This article can also be found in the Premium Editorial Download "Information Security magazine: Outsourcing security services."
Download it now to read this article plus other related content.
Marcus Ranum: Randy, thanks for taking the time to talk. When I look at the list of stuff you’re involved in, it makes my head hurt. But whenever I hear about another big cloud service disruption, I think of you! I know that security people always say you’ve got to look carefully at service-level agreements [SLAs] and conditions, and we were saying that a long time before “the cloud” was cool. Are the requirements for these big SaaS [Software as a Service] and cloud deals getting sorted out to the point where it’s not a big headache? Are customers still dealing with a wilderness of negotiations, or the “you can have any color you want, as long as it’s black” kind of model?
Randy Sabett: Thank you for asking me to have a chat, Marcus. On this first question, though, you’re forcing me to start right off with the typical lawyer’s response, “it depends.” But, in this case, it really does.
If someone’s looking for a commodity service to cut costs and doesn’t care about security, they likely won’t have too many headaches. Think of the use case in which a company wants to offload some of its non-sensitive email or storage functions. If they’re looking for a secure offering, or have any specific requirements, however; it really will depend on their particular needs and the willingness of the cloud provider to work with them. Unfortunately, in many cases, customers aren’t prepared for the response: “Oh, you want that? That’ll cost you $xxx more per month.”
I also find that the out-of-the-box solutions vary widely and wildly. We did an exercise for a client in which we compared the standard service offerings (click-wrap) of six top cloud service providers. We had a list of 24 different aspects of the service, on which we rated the companies, solely from their standard agreement. These ranged from limiting the locations where data could be stored, to protection from third parties—including law enforcement—getting access to data, to indemnification, to data breach response assistance. The results were quite interesting. Some providers didn’t address certain areas at all. Others went overboard to the point of having URLs that led to additional terms, in which there were URLs to even more terms. I could make several lawyer jokes here, but I’ll refrain…
I am only aware of a couple of offerings that truly focus on security. We’re still not to the point where service providers see security as a significant differentiator. The main driver is still cost, and to keep that down, service providers can’t really offer a lot of bells and whistles.
Ranum: Other than the complexity on the legal side, are the contracts used in cloud and outsourcing becoming business as usual now? Or is it still case by case? For a long time, I’ve worried that a lot of the appeal of “cloud” is that its proponents sweep a lot of regulatory issues under the carpet, effectively, making them nobody’s problem. Is that still happening?
Sabett: In many cases, the carpet is getting pulled back to reveal the ugly padding underneath. As corporate customers get smarter and ask harder questions, more providers are forced to admit that they can’t necessarily stand behind their marketing hype, to make customers “XYZ standard compliant” or have “impenetrable security.” In some cases, they just get more creative with their claims, “we help you achieve XYZ compliance,” or they still make actual compliance claims, but then disclaim everything in the agreement.
In other cases, though, I think some problems stem from the corporate side. Because of the ease with which these services are provisioned, sometimes an IT manager—three-layers down from the person with acquisition authority—simply signs up for some service because it’s perceived to be immediately needed. That well-meaning IT manager goes ahead and provisions the needed service with his or her credit card by signing up via a standard click-wrap. This can lead to any number of potential problem scenarios.
Trying to deal with these types of situations is challenging, but it can be done. I know of one company that has a corporate policy that all online agreements must be submitted to the legal department. In order to make things workable, they use a priority system, and legal has committed to responding to legitimate requests within a specified timeframe.
I will wrap up with one other thought. Not all service providers either (a) have awful default terms, or (b) charge exorbitant fees to go from a standard service to a slightly better, but not ridiculously different service. In fact, in the last year or so, certain providers have stepped up with multiple tiers of service, security as a primary feature, or easily configured services with multiple options.
Ranum: What I fear is that organizations that have poor governance and weak IT staff are going to be the ones that just go with the default service-level agreement. And they may miss the proverbial fine print, although I suppose, nowadays, fine print is done with an obscure Web link instead of typography. The cost-conscious business is not likely to understand what they’re agreeing to, and could get surprised later. What should we do? Think of it as evolution in action?
