Cloud Contracts and Data Sovereignty

In a recent press release from Gartner, ambiguous contract language and protection relating to security was highlighted as concern to buyers of commercial cloud services, particularly software as a service (SaaS). So what specifically are these concerns and what can the CIO do to mitigate them?

Clearly then the concerns are widespread, but what specifically is giving CIOs the jitters?

I believe there are six key concerns:

1. Vague location creating vulnerability
   Moving documents to remote locations is easy and quick. But where is valuable IP and data really being kept? Not knowing the location, particularly if it is likely to change without notice, puts information in a compromising position.
2. Unauthorised access
   The US Patriot Act and the danger of data being accessed by governments and litigants without the client knowledge is an ongoing hot topic.
3. National laws and regulations
   With differing laws and regulations covering privacy across the globe, coupled with the data centres being housed in countries that offer cost efficient services to the cloud services company, can a CIO be sure that the laws and regulations in both territories are in harmony?
4. Varying security standards
   In the absence of a worldwide standard for data security, most vendors, according to Gartner, choose to commit as little as possible contractually.
5. Unfavourable contracts
   Australian technology lawyer Dudley Kneller points out that some cloud providers offer generic, off-the-shelf Service Level Agreements. This essentially means their solution is not likely to match all clients’ needs.
6. Data recovery
   Business continuity and compliance require fast access to data. In some cases, particularly following contract termination, this is poorly managed.

It is clear then that data sovereignty and business flexibility need to be balanced to ensure the business is not brought to a grinding halt.  CIOs can achieve this by ensuring they select the right vendor and negotiate the right contract. Obvious, but not always executed as pressures from the business mount up on the IT department.

Advice is available from all quarters, and it is consistent; for example, in a market overview by Forrester in February this year and in advice documents published by The Cyberspace Law and Policy Centre of the University of New South Wales, it is  suggested that in the first place a Cloud Service or SaaS provider’s background needs to be audited in terms of offering, financial position, infrastructure, data centre locations, security procedures, record of reliability, secure access maintenance, DR plans and insurance coverage.

At the contract stage Gartner suggests that: "...cloud services users need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. In addition, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools" - such as those offered to members of the Cloud Security Alliance[i].

The key is risk mitigation, and the contract should address all the concerns highlighted above - to include managing sensitive data, storage location, access by other entities, breach notification obligation, disaster recovery, monitoring and termination. A provider should share not just its data centre migration process, but also its method for 'off-boarding' customers.

Any CIO will welcome the opportunity to apply more energy to strategic matters, and with a careful approach to negotiating contracts, should also be able enjoy the comfort of full data sovereignty.