A customer's approach to the cloud - ensuring consistency in security

Intellectual Property & Technology partner, Duncan Pithouse, and senior associate, Roxanne Chow from law firm DLA Piper, outline what firms should consider when looking to use cloud services

As businesses increasingly turn to the cloud for their IT solutions, a key battleground in cloud contract negotiations is security.

Many customers are procuring mix-and-match solutions, using different clouds or different layers of the cloud (infrastructure, platform or software as a service), and there is often little consistency in the level of security provided with each.

Moreover, because the solution on offer is a standardised service rather than a bespoke one, the contract itself may not offer the kinds of commitment a customer would have expected in an outsourcing context. This can give rise to a mismatch in approach and to clashes over how much contractual responsibility for security the supplier should take.

With data breaches at the forefront of every CIO's and CEO's mind, getting security protection and management right is crucial. There is often a perception that the customer will incur significant legal and administrative costs during lengthy contract negotiations over security, either because the cloud provider refuses to alter its commoditised product or because its price for doing so is commercially unpalatable.


So what can customers do to make the contracting process easier for themselves and avoid unexpected costs, without compromising on their security requirements?

  1. The customer must develop a set of security standards, applicable across the organisation's systems, that meets both its best-practice and regulatory requirements. Having a set of universal standards means that for each cloud product it procures, the customer can tailor the security requirements for that product within the parameters of the organisation's overall security map. This reduces the likelihood of an unintended security gap (and of having to find an alternative solution to patch such a gap), and helps the customer apply a consistent approach to security across all the cloud products and services it procures.
  2. The customer should set out its specific security requirements for the particular cloud service in question, given its functionality, the type and sensitivity of the data that will flow through it, and the interfaces between that cloud and the customer's other applications and systems. This will better inform the customer's discussions with the cloud provider, so that both parties are better able to reach a resolution.
  3. The customer should perform a gap analysis between its security requirements and the level of security the cloud provider can deliver. The customer should be asking the cloud provider questions at a level of detail sufficient for the customer to decide where the provider's security processes fall short of its needs, and for both parties to then discuss how this can be overcome.
  4. The customer's inquiries should separately consider what security must be applied during data transfer and what applies during data storage, as the requirements may differ. It is unlikely that there is a one-size-fits-all approach. For example, if the customer encrypts the data before initiating the transfer and retains the keys itself, the provider handles only ciphertext in transit and less is needed from it at that stage; but if the provider must decrypt the data in order to store or process it, the provider holds (or can access) the keys, and will need to put more stringent protections in place at the point the data is decrypted and stored in its data centres. In that case, the customer will need to consider the physical and operational security requirements, such as the location of the data centres, the quality of the facility, the provider's access protocols, and its staff vetting policies.

This does not mean that the customer should be prescribing how these data centres are constructed. By adopting a cloud solution the customer is purchasing functionality that is secure; it need not dictate what the provider should do to make it secure.

There are (perhaps apocryphal) stories of customers spending weeks debating with the cloud provider where the paper disposal units should be located within the provider's data facility, when they would have been better served by focusing on a commitment that the manner of disposal will maintain the confidentiality of the materials, and that such disposal will be performed in line with local occupational safety standards.

One key area to which customers should pay particular attention is specifying, in the contract with the cloud provider, the customer's rights if the provider's systems are compromised or there is a security breach. For example:

All these questions should be explored and the resolution set out in the contract.

It is unlikely that a cloud provider can deliver a solution that meets every best-practice protocol at a bargain price, so the customer should be realistic when assessing the security risks, and consider the suitability of a cloud solution for the required service, the relevant data, and the potential impact on its own customers.

For any remaining security gaps, the customer will need to be pragmatic about what steps the provider will take and how much they will cost, and consider whether it would be more cost-effective to do that work itself or to use another supplier. While compromises may need to be made, they should not be made to a level at which the customer is unable to meet its regulatory requirements for the handling of data, particularly personal data.

For the cloud provider, the key thing it can do is recognise that most customers are unused to relinquishing control and letting someone else take over security. Understandably, the cloud provider will not want to disclose the details of its security processes, but it should be willing to disclose the types of activity it undertakes to maintain its security, at a level of detail that enables the customer to monitor performance without the provider having to reveal sensitive proprietary information. In practice this is commonly done through independent audit reports and certifications (for example SOC 2 reports or ISO 27001 certification) shared under confidentiality, which give the customer evidence of the controls without exposing their internal workings.

As many customers still treat the cloud as a black box, whatever the cloud provider can do to demystify it will help move its discussions with the customer about the cloud and security forward.