By Joe Dysart
Securing the Cloud
Key Contract Provisions
While untold numbers of businesses are saving money by moving to the cloud, IT experts say that these companies need to ensure that their cloud contracts include ironclad security protections or they’ll suffer an uncertain future.
“Look at the news on any given day,” said Ron Zalkind, chief technology officer at CloudLock, a service provider that helps companies secure public cloud accounts, such as Google Apps and Salesforce. “You’ll clearly see that the number of risks and data breaches is accelerating.” Moreover, getting from “uncertainty” to “protected” can be more difficult than you might expect, given that many providers of cloud services are reluctant to put their security assurances in writing.
“We continue to see frustration among users of cloud services over the form and degree of transparency they are able to obtain from prospective and current service providers,” said Alexa Bona, a managing vice president at Gartner, a market research group.
Not surprisingly, the cat-and-mouse game between users and cloud providers is taking a toll. Many companies are simply delaying a move to the cloud due to their concerns over security, according to a 2014 study released by Bitglass, a cloud security firm. Specifically, Bitglass researchers found that more than half of large companies (52%) and approximately one-third of small- to medium-size companies (33%) cite security as their primary concern when it comes to cloud-based IT. Plus, the percentage of companies concerned about cloud security is increasing, according to the survey. While 25% of companies expressed security concerns in October 2011, the figure increased to 42% in July 2013, according to Bitglass researchers.
Fortunately, federal governments are stepping in to help assuage concerns. For example, EU regulators are aggressively pushing for more-detailed cloud security agreements between providers and companies and rolled out a set of guidelines in 2014. They worked out the guidelines with key global cloud service providers, such as IBM, SAP and Microsoft.
“A competitive digital single market needs high standards of data protection,” said Viviane Reding, vice president of the European Commission. “The new guidelines are a step in the right direction.”
Similar efforts are underway at the U.S. National Institute of Standards and Technology. Essentially, the standards—which will apply to cloud service providers doing business with the federal government—are expected to serve as best-practice cloud security contract templates for all of industry in the United States.
Of course, despite hoped-for government protections, it’s always good business sense to make sure that provisions for the security of your data are made explicit before you ink any cloud contract. Here’s what cloud security experts recommend (consult with your attorney before implementing any):
- Be sure that there are limitations on where your data will be geographically located. Nail this down, or your company’s data could end up on a server in Iran.
- Be sure that you have a detailed exit strategy from your cloud-services provider. Should you decide to move on to another provider, you’ll want to be sure that there is a clear pre-agreement on the transition. Specifically, nail down how you’ll move your data and in what format your data will be sent to you for the transition. You’ll also want in writing the kind of cooperation your old provider will give you and the amount of time you’ll have to secure your data. Otherwise, with nothing in writing, you could simply lose all of your data with a move.
IBM’s cloud center in Beijing.
- Beware of cloud providers that insist on the unilateral right to change contract terms. This right can give your cloud service provider a blank check to make changes to your contract terms on a whim and leave your data in the lurch. If the provider refuses to budge, be sure you can live with this provision.
- Get documentation on how your provider will secure your data. Any decent cloud provider will have internal protocols in place designed to safeguard your data and your company’s privacy. Get those protocols in writing. And get a guarantee that your provider’s security standards will be certified annually.
- Get documentation that your provider is aware of all local, regional, national and international laws regarding the security and privacy of your data. And get documentation and descriptions of the systems your provider has in place to comply with those laws. Also, make sure you get similar documentation that your provider is aware of and can comply with such laws that are specific only to companies in
- Ensure that your provider will be able to provide usable data should your institution be faced with an e-Discovery request during litigation against your institution. Your attorney should know how to ensure that this request is properly fulfilled.
- Ensure that the cloud contract clearly states that your company retains ownership over all its data and that the cloud-services provider has no right to use your data. Otherwise, the cloud provider may try to resell your data to third parties.
- Ensure that your legal agreements extend to the subcontractors hired by your cloud provider. This is an easy provision to overlook and could wreak havoc on your contract with your provider if forgotten.
- If possible, ensure that your IT director will be able to meet with the cloud security chief to evaluate the provider’s security protocols. Also ensure that your IT director will get immediate notice when any changes are made to those security protocols.
- Ensure that you will be notified if your cloud provider suffers a security breach or is hacked in any way. As we’ve all discovered the hard way, companies are often reluctant to inform clients that they’ve been breached.
- Ensure that you’re able to encrypt your data before it leaves your company’s computers. This provision can save untold headaches. Once encrypted, your data becomes much less of a problem for you in the cloud, no matter what goes on there.
- Ensure that your data will be wiped clean from servers and other computerized storage devices that are taken out of service by your cloud provider. Otherwise, a server or external hard disk with all your company’s trade secrets could pop up on eBay and be sold to a pimply faced 15-year-old—or a competitor.
- Secure a detailed agreement with your provider on how a system crash involving your data will be handled. Also secure an agreement on how a security breach of your data will be handled. Don’t assume that your cloud provider will be diligent.
For the latest ideas and developments in cloud security, monitor the Cloud Security Alliance. Its specific mission is to work on establishing international standards for security and privacy in cloud service agreements.