Cloud Contracts and Data Sovereignty

In a recent press release from Gartner, ambiguous contract language and protection relating to security was highlighted as concern to buyers of commercial cloud services, particularly software as a service (SaaS). So what specifically are these concerns and what can the CIO do to mitigate them?

The Gartner report is supported by a survey conducted in June by Logicalis Australia. It found that, while CIOs acknowledge the benefits a cloud solution could present in terms of freeing up time to address strategy tasks, 70% of respondents cited data sovereignty as an issue. Price Waterhouse Coopers also found in a survey that 62% of respondents considered data security the biggest barrier to adoption.

Clearly then the concerns are widespread, but what specifically is giving CIOs the jitters?

I believe there are six key concerns:

  1. Vague location creating vulnerability
    Moving documents to remote locations is easy and quick. But where is valuable IP and data really being kept? Not knowing the location, particularly if it is likely to change without notice, puts information in a compromising position.
  2. Unauthorised access
    The US Patriot Act and the danger of data being accessed by governments and litigants without the client knowledge is an ongoing hot topic.
  3. National laws and regulations
    With differing laws and regulations covering privacy across the globe, coupled with the data centres being housed in countries that offer cost efficient services to the cloud services company, can a CIO be sure that the laws and regulations in both territories are in harmony?
  4. Varying security standards
    In the absence of a worldwide standard for data security, most vendors, according to Gartner, choose to commit as little as possible contractually.
  5. Unfavourable contracts
    Australian technology lawyer Dudley Kneller points out that some cloud providers offer generic, off-the-shelf Service Level Agreements. This essentially means their solution is not likely to match all clients’ needs.
  6. Data recovery
    Business continuity and compliance require fast access to data. In some cases, particularly following contract termination, this is poorly managed.

It is clear then that data sovereignty and business flexibility need to be balanced to ensure the business is not brought to a grinding halt.  CIOs can achieve this by ensuring they select the right vendor and negotiate the right contract. Obvious, but not always executed as pressures from the business mount up on the IT department.

Advice is available from all quarters, and it is consistent; for example, in a market overview by Forrester in February this year and in advice documents published by The Cyberspace Law and Policy Centre of the University of New South Wales, it is  suggested that in the first place a Cloud Service or SaaS provider’s background needs to be audited in terms of offering, financial position, infrastructure, data centre locations, security procedures, record of reliability, secure access maintenance, DR plans and insurance coverage.

At the contract stage Gartner suggests that: " services users need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. In addition, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools" - such as those offered to members of the Cloud Security Alliance[i].

The key is risk mitigation, and the contract should address all the concerns highlighted above - to include managing sensitive data, storage location, access by other entities, breach notification obligation, disaster recovery, monitoring and termination. A provider should share not just its data centre migration process, but also its method for 'off-boarding' customers.

Any CIO will welcome the opportunity to apply more energy to strategic matters, and with a careful approach to negotiating contracts, should also be able enjoy the comfort of full data sovereignty.

[i] The Cloud Security Alliance is a non-profit industry organisation with members such as Cisco, Amazon, AT&T, Google and HP.

Tags Data Protection and Privacy, Cloud Computing, Business Strategy