SAN FRANCISCO -- What do you do if your cloud provider is breached? Ideally, you planned for it in advance, in your cloud contract.
At the RSA Conference 2012 on Tuesday, a session offered advice to cloud users on how to plan for cloud computing breaches in their cloud computing contracts. Contracts “are an important initial line of defense in dealing with breaches in the cloud,” said James Shreve, an attorney in the Washington, D.C. office of BuckleySandler LLP.
Organizations should make sure their cloud contracts cover the costs a breach imposes on the business, such as data corruption, and require the cloud provider to notify them of a possible breach, he said. A cloud user needs the ability to determine whether a breach has actually occurred and whether its customers need to be notified.
“Your ability to meet your own obligations is related to what [breach information] they give you,” Shreve said.
He advised cloud users to have a separate incident response plan to handle cloud computing breaches. Breach notification laws have varying rules for when affected individuals must be notified, and the cloud lengthens that process, he said.
It always takes time to unearth what happened in a breach – a process that becomes even more complicated with a cloud provider, said Christopher Pierson, chief compliance officer and CSO at LSQ Holdings LLC. “The issue of time will become more crucial,” he said.
Pierson, who is also an attorney, stressed the importance of due diligence before entering into a cloud contract. “Kick the tires at the front end, when everyone is very pleasant… and when law enforcement isn’t involved.”
Organizations should go beyond the audit reports a cloud provider offers, whether a SAS 70 report, its SSAE 16 successor or the newer SOC reports, Pierson said. “A SAS 70 is something to look at, but it may not match all your goals,” he said. “No one document will be enough.”
Companies should also consider downstream risks – what contracts a cloud provider might have with other cloud providers, he said. They should also consider the impact of European privacy laws on those downstream risks.
Typically, cloud contracts are short – around six pages with just a quarter of a page devoted to security, Shreve said. “It’s a good idea to have your own attachment ready… rather than amending cursory language,” Shreve said.
Cloud computing contracts: The due diligence process
Performing due diligence before signing on with a cloud provider was also a topic at another RSA Conference 2012 session on cloud privacy issues. During the panel discussion, Nils Puhlmann, CSO at Zynga, said security teams need to understand technically what they’re getting into with a cloud provider and ensure the provider has the security controls they need.
The due diligence process isn’t easy, though. He said he’s had cloud service providers respond to questions about security with answers like, “You need to trust us,” or “Nobody else has asked this.”
The goal of a security department is not to ensure “nothing happens” but to manage risks appropriately, Puhlmann said. Cost savings are luring companies to the cloud, but they need to factor in the risk, he said. Security pros need to analyze the residual risk, and the cost of managing that risk down to a reasonable level, before contracting with a cloud service. “Does it still make business sense?” he asked.
Puhlmann also advised security pros to be reasonable when considering cloud services and data security. “Not everything needs the same level of protection.”