Avoiding the storm clouds with good cloud-computing policies

Lisa R. Lifshitz
“We didn’t know that we had purchased these cloud services . . . we signed the wrong agreement.”

It’s fair to say that while cloud computing offers numerous advantages to organizations, it also exposes them to unique risks. As many cloud providers make it intentionally easy for individuals to sign up via one-click online agreements for their standard commodity services, companies without adequate controls in place may find themselves bound to unsuitable cloud services arrangements. Failure to establish adequate checks and balances may expose organizations to regulatory non-compliance, inappropriate business terms or worse.

To mitigate these concerns, organizations are increasingly proactively developing and implementing cloud-computing policies to oversee the adoption and implementation of cloud services and outline best practices and approval processes for using cloud services.

Anatomy of a cloud policy

A well-drafted cloud policy can be a useful governance tool to harmonize standards relating to the adoption of cloud services throughout an organization, promoting consistency and preventing unwelcome surprises. While the content of cloud policies varies, key areas typically include: (i) the purpose of the cloud policy; (ii) a description of the scope of the cloud policy; (iii) the actual procedures of the organization relating to cloud services, i.e., considerations and limitations; and (iv) compliance requirements for the employees/contractors of the organization, including potential sanctions. The cloud policy may also contain its approval and effective dates, its sponsors, responsible officers within the organization and the review cycle.

Purpose of the cloud policy

The stated purpose of a cloud policy can be a simple one-liner setting out the reasons for its establishment or it can be more extensive. Some entities set out in detail the perceived benefits of cloud computing specific to the organization that is driving the adoption of cloud services (i.e., flexibility, reduced costs, scalability) and then identify potential concerns/considerations relating to such adoption (i.e., data security, the classification of data and the suitability/appropriateness of cloud services to each classification; a desire to prevent the unauthorized adoption of cloud services by unauthorized employees, etc.). The key point is to succinctly articulate why the organization is establishing the cloud policy and the outcomes it hopes to achieve through its creation.

Scope

The cloud policy should also state the scope of its application to the activities of the organization. For example, does the cloud policy just cover software services or other cloud services, such as infrastructure, platforms, data backup, etc.? It is equally important to articulate what the cloud policy does not cover, i.e., social media, which may be discussed in another policy. Typically, the cloud policy will apply to the implementation of any cloud services made by or on behalf of the organization by any individual within the organization. 

Policies and procedures

The “procedures” section of the cloud policy establishes the guidelines for the actual acquisition of any cloud services. This section may cover overall concerns regarding cloud-computing services, such as the fact that many generic cloud agreements contain unclear or weak language regarding privacy and security protection, limited service levels, allow for secondary data usage and for the cloud provider to change key contract terms without notice.

The cloud policy should very clearly set out how the organization should procure cloud services (including, as applicable, how specific departments are to proceed on a step-by-step basis) and those internal groups that should be involved in any procurement (i.e., legal, IT). These procedures should incorporate any relevant existing organizational policies (such as a computer use or Internet use policy) and will endeavour to evaluate the risks and establish the acceptable standards for the adoption and use of cloud services by the organization. 

The policy should also outline the review process and the roles and responsibilities of key employees for the adoption and implementation of any cloud services. This could include designating an individual or department within the organization to oversee the negotiation and implementation of any cloud services prior to any acquisition.

The cloud policy may also set out additional institutional requirements and obligations (i.e., monitoring changes to the agreement, especially for privacy and security safeguards, ensuring destruction of data following contract termination, having clear termination/transition assistance/return of data provisions, etc.). It also doesn’t hurt to remind individuals that (1) using a third-party cloud provider does not absolve the organization from its legal/regulatory responsibilities to protect its own data and third-party data and ensure that such data is properly safeguarded; and (2) it will likely be necessary to negotiate a cloud provider’s standard agreement to ensure that these requirements are actually set out in the legal agreement.

Procedures regarding data

A large part of cloud policy is often devoted to the treatment of data, including data generated internally as well as data received from outside sources. The cloud policy may classify the various types of data collected and processed by the organization to (i) determine sensitivity (i.e., classifying highly sensitive data such as health information and financial information vs. business contact information), and (ii) confirm the suitability of prospective cloud services for each respective classification and any limitations.
When classifying such data, an organization must review applicable federal, provincial or other legislation, regulatory guidelines (i.e., OSFI B-10) and relevant industry requirements applicable to such data to ensure that the prospective contract contains adequate language to meet these obligations.

The cloud policy should also provide clear guidance on any restrictions on the acquisition of cloud services that are specific to an individual category of data. These restrictions could include geographic restrictions as to where data can reside or any restrictions regarding the selection of cloud deployment models, including determining if certain kinds of highly sensitive data are unsuitable for public cloud environments and require the use of a private cloud.

Additional areas
To ensure compliance, the cloud policy may also state the consequences for an employee’s/contractor’s failure to abide by the terms of the cloud policy, such as sanctions to include suspension or termination.

Why bother?
A well-drafted cloud policy can assist organizations in avoiding or reducing the risks that may arise in moving applications, processes and data over to cloud services. Prospective cloud users should carefully consider drafting a cloud policy that is not only customized to address their business needs but also addresses the unique legal issues that arise when adopting cloud-computing services.