Okay, so you've finally selected a public cloud service that seems like a good match for your business computing requirements and needs — taking advantage, perhaps, of agile computing, reduced time-to-market, or even your long-awaited escape route from CAPEX to OPEX, reducing your IT overhead costs.
Now, before you sign up, have you taken the time to closely scrutinize your cloud service contract to avoid legal potholes? Have you negotiated the right information security contract clauses that closely match your business needs?
Below is a brief outline of what you should consider including in a service contract to address legal challenges that are prevalent in public cloud services:
- Ownership of data
  - Is your digital intellectual property protected wherever it is stored, processed and transmitted on the public cloud provider's service network?
  - Can your data be subject to compelled disclosure to federal governments, and how would you be notified of such disclosures?
- Data privacy and security
  - What is the minimum set of data security requirements you expect from a cloud service? E.g. compliance with security standards such as ISO 27001 or PCI DSS.
  - Will your data breach notification requirements and responsibilities be adequately supported?
- Physical location of data
  - The 'physical location' of data raises the question of legal governance over the data.
  - If your organization is required to comply with regulations restricting the physical storage location of data, such as EU data privacy directives, are there provisions from your service provider to support this requirement?
  - How quickly can the service provider respond to your own e-discovery requests?
- Governing laws and jurisdictions
  - In situations where a conflict arises between you and the cloud service provider, which country's court system will settle the dispute?
- Forensics and criminal investigations
  - Digital forensics and investigation are notoriously difficult to achieve in a dynamic multi-tenancy computing environment such as a public cloud service. Very few service providers have the capability to support the collection of legally admissible evidence. If this is important to you, ask your service provider what provisions it has.
- Your responsibility for data security
  - Your own data security responsibility and that of your cloud service provider must be well defined, understood, and communicated to all parties involved.
- Your right to audit information security practices
  - Do you have a right to commission independent information security audits of cloud providers (including sub-contractors)?
  - Would you have access to independent audit reports such as Statement on Auditing Standards (SAS) 70 Type II or the newer Statement on Standards for Attestation Engagements (SSAE) No. 16 (SSAE 16) equivalent? You must also check that the SAS 70 report actually covers your own security requirements rather than only the provider's chosen control objectives.
- Service Level Agreements (SLA), including penalties / compensation
  - Are the service availability, service quality, and incident response times you really need for your business clearly defined?
  - What exactly does "service outage" mean for both customer and service provider?
  - Are your SLAs enforceable, stating specific remedies and compensation for service failure?
  - Do you have visibility of sub-contracted services which support the services delivered to you?
- Insurance and liability
  - In the event of a natural disaster, are you indemnified by the service provider's insurance company for losses suffered by your business?
  - If a privacy breach occurs due to a fault of the cloud service provider, is there any liability coverage policy taken up by the service provider?
  - If the data centre gets hacked, can you make claims against the service provider for damages to your business?
- Exit terms and conditions of cloud services
  - Data security: how can you gain assurance that all your intellectual property (IP) will be returned at termination of the contract or when you decide to exit from the cloud service? Answering this can actually help you decide what type of data you should or shouldn't put in a public cloud and what additional compensating controls will be needed.
  - Would you have support to repatriate your data back in-house?
  - Avoiding vendor lock-in: if moving to another service provider, what support would you have to export your data to that provider?
I'm certain you can think of other legal and contractual issues which require special attention when using the public cloud.
Now, what does an information security contract clause actually look like?
An example of information security contract clauses is the model contractual clauses developed by the European Council (EC). They govern the security of personal data when it is transferred outside the European Economic Area (EEA). These clauses offer an alternative means of fulfilling adequacy requirements, such as consent by data subjects, for compliance with the EU data privacy directive. Businesses can develop similar contract clauses when negotiating contract terms for public cloud services.
The legal minefield of cloud computing is far more complex than that of a traditional third-party hosting service. To protect your business interests, negotiate with your service provider to include information security contract clauses which adequately meet your security needs. Lastly, cloud customers are strongly advised to seek legal counsel from specialists in this area to avoid major surprises.
Tajudeen (Taj) Abubakr (CISSP, CISM, CISA, SABSA) is a certified information security manager with broad consulting experience in security programme delivery management, cloud computing, and enterprise IS governance, risk and compliance (GRC). He is currently employed as an information security specialist for a global financial services organization in the UK.