Sabett: You’d be surprised, Marcus. It’s not just the mediocre organizations that run with default agreements. Even sophisticated, well run, strongly staffed organizations can miss the fine print. Fortunately, the days of egregious click-wrap EULAs [End User License Agreements] are pretty much behind us. The Federal Trade Commission and the courts have been fairly consistent with enforcing click-wraps, which clearly present terms to users, but not enforcing obscure, misleading, or overly vague terms. What we should do is hire more lawyers! OK, so that was self-serving—and completely in jest.
Actually, fewer lawyers would be needed if the appropriate levels of corporate education were conducted, and a process enforced that leads to review of all agreements. In addition to the earlier example of the legal department committing to reviewing all click-wrap agreements; one other interesting trick I heard about involves a company that refuses to reimburse employees for any software or service purchases involving click-wraps, unless they have been reviewed by legal. To me, the specifics of the process are important, but even more important, is having a process in the first place.
Ranum: So I’m actually feeling better about the lawyer’s role in all this. If the problem is that we’re dealing with complexities and lack of comprehension that can lead to a disaster, you’re at least helping explain the complexities and making it more comprehensible. When you’ve got a client coming to you for advice on one of these projects, where do you start? Are the problems common, or is each case highly unique? I assume, maybe wrongly, that as uniqueness in a solution-space goes down, the problem is becoming more comprehensible, and standard offerings and approaches have begun to emerge. Are we at that stage, yet?
Sabett: The short answer is no. Because contracts are still written in a tailored fashion—and probably will be for a while still—they don’t lend themselves well to standard offerings and approaches. The project in which six cloud providers had radically different agreement approaches exemplifies this. Having said that, much of the analysis on the legal side of SaaS, or a cloud deal boils down to, maybe, four or five big issues, depending on the hot buttons of the organization and the urgency of the deal. Typical issues include location of the data; liability exposure, which encompasses issues like indemnities and caps on liability; access to the data by third parties including law enforcement; SLAs and termination. I’m not saying other issues aren’t important. It’s just that, in my experience these tend to be the ones on which the most time and effort is spent.
Prior to even looking at these issues, however, I like to find out the actual business goals of the client first. Trying to revise an agreement without such an understanding can waste time and even lead to a contract that doesn’t get the client what they want. So for me, often the best place to start is to talk to the business team—maybe even over a beer—and ask: What do you want to get out of this engagement? That will then feed into how the contract negotiation progresses.
Ranum: I still wonder if in the future, there will be a thriving industry around re-insourcing some of the services that have been pushed out into the cloud. In my darkest moments, I think, why does anyone think that the cost of cloud services will always remain inexpensive? It seems that once they’ve got all your data and are crucial to your business processes, it’s just like basing everything you do on Oracle or having everything on a mainframe: you’ve eliminated the competition, the prices go up. There is a huge potential for things to get “interesting” there. Do you think that’s a potential outcome once the competition is gone?
Sabett: I do agree that there are several possible future paths where things could definitely get interesting. Your idea of re-insourcing could easily happen as competition is eliminated. In addition to the consolidation or quasi-monopoly scenarios, though, you have situations where the liability concerns associated with sending everything to the cloud become so great that companies resist even the initial urge to deploy to the cloud. Combine the two, and you may have certain companies keeping at least a subset of functions in-house.
Carrying it to a more granular level, imagine if one of the giant cloud providers were to experience a problem with security. Several folks might get so concerned that they decide to bring the functions in-house. There could also be a trend by all providers toward greater security, whether by market force or by mandate. If that type of reality plays out, you might actually find a greater tendency to go to the cloud, provided that a lot of different concerns get addressed, not just the cost calculus. I just hope we get to see that day, although, I think the first scenario would likely create more work for me.
Ranum: Randy, thank you so much for your time. I know how busy you are!
About the authors:
Marcus J. Ranum, Chief Security Officer of Tenable Security, Inc., is a world-renowned expert on security system design and implementation.
A former cryptographic engineer with the National Security Agency, Randy Sabett has served as counsel at ZwillGen PLLC since 2011. He is focused on a broad range of cyber topics including identity management, active defense, intellectual property protection and data security.
Send comments on this column to firstname.lastname@example.org.
This was first published in February 2013