Cloud contracts and security considerations: 5 questions to ask

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Jayne Friedland Holland
 

Connecting state and local government leaders

By Jayne Friedland Holland

|

When it comes to the cloud, state and local governments would do well to read the fine print.

When it comes to contracts, you’ve heard people say, “Check the fine print” and “The devil is in the details.” These words of caution also apply in connection with evaluating a cloud services agreement.

Since the first federal public information service was placed in the cloud more than five years ago, federal government agencies have been cautiously but steadily migrating to the cloud. In 2014, the Government Accountability Office reported that federal agencies were spending an estimated $529 million on the cloud, and a January 2015 industry survey found that 20 percent of respondents delivered at least 25 percent of their agencies’ IT services in the cloud.

What does this shift mean in terms of security? Both the CIA and the Department of Homeland Security have moved data to the cloud, where the CIA has said it believes data will be as safe as or safer than it was on the agency’s internal systems.

Agencies may not realize, however, that the first risk they may face in moving to the cloud could be found in the terms and conditions of the cloud provider’s agreement. And while federal agencies now have the Federal Risk and Authorization Management Program (FedRAMP) framework to help ensure needs are met, state and local governments are still largely on their own. 

Without a clear understanding of each party’s responsibilities, agencies can find themselves in an unfortunate situation, including having limited access to their own data and little or no recourse for poor performance.  So if your agency is considering moving data to the cloud, here are five things to ask the cloud service provider when evaluating its agreement:

1. Where will the agency’s data reside?

Contracts often are silent on where an agency’s data will be located, leading you to assume that your data will be located within the United States. However, some providers store data outside the country. Ask and understand where all data is physically stored. Also ask how the cloud provider protects data and applications from others using its services. Make sure the agreement is clear about how your data is protected.

2. Who can access the agency’s data?

Some providers allow subcontractors to access data. Be sure your contract stipulates who can access your data, when it can be accessed, what type of background checks, if any, the provider performs on individuals with data access, how it monitors access to data and what types of logs are maintained. It is also critical to understand whether you will have constant access to your data or whether your agency can be cut off from accessing its own data. If you are not comfortable with how these issues are handled in the agreement, you may want to consider an alternative provider.

3. Does the cloud provider have key certifications?

It’s important to ascertain whether the provider can meet relevant data protection legislation or industry standards that apply to your agency’s business. Where appropriate, confirm if the cloud provider has key certifications, such as Statement on Standards for Attestation Engagements (SSAE), the standard for reporting on controls at service organizations. Also check for compliance with the Payment Card Industry’s Data Security Standards, the Health Insurance Portability and Accountability Act and other federal regulations. A reputable and experienced cloud provider will agree to meet the most stringent security requirements.

4. What can an agency expect if there’s a security incident or outage?

When evaluating a cloud service contract, consider the worst-case scenario – a security breach. The agreement should set forth the protocol for notifying your agency and how and when your agency can access data if a breach occurs. Confirm whether your agency will be able to access log files to help determine what transpired. Typically, with cloud services, you should expect that your agency will lose its ability to independently address security breaches and perform its own forensic investigations.

In addition, because your agency is sharing resources with cloud services, use of the cloud may increase susceptibility to a single point of failure. Because outages are completely out of your agency’s control, make sure you understand the provider’s business continuity and disaster recovery practices. There should be a contingency plan for these events.

5. What protections should an agency request?

Often, cloud providers present customers with form contracts that are not negotiable. Before executing anything, your agency should discuss preferred terms with the cloud provider and try to reach an agreement that offers acceptable protections. In addition to the items already mentioned, your agency should try to include in the agreement appropriate protections for any sensitive data, indemnification clauses (for breach of IP infringement, data protection, applicable law, etc.) and liability for damages and performance warranties. The agreement also should clarify who is responsible for regular system updates and necessary patches. If the provider is responsible, the agreement should confirm that updates and patches will be implemented in a timely fashion.

If your agency is considering moving to the cloud, ask these important questions and understand the details of your agreement. Contracting with a cloud provider without careful consideration of the agreement’s terms and conditions can be very risky. If you can’t secure satisfactory answers to your questions from a cloud provider, it may be premature to move to the cloud. Remember, the devil is in the details.

NEXT STORY: How to reduce risk in data center design and maintenance

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.