The Truth About Protection of Your Data in The Cloud
Plus a 3 Part Data Protection Negotiation Strategy
The cloud. It makes business life so much better. It allows for easy access to applications and for collaborating with distant co-workers. Organizations can focus more on their core business mission and less on the technology infrastructure on which that mission functions. Scale, reduced cost, business continuity, agility, maintenance efficiency, and reliability all represent reasons why people go cloud.
But the cornerstone ‘why’ behind the cloud is convenient access to data. So, it would stand to reason that the organizations responsible for housing your coveted data would also be responsible for protecting that data, right? They work hard to assure current and prospective customers about physical and virtual security, proactive hardware maintenance, redundancy and a host of other lengths they go to in order to protect your data while it resides in their cloud.
While all this is genuinely good (and expected), there’s an elephant in the room. According to The Truth in Cloud study...
- 69% of respondents, drawn from 1,200 business and IT decision makers across the globe, wrongly assume data protection, privacy, and compliance are the responsibility of the cloud provider.
- 83% of respondents who use or plan to use Infrastructure-as-a-Service (IaaS) believe their cloud provider protects their data while in the cloud.
- 54% of respondents believe the cloud provider is responsible for secure transfer of data between on-prem systems and the cloud.
These are just a few highlights of a clear misunderstanding in the market about who owns the security of data.
The fact is, the ‘cloud’ is about as nebulous as an actual cloud in the sky. You can see its form, but securing, containing, or otherwise managing it is like chasing the wind. Still, 67% of respondents use or plan to use two or more cloud providers.
So what do we do with this revelation?
First, ask yourself if you have a clearly defined, written cloud strategy. 32% of survey respondents reported “lack of a clear strategy” as one of the barriers to using the cloud. If you have one, have you tested its merits? Specifically, with respect to your vendor agreements, what protections or exposure do these agreements contain regarding your data in the vendor’s care? And in transit?
There are dozens of considerations in determining fair protection and security of your data depending on your business priorities, regulatory requirements, and vendor priorities. Whether in a renewal cycle or in a first-time evaluation of a cloud vendor, there are three critical terms to position that, together, represent a highly effective negotiation strategy for testing the mettle of any cloud vendor:
Attestations. There is no better visibility into the real security posture of cloud providers (SaaS, IaaS, PaaS, etc.) and/or those providing connection to them (ISP, telecom provider, etc.). Attestations (evidence) are the results of SOC 2, SAS 70, and Pen (penetration) Testing audits. Performed regularly by independent firms, these audits measure a company’s operating controls against an independent best-practice standard and test its performance over time with respect to security and other relevant operational functions.
It is of paramount importance to include language requiring your cloud vendor to provide attestations as they are completed. They represent a look behind the curtain that either validates or exposes what has been communicated to you about the security of your partners in the cloud. Even the act of requesting the attestations will tell you a lot, based on how the vendor responds to the request. Is the response transparent, or heavily contextualized with obvious discomfort?
Your contract should similarly require that any material deficiencies identified by the audit be remedied within a specific time, based on their classification (e.g. critical, serious, etc.).
Serious questions should be asked about any vendor who is unwilling to contractually agree to provide attestations or to remedy deficiencies within a reasonable time.
How to read the reports and use that information to assess your vendor’s data protection capabilities is, at the very least, another post.
Right to terminate. Aside from the traditional reasons to terminate for cause, such as a general material, uncured breach, and the reasons specific to cloud services, such as failure to meet defined performance metrics, there are other reasons specific to data protection. With respect to attestations, it’s important to define the right to terminate the agreement based on a failure to provide attestations, a failure to remedy deficiencies identified in those attestations, or a breach suffered by the vendor or any other compromise of the security of your data.
Again, just the act of proposing these termination rights will give you insight into the vendor’s integrity and capability as a partner. This represents a valuable opportunity to pre-test the viability of an agreement before you sign on the dotted line. As we can all agree, it is better to truly know who you’re dating before you get married.
Transition assistance. With respect to termination, it’s important to consider protection for your priorities and for the data (and software, as applicable) that resides in a particular vendor’s cloud post termination. As we can all appreciate, extracting data and migrating between cloud locations (or bringing your applications or data back in-house) is no small thing. Who bears the cost of a migration if the vendor relationship is terminated for cause? How much time will be allowed for the transition? Is there price protection for the duration of the “wind-down” use of the cloud? These are just a few of the questions that need to be considered regarding transition.
We all believe data is an asset. So, protecting it is a priority that must carry beyond accepting the assurances a cloud vendor makes about themselves in a sales pitch. Put your cloud vendors to a valuable test before you agree to work with them. Make sure they are willing to put their money where their mouth is with respect to the terms of your agreement.
Have you seen the attestations of your cloud vendors? What data protection gaps do you have in your cloud vendor agreements? Currently negotiating (or preparing to negotiate) a cloud vendor agreement? For an independent perspective, check out seprio.com/cloud-score.