In my previous post I shared my experience negotiating Demand Pricing and Data Ownership concepts as part of contracting with a cloud provider. Today I’ll tackle what I consider one of the most difficult components of a cloud contract, Security. I’m hoping others will share their experience in this area, because I don’t believe anyone has the final answer for how to negotiate these complicated concepts, especially when one considers the myriad of types of cloud providers and services offered.
Thankfully for contract negotiators there already has been some standardization regarding contractual security requirements. One standard is the Statement of Accounting Standards number 70, or SAS70, report. Your contract should specify that you receive an annual copy of the vendor’s SAS70 report. It’s important to verify, prior to signing the contract, that the vendor’s current SAS70 report covers the systems and processes for which you will be contracting. I know that sounds simple, but I’m always amazed to see SAS70 reports that cover processes and procedures, and even systems, that have no relation to what I’m purchasing.
Of course, for any vendor collecting or processing credit card information, the standard you should insist on is adherence to the PCI Data Security Standard (PCI DSS). To verify the vendor is in compliance, require them to send you their internal or external audit verification of their compliance on an annual basis, or just negotiate that they will maintain compliance with the latest published standard and notify you of any areas where they are out of compliance while specifying remediation plans and timelines for each out-of-compliance area.
To cover theft of your data, whether that data is managed in your data center or in the cloud, your company should have Privacy & Network Liability insurance. A key clause in your insurance policy should state that the policy covers any contracted vendor who manages, hosts, or otherwise accesses your data. This ensures you have insurance to help your company cover the cost of addressing a breach that occurs at your cloud provider.
There are too many areas of security to discuss in detail, so I’ll just highlight other areas you should ensure you cover, both in your due diligence and contract negotiations.
- Encryption of your data in transit, and encryption of data you specify in storage and backup.
- Your data should be treated as Confidential Information.
- The cloud service will not contain or transmit malicious code.
- Require the vendor to indemnify you against unauthorized use or disclosure of your data caused by the vendor or by a security breach of their service.
- Vendor shall not access your customer data except for purposes of providing the service.
- Vendor shall only use, access or permit access to your customer data in compliance with applicable laws and governmental regulations.
- Require an SLA for the vendor to notify you of any security breach, even if they are not sure whether your customer data has been affected (you don’t want to find out about vendor security breaches in the press!).
- Negotiate the ability to perform vulnerability scans on the vendor’s cloud service using your own tools, and negotiate an SLA for the vendor to remediate any high and medium vulnerability findings; an alternative is for the vendor to share with you, on a periodic basis, their own third-party vulnerability scan data and remediation efforts.
- Ensure you have the right to conduct on-premises investigations at the cloud provider’s data centers and support locations if your data is breached.
I’d be interested in hearing other areas that all of you have included to protect the security of your data and services you perform in the cloud.