Cloud adoption is on the rise: According to International Data Corporation (IDC)’s “Nine Ways to Maximize the Value of Cloud Contracts,” 52 percent of all companies are currently using cloud-based delivery models and an additional 27 percent have firm plans to implement cloud solutions within the next 12 months. However, despite the interest in moving to the cloud, companies still struggle with negotiating contracts for cloud-based services. A lack of transparency and formally defined accountability for security from cloud vendors contributes to customer anxiety.
One of the key challenges for cloud computing customers is to ensure that contracts include provisions for an appropriate level of security. Increased use of cloud services drives a heightened need for cloud vendor contracts to include basic security requirements. Any omission of security-related cloud vendor contract terms can expose your company to avoidable risks.
As Forrester noted in its “Smart Cloud Contract Negotiation Strategies” report, leading cloud vendors typically provide better security than a customer can on its own, but not always. Standards such as SOC 2 and ISO20018 are common, but not everywhere. Therefore, you must implement sufficient contractual protections.
Cloud Contract Checklist: What Should Your Vendor Agreement Cover?
Cloud vendor contracts cannot totally safeguard against risks to the confidentiality, integrity and availability of your company’s data, but they can offer an additional layer of protection within the cloud. All cloud security requirements possess a certain level of importance based on risk, and most have applicability regardless of the cloud vendor or service.
Although cloud vendor contracts can be complex, there are certain practical security requirements that your company should take into account. What should a cloud agreement include? Use this cloud contract checklist to ensure you’ve covered all the necessary security elements in your vendor agreement.
Audits and Assessments
- Require the right to audit and assess as part of the cloud vendor contract or, minimally, request security audit and assessment reports conducted by reputable third parties.
- Contractually require the cloud vendor to provide regular reporting on their security status and posture, such as security incident and intrusion detection/prevention system (IDS/IPS) log reports.
- Clarify what the cloud vendor defines as downtime and ensure it is scheduled contractually, aligns with your company’s availability requirements and does not conflict with your business hours.
- Confirm what type of service monitoring and alerts are available, and include the ability to terminate the entire agreement without further liability if uptime fails over a particular period of time (e.g., if uptime drops X amount over X number of rolling days).
- Include language that affirms the cloud vendor’s business continuity plan, specifying redundancy requirements to contain, at a minimum, data backup and recovery methods/infrastructure/processes.
- Require the cloud vendor to certify that it will participate with your company in disaster recovery testing at specific time intervals, such as once every two years, without charge.
- Address the various security requirements necessary to comply with applicable laws (e.g., SOX, HIPAA), and security standards (e.g., PCI DSS, ISO 27002) when processing, storing, transmitting or maintaining confidential company data.
- Restrict the moving of company assets to areas known to meet applicable regulations, standards and security requirements.
- Specify data access policies, procedures and standards, including technical standards for encryption and transmission, access controls at cloud vendor locations, and background and/or security check protocols for cloud vendor resources that access confidential company data.
- Confirm how data access will be limited, including a review of the different user permission roles offered, the various accessibility parameters for each role and the administrator’s access rights (i.e., ensure all user actions can be tracked).
- Forbid the cloud vendor from sharing confidential company data with anybody other than approved third parties that are required to provide services, and require that the vendor notifies and secures the approval of your company.
- Ensure your company is able to access its data at any time on demand, ideally on a self-service basis, format-specified and free of charge to include attachments, metadata and images.
- Remove any competitive gatekeeper clauses so other cloud vendor users (viewed as competitors by the cloud vendor) are not prohibited from using company assets in scope.
Data Breach or Loss
- Require the cloud vendor to inform your company immediately if a potential or actual data breach has occurred.
- Include language regarding who bears the risk for loss of data in transit or storage.
- Provide appropriate and timely support for computer forensic investigations and analysis as part of the contract.
- Ensure the cloud vendor is capable of responding to and complying with paper and e-discovery requests, mandatory disclosures and obligations.
