Understanding and appreciating outsourcing contracts has long been the duty and focus of procurement and legal functions.
Whether it involves the outsourcing of individual personnel, roles, and functions or of entire business functions, such contracts have been used globally to maximize cost benefits, plug skills gaps, and ultimately ensure that entities run as smoothly and efficiently as possible.
What does all this entail?
In short, it entails a complete understanding of the reasons, rationale, requirements, business drivers, and potential impacts that moving to cloud-based services will bring.
It also entails the ability to coordinate, communicate, and interpret the challenges that lie ahead when moving toward cloud computing.
Historical outsourcing may have involved a set of key departments or practitioners, but the cloud amplifies that significantly, even more than traditional IT outsourcing.
Acting as the informed advisor who coordinates this throughout the business leads to a far smoother and more efficient process, one where risks and issues are highlighted at the outset rather than when you least expect them, or as a result of an unforeseen event or incident.
Before entering into a contract with a cloud supplier, your enterprise should evaluate its specific needs and requirements that form the basis and foundation of the organizational cloud strategy.
To develop a cloud strategy, the key organizational assets need to be agreed upon and assessed for adequacy or suitability for cloud environments.
Do not forget that not all systems and functions may be cloud-ready.
As part of this process, the business units or functions that are suitable candidates should be defined as in scope, and a phased (or potentially phased) approach to the cloud journey should be outlined.
Any exceptions, restrictions, or potential risks should be highlighted and documented.
This process should also list regulatory and compliance components that need to be addressed and satisfied (whether that will be by the provider or a joint approach).
These stages enable you to shape and begin reviewing potential solutions or cloud services.
Given the plethora of cloud service providers (CSPs) currently offering services, it is likely that more than one provider will be positioned to provide the services called for by your cloud strategy and business requirements.
Where an up-to-date business continuity and disaster recovery (BCDR) plan is available, this will often speed up the process, because the plan and its associated documents should already capture the key assets and business functions and list the business and system interdependencies.
With the continued growth and the significant financial sums posted quarterly by many of the leading cloud service providers, some are describing cloud computing as the digital gold rush.
As with the gold rush, new players looking to harness a portion or share of cloud gold are arriving in rapidly increasing numbers.
This is leading to a fiercely competitive pricing battle as the providers fight for crucial market share.
For the moment, this means lower costs, increased competition, better offers, and generally good value for customers.
The challenge becomes real when many of the providers fail to grab sufficient market share or ultimately achieve enough market penetration as a cloud service provider.
Some of these will cease offering cloud services (due to lack of profitability) or will change direction in their service offerings.
Understanding Your Risk Exposure
What risk does this present to you or the organization? How can you address these risks with a view to understanding the organization's risk posture?
The following questions should form the basis for understanding the exposure before any services engagement:
- Is the provider an established technology company?
- Is this cloud service a core business of the provider?
- Where is the provider located?
- Is the company financially stable?
- Is the company subject to any takeover bids or significant sales of business units?
- Is the company outsourcing any aspect of the service to a third party?
- Are there contingencies where key third-party dependencies are concerned?
- Does the company conform to relevant standards and frameworks?
- Is the company certified against relevant security and professional standards and frameworks?
- How will the provider satisfy relevant regulatory, legal, and other compliance requirements?
- How will the provider ensure the ongoing availability, integrity, and confidentiality (AIC) of your information assets placed in the cloud environment (where relevant)?
- Are adequate BCDR processes in place?
- Are reports or statistics available from any recent events or incidents affecting cloud services availability?
- Is interoperability a key component, to facilitate ease of transition or movement between CSPs?
- Could regulatory-driven compliance requirements emerge that are not yet foreseeable?
These queries should directly influence your decision regarding cloud services and cloud service providers.
Additionally, effort spent determining the requirements up front directly reduces the effort needed to define and select the appropriate CSP, shortens negotiation times, and helps ensure that the required security controls are in place to meet the organization's needs.
Accountability of Compliance
It is not the CSP's role to determine your requirements or to have a fundamental understanding and appreciation of your business.
The role of the CSP is to make services and resources available for your use, not to ensure that you are compliant.
You can outsource activities and functions; however, you cannot outsource your compliance requirements.
You must remain accountable and responsible, regardless of any cloud services used.
The organization will be the one affected by the negative outcomes of any violations or breaches of regulatory requirements, not the provider.
Common Criteria Assurance Framework
The Common Criteria (CC) is an international set of guidelines and specifications (ISO/IEC 15408-1:2009) developed for evaluating information security products, with the view to ensuring they meet an agreed-upon security standard for government entities and agencies.
The goal of CC certification is to assure customers that the products they are buying have been evaluated and that the vendor's claims have been verified by a vendor-neutral third party.
CC certifies a product only; it does not cover administrative or business processes.
Although such product certification is beneficial, there are dangers in relying only on technology for robust and effective security: a certified product that is misconfigured, poorly operated, or surrounded by weak processes provides little assurance.
Given the distinct lack of cloud-specific security standards and frameworks, and the growing requirement for such standards and frameworks to be adopted by cloud service providers, the Cloud Security Alliance (CSA) launched the Security, Trust and Assurance Registry (STAR) initiative at the end of 2011.
The CSA STAR was created to establish a "first step" in displaying transparency and assurance for cloud-based environments.
To ensure adoption and use throughout the cloud computing industry, the CSA made STAR a publicly available and accessible registry that provides a mechanism for users to assess the security of a cloud service provider.
Additionally, STAR provides granular levels of detail, with controls specifically defined to address the differing categories of cloud-based services.
The use of STAR enables customers to perform a large component of their due diligence and allows a single framework of controls and requirements to be used in assessing a CSP's suitability and its ability to fulfill the customer's requirements.
At a glance, CSA STAR is broken into three distinct layers, all of which focus on the AIC components.
- Level 1, Self-Assessment: Requires the release and publication of a due-diligence self-assessment against the CSA Consensus Assessments Initiative Questionnaire (CAIQ) or the Cloud Controls Matrix (CCM)
- Level 2, Attestation: Requires the release and publication of the results of an assessment carried out by an independent third party, based on the CSA CCM together with ISO/IEC 27001:2013 or AICPA SOC 2
- Level 3, Ongoing Monitoring Certification: Requires the release and publication of results from continuous monitoring of security properties, based on the Cloud Trust Protocol (CTP)
These levels address the varying demands of customers based on the level of assurance they require.
For some customers a self-assessment may be sufficient, but others may require third-party verification, or continuous assessment combined with independent verification.
Cloud Computing Certification
According to ENISA, the Cloud Certification Schemes List (CCSL) provides an overview of the different existing certification schemes that might be relevant to cloud computing customers.
CCSL also shows the main characteristics of each certification scheme; for example, it answers questions like these:
- Which are the underlying standards?
- Who issues the certifications?
- Is the CSP audited?
- Who audits it?
The schemes that make up the CCSL are listed here:
According to ENISA, the Cloud Certification Schemes Meta framework (CCSM) is an extension of the CCSL that provides a neutral high-level mapping from the customer’s network and information security requirements to security objectives in existing cloud certification schemes.
This facilitates the use of existing certification schemes during procurement. The first version of the CCSM was approved and adopted in November 2014.
The online version of the CCSM tool can be accessed at link.
The tool lists 27 CCSM security objectives and then allows the customer to select which ones he wants to cross-reference against the certifications listed in the CCSL. Consider a sample of what the resulting comparison matrix looks like.
Contract management is a key and fundamental business activity, amplified by the significant outsourcing of roles and responsibilities, and it requires adequate governance to be effective and relevant.
It involves meeting ongoing requirements, monitoring contract performance, adhering to contract terms, and managing any outages, incidents, violations, or variations from contractual obligations.
The role of cloud governance and contract management should not be underestimated or overlooked. So where do you begin?
As the first port of call, consider the initial review and identification of the CSP's ability to satisfy the relevant requirements; the initial lines of communication; a clear understanding and segregation of responsibilities between customer and provider; and the penalties for, and the ability to report on, adherence to and violations of contract requirements.
If these are not understood and clearly defined at this point, problems are likely to arise. Remember, the contract is the only legally binding document that will be reviewed and assessed in a dispute between the cloud customer and the CSP.
Importance of Identifying Challenges Early
Any challenges or areas that are unclear must be raised and clarified before engagement and signing of contracts between the customer and provider.
Why is this important?
- Understanding the contractual requirements forms the organization’s baseline and checklist for the right to audit.
- Understanding the gaps allows the organization to challenge and request changes to the contract before signing acceptance.
- The cloud security professional has an idea of what she is working with and the kind of leverage she will have during the audit.
Documenting the requirements and responsibilities makes it possible to utilize technological components to track and report adherence and variations from contractual requirements.
This provides an audit output (report) and allows you to approach the CSP with evidence of variations and violations of the contract.
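The tracking and reporting described above can be automated once the contractual minimums are written down as data. The following is an added example, not code from the original text: it takes hypothetical contract terms (a monthly availability floor and per-severity acknowledgement and resolution timeframes), measures constructed outage and incident records against them, and returns the list of variations that would go to the CSP with the audit report. Outages that straddle the reporting period are clipped to the period so that a month is not charged for downtime that belongs to the next one.

```python
"""SLA adherence check: measure a CSP's observed service data against the
contractual minimums and emit an audit-ready list of variations.

Added illustration, not code from the original text. The contract terms,
outage windows and incident records are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class ContractTerms:
    """Minimum performance levels as written in the contract (hypothetical values)."""
    min_availability_pct: float          # per calendar month
    max_ack_minutes: Dict[str, int]      # initial response time per severity
    max_resolve_minutes: Dict[str, int]  # resolution timeframe per severity


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Incident:
    ident: str
    severity: str
    opened: datetime
    acknowledged: datetime
    resolved: datetime


def availability_pct(outages: List[Outage], period_start: datetime, period_end: datetime) -> float:
    """Availability over the period; outages straddling the period edges are clipped."""
    total = (period_end - period_start).total_seconds()
    down = 0.0
    for o in outages:
        s, e = max(o.start, period_start), min(o.end, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return 100.0 * (1.0 - down / total)


def incident_variations(incidents: List[Incident], terms: ContractTerms) -> List[str]:
    """One finding per missed acknowledgement or resolution timeframe."""
    findings = []
    for inc in incidents:
        ack = (inc.acknowledged - inc.opened).total_seconds() / 60
        res = (inc.resolved - inc.opened).total_seconds() / 60
        ack_limit = terms.max_ack_minutes[inc.severity]
        res_limit = terms.max_resolve_minutes[inc.severity]
        if ack > ack_limit:
            findings.append(f"{inc.ident} ({inc.severity}): acknowledged after {ack:.0f} min, limit {ack_limit}")
        if res > res_limit:
            findings.append(f"{inc.ident} ({inc.severity}): resolved after {res:.0f} min, limit {res_limit}")
    return findings


def adherence_report(terms, outages, incidents, period_start, period_end) -> dict:
    """Audit output: measured values, the contractual limits, and every variation found."""
    avail = availability_pct(outages, period_start, period_end)
    variations = []
    if avail < terms.min_availability_pct:
        variations.append(f"availability {avail:.3f}% below contractual minimum {terms.min_availability_pct}%")
    variations.extend(incident_variations(incidents, terms))
    return {
        "period": (period_start.isoformat(), period_end.isoformat()),
        "availability_pct": round(avail, 3),
        "variations": variations,
        "in_breach": bool(variations),
    }


# Constructed sample data: a hypothetical contract and a hypothetical January 2024.
TERMS = ContractTerms(
    min_availability_pct=99.9,
    max_ack_minutes={"P1": 30, "P2": 120},
    max_resolve_minutes={"P1": 240, "P2": 1440},
)
PERIOD_START, PERIOD_END = datetime(2024, 1, 1), datetime(2024, 2, 1)
OUTAGES = [
    Outage(datetime(2024, 1, 5, 2, 0), datetime(2024, 1, 5, 2, 30)),      # 30 min
    Outage(datetime(2024, 1, 18, 14, 0), datetime(2024, 1, 18, 14, 25)),  # 25 min
    Outage(datetime(2024, 1, 31, 23, 50), datetime(2024, 2, 1, 0, 30)),   # only 10 min fall in January
]
INCIDENTS = [
    Incident("INC-1", "P1", datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 9, 20), datetime(2024, 1, 10, 14, 0)),
    Incident("INC-2", "P2", datetime(2024, 1, 20, 10, 0), datetime(2024, 1, 20, 13, 0), datetime(2024, 1, 20, 20, 0)),
]
SAMPLE_REPORT = adherence_report(TERMS, OUTAGES, INCIDENTS, PERIOD_START, PERIOD_END)

if __name__ == "__main__":
    print(f"availability: {SAMPLE_REPORT['availability_pct']}%  in breach: {SAMPLE_REPORT['in_breach']}")
    for v in SAMPLE_REPORT["variations"]:
        print(" -", v)
```

With the constructed data, 65 minutes of in-period downtime over a 31-day month gives 99.854% availability against a 99.9% floor, INC-1 misses its P1 resolution timeframe, and INC-2 misses its P2 acknowledgement timeframe, so the report lists three variations. The severity keys, limits and the report layout are assumptions for this example; in practice they come from the signed contract and the penalty clauses attached to it.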
Before signing acceptance of the relevant contracts with the CSP, appropriate organizational involvement across several departments is most likely required.
This typically includes compliance, regulatory, finance, operations, governance, audit, IT, information security, and legal. Final acceptance typically resides with legal but may be signed off at an executive level from time to time.
Key Contract Components
Depending on your role, inputs, and current focus, the following items usually form the key components of cloud contracts.
Given that contracts vary significantly between various CSPs, not all of these may be captured or covered.
This is a typical, illustrative list rather than an exhaustive one:
- Expected performance and minimum levels of performance
- Incident response
- Resolution timeframes
- The maximum and minimum period for tolerable disruption
- Issue resolution
- Communication of incidents
- Capturing of evidence
- Forensic and e-discovery processes
- Civil and state investigations
- Tort law and copyright
- Control and compliance frameworks, for example:
  - PCI DSS
  - Safe Harbor
  - U.S. Patriot Act
- Priority of restoration
- Minimum levels of security and availability
- Communications during outages
- Data access requests
- Data protection and freedom of information
- Key metrics and performance related to QoS
- Independent assessments and certification of compliance
- Right to audit (including period or frequencies permitted)
- Ability to delegate third parties to carry out audits on your behalf
- Penalties for nonperformance
- Delayed or degraded performance penalties
- Payment of penalties (supplemented by service or financial payment)
- Backup of media, and relevant assurances related to the format and structure of the data
- Restrictions prohibiting the use of your data by the CSP without prior consent or for purposes other than those stated
- Password and account management
- Joiner, mover, leaver (JML) processes
- Ability to meet and satisfy existing internal access control policies
- Restrictions and associated NDAs from the CSP related to data and services utilized
- Any other components and requirements deemed necessary
Failing to address any of these components can result in hidden costs being accrued by the cloud customer in the event of additions or amendments to the contract.
Isolated and ad hoc contract amendment requests typically take longer to address and may require more resources than if they had been addressed at the outset.