Bloomberg Law
June 22, 2015, 2:51 PM UTC

5 Steps to Choosing a Trusted Cloud Provider

Editor’s Note: The author of this post is an assistant general counsel for Microsoft based in Chicago.

By Dennis Garcia, Assistant General Counsel, Microsoft Corporation

The high-profile data breach incidents that continue to occur highlight that companies will only use technology they can confidently trust. If your company is ready to reap the many well-documented benefits associated with cloud computing, it’s critical to select a “trusted cloud” provider.

While that sounds like a great idea, how does a company identify a trusted cloud provider?

Assemble Your Team

The first step is to assemble a team of stakeholders who will help your company conduct the necessary due diligence to select a trusted cloud provider.

Now, your team doesn’t need as many players as the recent 2015 Stanley Cup Champions Chicago Blackhawks ice hockey team. Instead, your company’s senior business leaders should seek guidance from a “Core Four” set of empowered representatives from these groups within your company:

• Legal

• Chief Privacy Officer

• Chief Information Security Officer

• Risk Management/Compliance

Involve these representatives early and often in the evaluation process to maximize their value.

Once the “Core Four” are identified, your company is ready to conduct its thoughtful due diligence to evaluate a cloud provider.

It is important to use a meaningful evaluation framework to select a cloud provider. An example of such a framework is based on these four key principles (which I call “TPCC” for short): Transparency, Protect, Comply and Control. Let’s review these principles:

Transparency

Transparency is the foundation for any trusted cloud provider. Your company should select a cloud provider that provides complete clarity to the marketplace regarding its cloud practices. A cloud provider ought to provide transparency in these areas:

• Cloud contract terms that are clear and understandable

• Identification of subcontractors used to deliver cloud services

• Easy access to third party audit reports

• Location of “data at rest”

• Periodic reports detailing law enforcement requests for data

Protect

Data protection may be the most significant TPCC principle since your company is entrusting a third party cloud provider to secure its important data (which also includes the data of your employees, customers and partners).

A cloud provider’s contract should contain data processing terms that specify the obligations the cloud provider takes on to protect your company’s data. Those terms should be aligned with the privacy laws of the European Union (EU) — which are some of the strictest privacy laws in the world — and contain the EU’s model clauses that help enable compliance with the EU’s Data Protection Directive.

Make sure that a cloud provider has received written validation from the highly influential EU privacy regulator known as the Article 29 Working Party regarding its implementation of the EU’s model clauses in its cloud contract. Also ask a cloud provider about its capabilities to fight cybercrime, since this is a top-of-mind issue for all companies.

My own company Microsoft has a dedicated Digital Crimes Unit (DCU) — a team of lawyers, investigators and data analysts who partner with public and private organizations to help protect the world from digital harm. Microsoft incorporates the cybersecurity insights and data from its DCU operations into its cloud solutions to make them even more secure.

Comply

It’s important to identify a cloud provider that complies with key standards or laws applicable to its cloud solutions.

For example, ISO 27018 (ISO is the International Organization for Standardization) is the first international standard for the protection of personally identifiable information in a cloud environment, which makes it an important cloud computing standard. Your company should contractually require a cloud provider to comply with ISO 27018’s code of practice.

Control

Even though your company’s data is being stored off-premises in a cloud provider’s data center(s), your company still needs to remain in control of its data.

Be sure that a cloud provider agrees that your company retains ownership of its data, that the cloud provider can only use your company’s data to provide cloud services, and that the cloud provider will not use your company’s data for any advertising or similar commercial purposes. In addition, in the post-Edward Snowden era a cloud provider needs to specify what it does when law enforcement seeks access to your company’s data. Finally, ascertain whether a cloud provider is actively seeking the enactment of new legislative solutions like the Law Enforcement Access to Data Stored Abroad Act (the LEADS Act) in the United States and has taken legal action against the government to better enable customers to control their data in the cloud.

Try using the TPCC principles to help guide your company’s move to the cloud and best of luck in your journey.