- Confirm the cloud vendor possesses and maintains insurance that covers its ability to discharge its obligations to include cybersecurity insurance for any potential data breaches.
- Determine who owns new developments, modifications, enhancements or work products of your company’s intellectual property, including methodologies, technologies, software and documentation.
- Validate that your company has the right to use the cloud vendor’s proprietary intellectual property (IP) or IP licensed by the cloud vendor from a third party during the term and upon termination.
- Determine what your company’s rights are to require the cloud vendor to transfer knowledge (e.g., training, configuration designs) to your company or its designee during the term and upon termination.
- Determine what your company’s rights are to request copies of all work products and to request an inventory.
- Include any licensing arrangements in writing and set out the terms and conditions on which the intellectual property may be used.
Legal Transborder Requirements
- Consider regulations in other countries when storing or transmitting company data within the cloud vendor’s infrastructure to avoid committing any violation.
- Validate whether government entities in the cloud vendor hosting country require access to company data, with or without proper notification.
- Ensure your company’s data does not migrate beyond a defined geographical residency or location.
- Ensure the cloud vendor is capable of identifying, segregating and preserving data that is relevant to pending, threatened or reasonably foreseeable litigation, claims, investigations, or other legal proceedings.
- Ensure the cloud vendor can support litigation holds for a specific customer without freezing your company’s data or vice versa.
Roles and Responsibilities
- Clearly define the roles and expectations of the parties and allocate among them the many responsibilities that are assigned to protecting your company’s data.
- Include language that states who owns data during its life cycle, including when data is transferred or exchanged (data in transit) and during storage (data at rest).
- Escrow source code with an approved escrow agent and include the release conditions from the escrow to reduce risk exposure and regulate what happens to a cloud vendor’s source code if the vendor ceases operations. Keep it limited to bankruptcy, cession of operations or support of the product, or service line and other appropriate narrow conditions.
- Distribute software only in object code form. If object code distribution is not possible, consider using a source code obfuscator. In other words, scramble the symbols, code and data of a software, rendering it impossible to reverse engineer, while preserving the application’s functionality.
Termination and Disposal
- Confirm the cloud vendor is compliant with your company’s policy for data storage media disposal.
- Require the cloud vendor to apply a mandatory data wipeout and sanitization under your company’s review and approval upon contract expiration.
- Establish an exit strategy with terms that trigger the retrieval of your company’s assets and data in a specified time frame.
- Provide for all data to be returned in a predefined format within 30 days of termination and for the cloud vendor to maintain, back up and secure the data until it is returned.
- Negotiate terms that disallow terminations based solely on the cloud vendor’s convenience and, failing that, negotiate for at least six months’ notice for the cloud vendor to terminate.
- Require the cloud vendor to provide documentation of configurations, manuals, playbooks, procedures, passwords and security codes impacting the company’s data.
- Confirm which party owns which assets and how ownership was determined (i.e., under which contract provision).
Know Your Security Requirements to Protect Your Cloud Investments
Today’s consumer of cloud services has to be proficient not only in managing contracts, but also matching people, process and technology to security requirements. Prepare to negotiate and do not sign standard terms without careful consideration because they could expose your company to unforeseen risks. Do not assume negotiation is impossible simply because the cloud vendor states this to be the case.
Moving to the cloud is a paradigm shift as information and processes once under your company’s control move to cloud vendors. This changes your security posture, which creates a greater need for due diligence when it comes to your cloud agreement. Cloud vendor control over all or part of the IT infrastructure does not, in general, absolve companies from security responsibilities. Knowing what security requirements to include in your cloud vendor contracts will help maximize and protect your company’s cloud investments.
Virtual Private Cloud Security and Compliance Focal, IBM Cloud
Brian Evans is a Virtual Private Cloud Security and Compliance Focal with IBM Cloud Platform who assists in managing its business continuity, disaster recove...