Cloud contracts and security considerations: 5 questions to ask

When it comes to contracts, you’ve heard people say, “Check the fine print” and “The devil is in the details.” These words of caution also apply in connection with evaluating a cloud services agreement.

Since the first federal public information service was placed in the cloud more than five years ago, federal government agencies have been cautiously but steadily migrating to the cloud. In 2014, the Government Accountability Office reported that federal agencies were spending an estimated $529 million on the cloud, and a January 2015 industry survey found that 20 percent of respondents delivered at least 25 percent of their agencies’ IT services in the cloud.

What does this shift mean in terms of security? Both the CIA and the Department of Homeland Security have moved data to the cloud, where the CIA has said it believes data will be as safe as or safer than it was on the agency’s internal systems.

Agencies may not realize, however, that the first risk they may face in moving to the cloud could be found in the terms and conditions of the cloud provider’s agreement. And while federal agencies now have the Federal Risk and Authorization Management Program (FedRAMP) framework to help ensure needs are met, state and local governments are still largely on their own. 

Without a clear understanding of each party’s responsibilities, agencies can find themselves in an unfortunate situation, including having limited access to their own data and little or no recourse for poor performance.  So if your agency is considering moving data to the cloud, here are five things to ask the cloud service provider when evaluating its agreement:

1. Where will the agency’s data reside?

Contracts often are silent on where an agency’s data will be located, leading you to assume that your data will be located within the United States. However, some providers store data outside the country. Ask and understand where all data is physically stored. Also ask how the cloud provider protects data and applications from others using its services. Make sure the agreement is clear about how your data is protected.

2. Who can access the agency’s data?

Some providers allow subcontractors to access data. Be sure your contract stipulates who can access your data, when it can be accessed, what type of background checks, if any, the provider performs on individuals with data access, how it monitors access to data and what types of logs are maintained. It is also critical to understand whether you will have constant access to your data or whether your agency can be cut off from accessing its own data. If you are not comfortable with how these issues are handled in the agreement, you may want to consider an alternative provider.

3. Does the cloud provider have key certifications?

It’s important to ascertain whether the provider can meet relevant data protection legislation or industry standards that apply to your agency’s business. Where appropriate, confirm if the cloud provider has key certifications, such as Statement on Standards for Attestation Engagements (SSAE), the standard for reporting on controls at service organizations. Also check for compliance with the Payment Card Industry’s Data Security Standards, the Health Insurance Portability and Accountability Act and other federal regulations. A reputable and experienced cloud provider will agree to meet the most stringent security requirements.

4. What can an agency expect if there’s a security incident or outage?

When evaluating a cloud service contract, consider the worst-case scenario – a security breach. The agreement should set forth the protocol for notifying your agency and how and when your agency can access data if a breach occurs. Confirm whether your agency will be able to access log files to help determine what transpired. Typically, with cloud services, you should expect that your agency will lose its ability to independently address security breaches and perform its own forensic investigations.

In addition, because your agency is sharing resources with cloud services, use of the cloud may increase susceptibility to a single point of failure. Because outages are completely out of your agency’s control, make sure you understand the provider’s business continuity and disaster recovery practices. There should be a contingency plan for these events.

5. What protections should an agency request?

Often, cloud providers present customers with form contracts that are not negotiable. Before executing anything, your agency should discuss preferred terms with the cloud provider and try to reach an agreement that offers acceptable protections. In addition to the items already mentioned, your agency should try to include in the agreement appropriate protections for any sensitive data, indemnification clauses (for breach of IP infringement, data protection, applicable law, etc.) and liability for damages and performance warranties. The agreement also should clarify who is responsible for regular system updates and necessary patches. If the provider is responsible, the agreement should confirm that updates and patches will be implemented in a timely fashion.

If your agency is considering moving to the cloud, ask these important questions and understand the details of your agreement. Contracting with a cloud provider without careful consideration of the agreement’s terms and conditions can be very risky. If you can’t secure satisfactory answers to your questions from a cloud provider, it may be premature to move to the cloud. Remember, the devil is in the details.