Risks of cloud computing
Before considering cloud computing technology, it is important to understand the risks involved when moving your business into the cloud. You should carry out a risk assessment process before any control is handed over to a service provider.
The Australian Government has published a comprehensive guide on cloud computing security considerations. Although this is aimed at government agencies, the guidelines and information are relevant to businesses.
You should consider the following issues:
Privacy agreement and service level agreement
You will need to have suitable agreements in place with your service providers before services commence. This will safeguard you against certain risks and also outline the responsibilities of each party in the form of a service level agreement (SLA). You should read the SLA and ensure that you understand what you are agreeing to before you sign. Make sure that you understand the responsibilities of the service provider, as well as your own obligations.
Security and data protection
You must consider how your data will be stored and secured when outsourcing to a third party. This should be outlined in the agreement with your service provider, and must address mitigations to governance and security risks. It must cover who has access to the data and the security measures in place to protect your data.
Location of data
Cloud computing service providers are often located outside Australia. Before committing, you should investigate where your data is being stored and which privacy and security laws will apply to the data.
Legislation and regulation
You will need to be aware of Australian legislative and regulatory requirements when storing personal data (e.g. the Privacy Act 1988 and the Archives Act 1983 (Cwlth) will apply). If the data is being stored outside of Australia (e.g. if your business uses an overseas service provider), you will also need to be aware of the legislation and regulation requirements in that geographic location.