LEGAL
As more businesses recognize the commercial value of "cloud computing" services, they increasingly turn to companies such as Amazon® Web Services (AWS) to manage those operations. Not many companies recognize, however, that the survival of their business may depend on their choice of cloud service provider. This point was dramatically illustrated by the recent experience of the company Code Spaces.
Cloud computing services consist of a range of information technology support operations. They include website hosting, data storage and processing, and software applications. Cloud services are offered by a variety of vendors, ranging from large, well-established providers such as AWS and Microsoft to numerous smaller operators.
Cloud services play a critical role in the business operations of many organizations. In many instances they are responsible for vital functions. They are commonly relied upon to store, process, and manage data, information, computer code, and other materials that are vital to businesses and their customers.
One of the most significant challenges currently faced by cloud service providers is security. They are responsible for mission critical digital content and computer operations. Accordingly, if cloud service vendors suffer service failures or computer security breaches, their customers may encounter devastating consequences.
The recent experience of Code Spaces highlights the serious vulnerability posed by cloud services. Code Spaces provided computer code hosting support for its customers. Code Spaces relied upon AWS to provide the cloud computing support necessary for its business. The company routinely stored the computer code of its clients on AWS servers.
A hacker executed a "distributed denial of service" attack on the Code Spaces website. The hacker attempted to extort money from Code Spaces in exchange for terminating the attack. When Code Spaces was slow to make payment, the hacker escalated the attack by hacking into the Code Spaces account at AWS.
After gaining access to the AWS account, the hacker deleted essentially all of the Code Spaces customer computer code stored on the AWS servers. The resulting damage to Code Spaces was profound. The hacker had caused devastating damage to the business operations and reputation of Code Spaces, and to all of Code Spaces' customers. The security breach forced Code Spaces to go out of business.
The experience of Code Spaces teaches a harsh and significant lesson. To the extent that enterprises rely on AWS and other cloud service providers for information technology support that is critical to their business, they are betting their business survival on the security capabilities of their cloud service vendors. If the security measures employed by the service provider fail or are breached, the survival of the business is threatened.
Accordingly, the selection of cloud service provider is a decision which affects the future survival of a business. When an enterprise chooses a cloud vendor, that enterprise is, in effect, betting its future on the security practices and procedures employed by the vendor. A bad choice could kill your business.
When selecting a cloud service provider, companies should focus careful attention on the terms of service offered by the service provider. Of particular significance are the terms associated with data security and information privacy. It is vital to understand thoroughly the security policies, practices, and procedures provided by the cloud vendor. That includes understanding the actions which will be taken by the vendor to prevent and to respond to any actual or perceived security threat or breach. It also includes understanding of the rights and obligations of both the cloud service provider and the customer with regard to security and security breaches.
Cloud service providers often provide varying levels of security at different prices. More secure services are often more costly. Businesses should consider the extent to which the higher prices associated with premium security services may be costs of business well worth paying.
Businesses should also implement effective back-up plans for use in the event of a significant security failure. All organizations must anticipate how they will act if a major cloud security breach results in loss or corruption of data and other content or if the breach makes access to the cloud system impossible. Each enterprise should provide for timely access to back-up service providers and content.
Insurance coverage is increasingly available to address a wide range of computer and data security risks. Organizations should carefully review and consider available insurance options. Investment in coverage providing protection against computer and data security threats may be prudent for some companies.
Finally, companies should carefully consider what materials, if any, may be too sensitive even to include in cloud computing systems. In some instances, certain content may be deemed to be too vital to put at risk through exposure in cloud networks. Organizations may choose to make those materials accessible only through computer systems they fully control.
Computer and data security failures and breaches are now, unfortunately, common aspects of business in the digital age. They are not rare occurrences. All organizations must assume that they will encounter multiple computer and data security problems in the course of their operations. You and your business must plan accordingly. As the experience of Code Spaces underscores, failure to plan effectively for the inevitable security challenges could kill your business.