Cloud providers are more likely to use subcontractors to meet spikes in demand. Cloud-stored data often hops from country to country, some with weak IP laws or enforcement. "Similarly, if your provider uses personnel who can remotely access your data and IP from countries with weak IP laws, you may be putting your IP at risk of theft or misappropriation, with little recourse," explains Rebecca Eisner, partner in the privacy and security practice of Mayer Brown. Finally, because many cloud services have grown out of consumer offerings, their standard contracts are severely lacking. "A term in a contract that provides that the cloud vendor owns all content a customer may put on its systems may be okay if that content is a picture of your dog, but may not be so good if you're talking about your development environment," says Edward Hansen, partner and co-chair of the global sourcing practice at Baker & McKenzie.
As the name suggests, data and IP in the cloud may as well be floating in the ether minus any vendor obligations or controls introduced by the customer into the deal. "Typically, [customers] are focused on cost reduction and performance. Intellectual property issues are viewed as 'lawyer issues,'" says Mayer Brown's Eisner. "In reality, a cloud provider's ability to protect intellectual property rights should receive as much scrutiny as the information security, price and technical solution." "We are seeing some awareness dawning of how much weaker some cloud providers' contracts are in security terms," adds Slaby of HfS Research. "But the siren song of lower costs and greater flexibility is difficult to resist."
To you protect your corporate crown jewels in the cloud, here are nine steps to follow:.
Pick the right provider. Take due diligence seriously. "Given that the category and its players are still relatively new, consider how you'll extract yourself and your sensitive IP in the event that your cloud provider fails abjectly to live up to its contract, goes out of business, or is acquired by a competitor," advises Slaby. "Take a careful look under the hood at any prospective cloud provider's plans around disaster recovery." If you want sophisticated protection of trade secrets, seek out only providers that offer sophisticated solutions with higher-security requirements.
Select the right service. Do everyone a favor -- don't sign your first-ever cloud contract for a core business function. "Many clients looking for benefits of the cloud are purposely moving IP last," says Bell, testing the waters with commodity services like IT service management or QA on standard software. "It's a way to make sure they understand the nuances."