Editor’s Note: This news story is part of SearchSecurity.com's "Eye on" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of June the series examines CISO management issues.
Cloud computing has put the spotlight on contracts and service-level agreements, along with security’s role in the contract process. There are many security provisions that need to be included in
“I strongly believe the security team needs to be involved,” said Alan Shimel, managing partner at the CISO Group LLC. “You absolutely need – and have the right and obligation – to cross-examine your cloud provider before you sign on the dotted line and move any of your data up there.”
One of the biggest barriers to cloud adoption is loss of control, he said. “Negotiating and being involved in the contract and SLA is a way of regaining that control, so why wouldn’t you want to do that?”
Data security is the toughest challenge with cloud computing, said Eugene Schultz, chief technology officer at Emagined Security, a consulting firm based in San Carlos, Calif. In addition to loss of control, multi-tenancy, virtualized environments, and audit difficulties pose security problems, he said.
At the same time, cloud computing is changing the role of the information security professional. The job of a security manager will shift from developing and implementing corporate security policies and standards to engaging in contract negotiations, “giving input to the legal and contract functions of organizations to ensure SLA provisions are adequate and enforced from a security standpoint,” Schultz said. To that end, he advises opting for MBA courses, especially contract law courses, instead of a master’s degree in computer science. “It’s becoming that necessary,” he added.
Key cloud computing contract provisions
There are many data security considerations in cloud contracts, but topping the list from an operational standpoint are the security controls the cloud provider implements for data storage and transmission, said Thomas Jackson, a partner and chair of the technology practice group at Phillips Nizer LLP, a New York, N.Y.-based law firm.
“The cloud provider needs to agree to use only secure methods to store, access and transfer data files,” he said. “And it should agree to a provision describing what the security protocols are.”
Jackson recommends cloud customers be specific in the security protocols they require, keeping in mind that they must be reasonable and within the cloud provider’s ability to implement. Schultz said organizations should insist on data loss prevention, but be prepared to pay more for it. Encryption is also important, but in the cloud is complicated, he added.
Security managers need to know what security technologies a cloud provider uses, including the type of firewall and how vulnerability management is handled, Shimel said. “I’ve seen too many cloud providers say, ‘Don’t worry about security, we’ve got it covered.’ When you peel the onion back, their stringent security measures are a Cisco ASA box in front of their virtual servers. That doesn’t cut it. You have a right to know what they actually deployed.”
Another key data security contract provision revolves around security breach notification. Cloud computing contracts should include compliance with data breach notification laws, a timeframe for customer notification, and what intrusion details the vendor is required to provide, Jackson said.
“The balance here is to obtain prompt notification and at the same time have an assurance there is an ongoing reporting obligation on the part of the vendor,” he said. “It may not be initially apparent who is responsible, or the extent of the loss or which customer’s data is compromised.”
Schultz said organizations might consider including penalty clauses for data security breaches in their cloud SLAs. Getting that requires a cloud provider that is serious about data security, he said. “It’s nice to get money back if you have a breach. It won’t cover your costs but you’re getting someone who invests skin in the game.”
A third key cloud computing contract consideration, Jackson said, is what happens to the data when the contract is terminated. The cloud provider must be obligated to return or destroy data as directed by the customer, and the contract should have a timeframe for accomplishing that. If data is returned to the customer, there should be provisions for how it’s formatted and secured, he said.
The ability for an organization to negotiate security provisions in its cloud contracts varies greatly and depends on a number of variables, including the cloud provider’s practices, the nature of the services being provided and size of the contract, Jackson said. He believes the cloud computing market is becoming more competitive, providing customers with more opportunities to focus on data security provisions.
“The security team needs to be given as expansive a role as possible,” he said. “That group has the day-to-day working knowledge of the needs of the enterprise and what measures are critical to the company in terms of entering into a contract for cloud services.”
Security not stepping up so far
While security is critical in the contract negotiation process, security teams don’t appear to be taking an active role. Shimel said an informal poll during a recent forum he attended indicated that many CISOs aren’t involved in cloud contract and SLA negotiations even though their companies are adopting the cloud.
Schultz said security professionals sometimes fail to realize that contracts or SLAs are being negotiated. “They need to become more aware of how things have changed in the IT organizations and insert themselves into the process,” he said.
But they may not always be given a chance to participate, Shimel said, citing a recent Forrester Research report. Forrester surveyed more than 1,000 companies in North America and Europe and found that most SaaS purchases are driven by groups outside of IT operations. For example, 56% of respondents reported that business groups drive horizontal SaaS purchases, such as a sales vice president buying Salesforce.com, according to Forrester.
The lack of opportunity for security teams to get involved in the cloud contract process is also the result of companies – especially financial firms and large public enterprises – dabbling in cloud computing instead of diving into it, Shimel said.
“Once we start moving bigger chunks of our IT infrastructure to the cloud, these folks have to get involved,” he said.