Driving a Hard Bargain: Cloud Computing Contracts

By Jason Hicks

A common trait of any contract or service agreement is that it sets out the responsibilities of all parties to it. One of the major challenges in dealing with contracts related to cloud computing – whether public, private or hybrid – is what can easily be omitted. Yet the delineation of responsibilities should be written with clarity and foresight. Otherwise, when issues such as data loss, security incidents or distributed denial of service attacks arise, a lack of contractual responsibility can spell trouble for any company.

Having a clear Cloud Security Program is a good place to start the process. As the “Guidelines on Security and Privacy in Public Cloud Computing” from the National Institute of Standards and Technology (NIST) states, “Understanding the policies, procedures and technical controls used by a cloud provider is a prerequisite to assessing the security and privacy risks involved.”

Cookie-cutter contracts, a.k.a. predefined non-negotiable agreements, from cloud providers are becoming less common as businesses demand to have more of a say in what they’re getting for their investment. Instead, negotiated service agreements are increasingly common to ensure an organization’s requirements will be met by the provider. 

If you don’t have the expertise or staff within your own organization to confidently negotiate with providers, your Legal Team can hire specialized outside counsel and information security experts to help with the negotiations and to set up a comprehensive Cloud Security Program.

Here are some of the areas that NIST, along with FishNet Security, believes should be clearly covered through negotiated contracts:

- Vetting of the provider’s employees
- Backup, monitoring, incident response and electronic discovery responsibilities
- Data encryption and segregation
- Tracking and reporting service effectiveness
- Transparency of processes, procedures and relevant records
- Details about communication with customers about incidents and configuration changes
- Details about the use of subcontractors
- Details about exit strategies with the provider
- Options (including possible termination) with your contract if the provider suffers a breach
- Who owns and controls the data center(s)
- Access to systems and data for your own incident response/forensics team
- Any special stipulations based on your regulatory requirements
- The ability of your staff or selected service provider to perform vulnerability scans and penetration tests
- Compliance with laws and regulations
- The use of validated products and operations that meet state, federal or national standards
- Documentation that demonstrates your requirements are being met
- The degree to which the provider will accept liability for exposure of data under its control
- Service Level Agreements

It’s important to use contract provisions when dealing with cloud service providers to ensure you have access to system logs and low-level information stores. If there’s a security incident, you need access to these repositories so that you can fix the issue and prevent it from happening in the future. Your contract may not give you access to these repositories, or even require your provider to supply this information when you request it.

Also, you may not have permission to perform vulnerability scanning or analysis. If you are buying infrastructure as a service, the provider probably will not allow you to scan its systems, so you may need to simply take its word that those systems are safe, which can be a scary prospect. Establishing rights to perform technical testing in a contract can help. It’s hard to do this after a contract is signed, so make sure it is done during the negotiating phase.

FishNet Security recommends that you have a provision in your contract related to incident response, establishing roles and responsibilities during an incident. Try to get the strongest language possible around vulnerability analysis as well. Is the provider going to do the analysis and then give you a report, or will they let you do it? At what intervals?

Unfortunately, some providers will not allow any additional concessions beyond their standard contract language, and relationship leverage often determines negotiating power. Companies need to determine what is acceptable. You should take a risk-based approach to deciding whether an application or function is appropriate to place in the cloud. You should also assess the risk of your prospective provider’s stance on information security and the amount of access they are willing to give you. Then you will be able to make an informed decision on whether to use a particular service provider, or push a particular service to the cloud.