> From: John Thompson
> The company I work for is looking at a product that
> stores a bunch of "our" sales data in the "cloud"
>
> Our internal legal person had a look at the contract
> that the company is proposing and apparently it has a
> little clause in there that they are not liable if the
> data gets stolen. Is this standard with cloud products?
There is a separation of responsibilities that needs to be understood by everyone these days. We expect the data centers for cloud companies to be secure. Once we give them data we expect them to hold onto it. And if we are paying them to do something with the data, we expect them to do that with full reliability. That's Their responsibility.

But we also pay these cloud services for increasing types of accessibility to our data. With more accessibility, there are more opportunities for data exposure. We cannot expect them to accept responsibility for vulnerabilities which we ourselves may create, which includes:

- transport outside of a VPN
- transport of plain text data
- open transport of credentials (user/psw)
- exposure of credentials whether on lost devices, sticky notes on the monitor, or a list in one's wallet

And in this world of networked data we must understand that security is always a moving target. The environment that is secure today could be compromised tomorrow after a patch is applied or simply through the constantly improving skills of bad guys. It's very difficult for a company to accept responsibility for constantly changing details outside of their control.

Sure, we expect that a cloud company will protect data on-site against theft or acts of nature, but in a networked environment there are points of exposure. They can strive to protect their systems and networks against hacks but this is a huge ongoing expense and it's an imperfect science where occasionally even the top professionals are caught unaware. They can strive to create a contract that explains how they will accept responsibility for their side of the environment while not being liable for damages due to issues outside of those definitions. But that leaves contracts vague and open to contention. It's better for them simply to say they're not liable for losses. Accept it or don't.

There is also the question of what liability really is.
Is a compromise of your data worth $100 or $1 Million? To avoid such evaluation in a claim, it's better to just get the issue waived up front. You can accept this or reject the premise and try to get someone else with an insurance company that will settle high-value claims.

In a non-litigious world, the simplest and most honest contract might read "We really do the best job we can, and we think we do better than our competition, but if anything at all bad happens, we simply can't accept blame or pay any damages. Welcome to the modern world. If you accept this, we'd love to do business with you. If not, we're sorry, but we can't take a chance on going out of business for something that's not related to what we really do."

For your part, when you do host data off-site, use every encryption and security mechanism available to protect your business outside of the scope of the services provided by the cloud host. This becomes your responsibility. Then you need to figure out how you're going to convey Your position on liabilities to Your clients. "We really do the best job we can..."

So the bottom line here is that you get the best contract you can, and try to get clarifications or commitments in writing. But you also need to balance expectations with an understanding of the world we're living in, and cover for vulnerabilities with your own solutions where possible.

T

_______________________________________________
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users