Cloud computing contracts
Meera Kaul
2013


The use of computing resources (hardware and software) that are delivered as a
service over a network (typically the Internet).



There are three service models of cloud computing:
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Software as a service (SaaS)




With software as a service, users rent the application software and databases as well; the
cloud provider manages the infrastructure and platforms on which the applications run.



End users access cloud-based applications through a web browser or a lightweight desktop
or mobile app, while the business software and the user's data are stored on servers at a
remote location. Proponents claim that cloud computing lets enterprises get their
applications up and running faster, with improved manageability and less maintenance, and
lets IT adjust resources more rapidly to meet fluctuating and unpredictable business demand.



Cloud computing relies on sharing of resources to achieve coherence and economies of scale,
much as a utility (like the electricity grid) does, delivered over a network. At the
foundation of cloud computing is the broader concept of converged infrastructure and shared
services.
- The Risks
- Security, Privacy and Compliance Process
- Contracting
- Contracting lifecycle
- Key cloud contracting issues – "Bill of Rights"

The Benefits
- Control Risk
- Security Risk
- Privacy Risk
- Compliance Risk
- Subcontractors
What kind of data will be in the cloud?
- Where do the data subjects reside?
- Where will the data be stored?
- How is the data secured?
- Where are the servers?
- Will the data be transferred to other locations and, if so, when and where?
- Will the data be commingled?
- Can certain types of data be restricted to particular geographic areas?
- Is there a compliance plan for cross-border data transfers?

Cloud Relationships
- Who will actually be storing, processing or transmitting Customer data?
- Does the Cloud provider have rights in its subcontracts to permit compliance with the Customer's contract?
- Does the Cloud provider impose obligations on its subcontractors identical or similar to those imposed on it in the direct contract?
- How strong is the Cloud provider's vendor management program/controls?

Security Assessment
- Written vendor management program/process
- Security as an extension of internal security (e.g. matching controls; compliance with internal policies)
- "Reasonableness" (foreseeability and risk reduction)
- Compliance with standards (e.g. general standards; industry and peer standards; internal policies)
Geography
- Where is the data being stored/processed?
- Legal obligations triggered based on residency of data subjects/location of data

Privacy and Security Legal Compliance
- Who "owns" the data? How can it be used?
- What laws apply?
- Do the cloud provider's practices, policies and systems comply with applicable laws?
- Who has the obligation to incur the expense to comply?
System and Data Availability
- Business continuity/disaster recovery plan
- Impact to Customer if the Cloud is unavailable
- Scalability (if the Customer's processing needs increase or surge)

Data Retention
- Backups and recovery
- Records retention
- Litigation holds
- Secure return/deletion
Incident Response
- Provider incident response plan
- Notice of a breach
- Cooperation and support
- Access and forensic assessment rights
- Documentation and reporting from provider

Electronic Discovery/Electronic Evidence
- "Searchability" and availability of data in the cloud
- Forensic assessment (identifying, collecting and preserving data) in the cloud context
- Electronic evidence: data integrity issues; authentication
- Metadata
RFP Phase (competition over terms)
- Security, Privacy and Compliance due diligence
- Contract drafting
- Contract negotiation
- Contract enforcement
- Contract review and renegotiation
Definitions

Preventative Contract Terms
- Controls in place to prevent data breach
- "Reasonable security" – Is the security implemented "legally defensible"?
- Specific controls

Audit and Enforcement Terms
- Assessment/scanning rights
- Non-compliance reporting
- Credits/damages

Incident Response Contract Terms

Risk of Loss Contract Terms
Article I – Data Location Transparency
Cloud service providers shall reveal the physical location of the servers that will be
processing their cloud customers' data, and shall provide reasonable advance notice if
those physical locations change; cloud service providers shall coordinate with their
customers to assure compliance with local laws and any applicable restrictions on the
transfer of certain categories of data from one jurisdiction to another.
Article II – Security Transparency
Cloud service providers shall provide full information and access to documentation
concerning their security policies and measures, including the ability for cloud customers
to conduct periodic security assessments and obtain relevant security-related information
and documents from the service provider; this information and documentation should address
data integrity and availability as well as the confidentiality of customer data.
Article III – Subcontractor Transparency
Cloud service providers shall provide cloud customers with notice as to which third parties
will have the ability to access the customer's data and for what purposes, including
subcontractors, subcontractors of subcontractors and so on.
Article IV – Subcontractor Due Diligence and Contractual Obligations
Cloud service providers shall conduct reasonable due diligence and security assessments of
subcontractors or other third parties that will have access to customers' data or systems,
and shall enter into contracts with such third parties that hold those third parties to
substantially similar obligations as in their cloud agreements with their customers; cloud
service providers shall manage and similarly limit the ability of their subcontractors to
utilize other subcontractors.
Article V – Customer Data Ownership and Use Limited to Services
Cloud customers shall have the right to solely "own" the data they put into a cloud service
provider's cloud, and cloud service providers shall use their customers' information solely
for the purposes of providing services to the customer, unless otherwise explicitly agreed.
Article VI – Response to Legal Process
Cloud service providers shall provide notice (within hours, not days) of the service of any
subpoena or other legal process seeking their customers' data, and shall assist and
cooperate with their customers in responding to such legal process.
Article VII – Data Retention and Access
Cloud service providers shall reveal their data search, retention and destruction practices
to their cloud customers; and shall develop and enable data search, retention and
destruction capabilities in order to allow their customers to implement their own data
retention programs, efficiently effectuate litigation holds, and locate, collect and
preserve relevant data, including metadata; cloud service providers shall build in processes
and controls that allow for the efficient authentication of data (e.g. accurate
time-stamping; metadata; chain-of-custody indicators, etc.).
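Article VII above (and the Electronic Discovery slide's point about data integrity, authentication and metadata) asks the provider to support accurate time-stamping, metadata and chain-of-custody indicators so that data pulled out of a cloud can later be authenticated. The following is an added example, not part of the original deck, of how a customer can produce and check such indicators on its own side with Python's standard library: every collected object gets a content hash, its provider metadata and a UTC timestamp in a record that is hash-chained to the previous record, and the finished record is sealed with an HMAC under a key the provider never holds. The class and function names, the sample objects, the case identifier and the key are all constructed for the example.

```python
"""Customer-side chain-of-custody record for data collected from a cloud service.

Added example, not part of the original deck. Implements the authentication
indicators Article VII names: per-object content hashes, preserved provider
metadata, UTC timestamps and hash-chained custody records, plus a customer-held
HMAC seal. All names, sample objects and the key are constructed for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Stable serialization: the same record must always hash the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class ChainOfCustody:
    """Hash-chained log of who handled which object, when, and in what state."""

    def __init__(self, case_id, clock=None):
        self.case_id = case_id
        self.entries = []
        # Injectable clock keeps the record reproducible here; in practice take
        # time from a trusted, synchronized source ("accurate time-stamping").
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, action, actor, path, data, metadata):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "case_id": self.case_id,
            "action": action,            # e.g. "collected", "transferred"
            "actor": actor,              # who handled the object at this step
            "path": path,
            "size": len(data),
            "content_sha256": sha256_hex(data),
            "metadata": dict(metadata),  # provider-side metadata preserved as received
            "timestamp": self._clock().isoformat(),
            "prev_hash": prev,           # links this entry to the previous one
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry

    def seal(self, key):
        """HMAC over the last entry hash, under a key the provider never holds."""
        last = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        return hmac.new(key, last.encode("utf-8"), hashlib.sha256).hexdigest()

    def verify(self, objects, key=None, seal=None):
        """Return a list of problems; empty means records, chain and contents check out."""
        problems = []
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i:
                problems.append(f"entry {i}: sequence gap")
            if entry["prev_hash"] != prev:
                problems.append(f"entry {i}: broken chain link")
            if sha256_hex(canonical(body)) != entry["entry_hash"]:
                problems.append(f"entry {i}: entry hash mismatch (record altered)")
            data = objects.get(entry["path"])
            if data is None:
                problems.append(f"entry {i}: object {entry['path']} missing")
            elif sha256_hex(data) != entry["content_sha256"]:
                problems.append(f"entry {i}: content of {entry['path']} changed since collection")
            prev = entry["entry_hash"]
        if key is not None and seal is not None and not hmac.compare_digest(self.seal(key), seal):
            problems.append("seal mismatch (record truncated or rewritten)")
        return problems


# Constructed sample: two objects exported under a litigation hold (invented bytes/metadata).
SAMPLE_OBJECTS = {
    "mail/2013-03-04/msg-0001.eml": (
        b"From: a@example.com\r\nSubject: Q1 forecast\r\n\r\nDraft attached.\r\n",
        {"last_modified": "2013-03-04T09:12:31Z", "owner": "a@example.com"},
    ),
    "docs/forecast-q1.xlsx": (
        b"PK\x03\x04 placeholder bytes standing in for a spreadsheet",
        {"last_modified": "2013-03-04T09:10:02Z", "owner": "a@example.com"},
    ),
}
CUSTOMER_KEY = b"customer-held-seal-key-example-only"  # hypothetical key


def fixed_clock():
    return datetime(2013, 3, 5, 14, 0, 0, tzinfo=timezone.utc)


def collect_sample(objects=SAMPLE_OBJECTS, clock=fixed_clock):
    """Collect every sample object into a fresh log and seal it; returns (log, seal)."""
    log = ChainOfCustody("HOLD-2013-07", clock=clock)
    for path, (data, meta) in objects.items():
        log.record("collected", "legal-ops@customer.example", path, data, meta)
    return log, log.seal(CUSTOMER_KEY)


def sample_bytes(objects=SAMPLE_OBJECTS):
    return {path: data for path, (data, _meta) in objects.items()}


if __name__ == "__main__":
    log, seal = collect_sample()
    print(json.dumps(log.entries, indent=2))
    print("problems:", log.verify(sample_bytes(), CUSTOMER_KEY, seal))
```

verify() separates three failure modes a practitioner cares about when evidence leaves the cloud: an object whose bytes no longer match its hash, a custody record that was edited after the fact (its entry hash no longer matches), and a record that was silently truncated. The last case passes every per-entry check and is caught only by the seal, which is why the sealing key has to stay with the customer rather than with the provider.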
Article VIII – Incident Response
In the event a cloud provider suffers a security breach, cloud providers shall provide
prompt notice of the security breach to their affected cloud customers, shall coordinate,
cooperate and assist their customers with the investigation, containment and mitigation of
the breach, and shall allow their cloud customers to conduct their own forensic assessment
and investigation of the security breach.
Article IX – Indemnification and Limits of Liability
Cloud service providers shall engage their customers in meaningful discussions and
negotiations around indemnification and limitations of liability arising out of security
breaches, including consideration of exceptions to limits of liability for security
breaches suffered by the cloud service providers.

- Client Access
- Password Security
- Data
- Shared Responsibilities (with IaaS, for example, the client tends to have more responsibilities, because the vendor typically provides only the raw, underlying computing infrastructure)


Research has highlighted that cloud contracts are usually governed by the provider's Terms and
Conditions (T&Cs) for how the service will be delivered. More often than not this is not a single
document but a set of documents that together govern the relationship between the customer and the
cloud service provider. These can be relatively short and simple, or lengthy, complex and split over
several documents. Generally the T&Cs are made up of common documents such as Terms of Service (ToS),
a Service Level Agreement (SLA), an Acceptable Use Policy (AUP), a Privacy Policy, or a mixture of
these components.



Once the following statements from leading cloud service providers are examined, the reason for ensuring
you truly understand cloud contracts becomes clear.



Cloud Contract -- Facebook

"We may also share information when we have a good faith belief it is necessary to prevent fraud or other
illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our
Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers,
courts or other government entities."


Cloud Contract -- Amazon Web Services

"...you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your
Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption
technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep
your Applications or any software that you use or run with our Services current with the latest security patches
or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion,
destruction or loss of any of Your Content or Applications."


Cloud Contract -- Amazon Web Services

"In the event of any termination by us of any Service or any set of Services, or termination of this Agreement in
its entirety, other than a for cause termination under Section 3.4.1, (i) we will not take any action to
intentionally erase any of your data stored on the Services for a period of thirty (30) days after the effective
date of termination; and (ii) your post termination retrieval of data stored on the Services will be conditioned
on your payment of Service data storage charges for the period following termination, payment in full of any
other amounts due us, and your compliance with terms and conditions we may establish with respect to such
data retrieval."
Cloud Contract -- SQL Azure, Microsoft
"Upon the expiration of the term or any termination or cancellation of this agreement,
your rights to access or use the Services immediately cease, and you must promptly
remove from the Services any data, software programs or services (if any) used in
connection with your access to or use of the Services. If you do not remove such data,
software programs or services from the Services, we reserve the right to remove them
in accordance with our normal business practices for the Services."
"Upon cancellation, suspension or any termination, your right to use the Services stops
right away and you must immediately remove your Data and applications from the
Services. You are responsible for taking the steps necessary to back up your Data. Upon
any termination of this agreement, all other rights granted to you by this agreement
will also automatically terminate."
Cloud Contract -- GoGrid
"You bear sole responsibility for any and all data used in connection with the
development, operation or maintenance of any software programs or services that you
use in connection with your access to or use of the Services, including without
limitation taking the steps necessary to back up such data, software programs or
services."
Cloud Contract -- Dropbox
"Dropbox reserves the right to terminate Free Accounts at any time, with or without
notice. Without limiting the generality of the foregoing, and without further notice,
Dropbox may choose to delete and/or reduce: (i) any or all of Your Files if your Free
Account is inactive for 90 days; and (ii) previous versions and/or prior backups of Your
Files."
