Neustral says the policy might apply for a service like Google Translate, where the data has to be analyzed and even parsed for intended meaning, but not for cloud storage. That's a good lesson for CIOs who need to understand cloud storage policies--one size does not fit all.
Enterprise Cloud Storage: Read the Contract
That's why, for enterprise cloud storage, most experts say the most critical step with storage policies is to investigate the actual contract you have with the vendor. This might require scrutiny from a corporate attorney, and further investigations into such intangibles as how to retain data archives if a cloud storage vendor goes under and how to encrypt access to the cloud storage.
Ashley Podhradsky, the Assistant Professor of Computing and Security Technology at Drexel University, has studied the security issues with cloud storage and is also a member of the Cloud Security Alliance. She says one recent strategy with cloud storage is for the cloud infrastructure to integrate directly into an on-premise data center.
"This allows the corporation's network administrators to control cloud access through services such as Active Directory and LDAP (Lightweight Directory Access Protocol, an Internet protocol for accessing data). The encryption keys are starting to be managed on the corporation side as opposed to the cloud provider, which aims to include the corporation into more of the security practices," she says.
Thankfully, most cloud vendors have clear policies about who owns the data. Aaron Messing, a technology and information privacy attorney with Olender Feldman, says there is not much debate about the fact that the enterprise owns the data. He says there are vagaries about how quickly data should be destroyed upon request (say, within a specific timeframe), or whether the vendor is blocked from sharing any data publicly (such as e-mail addresses or customer lists).
Beyond studying the agreement with the vendor, and negotiating the terms that make sense for the type of data you will be storing, Messing says only certain types of data are appropriate for the cloud.
"We strongly recommend against storing any type of personally identifiable information, such as date of birth or social security numbers, in the cloud. Similarly, sensitive information such as financial records, medical records and confidential legal files should not be stored in the cloud where possible," he says.
Messing also adds that, if a company does decide to store some financial data in the cloud, it should use strong encryption and keep a second local archive in order to mitigate risk.