Senior Cybersecurity Expert and The Millennium Alliance Advisory Board member, Rhea Siers, recently released the following article on cloud service agreements. Rhea Siers served for over thirty years in the US Intelligence Community including as Deputy Assistant Director for Policy at the National Security Agency (NSA). Rhea is on the faculty at both GWU and Johns Hopkins University where she teaches on intelligence, terrorism, and cybersecurity. She also served as Scholar In Residence at the Center for Cyber and Homeland Security at George Washington University (GWU).
Cloud service agreements often present customers with more questions than answers about security, data protection, IP rights and more. While smaller companies don’t always have the leverage to negotiate material changes to these agreements, customers of all sizes should have their questions and concerns addressed before signing a contract. Cloud service providers should give clear answers to a customer’s questions, and if they don’t, buyer beware, because it is imperative that a cloud service customer understands the responsibilities of each party before any issues arise, not after.
To ensure your organization’s data is protected, follow these best practices before entering into cloud service agreements:
● Any contract should require that your organization be promptly informed of any breach that may affect its data.
● To the maximum extent possible, limit access to (and use of) data by the cloud provider unless strictly required for the provision of the services, particularly if there are applicable data protection laws. The cloud provider should not be using the customer’s data unless specifically permitted by the customer.
● Agree on the location of the data, as location will determine which laws and regulations apply (such as the European Union’s GDPR). If the cloud provider transfers personal data to a server located in another country, the data will be subject to local laws and provisions, potentially limiting how personal data may be transferred out of that country.
● Know what it will cost if you decide to terminate the agreement. Be sure you review early termination fees and what will happen to the data—how it can be retrieved, in which form and format, and whether the service provider will be required to keep the data on its systems during the transition period. Ascertain whether the cloud provider has a retention period and a process for the removal of the data within a finite period after the conclusion of the contract.
● Scrutinize the cloud service provider’s ability to change the terms of the contract. Some cloud service agreements may allow the provider to make changes at any time and without advance notice to the terms, fees, rate structure or services. Your organization should understand these provisions, particularly the circumstances under which the provider can cancel the contract.
● Define when the service will be available, and when temporary interruptions are permitted or to be expected, through service level agreements (SLAs). Understand the provider’s liability if there are unexpected interruptions in service.
● Require IT operations, security and compliance reviews for all security-as-a-service (SaaS) contracts, services and applications. This is one way to ensure a more comprehensive and organization-wide review of services and helps other functional areas of the company understand potential impacts.
● For full visibility into a cloud provider’s security controls, ask to see those controls demonstrated during the negotiation phase, while explaining the specific security requirements of your organization.
● Understand who has IP rights and software ownership after the contract termination or transfer, which becomes particularly important if your organization requested changes or fixes.
By following these best practices when contracting with cloud service providers, you will help ensure your organization’s interests and data are protected.