B Farms and Nursery in Woodburn, Oregon. “Our business puts a great deal of effort into storing our data in such a way that it is accessible and secure.”

Adds Andre W. Ahern, CEO, Ahern & Associates, a business consulting firm: “You should stipulate certain countries you do not want your data to pass through—i.e. data cannot pass through HUAWEI routers, the Chinese equivalent to Cisco—as certain governments can seize property whenever they like.”

• Be sure you have a detailed exit strategy from your cloud services provider. Should you decide to move your green business’ applications and data to another provider, you’ll want to be sure there’s clear pre-agreement on how your business will easily make that transition, experts say.

Specifically, nail down how you’ll move your data. And nail down the data format that your service provider will use to send your data to you for the transition. You’ll also want in writing the kind of cooperation your service provider will give you to transition to a new provider. And you’ll want in writing the amount of time you’ll have to secure your data for transition purposes. Otherwise, with nothing in writing, you could simply lose all of your data with a move to a new cloud service provider.

• Beware of cloud providers that insist on the unilateral right to change contract terms. Essentially, this right can give your cloud service provider a blank check to make changes to your POS cloud contract terms on a whim—and leave your data in the lurch.

• Get documentation on how your provider will secure your data against hackers. Any decent cloud provider will have internal protocols in place designed to safeguard your data and your business’ privacy. Get those protocols in writing. And get a guarantee that your provider’s security standards will be certified annually.

• Get documentation that your provider is aware of all local, regional, national and international laws regarding the security and privacy of your data. And get documentation and descriptions of the systems your provider has in place to comply with those laws. Also, get similar documentation that your provider is aware of and can comply with such laws that are specific only to companies in the green industry.

• Ensure that your provider will be able to provide usable data should your business be faced with an e-Discovery request during litigation against your business. Your attorney should know how to ensure this request is properly fulfilled.

• Ensure that the POS systems cloud contract clearly states that your business retains ownership over all its data and that the cloud services provider has no right to use your data. Otherwise—again, incredible but true—the cloud provider may try to resell your data to third parties.

• Ensure that your legal agreements extend to the subcontractors hired by your cloud provider. This is an easy provision to overlook—and could wreak havoc on your contract if missed. For example, your provider could have stellar security, but its subcontractor could have nonexistent security.

• If possible, ensure the person tasked with handling computers at your business will be able to meet with the cloud security chief to evaluate the provider’s security protocols. Also ensure that person will get immediate notice when any changes are made to those security protocols.

• Ensure that you’ll be notified if your cloud provider suffers a security breach or is hacked in any way. As we’ve all discovered the hard way, service providers that suffer breaches are often reluctant to inform clients that they’ve been hacked.

• Ensure that you’re able to encrypt your data before it leaves your POS system computers. This provision can save untold headaches. Once encrypted, your data becomes much less of a problem for you in the cloud, no matter what goes on there. “Adding an extra encryption on your data is a good precaution,” Andre says. “What is more important is that the cloud provider’s data centers are SOX and SSAE 16 compliant; these are regulations which stipulate certain security measures for cloud servers.”

• Ensure your data will be wiped clean from servers and other computerized storage devices that are “retired” by your cloud provider and sometimes sold off to third parties. Otherwise, a server or external hard disk with all your business’ trade secrets could pop up on eBay and be sold to a pimply faced 15-year-old—or a competitor.

• Secure a detailed agreement with your provider on how they will handle a system crash involving your business’ data. Also secure an agreement on how a security breach of your data will be handled. Don’t assume your cloud provider will be diligent.


Joe Dysart is an Internet speaker and business consultant based in Manhattan. He can be reached at joe@joedysart.com, www.joedysart.com or by phone at (646) 233-4089. 


The Cloud Security Alliance
For the latest ideas and developments in cloud security, monitor the Cloud Security Alliance, an industry group, at cloudsecurityalliance.org. Its specific mission is to work on establishing international standards for security and privacy in cloud service agreements. 