Cloud computing contracts: Security, privacy and compliance
Once an enterprise decides to use cloud computing services, the next consideration is the cloud contract. Many enterprises underestimate the contractual and legal ramifications of using cloud computing services. Responsibility,
Regulatory, security and compliance issues can hinder implementation of cloud solutions. How much responsibility will the service provider accept? What happens if the requirements are not met? Is it the responsibility of the enterprise or the provider?
Incorporating these issues into a cloud contract can be complex. In my opinion, these contracts are further convoluted by service providers that try to script the contract in their favor, absolving themselves of as many liabilities as possible.
Security in cloud computing services is a hot-button topic. Some pundits argue security is a resolvable issue, while others are more cautious in their recommendations. To best protect your organization in the cloud, the first step is to determine the risk associated with moving functions to a cloud-based service. Learn how to protect your company’s sensitive data, resources and applications in the cloud.
Issues with cloud computing security are being addressed by the Cloud Security Alliance (CSA). The mission statement for the CSA is:
“To promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.”
In December 2009, the CSA published Security Guidance for Cloud Areas of Focus in Cloud Computing V2.1. For those new to the cloud services, the CSA’s security guide for cloud computing has an excellent introduction (see section I., Cloud Architecture). The 17-page introduction covers the entire set of cloud/hosting considerations and how they operate. Mapping the cloud model for compliance is shown to be a subset of the security control model. Learn more about assessing security risks with CSA’s cloud control matrix.
Clarifying cloud computing contracts
The legal implications of cloud computing services can be daunting, so negotiating a cloud contract should include your legal department or others with sufficient legal competency.
Cloud computing contracts detail security, compliance and/or regulatory requirements, so read the fine print. Your legal team must be very critical and precise in their review of the service provider’s responsibilities and liabilities and the liabilities not accepted by the provider.
With regard to compliance, plan accordingly to avoid any legal surprises. Should all users have access to all features and functions, for example? I have one client that decided to limit unified communications (UC) availability to deal with compliance regulations. It’s my opinion that communications in any electronic form will be subject to e-discovery as well as other requirements.
Another issue is the ownership of the information resident at the hosting site. Enterprises often underestimate the ramifications of this issue. Most enterprises assume the information passed through the cloud site is their information and not owned by the cloud provider. Here are some questions to consider:
- Is the information stored inside or outside the U.S.? (Note: in a virtualized environment, the location of stored data could change constantly.)
- Is there a requirement for forensic analysis? If so, how will this be achieved? Read about the unique forensic challenges of cloud computing.
- Is the cloud computing service provider required to adhere to U.S. governmental regulations or those of another country?
- What happens if the service provider loses information or releases information without the enterprise’s permission?
- What are the issues and implications for e-discovery with cloud computing?
- How is the enterprise protected from fines and/or sanctions and other problems stemming from the cloud services provider?
- How is the information of the individual users protected and used by the provider?
- How is the traffic information that is sent and received being handled?
- If presence is involved, can that presence information be sold to others?
- Will the provider use its access to the enterprise’s users to send out information created by third parties for the sale of products or services?
- Would the provider be able to sell profile information of the enterprise’s users?
The provider will set the Acceptable Use Policies (AUP). The AUP will favor the provider’s business model and revenue. To get an idea of the unbalanced arrangements that favor service providers, read your AUP.
Performance considerations for cloud computing contracts
The service-level agreement (SLA) for cloud services will be measured over a long period of time, possibly weeks. Of course the SLA will be met when no one is using the service. The SLA is most important during peak usage. The SLAs of MPLS services are another example of biased arrangements that clearly need to be renegotiated to satisfy the busy-hour performance.
Most cloud computing service SLAs cover reliability and availability. Enterprises want 99.99+% availability. Keep in mind that this figure applies to the cloud site only and does not include the network access or the devices at the enterprise’s location, so 99.99+% will not be the level of availability experienced by the enterprise user.
Want to know the truth about five nines availability in unified communications networks?
The demarc for accessing the cloud service may be much further away than the enterprise expects. A distant demarc means that the provider is not responsible for meeting the SLA at or near the customer premises or desktop.
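As an added illustration of the two points above (end-to-end availability is the product of every component in the path between the desktop and the cloud site, and a long measurement window can hide busy-hour outages), here is a small Python script. It is not from the article; the component figures, the busy-hour definition (weekdays 08:00-18:00) and the outage log are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed component availabilities (assumed, not from the article).
# The provider's 99.99% covers only the cloud site; everything past its
# demarc is outside the SLA but still in the user's path.
COMPONENTS = {
    "cloud site (provider SLA)": 0.9999,
    "WAN access circuit": 0.999,
    "enterprise edge router/firewall": 0.9995,
    "enterprise LAN and desktop": 0.999,
}

def end_to_end_availability(components):
    """Components in series: the path is up only when every one is up."""
    total = 1.0
    for a in components.values():
        total *= a
    return total

def downtime_minutes(availability, days=30):
    """Expected unavailability over a window of `days`, in minutes."""
    return (1 - availability) * days * 24 * 60

# Constructed outage log: (start, end) of periods the service was down.
# One 4-minute outage on Thursday 3 Feb 2011 at 10:00, i.e. in busy hours.
OUTAGES = [(datetime(2011, 2, 3, 10, 0), datetime(2011, 2, 3, 10, 4))]
MONTH_START = datetime(2011, 2, 1)
MONTH_END = datetime(2011, 3, 1)

def availability_in_window(outages, start, end, busy_only=False):
    """Fraction of the window the service was up, sampled per minute.
    With busy_only=True only weekday 08:00-18:00 minutes count, which is
    when the article says the SLA actually matters."""
    total = down = timedelta()
    step = timedelta(minutes=1)
    t = start
    while t < end:
        if not busy_only or (t.weekday() < 5 and 8 <= t.hour < 18):
            total += step
            if any(s <= t < e for s, e in outages):
                down += step
        t += step
    return 1 - down / total

if __name__ == "__main__":
    a = end_to_end_availability(COMPONENTS)
    print(f"end-to-end availability: {a:.4%} ({downtime_minutes(a):.0f} min/30 days)")
    print(f"whole month: {availability_in_window(OUTAGES, MONTH_START, MONTH_END):.4%}")
    print(f"busy hours:  {availability_in_window(OUTAGES, MONTH_START, MONTH_END, True):.4%}")
```

The same 4-minute outage satisfies a 99.99% target when averaged over the whole month but falls well short of it when only busy hours are counted.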
Moving to the cloud is a form of outsourcing. Make no mistake -- you are trusting another organization with your operations and information. Study the legal and contractual arrangements and negotiate a fair and equitable cloud services contract before you implement.
About the author: Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia and Asia.
This was first published in February 2011