Key points of the analysis:
– Applications and Internet services have become necessary to communication and to the management of ongoing business activity. The news regularly shows how difficult it is for managers and top executives to measure the risks that cloud computing offers pose for their company.
– A cloud contract is no longer about providing hardware resources, but about providing a service without even mentioning the underlying means. The novelty in cloud computing is the assembling of contractual terms that make it possible to manage the commitments and risks implied by the service. A company offering a service whose contract defines only the commitments, without defining who bears the risks and how they should be managed, is taking on undefined risks that may be higher than those it can afford. The same is true for the customer company.
– The NSA, through its Prism programs and Aurora Gold project, has destroyed for a long time the technical possibility of security for communications and Internet infrastructure.
– Since the revelations about Prism, it is no longer possible to ignore that the nine big service companies (Microsoft, Yahoo, Google, Facebook, Paltalk, YouTube, AOL, Skype and Apple) deliver user information, some of it about confidential business (trade secrets and sensitive information, that is to say, the added value and core assets of companies), to the NSA, which in turn delivers it to other federal agencies, and then to foreign agencies and competitors.
– Competitor companies can get access to confidential data through their states’ eavesdropping.
– A cloud service provider can no longer guarantee the confidentiality, availability and integrity of its clients’ data. In the case of a confidentiality breach, it would rightly be sued by its customers and would then have to take responsibility for the consequences, among them damages for loss of activity, which may be greater than what the company is able to bear.
– Currently, only companies offering services based on cloud computing are making money, not those offering cloud computing services directly.
– Potential customers may not enter into contracts with companies using the services and equipment of these nine companies, because it would jeopardize their business data.
– It is now necessary to repair our operations in order to return to a standard level of operation. This means finally studying and measuring the risks related to service contracts. It is then possible, advisable and in some cases mandatory to set aside provisions, deductible from taxable income.
– A company must implement a legal and technological watch concerning its service (evolution of behaviors, scandals, technological breaches of security, legislation and court decisions). Companies offering or accepting cloud services must have adequate processes to continuously adapt their contracts. For those changes to be accepted, it is imperative to explain them in intelligible plain language.
– In the current environment, companies offering or accepting cloud services must limit their risk for each core element of the contract. This means creating the tools needed to measure compliance with the obligations (confidentiality, availability, integrity).
– The common concept of security is directly related to each country's local risk culture. Cloud service providers must therefore measure the risks related to their services in order to operate, sometimes simultaneously, under different and sometimes contradictory regulations.
Cloud computing analysis.