Cloud Security and Service Agreements

I saw this article by Caron Carlson in FierceCIO, which is written in regard to another article in Network World by Brandon Butler covering Gartner cloud security analyst Jay Heiser; both articles are re-posted below.

The reason I felt them worth re-posting is because security is often cited as a concern about moving to cloud services.

The tack of the original article is basically, “OK, cloud security, no problem: simply write the desired security parameters into the cloud service agreement. Done.”

Easier said than done, actually, but the topic is certainly worthy of strong consideration.

And while you’re at, I’d suggest taking things a step further by establishing a “present status” security baseline by surveying all of your existing parameters — both in-house and with your colocation provider(s) — for your non-cloud IT infrastructure to see how they compare.

In doing so, some companies find that what they expect from cloud services security actually far exceeds what they have in place for themselves with their current non-cloud services, which begs the question of whether the amplitude and volume of cloud security concern is truly “legitimate” or possibly a red herring in order to delay inevitable change.

Please feel free to contact AIS if you’d like to learn more about our own security and cloud service parameters; we’d be happy to talk with you and discuss them in as much detail as you need.

Emphasis in red added by me.

Brian Wood, VP Marketing

————

How to write security into a cloud contract

Enterprises have been loud and clear about ongoing security concerns regarding cloud computing, but by and large, vendors haven’t responded with robust service level agreements or any other reassuring controls, experts say. Customers should be on the lookout for nine controls that could relieve their concerns, reports Brandon Butler at Network World.

One of the most effective security provisions customers should ask for in a cloud contract is a certificate that shows data is deleted when the contract expires. This is not at all common, Butler notes, but it is legally defensible.

Other highly effective provisions would include a disaster recovery clause and a clause that establishes that the provider is responsible for the customer’s losses if a security breach occurs. Unfortunately, these provisions are also non-existent today.

Far more common are provisions that outline reimbursement for downtime and the customer’s right to evaluate a provider’s security measures. However, analysts don’t consider these measures very effective in protecting the security of the customer’s data. The same is true for hacking insurance, which is still rare but becoming more common. A more effective security provision would allow customers to audit the provider on demand, but this isn’t seen very often either.

As far as encryption is concerned, the effectiveness varies considerably among providers, who use a wide variety of methods. Experts advise that cloud customers be aware of the risks of encryption keys being lost when multiple copies are made. For large enterprises, there is always the possibility of paying for higher levels of security than everyone else.

http://www.fiercecio.com/story/how-write-security-cloud-contract/2012-11-28

————-

Nine security controls to look for in cloud contracts

Gartner says cloud SLAs are “weak but improving;” but just how effective are those controls?

To help ease the concerns of cloud security, which Gartner says is still a chief inhibitor to enterprise public cloud adoption, buyers are looking to contracts and service-level agreements to mitigate their risks.

But Gartner cloud security analyst Jay Heiser says SLAs are still “weak” and “unsatisfying” in terms of addressing security, business continuity and assessment of security controls.

“A lot of these things are getting a lot of attention, but we’re seeing little consistency in the contracts,” he says, especially in the infrastructure-as-a-service (IaaS) market. Software-as-a-service (SaaS) controls are “primitive, but improving.”

Below are some of the common and recommended security provisions in cloud contracts and how common and effective they are.

Customer audits on demand

These clauses allow customers to audit vendors.

Effectiveness: Partial, depending on how much the vendor allows the customer to inspect

How common? Sometimes

Data deletion certificate

Proof that data is deleted when service expires.

Effectiveness: High, legally defensible

How common? Never

Disaster Recovery

Many vendors claim cloud services, by their nature, equate to disaster recovery, but that cannot always be the case. If, for example, data is only stored in a single location of a cloud provider without an offline backup, that creates a single point of failure.

Effectiveness: High, but difficult to verify. While vendors may claim they have robust systems, they are often reticent to provide evidence, citing security concerns.

How common? Not typically in contract clauses.

Downtime credits

These provide the user credits or some sort of reimbursement in case of downtime.

Effectiveness: Partial. While a credit may be helpful, it is a post-factor remedy and does not prevent an outage from happening in the first place

How common? Often found in contracts

Encryption

Effectiveness: Varies. There are multiple encryption methods. If encryption is done by the vendor when the data reaches the provider’s cloud, it is less expensive and less secure compared to if the user encrypts the data before sending it to the cloud. Important factor is who stores and has access to the encryption keys. The more copies of the keys, the less secure it is. Beware of vulnerabilities related to losing keys.

How common? Varies by provider. Third-party tools can also be used to provide encryption as a service

Evaluations

Many buyers use third-party security services to verify their providers’ security controls, such as ISO27001 or SOC1 and SOC2 audits. But, a vendor simply reporting that it complies with these audits in many cases does not provide end users with the information they need to evaluate the provider’s system for their specific security needs.

Effectiveness: Believed insufficient

How common: Common

Full indemnification for security failure impact

In this situation, a contract would outline that if there is a security breach that the provider would be responsible for losses of the customer.

Effectiveness: Theoretically high

How common? Never

Hacking insurance

Insurance by a third party, or by the vendor could help displace costs resulting from a security or data loss issue.

Effectiveness: Potentially helpful, but like the downtime credits, does not necessarily create incentive for provider to avoid a breach

How common? Rare, but growing

Negotiate security clauses

These allow customers to negotiate higher levels of security for certain programs or data.