Published on February 19, 2014
Meera Kaul 2013
The use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). There are three types of cloud computing: Infrastructure as a service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS). Using software as a service, users also rent application software and databases. The cloud providers manage the infrastructure and platforms on which the applications run. End users access cloud-based applications through a web browser or a lightweight desktop or mobile app, while the business software and the user's data are stored on servers at a remote location. Proponents claim that cloud computing allows enterprises to get their applications up and running faster, with improved manageability and less maintenance, and enables IT to more rapidly adjust resources to meet fluctuating and unpredictable business demand. Cloud computing relies on sharing of resources to achieve coherence and economies of scale, similar to a utility (like the electricity grid) over a network. At the foundation of cloud computing is the broader concept of converged infrastructure and shared services.
- The Risks
- Security, Privacy and Compliance Process
- Contracting
- Contracting lifecycle
- Key cloud contracting issues – “Bill of Rights”

The Benefits
Control Risk
Security Risk
Privacy Risk
Compliance Risk
Subcontractors
- What kind of data will be in the cloud?
- Where do the data subjects reside?
- Where will the data be stored?
- How is the data secured?
- Where are the servers?
- Will the data be transferred to other locations and, if so, when and where?
- Will the data be commingled?
- Can certain types of data be restricted to particular geographic areas?
- Is there a compliance plan for cross-border data transfers?
Cloud Relationships
- Who will actually be storing, processing or transmitting Customer data?
- Does the Cloud provider have rights in its subcontracts to permit compliance with the Customer’s contract?
- Does the Cloud provider impose obligations on its subcontractors identical or similar to those imposed on it in the direct contract?
- How strong is the Cloud provider’s vendor management program/controls?

Security Assessment
- Written vendor management program/process
- Security as extension of internal security (e.g. matching controls; compliance with internal policies)
- “Reasonableness” (foreseeability and risk reduction)
- Compliance with standards (e.g., general standards; industry & peer standards; internal policies)
Geography
- Where is the data being stored/processed?
- Legal obligations triggered based on residency of data subjects/location of data

Privacy and Security Legal Compliance
- Who “owns” the data? How can it be used?
- What laws apply?
- Do the cloud provider’s practices, policies and systems comply with applicable laws?
- Who has the obligation to incur the expense to comply?
System and Data Availability
- Business continuity/disaster recovery plan
- Impact to Customer if Cloud unavailable
- Scalability (if Customer’s processing needs increase or surge)

Data Retention
- Backups and recovery
- Records retention
- Litigation holds
- Secure return/deletion
Incident response
- Provider incident response plan
- Notice of a breach
- Cooperation and support
- Access and forensic assessment rights
- Documentation and reporting from provider

Electronic Discovery/Electronic Evidence
- “Searchability” and availability of data in cloud
- Forensic assessment (identifying, collecting and preserving data) in cloud context
- Electronic evidence: data integrity issues; authentication
- Metadata
Contracting lifecycle
- RFP Phase (competition over terms)
- Security, Privacy and Compliance due diligence
- Contract drafting
- Contract negotiation
- Contract enforcement
- Contract review and renegotiation
Definitions

Preventative Contract Terms
- Controls in place to prevent data breach
- “Reasonable security” – Is the security implemented “legally defensible”?
- Specific controls

Audit and Enforcement Terms
- Assessment/scanning rights
- Non-compliance reporting
- Credits/damages

Incident Response Contract Terms

Risk of Loss Contract Terms
Article I – Data Location Transparency
Cloud service providers shall reveal the physical location of the servers that will be processing their cloud customers’ data, and shall provide reasonable advance notice if those physical locations change; cloud service providers shall coordinate with their customers to assure compliance with local laws and any applicable restrictions on the transfer of certain categories of data from one jurisdiction to another.

Article II – Security Transparency
Cloud service providers shall provide full information and access to documentation concerning their security policies and measures, including the ability for cloud customers to conduct periodic security assessments and obtain relevant security-related information and documents from the service provider; this information and documentation should address data integrity and availability as well as the confidentiality of customer data.

Article III – Subcontractor Transparency
Cloud service providers shall provide cloud customers with notice as to which third parties will have the ability to access customers’ data and for what purposes, including subcontractors, subcontractors of subcontractors and so on.

Article IV – Subcontractor Due Diligence and Contractual Obligations
Cloud service providers shall conduct reasonable due diligence and security assessments of subcontractors or other third parties that will have access to customers’ data or systems, and shall enter into contracts with such third parties that hold those third parties to substantially similar obligations as in their cloud agreements with their customers; cloud service providers shall manage and similarly limit the ability of their subcontractors to utilize other subcontractors.

Article V – Customer Data Ownership and Use Limited to Services
Cloud customers shall have the right to solely “own” the data they put into a cloud service provider’s cloud, and cloud service providers shall use their customers’ information solely for the purposes of providing services to the customer, unless otherwise explicitly agreed.

Article VI – Response to Legal Process
Cloud service providers shall provide notice (within hours, not days) of the service of any subpoena or other legal process seeking their customers’ data, and shall assist and cooperate with their customers in responding to such legal process.

Article VII – Data Retention and Access
Cloud service providers shall reveal their data search, retention and destruction practices to their cloud customers, and shall develop and enable data search, retention and destruction capabilities in order to allow their customers to implement their own data retention programs, efficiently effectuate litigation holds, and locate, collect and preserve relevant data, including metadata; cloud service providers shall build in processes and controls that allow for the efficient authentication of data (e.g. accurate time-stamping; metadata; chain-of-custody indicators, etc.).

Article VIII – Incident Response
In the event a cloud provider suffers a security breach, cloud providers shall provide prompt notice of the security breach to their affected cloud customers, shall coordinate, cooperate and assist their customers with the investigation, containment and mitigation of the breach, and shall allow their cloud customers to conduct their own forensic assessment and investigation of the security breach.

Article IX – Indemnification and Limits of Liability
Cloud service providers shall engage their customers in meaningful discussions and negotiations around indemnification and limitations of liability arising out of security breaches, including consideration of exceptions to limits of liability for security breaches suffered by the cloud service providers.
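The Electronic Discovery slide and Articles VII and VIII both turn on the same technical capability: data collected from a cloud service must be authenticable later, with accurate time-stamps, metadata and chain-of-custody indicators, whether for a litigation hold or for a customer's own forensic assessment after a breach. The following added example (not part of the original deck, and not any provider's product) shows one way to implement a tamper-evident chain-of-custody manifest in Python: each collected object is recorded with its SHA-256 digest, size, custodian and UTC collection time, and every record is hashed together with the previous record's hash so that editing, reordering or dropping an earlier record invalidates everything after it. The object names, contents, custodian and timestamp are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence objects: (object name, content bytes). In practice
# these would be exports or logs retrieved from the cloud service.
SAMPLE_OBJECTS = [
    ("mailbox-export.pst", b"From: alice@example.test\nSubject: Q3 forecast\n..."),
    ("audit.log", b"2014-02-19T10:00:00Z user=bob action=download file=forecast.xlsx\n"),
]

GENESIS = "0" * 64  # previous_hash of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_entry(name, data, custodian, previous_hash, collected_at=None):
    """One chain-of-custody record: what was collected, by whom, when, its digest,
    and a link to the previous record. entry_hash covers all of those fields, so a
    later edit to any field is detectable, and because previous_hash is included,
    re-signing an earlier record breaks the link from the record that follows it."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    record = {
        "object": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "custodian": custodian,
        "collected_at": collected_at,
        "previous_hash": previous_hash,
    }
    record["entry_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    return record


def build_manifest(objects, custodian, collected_at=None):
    """Chain one record per object, in collection order."""
    manifest = []
    prev = GENESIS
    for name, data in objects:
        entry = make_entry(name, data, custodian, prev, collected_at)
        manifest.append(entry)
        prev = entry["entry_hash"]
    return manifest


def verify_manifest(manifest, objects):
    """Return (ok, problems). Recomputes every record hash and chain link and
    compares each stored digest against the object as presented now."""
    problems = []
    by_name = dict(objects)
    prev = GENESIS
    for i, entry in enumerate(manifest):
        record = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = sha256_hex(json.dumps(record, sort_keys=True).encode())
        if entry["entry_hash"] != expected:
            problems.append(f"entry {i}: record altered after signing")
        if entry["previous_hash"] != prev:
            problems.append(f"entry {i}: chain link broken")
        data = by_name.get(entry["object"])
        if data is None:
            problems.append(f"entry {i}: object {entry['object']} missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"entry {i}: content of {entry['object']} changed")
        prev = entry["entry_hash"]
    return (not problems, problems)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_OBJECTS, "analyst@example.test")
    print(json.dumps(manifest, indent=2))
    print("verify (unchanged):", verify_manifest(manifest, SAMPLE_OBJECTS))
    altered = [(SAMPLE_OBJECTS[0][0], SAMPLE_OBJECTS[0][1] + b"x"), SAMPLE_OBJECTS[1]]
    print("verify (content changed):", verify_manifest(manifest, altered))
```

The manifest itself is plain JSON, so it can be stored with the collected data and handed to the other side of the contract; a provider that produces such a record when it returns data to a customer, and a customer that re-verifies it on receipt, have a concrete artifact for the "authentication of data" the articles ask for. The example does not sign the manifest with a key, so it proves integrity of the chain, not who created it; a signature over the final entry_hash would add that.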
Client Access
Password Security
Data
Shared Responsibilities (With IaaS, for example, the client tends to have more responsibilities, because the vendor typically provides only the raw, underlying computing infrastructure.)
Cloud Contract – SQL Azure, Microsoft
"Upon the expiration of the term or any termination or cancellation of this agreement, your rights to access or use the Services immediately cease, and you must promptly remove from the Services any data, software programs or services (if any) used in connection with your access to or use of the Services. If you do not remove such data, software programs or services from the Services, we reserve the right to remove them in accordance with our normal business practices for the Services."
"Upon cancellation, suspension or any termination, your right to use the Services stops right away and you must immediately remove your Data and applications from the Services. You are responsible for taking the steps necessary to back up your Data. Upon any termination of this agreement, all other rights granted to you by this agreement will also automatically terminate."

Cloud Contract – GoGrid, Microsoft
"You bear sole responsibility for any and all data used in connection with the development, operation or maintenance of any software programs or services that you use in connection with your access to or use of the Services, including without limitation taking the steps necessary to back up such data, software programs or services."

Cloud Contract – DropBox
"Dropbox reserves the right to terminate Free Accounts at any time, with or without notice. Without limiting the generality of the foregoing, and without further notice, Dropbox may choose to delete and/or reduce: (i) any or all of Your Files if your Free Account is inactive for 90 days; and (ii) previous versions and/or prior backups of Your Files."