If you are reading this, you are likely a small business owner, an influencer of small business IT decisions or just someone curious about cloud services for small businesses. I’m going to venture a guess that you are not a lawyer who is well-versed in the legal information you agree to when using cloud services.
Neither am I, but I have read a great deal on this subject and hope to share with fellow non-lawyers a description of what you are reading, what it means, and what you should look out for when considering cloud services.
When you find a compelling cloud service, and you want to use it now, it is very easy to click through the Terms of Use, Security Policy, and Privacy Policy. After all, if it is out there on the internet, it must be fine, right? Let’s first briefly review the role each of the above play.
Terms of Service
(Also known as Terms of Use, Terms and Conditions, or EULA.) This document lays out the groundwork for what you are using, what you might be paying for, any service level agreements that are in place, and the legal rights you have to exercise.
All the details of what happens while you use the service, and what happens after you cancel, are in this document. Terms of Service also describe the ways your service could be cancelled for abuse or breach, and how you are charged for the service.
Image courtesy of xkcd
Privacy Policy
For free services, you are giving up something to get something. Most web-based services, Google, Facebook, and Twitter among others, use your information to make money. This information is your profile demographics, your behavior online while using the service, or details about the content you keep on the service.
For example, if you use Gmail, Hotmail, or Yahoo, your email is scanned for keywords that are used to send you targeted ads. Sending an email to a friend commenting on how much you like the new iPhone Angry Birds application will likely result in advertising for similar iPhone games.
This behavior is separate from your profile and demographics, which contain your name, age and other specific information about you. Marketing companies buy this information to then send you relevant offers, deals, or advertisements. It is extremely rare that a cloud provider would combine internet behavior and profile information, as most people would find this very invasive and they would not use the service.
But "rare" does not mean that it never happens.
Security Policy
All cloud services hold data about you or data owned by you. A service’s security policy is extremely important because it defines how this data is secured in two important ways: during transmission to and from you and the data center providing the service; and while the data is stored at the service provider.
During transmission of sensitive data (user name, password, credit card information, contracts, business plans, etc.), you will want your data secured using SSL/TLS for web traffic (HTTPS rather than plain HTTP) or a virtual private network (VPN) for all other traffic.
This information should also be encrypted when it is stored on the cloud service provider’s systems. AES (Advanced Encryption Standard) is the most widely used encryption algorithm, with three key sizes (128 bit, 192 bit, and 256 bit) depending on the level of security you need to meet business or compliance requirements. AES-192 and AES-256 are sometimes called “military grade” encryption since the National Security Agency (NSA) has deemed them sufficient to protect classified, top-secret information. Note that encryption at rest applied by the provider protects you against outsiders, not against the provider itself, which still holds the keys.
What does all this mean to me?
The recent dustup over Dropbox terms of service has taught us that it is important to pay attention to all three of these documents. In a nutshell, the popular cloud file storage and sharing service changed the language of its Terms of Service to protect itself and clarify the conditions under which it can access any files and content entrusted to it. The result was much fear, uncertainty and doubt about Dropbox, and other cloud storage / backup services.
Fortunately, someone was paying attention, noticed the changes and brought them to light for a wider audience. You might not be as lucky next time. So here are some pointers and best practices that I recommend applying to all cloud services.
- If you are using a cloud service for mission-critical or sensitive data, read all policy documents very carefully and have a lawyer review them to ensure compliance with your company policies.
- Talk to other providers of technology that you currently use. This could be your system administrator, managed service provider, cloud aggregator, systems integrator (disclaimer: Verecloud is a cloud brokerage offering some of these services).
- Ensure that the service Privacy Policy does not allow combining user behavior and profile information for marketing or any other purposes.
- Protect yourself. If you are storing sensitive information, add your own encryption before uploading so that only you can read your data. Here is a good example of how to do this with Dropbox.
- Be mindful of when your cloud provider changes a policy or terms, and reassess to ensure you are protected and receiving the services you expect.
- Find some trustworthy online sources that discuss your specific cloud service ToS and security. I use Spiceworks, StackExchange, Lifehacker and ReadWriteWeb as reputable discussion forums and information sources. Obviously, SmallCloudBuilder is a great place for this information as well. Keep in mind that some will scream that the sky is falling for any change that reads too heavy on the legal, while other comments will be well-informed opinions.
- Trust your gut. If something does not seem right, find another service provider.
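The "add your own encryption" advice above, and the AES key sizes described in the Security Policy section, can be made concrete with a small program. The following is an added example written for this post, not code from Dropbox or from any linked guide: it encrypts a constructed sample document with AES in GCM mode using the Go standard library, so the blob you upload is unreadable to the provider, and it shows why an authenticated mode matters (a modified blob is rejected on decryption). The key here is randomly generated; how you store that key outside the cloud service is left to you, and deriving it from a passphrase with a proper key-derivation function is deliberately out of scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// GenerateKey returns a fresh random key. keyBytes selects the AES variant named
// in the post: 16 = AES-128, 24 = AES-192, 32 = AES-256.
func GenerateKey(keyBytes int) ([]byte, error) {
	if keyBytes != 16 && keyBytes != 24 && keyBytes != 32 {
		return nil, errors.New("key must be 16, 24 or 32 bytes")
	}
	key := make([]byte, keyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-GCM and returns nonce || ciphertext || tag.
// GCM is used rather than bare AES because it also authenticates the data:
// any change to the stored blob is detected when it is decrypted.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; reusing a nonce with the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce is the prefix.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails if the key is wrong or the blob was modified.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// RoundTripOK encrypts then decrypts and reports whether the plaintext survived.
func RoundTripOK(key, plaintext []byte) (bool, error) {
	blob, err := Encrypt(key, plaintext)
	if err != nil {
		return false, err
	}
	got, err := Decrypt(key, blob)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, plaintext), nil
}

// TamperDetected flips one bit of an encrypted blob and reports whether Decrypt
// rejects it, which is the property that protects you from silent corruption.
func TamperDetected(key, blob []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Decrypt(key, tampered)
	return err != nil
}

func main() {
	// Constructed sample standing in for a file you would otherwise upload in the clear.
	doc := []byte("Q3 business plan: pricing, margins and customer list (constructed sample)")
	key, err := GenerateKey(32) // AES-256
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, doc)
	if err != nil {
		panic(err)
	}
	ok, _ := RoundTripOK(key, doc)
	fmt.Printf("blob is %d bytes, round trip ok: %v, tamper detected: %v\n",
		len(blob), ok, TamperDetected(key, blob))
}
```

Only the output of Encrypt goes to the cloud folder; the key never leaves your machine. Because the provider sees only the blob, a change in its Terms of Service about when it may access your files no longer exposes the contents, which is the whole point of the "protect yourself" advice.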
Next time, we’ll look at whether your data is safer in the cloud than on your own servers.
Disclosure – Russell Wurth is Vice President of Product Management at Verecloud, a reseller of cloud services.