Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham

Similar documents
Information Security: Cloud Computing

How to ensure control and security when moving to SaaS/cloud applications

Legal Issues in the Cloud: A Case Study. Jason Epstein

Cloud Computing: Legal Risks and Best Practices

Cloud Computing Overview & Security Issues

Risk Management of Outsourced Technology Services. November 28, 2000

Software as a Service Decision Guide and Best Practices

Security & Trust in the Cloud

Contracting Guidelines with EHR Vendors

Auditing Cloud Computing and Outsourced Operations

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009

Cyber and Data Security. Proposal form

Technology Risk Management

Cloud Computing. Making legal aspects less cloudy. Erik Luysterborg Partner Cyber Security & Privacy Belgium EMEA Data Protection & Privacy Leader

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

24/7 Monitoring Pro-Active Support High Availability Hardware & Software Helpdesk. itg CloudBase

A Checklist for Software as a Service (SaaS) Vendors and Application Service Providers

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Schedule 5: SaaS Premium Service Level Agreement

Cloud Vendor Evaluation

Negotiating EHR Acquisition Contracts

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

Assessing the Security Risks of Cloud Computing

Outsourcing Technology Services A Management Decision

Services Providers. Ivan Soto

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Norwegian Data Inspectorate

ISO COMPLIANCE WITH OBSERVEIT

Contracting for Cloud Computing

SELECTING AN ENTERPRISE-READY CLOUD SERVICE

Anatomy of a Cloud Computing Data Breach

Managed Security Services for Data

Contracting Guidelines with EHR Vendors

Top 10 Cloud Risks That Will Keep You Awake at Night

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

THIS SERVICE LEVEL AGREEMENT DEFINES THE SERVICE LEVELS PROVIDED TO YOU BY THE COMPANY.

SAAS MADE EASY: SERVICE LEVEL AGREEMENT

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

INNOVATE. MSP Services Overview SVEN RADEMACHER THROUGH MOTIVATION

MOVING INTO THE DATA CENTRE: BEST PRACTICES FOR SUCCESSFUL COLOCATION

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Why You Should Consider Cloud- Based Archiving. A whitepaper by The Radicati Group, Inc.

How To Choose A Cloud Computing Solution

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

Information Technology: This Year s Hot Issue - Cloud Computing

HARNESSING THE POWER OF THE CLOUD

Disaster Recovery as a Service 2013

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Cloud Computing and Records Management

Attachment A. Identification of Risks/Cybersecurity Governance

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

The Difference Between Disaster Recovery and Business Continuance

A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE

White Paper on Financial Institution Vendor Management

How To Protect Your Data In The Cloud

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

Cloud Computing in a Government Context

Top 10 Risks in the Cloud

Making the leap to the cloud: IS my data private and secure?

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Information Disclosure Reference Guide for Cloud Service Providers

Design of Database Security Policy In Enterprise Systems

VENDOR MANAGEMENT. General Overview

Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs

OUTSOURCING IT FUNCTIONS IN TIMES OF INCREASED REGULATION AND SECURITY CONCERNS In-House Counsel Conference

Cloud Services and Business Process Outsourcing

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

A Global IT Managed Service Provider

THIS SERVICE LEVEL AGREEMENT DEFINES THE SERVICE LEVELS PROVIDED TO YOU BY THE COMPANY ( Exchange My Mail ).

CA API Management SaaS

CLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Healthcare Payment Processing: Managing Data Security and Privacy Risks

Company Overview. Enterprise Cloud Solutions

FOR THE FUTURE OF DATA CENTERS?

Vendor Management Best Practices

Enterprise Architecture Review Checklist

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

Canvassing the Cloud. An Eversheds LLP and PA Consulting Group study into the adoption of Cloud technologies

security in the cloud White Paper Series

Cloud Computing in Vermont State Government

WHY YOU SHOULD CONSIDER CLOUD BASED ARCHIVING.

IBM Managed Security Services (Cloud Computing) hosted mobile device security management

Please read through these Terms and Conditions carefully, these Terms and Conditions apply to all services with us, unless otherwise stated.

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations

Additional services are also available according to your specific plan configuration.

The Data Melting Pot Computing in the Cloud. Becky Pinkard Manager, Security Operations Centres Research In Motion

By using the Cloud Service, Customer agrees to be bound by this Agreement. If you do not agree to this Agreement, do not use the Cloud Service.

How To Deal With Cloud Computing

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Cloud Computing and HIPAA Privacy and Security

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Transcription:

Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham

The dynamic provisioning of IT capabilities, whether hardware, software, or services from a third party over the network Accenture, 2009 Cloud computing may be viewed as outsourcing of these capabilities. Maintaining control over the unpredictability of the forecast. Should you stay indoors or venture out? 2

1. Security 2. Performance 3. Audit 4. Remediation 5. Mobility 3

First, consider the criticality of software, data, or services in question: 4 Non-core business tools or routine, non-sensitive data? Might make sense for looser contract terms, low cost Mission critical systems, regulated personal data, or sensitive business intelligence? Data ownership/security issues must be specified in contract Failure to do so could expose you to serious violations of applicable privacy and export laws Examples: private cloud, data encryption, geographic restrictions

