
Driving a Hard Bargain: Cloud Computing Contracts

January 22, 2013

Every contract or service agreement defines the responsibilities of the parties to it. One of the major challenges with contracts for cloud computing, whether public, private or hybrid, is how easily those responsibilities can be left out. The delineation of responsibilities should be written with clarity and foresight. Otherwise, when issues such as data loss, security incidents or distributed denial of service attacks arise, the absence of contractual responsibility can spell trouble for any company.

Having a clear Cloud Security Program is a good place to start the process. As the “Guidelines on Security and Privacy in Public Cloud Computing” from the National Institute of Standards and Technology (NIST) states, “Understanding the policies, procedures and technical controls used by a cloud provider is a prerequisite to assessing the security and privacy risks involved.”

Cookie-cutter contracts, a.k.a. predefined non-negotiable agreements, from cloud providers are becoming less common as businesses demand more of a say in what they get for their investment. Instead, negotiated service agreements are increasingly common, because they allow an organization to ensure its requirements will actually be met by the provider.

If you don’t have the expertise or staff within your own organization to confidently negotiate with providers, your Legal Team can hire specialized outside counsel and information security experts to help with the negotiations and to set up a comprehensive Cloud Security Program.

Here are some of the areas that NIST, along with FishNet Security, believes should be clearly covered through negotiated contracts:

- Vetting of the provider’s employees
- Backup, monitoring, incident response and electronic discovery responsibilities
- Data encryption and segregation
- Tracking and reporting service effectiveness
- Transparency of processes, procedures and relevant records
- Details about communication with customers about incidents and configuration changes
- Details about the use of subcontractors
- Details about exit strategies with the provider
- Options (including possible termination) with your contract if the provider suffers a breach
- Who owns and controls the data center(s)
- Access to systems and data for your own incident response/forensics team
- Any special stipulations based on your regulatory requirements
- The ability of your staff or a selected service provider to perform vulnerability scans and penetration tests
- Compliance with laws and regulations
- The use of validated products and operations that meet state, federal or national standards
- Documentation that demonstrates your requirements are being met
- The degree to which the provider will accept liability for exposure of data under its control
- Service Level Agreements

It’s important for clients to use contract provisions with cloud service providers to ensure access to system logs and other low-level information stores. If there’s a security incident, you need access to these repositories to determine what happened, fix the issue and prevent it from happening again. Unless the contract says otherwise, the provider may have no obligation to give you access to these repositories, or even to hand over the information when you request it.

Also, you may not have permission to perform vulnerability scanning or analysis. If you are buying infrastructure as a service, the provider probably will not allow you to scan its systems, so you may have to take its word that those systems are secure, which is an uncomfortable prospect. Establishing the right to perform technical testing in the contract can help. It’s hard to obtain this right after a contract is signed, so make sure it is settled during the negotiating phase.

FishNet Security recommends that you include a provision in your contract covering incident response, establishing roles and responsibilities during an incident. Try to get the strongest language possible around vulnerability analysis as well. Will the provider perform the analysis and give you a report, or will it let you perform the analysis yourself? At what intervals?

Unfortunately, some providers will not allow any concessions beyond their standard contract language, and relationship leverage often determines negotiating power. Companies need to determine what is acceptable to them. Take a risk-based approach to deciding whether an application or function is appropriate to place in the cloud. Assess as well the risk posed by your prospective provider’s stance on information security and the amount of access it is willing to give you. Then you will be able to make an informed decision on whether to use a particular service provider, or to move a particular service to the cloud at all.
