Companies continue to flock to the cloud in great numbers as they recognize its economic benefits, but they should proceed cautiously in deciding what information they place within it, experts say.
Cloud computing economics “make the solution very compelling for many different organizations of all sizes, and we're still seeing a significant pace of adoption among companies for cloud-based solutions,” said Oliver Brew, New York-based vice president of technology and privacy for Liberty International Underwriters, part of Liberty Mutual Holding Co. Inc.
“It's still huge,” said Alan E. Brill, senior managing director of secure information services at New York-based Kroll Associates Inc. But “not in the sense of lemmings following each other over the cliff,” he said. “It's now much more nuanced. The companies are taking a much more careful look at what cloud computing can do to help them and what the risks are.”
Experts say that while cloud service providers may provide greater security than companies can get from their own systems, firms should nevertheless pause before they put any data in the cloud that is critical to their business, such as trade secrets, credit card information or information on mergers and acquisitions.
“The fundamental issue with the cloud is really not unique to the cloud; you're giving control of your data and your information to a third party,” just as to any vendor, said Nicholas Economidis, Philadelphia-based underwriter for professional liability and specialty lines at Beazley P.L.C.
The cloud could add some risks and mitigate others, said Tom Srail, Cleveland-based senior vice president of FINEX North America at Willis North America Inc. The question is whether companies are better off moving particular data into the cloud or keeping it in-house.
Once data is in the cloud, it is out of a company's control and could be stolen, disclosed or destroyed, fall between the cracks or lost entirely, said Tim Zeilman, Hartford, Conn.-based vice president at the Hartford Steam Boiler Inspection & Insurance Co., a unit of Munich Reinsurance Co. The organization also may not be sure of where the data ends up, Mr. Srail said.
The first thing an organization should do is conduct a full inventory of the company's information assets and classify them by critical importance, said Kevin Kalinich, global practice leader for cyber and network risk at Aon Risk Solutions.
After that, ask which assets are comparable to KFC's secret recipe or Pepsi's formula. “You don't want to put those out to some third party,” Mr. Kalinich said.
Conduct a risk analysis, said Philip L. Gordon, a shareholder with law firm Littler Mendelson P.C. in Denver. “The business should think through what would be the implications of a worst-case scenario — for example, if the cloud computing company goes out of business and it's difficult for the company to access the information.”
Companies “have to work backward at troubleshooting” to determine “what would be the impact on the organization's business if it were not able to get immediate access to the information that's been stored in the cloud,” Mr. Gordon said.
It really depends on the data involved, the industry and how the company intends to access the data, said Richard L. Santalesa, Fairfield, Conn.-based senior counsel at InfoLawGroup L.L.P. For instance, a company may want to keep credit information close to home, where it knows it is securely encrypted and can determine at any point in time where that data is, he said.
On the other hand “it makes perfect sense” to put old business records and noncritical data that takes up a lot of storage space into the cloud, he said.
“If you don't have the right protections in, you shouldn't store anything in the cloud you wouldn't want to be made publicly available,” said Robert J. Scott, managing partner with law firm Scott & Scott L.L.P. in Dallas.
“Cost is always a big element in putting data in the cloud,” said Robert Parisi, network security and privacy practice leader at Marsh Inc. in New York. The question is whether companies are gaining increased efficiencies in the cloud and is it helping them be “faster, stronger, and better-looking,” or is it simply cheaper to use?
Gene Spafford, director of the Center for Education and Research in Information Assurance and Security in West Lafayette, Ind., said there are regular cycles in information technology when outsourcing data is “economically sensible” because of costs savings and the availability of both components and people. “And then it tends to swing back” because issues of local control, convenience and security need more attention.
“In some sense, we're nearing, probably, the peak of where it makes sense to outsource and move some resources externally, because there are concerns about continuity, security and privacy,” Mr. Spafford said.