Most companies today use some form of cloud computing whether through software-as-a-service, platform-as-a-service, or infrastructure-as-a-service. Cloud computing’s cost-effective scalability can offer significant advantages to an organization, but it can also raise significant security concerns. Although many cloud providers offer assurances that their systems are secure, many are also unwilling to contractually guarantee the security of data placed in the cloud and are unwilling to fully indemnify a company in the event that the cloud provider’s system is breached.1 The following provides a snapshot of information concerning cloud computing.
Percentage of those enterprises that used a cloud service in 2016.2
Percentage of eCommerce sites that relied on cloud computing in 2014.3
Percentage of companies that view data security as a concern in moving services to the cloud.4
To minimize data security risks companies should evaluate the following as they consider cloud service providers:
- Does data need to be stored in a specific jurisdiction? Some jurisdictions require that data remain within their borders and by utilizing an open cloud environment, where data is transferred freely across borders, a company could inadvertently violate prohibitions concerning the cross-border transfer of data.
- Does the cloud service provider agreement set forth whether the vendor is dedicating hardware to the customer? Absent express language, the vendor is likely providing shared hardware to the customer.
- Does the agreement clearly explain who has rights to the data stored using the cloud service? Depending on the underlying service, some agreements grant the vendor limited rights.
- To what extent is cryptography used? Is each separate record in the cloud encrypted, or does all data use the same encryption key? The value of these approaches vary based on the sensitivity of the data and the processing costs.
- Who is responsible for backing up data and at what frequency?
- Does the agreement set forth standards for how the customer can export its data from the vendor? A customer may want to switch from one cloud vendor to another or may simply want to proceed in a different technological direction.
- Are the appropriate licenses in place to execute software in a cloud computing environment? For example, some software is priced based on the type of server on which it will be run. Meanwhile, the execution of the software in a cloud (or networked) environment may trigger additional considerations.
- Does the agreement give the customer sufficient flexibility to expand or contract the extent to which it uses the cloud services? One of the advantages of cloud computing is the idea that use can be scaled to match a customer’s needs.
- Are the agreement’s terms sufficiently defined to avoid ambiguities over what the vendor has contracted to provide the customer? Trending technology terms often must be defined to ensure all parties perceive them the same way.
- Does the agreement guarantee to maintain any current APIs or features, or does it promise to evolve to provide future functionality? Depending on the circumstances, schedules can be a useful way to ensure certain necessary functionality remains in the service or developed in the future (i.e., provision of advanced AI functionality).
- Will the network connections between the vendor and the customer provide sufficient resources, and if not, what contractual recourse does the customer have? Although cloud computing is seen as ubiquitous, engineering realities may curb its availability. Customers should consider that risk when contracting and request adequate service level compensation.
- Does the agreement require that the vendor maintain any customer industry-specific needs or regulations? Depending on the sensitivity of the data, the customer may be required to certify that the cloud vendor adheres to certain data security standards.
- Does the agreement give the customer the ability to delete data stored by the vendor and confidence that such deletion can be achieved? For some categories of data, customers must ensure that data is completely removed from the servers.
- Does the agreement clearly set forth how the parties should communicate in the event of a data breach or service outage? Similarly, does the agreement contain adequate representations about the vendor’s steps to prevent either event and whether the vendor will indemnify the customer against any damages should either event occur?
- Does the cloud vendor have adequate liability coverage? Does the agreement contain carve outs to the limitation of liability for a breach of the data security obligations? Although no one wants the agreement to reach that point, it is important to understand the extent to which the cloud provider is willing to absorb a loss that might impact many (or all) of its customers simultaneously.