Typically, providers have been more willing to take on responsibility for network integrity, while trying to steer clear of obligations in relation to security of the data itself.
However, over recent years, cloud service providers have been improving their privacy offerings. For example, there has been an increased willingness of providers to adopt the EU model clauses for data transfer.
In addition, many providers now offer European-based data centres, reacting to commercial pressures from Europe-based clients.
When evaluating cloud solutions:
• classify the data concerned (including its sensitivity), and consider what would happen if data was disclosed, lost or corrupted;
• consider what the business impact would be if you were unable to use the data;
• check whether the provider is certified to ISO/IEC 27001 (with controls aligned to ISO/IEC 27002) and, if a public cloud provider processing personal data, ISO/IEC 27018, and ask to see the certificate and the scope it actually covers; and
• ensure that your deployment of cloud will comply with applicable data protection law, taking into account all relevant regulatory guidance, e.g., the Article 29 Data Protection Working Party's opinion on cloud computing, the EU Cloud Standardisation Guidelines and the ICO's guidance on cloud computing.
Cloud contracts: 4 - Performance commitments are hard to find
Ensure that you are comfortable with the level of service performance commitment offered by the cloud provider.
Most cloud contracts remain light in terms of service levels, with availability being the typical measurement metric. Check the wording of the SLAs carefully - phrases such as 'service levels designed to be available' or 'target service levels' describe an aspiration rather than a binding commitment, and may leave you with no enforceable right if the service falls short.
Also, identify the remedies available for service failure - it's common for providers to offer service credits (i.e., credit for additional services), despite the fact that it's hard to see 'more of the same' as a valuable remedy for a service that has just failed you.
Cloud contracts: 5 - Regulators are taking notice
If you are a regulated entity, you will need to take account of relevant regulatory guidance. For example, the FCA published draft guidance on cloud computing in November 2015 (due to be published in final form this year). This high level guidance is aimed at ensuring regulated firms appropriately identify and manage risks relating to the deployment of cloud-based solutions. Issues identified in the guidance include:
- legal and regulatory considerations;
- oversight and audit; and
- data privacy and security.
Cloud contracts: Conclusion
Ultimately, you need to approach cloud transactions with a heavy dose of pragmatism, accepting that it may be very difficult to negotiate material changes to a cloud provider's terms.
You need to carry out a thorough risk/benefit analysis exercise in order to evaluate whether the particular cloud solution is right for your business. If you perceive the risks to be so great that significant contract negotiation seems essential before putting services in the cloud, it may be that cloud isn't the right solution for you after all.
Source: Computerworld UK