At the RSA Conference last week I, like others, attended sessions and scouted what the established and new vendors offered on the trade show floor. As with all RSA conferences, there was good content and fun all week.
I attended a session called "Cloud computing privacy and security - legal, ethical, and regulatory framework." The panel comprised three distinguished lawyers who specialize in legal issues related to cloud computing. Judging from the fact that the room was packed, one can conclude that there is a tremendous amount of interest in this area. It also validates the many surveys that have reported that security and compliance are the primary inhibitors of cloud adoption.
There was much discussion about the privacy of the client's data, especially considering that it is not only often co-located with other clients' data, but in many cases may be held at data centers in distant locations. The fact that it might reside in a country subject to European data privacy laws raises very significant compliance challenges.
All panel members emphasized that despite the complexity of data privacy challenges when using the cloud, ultimate responsibility for maintaining customer privacy resides with the owner of that data, not the cloud provider. This forces the client to ensure that the provider's security controls meet the client's requirements for security and compliance, whatever they may be. This is a very complex problem because the transparency of the provider's controls is not always what you would need it to be in order to reach an educated judgment as to their effectiveness. Cloud systems need the same level of governance as on-premises systems, but the lack of control that is inherent in using the cloud makes this very difficult.
A few other key points that the panel raised, particularly in relation to contractual issues, included:
- Auditability - the contract must allow the client to require the provider to undergo an independent audit of its security and compliance controls. In some cases, the client itself may want to perform the audit.
- Secure destruction of data - make sure that the contract clearly specifies how the client's data will be destroyed when the contract is terminated.
- Avoid limitation-of-liability provisions (even though the provider will likely push back hard) - if the provider negligently exposes your private information, the reputational damage can be much greater than the actual expenses incurred. Indemnification often amounts to a year or so of refunded fees, which in the case of a privacy breach is small potatoes.
- Automate continuous monitoring of processes and controls - essential for ensuring the ongoing effectiveness of security controls at the provider. "Your controls are only as good as the last time you checked them."
These are just some of the challenges in developing a contract for cloud services that will help you meet your compliance and governance requirements. I covered a number of these issues in this mini-book: http://www.itgovernanceusa.com/product/2125.aspx.