Cloud security is becoming a bigger concern as more data and applications are hosted by third-party providers. Unfortunately, many companies aren't fully using one of their strongest tools for protecting that information: the cloud computing vendor contract.
When companies implement cloud services, they sign a vendor contract with the cloud computing provider. In addition to setting the terms of payment and other responsibilities for the customer, that agreement should also assign responsibilities to the vendor.
That includes uptime guarantees, as well as requirements for specific security controls and consequences if there is a security breach.
Unfortunately, most cloud computing contracts are more favorable to the vendor than to the customer, according to a recent Gartner report. Those vendor contracts are often vague about how data will be protected, and don’t require meaningful compensation for the customer if a vendor mistake leads to data being compromised.
Negotiate with providers
Part of the problem, Gartner says, is that the recent wave of cloud computing adoption is relatively new, and customers have yet to negotiate for stronger security controls in their vendor contracts.
That could begin changing soon, though. According to the report, the majority (80%) of organizations are unhappy with their vendor contracts, and Gartner predicts that dissatisfaction will continue through 2015.
To avoid getting stuck in a frustrating and potentially risky cloud agreement, companies should carefully look over those vendor contracts and try to negotiate more favorable terms. Here are some of the provisions experts say companies should pay more attention to:
1. Audits and testing
Companies need to evaluate what security controls a cloud vendor has in place before signing up for a service. But beyond that, the organization needs to make sure the system is actually secure and stays that way.
That’s why vendor contracts with cloud providers should allow for regular security audits and vulnerability testing. Customers should be able to have a third party conduct the audit at least annually and certify that the service meets security requirements.
The contract should also give the company the option to break the agreement if the vendor fails to meet those measures.
2. Security controls
While companies should know what security precautions a cloud vendor uses before signing a contract, it is also a good idea to get the most critical precautions described in writing as part of the vendor agreement.
That will guard against changes the vendor might make in the future that could leave the company's data more exposed to attack. The company should at least be able to get out of the contract if the security environment changes significantly.
For example, the vendor contract might state that each customer's data will be kept segregated from other customers' data, that data will be encrypted in transit and at rest, and so on.
3. Breach penalties
Many cloud vendor contracts fail to mention compensation in the case of security breaches, lost data or other problems, Gartner says. The reason is that since cloud providers offer the same service to many customers, a single problem could leave them on the hook to all of them at once. Often the only remedy offered is a service credit deducted from the cost of the service.
However, the research firm says that shouldn’t stop companies from trying to negotiate for greater penalties. For example, if a contract offers a reduction in fees for 12 months, companies can ask for that to be raised to 24 or 36 months.
4. Data recovery
An important goal of cloud computing security is keeping information out of the hands of the wrong people. But some experts say an even bigger threat is that a cloud service will go down, resulting in lost data and lost business.
Cloud contracts should include uptime guarantees to make sure the company is at least compensated if the service is unavailable for significant periods of time.
Those agreements should also include clauses about recovering data after an incident, in particular a recovery time objective (how long restoration will take) and a recovery point objective (how much recent data may be lost, which depends on how often the vendor takes restorable backups). And again, there should be meaningful penalties if those objectives aren't met.
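Uptime, recovery time and recovery point commitments are only useful if the customer can check them against its own records rather than the vendor's dashboard. The following is an added example (not from the article or from Gartner) that turns a set of assumed contract terms, a 99.9% monthly uptime commitment with a 4-hour RTO and 1-hour RPO and a tiered service-credit schedule, into checks run over constructed outage records; the terms, credit tiers and outages are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SlaTerms:
    """Contract commitments. Values here are assumed for the example, not a real vendor's SLA."""
    uptime_pct: float   # monthly availability commitment, e.g. 99.9
    rto: timedelta      # maximum time to restore service and data after an incident
    rpo: timedelta      # maximum age of the last restorable copy at the start of an incident
    # service-credit tiers as (availability floor, credit as % of monthly fee), highest floor first
    credit_tiers: tuple = ((99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50))


@dataclass(frozen=True)
class Outage:
    """One incident as recorded by the customer's own monitoring (constructed data)."""
    start: datetime
    restored: datetime          # when service and data were fully back
    last_good_backup: datetime  # most recent restorable copy taken before the outage


def availability_pct(outages, period_start, period_end):
    """Availability over the billing period, counting only downtime that falls inside it."""
    total = period_end - period_start
    down = timedelta()
    for o in outages:
        overlap = min(o.restored, period_end) - max(o.start, period_start)
        if overlap > timedelta():  # ignore outages entirely outside the period
            down += overlap
    return 100.0 * (1 - down / total)


def rto_breaches(outages, terms):
    """Incidents where restoration took longer than the contractual RTO."""
    return [o for o in outages if o.restored - o.start > terms.rto]


def rpo_breaches(outages, terms):
    """Incidents where the last good copy was older than the contractual RPO."""
    return [o for o in outages if o.start - o.last_good_backup > terms.rpo]


def service_credit_pct(availability, terms):
    """Credit owed under the tiered schedule for the measured availability."""
    for floor, credit in terms.credit_tiers:
        if availability >= floor:
            return credit
    return terms.credit_tiers[-1][1]


def evaluate(outages, terms, period_start, period_end):
    """Summarise whether the vendor met its commitments and what credit is owed."""
    avail = availability_pct(outages, period_start, period_end)
    return {
        "availability_pct": round(avail, 3),
        "uptime_met": avail >= terms.uptime_pct,
        "credit_pct": service_credit_pct(avail, terms),
        "rto_breaches": len(rto_breaches(outages, terms)),
        "rpo_breaches": len(rpo_breaches(outages, terms)),
    }


# Assumed contract terms and a constructed 30-day billing period.
TERMS = SlaTerms(uptime_pct=99.9, rto=timedelta(hours=4), rpo=timedelta(hours=1))
PERIOD_START = datetime(2025, 6, 1)
PERIOD_END = datetime(2025, 7, 1)

# Constructed outage records: a 20-minute blip within RTO/RPO, and a 5.5-hour
# incident that blew through both the RTO and the RPO (last backup 3 hours old).
SAMPLE_OUTAGES = [
    Outage(datetime(2025, 6, 3, 2, 0), datetime(2025, 6, 3, 2, 20), datetime(2025, 6, 3, 1, 30)),
    Outage(datetime(2025, 6, 17, 14, 0), datetime(2025, 6, 17, 19, 30), datetime(2025, 6, 17, 11, 0)),
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_OUTAGES, TERMS, PERIOD_START, PERIOD_END).items():
        print(f"{key}: {value}")
```

The point of running this from the customer's own monitoring data is that a 99.9% monthly commitment allows only about 43 minutes of downtime, so a single multi-hour incident both breaches the uptime guarantee and, on the assumed schedule, moves the credit from 0% to 10% of the monthly fee; the RTO and RPO checks are what turn "how long" and "how much data" into something that can be disputed with evidence.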
5. Incident notification
A key part of keeping data safe in the cloud is being aware of the threats a cloud service faces. That's why companies must be promptly notified of any incident involving their cloud computing vendors.
By default, many vendors only notify customers when their own data is breached. But companies should push to be told any time the vendor is attacked, regardless of whose data is affected, since an attack on a shared platform is a warning about the company's own exposure.
6. Exit strategies
One of the keys to negotiating is to have leverage — that means companies must make sure there’s a way out of their cloud computing contracts. That way if they’re unhappy with a current vendor they can renegotiate or leave the contract.
Along with getting contracts that allow for termination if key security terms aren't met, companies should also watch out for automatic renewals, and make sure the contract specifies that all data will be returned in a usable format after the arrangement ends and then deleted from the vendor's systems.