Issue link: https://epubs.iltanet.org/i/45522
SAFER CLOUD, BETTER PRACTICE: TEN CLOUD-COMPUTING CONSIDERATIONS 8. What can my cloud provider do with my data? One of the substantial benefits associated with the cloud is your provider's ability to work with your data and present it in new, efficient and accessible ways (such as calendaring, billing and even document creation and management). To work with your data in this manner, the provider must typically have access to allow its software to "run" against the data. With few exceptions (such as when a provider allows you to lock them out with a separate password, which usually impedes the provider's ability to enhance the data, provide support, etc.), this means the cloud provider has access to data — and you need to understand what limitations the provider has when handling the data. These limitations are typically found in the ToS and privacy policies to which you agree to adhere when signing up for or using the service. In exchange for your promise to access the system in accordance with the terms, pay on time, and limit your damages, etc., your cloud provider should agree to limit their own (and any third parties') access to your data. Generally speaking, the provider should begin with a representation that your data are your data, and should never state or imply any ownership of your data. Secondly, the provider should agree to limit human encounters with your raw (unencrypted) data to two circumstances: your request (for diagnostic purposes, etc.), and to comply with applicable law (e.g., a valid subpoena from a court with proper jurisdiction). Otherwise, access to the data should be limited to programmatic (automatic, private, software- based) access only. However, even programmatic access to data stored in the cloud can result in certain potential issues for client data, including the potential scanning of content for the delivery of advertisements (e.g., with certain ad-supported email service providers). While such scanning alone might seem relatively innocuous, it is imperative to ensure that client data is not disclosed to additional third parties, and would not otherwise run afoul of various ethical rules regarding client property and confidentiality. On the other hand, certain types of deliberate and mutually acceptable third-party access (such as data escrow with a mutually agreeable third party) can be helpful in protecting against loss of access due to a single provider's failure. 9. What do I need to do locally to protect confidential data? No data system can ever guarantee 100 percent perfect data security, but since digital security is only as good as the weakest link in the chain, there are many steps users and providers can take to reduce points of weakness. Many cloud computing applications employ end-to- end encryption from a physically and logically secure cloud computing facility to an end- user's computer. The user's computer, however, is rightfully outside of the cloud computing provider's control; there is no way for the provider to enforce or guarantee security. Since most end users are not security experts, they are often the weakest link of the security chain. Adopting the following best practices will help ensure that you are addressing some of these more common weaknesses: When using cloud (or even local) resources, always use www.iltanet.org Risky Business 25