Data should be replicated and continuously updated to be unaffected by outages or disasters Vendor should provide real-time data streams from intrusion detection systems If vendor has any kind of breach in its cloud, you should immediately receive notification Vendor s obligations should be specified in the event of a virus, hacking or denial of service attacks 5

7 Security Issues to Consider for Cloud Contracts: 1. Privileged User Access 2. Regulatory Compliance - Confidentiality 3. Data Location 4. Data Segregation 5. Recovery 6. Investigative Support 7. Long-Term Viability - Transition 6 - Gartner, 2008

1. Privileged User Access Get as much info as you can about the people who manage your data are they all in-house? Hiring and oversight of privileged administrators and the controls over their access 2. Regulatory Compliance 7 Vendor should comply with audits and security certifications. Is it SAS 70 / ISO 27001 certified? Are you licensing vendor software? Do you have permission to use?

3. Data Location Private cloud? Is the vendor merely a subcontractor? Ask provider to commit to storing and processing data in specific jurisdictions Contractual commitments to obey local privacy laws 4. Data Segregation Vendor should provide evidence that encryption schemes are in place and tested 5. Recovery 8 Vendor should have ability to do complete restoration in case of disaster

6. Investigative Support Cloud services can be especially difficult to investigate Logging and data for multiple customers may be co-located and/or spread across an ever-changing set of hosts and data centers. Vendor should give you a contractual commitment to support specific forms of investigation. E-discovery may be important. If subpoenaed, how do I get the information to comply with the Court s order? 7. Long-Term Viability Transfer of Data 9 Verify that data will be transferred in the event your provider ceases to exist, is acquired or contract ends.

Seek a balance between importance of cloud resources and what you can afford for performance premiums Change Management processes to be described Service level requirements, performance metrics and thresholds should be stipulated in contract for business continuity: Average application response times, transactions per second, monthly downtime figures, vendor help desk support response time, hardware and software maintenance 10

Ask for customer references to gauge vendor s performance record Contract Example: City of Los Angeles Google services contract limits downtime to no more than 5 minutes per month before stiff penalties kick in for the vendor Set performance goals and clawback of fees if performance standards are not met. Is pricing clear? Based on usage or load, or both? 11

SLA - Downtime Severity Levels I-III: Define them so that you can understand what and when solutions will be offered in the event of: I. Halt in Business II. Business impacted, but workaround III. Non-critical Set Performance Standards: o Availability based on written criteria: the 9 s. Example: 99.9 % equates to 40 minutes down/month. 12

Demand transparency! Actively monitor your vendor s performance for glitches Vendors should document system uptime and processing rates via monthly reports or electronic dashboards 13

Vendor should authorize customer to audit its electronic and physical security practices: On-site visits, interviews with employees Ask questions about the qualifications of vendors architects, coders, operators Confirm vendor s risk-control processes, level of testing done to verify service is functioning as intended, and that vendor can identify vulnerabilities These audits are essential as the cloud becomes a part of customer s functional data center under government security regulations 14

Avoid contracts that lack consequences for vendors that don t meet their contractual obligation Be wary of a vendor who agrees to everything If penalty for failing to deliver is insignificant, can be cheaper for vendor to fail than to follow through Breakdowns like excessive downtime should incur monetary penalties Examples: refund for a portion of your service fees, service credits or days of free service added 15

Security violations should incur more serious consequences: termination/exit rights if provider fails to notify of security breach As is warranties? What is the vendor proposing it will do if there is a problem? Dispute Resolution procedures define them Contract Example: Los Angeles/Google apps contract entitles Los Angeles to minimum award of $10,000 if any data compromised with power to seek unlimited damages if violation egregious. 16

Lack of data compatibility standards can make it difficult to move data/applications from one provider to another 17 Contract should explicitly provide that you remain the sole owner of your data, no matter where it physically resides You should have ready and unlimited access to data You should have the right to get data back at any time You should be able to get data back without restrictions upon termination of agreement contract should have provision requiring vendor to provide termination assistance when contract ends

Movement of data may involve transfer from servers in one jurisdiction to servers in another Could invoke different jurisdictional-dependent discovery rules, privacy laws and data-transfer restrictions You may want to restrict/prohibit relocation of data to avoid exposure Overseas data storage can pose entirely different set of risks EU standards are higher than US s 18

19 Contract Example: Los Angeles/Google apps contract requires LA to receive its full storehouse of data within 5 days of request and data moved to any location of LA s choosing, including alternative vendor; data must also exist as standard format that wouldn t incur added costs to LA to store in environment other than Google s

Don t assume contract provides adequate customer data protection Ask tough questions! Consider getting a security or risk assessment from a neutral third party before committing to a cloud service provider Don t assume there s no room to 20 negotiate even with boilerplate contracts

Heartland Payment Systems 2007 security breach of Visa card issuers info settlements of $65+ million vs. City of Los Angeles & CSC s customized, five year contract of Google apps 21

Today s Forecast: Is bright and sunny, with an 80% chance that I m wrong. Thanks for tuning in. 22

Daniel T. Graham Clark Hill PLC 150 North Michigan Avenue Suite 2700 Chicago, Illinois 60601 dgraham@clarkhill.com 312.985.5945 23

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information