Cloud computing is no longer a mere buzzword; as noted by ITProPortal, 93 percent of organizations now run at least one app in the cloud or are experimenting with Infrastructure as a Service (IaaS). Public clouds remain the most popular choice with 88 percent of enterprises opting for a shared resource model over private server stacks. And while this growing market bodes well for innovation, business agility and continuity, a new concern has emerged: Cloud ethics. How do companies protect themselves, their data and their customers in the cloud?
With many companies still figuring out exactly how to maximize cloud resources and improve ROI, it’s no surprise that ethics haven’t taken center stage. According to the American Bar Association, states have begun defining cloud responsibilities in a legal framework with most opting for a standard of “reasonable care.”
While this varies across state lines, there are several common elements, such as the need for security measures including passwords and encryption, data confidentiality, and ensuring that providers have enforceable obligations to meet the terms of service level agreements (SLAs). So how does this play out when applied to specific business needs?
One key component of many cloud-based networks is storage; flexible on-demand solutions allow companies to both store massive amounts of data and prepare it for use with analytics tools. But as pointed out by Louisiana Legal Ethics, this easily available storage also comes with ethical concerns. To minimize the chance of legal challenges, law firms should take “reasonable precautions to assure that the vendor will maintain the confidentiality and integrity of the data.” The same holds true for enterprises: Storage vendors must be assessed on their ability to hold, secure and transmit data safely.
Third- and First-Party Access
Along the same track as storage is third-party access. To remain above board when it comes to ethical practices in the cloud, companies need to know who’s accessing data, when, and for what purpose. This starts with providers: Service level agreements (SLAs) should spell out exactly who among provider staff can access company data and include provisions for an auditable trail in case of legal challenges. In addition, businesses must ensure that cloud access is intelligently provisioned to employees and executives, especially those who handle consumer data. Limiting access to “need” rather than “want” can help limit the risk of ethical missteps.
No cloud is complete without security controls, but to ensure the highest ethical standards are maintained, these controls must be periodically examined and updated to meet evolving cloud requirements. This takes two forms. First, as noted by Data Center Knowledge, providers must be upfront with businesses about potential security flaws and any security failures — to do otherwise is unethical. Second, companies must conduct their own in-house reviews of cloud security controls as part of due-diligence strategies. This avoids the problem of “gaps” in security knowledge, which could form the basis of a legal challenge.
Ultimately, cloud ethics are fluid principles, which change along with emerging technologies. A paper from the University of Delft, The Ethics of Cloud Computing, suggests making use of the “precautionary principle”, which focuses on anticipating consequences without limiting investment. The principle can be applied to storage, access, security or any number of cloud concerns, and forms the basis of cloud spend moving forward: Ethics need not hamper innovation.