Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
The Cloud Computing Contract Playbook: Contracting for Cloud Services
1. The Cloud Computing
Contract Playbook -
Contracting for Cloud Services
June 23, 2015
Paul Armitage*, Partner
* Law Corporation
Doc #1761319
2. 2
The Cloud is Everywhere
The cloud is everywhere and for anything
• SaaS (applications)
• Customer accesses and uses cloud provider’s applications
running on cloud provider’s infrastructure (e.g., Salesforce.com)
• PaaS (platform)
• Customer deploys and controls own (developed/licensed)
applications running on cloud provider’s infrastructure (e.g., IBM
Smartcloud, and also Salesforce.com!)
• IaaS (infrastructure)
• Customer deploys and controls applications, operating systems,
storage, and networking components running on cloud provider’s
infrastructure (e.g., AWS)
3. The Cloud is Everywhere
Expanding use of the cloud – from consumer to the
enterprise
• The cloud is no longer just for free or low-cost consumer offerings
• Mission critical functions: finance, billing, database storage,
networks
• Regulated industries (e.g., financial institutions, healthcare)
3
4. The Irresistible Force of the Cloud
• Significant cost reductions
• Lower total cost of ownership: no servers or licenses to be bought
– just pay as you go
• Cheaper to implement, customize and configure
• No upgrade fees for ongoing maintenance to stay current with
latest versions of the software and operating systems
• Cost certainty
• Predictable fees based on metrics (e.g., per user, log-in, record,
device)
• Renewal pricing: TIP - contractually ensure cost certainty on
renewal!
4
5. The Irresistible Force of the Cloud
• Speed of delivery
• Greatly reduces time required to implement, customize and
configure the solution, and to train users
• Scalable and elastic (metered, on-demand service)
• Increased connectivity and solution mobility (accessible
anywhere and by any Internet enabled device)
• Can allow an organization to achieve security standards
which are difficult or expensive to achieve in-house (e.g.,
diversity or disaster recovery requirements)
5
6. We’re Moving Everything to the Cloud - Not so Fast!
• OSFI, Guideline B-10: requires (among other things)
federally-regulated financial institutions (FRFIs) to
impose standards on the service provider in the areas of:
(1) confidentiality, (2) security, (3) data segregation
• OSFI, February 29, 2012 Memorandum: “New
technology-based outsourcing arrangements”
“Information technology plays a very important role in the financial
services business and OSFI recognizes the opportunities and
benefits that new technology-based services such as Cloud
Computing can bring; however, FRFIs should also recognize the
unique features of such services and duly consider the associated
risks.
As such, and in light of the proliferation of new technology-based
outsourcing services, OSFI is reminding all FRFIs that the
expectations contained in Guideline B-10 remain current and
continue to apply in respect of such services.”
6
7. We’re Moving Everything to the Cloud - Not so Fast!
• B.C. Privacy Commissioner, June 2012: “Cloud
Computing Guidelines for Public Bodies”
“Public bodies must consider s. 30.1 of FIPPA when making
decisions about whether to store personal information in the
cloud. With limited exceptions as set out in FIPPA, personal
information, including information in computer logs and on backup
tapes or drives cannot be stored or accessed outside of Canada.”
7
8. What’s Different about Contracting for Cloud Computing?
“Cloud” solution
• No on-premises installation at customer
• No license to the solution
• Instead, customer gets a subscription to access and use someone
else’s solution, on someone else’s computer, hosted somewhere
else, i.e., in the cloud
• In lieu of an in-house IT department where you can structure your
computing environment and know first-hand what security
safeguards are in place, you now have… a contract with your
cloud provider
8
9. Storing Personal Information in the Cloud
• Storing personal information in the cloud is generally
speaking permitted, so long as:
• Socio-economic and legal environment of the hosting jurisdiction,
and sensitivity of the information are taken into consideration
• Individuals are provided with notice of the cloud storage, and that
while their information is stored outside Canada it may be
accessed by foreign courts, law enforcement and security
authorities
• The cloud provider is contractually required to safeguard the
personal information against unauthorized use, access, collection,
disclosure, copying modification, and destruction, having regard to
the sensitivity of the information, and providing a comparable level
of protection to (a) if processed in-house, and (b) as is legally
required in Canada
9
10. Storing Personal Information in the Cloud
• Additional Alberta requirements
• Alberta Personal Information Protection Act:
• An organization must have policies about its use of “service
providers” (includes contractors and affiliates) outside of
Canada to process personal information, including as to (a)
which countries, and (b) the purposes of processing, and must
make its policies available on request
• An organization must, before or at the time of collecting or
transferring the information outside Canada, notify the
individual of (a) how to obtain information about the
organization’s policies on use of service providers outside of
Canada, and (b) the contact information of the person at the
organization who is able to answer questions about those
policies
10
11. Storing Personal Information in the Cloud
• Exceptions:
• B.C. public bodies - FIPPA, s. 30.1
• Personal information in the custody or control of a public body
must be stored in Canada and accessed only in Canada,
unless one of the following applies: (a) individual consent, (b)
allowed under FIPPA (including by ministerial order), or (c) in
connection with payments to or by a public body
• Similar restrictions exist for Nova Scotia public bodies
11
12. Know Your Cloud Provider
• Due diligence on cloud provider
• Review financial statements / regulatory filings (SEC 10K)
• Financial performance (look for positive growth) and self-
disclosure of risks by cloud provider
• Data security measures – look for (and include in the contract) the
following types of protections:
• Physical, e.g. restricted access to data centres
• Organizational, e.g. security clearances, background checks,
privacy and security policies, training
• Technological, e.g. (a) firewall, (b) encryption (consider three
data states for encryption: (1) at rest, (2) in transit, (3) in
process), (c) identity and access management (password
protection), (d) patch management and network maintenance,
(e) secure data deletion, (f) intrusion monitoring, (g) virus filters
12
13. Know Your Cloud Provider
• ISO 27001 standard for information security systems
• Certification to demonstrate industry-minimum cyber security
measures have been adopted
13
14. Know Your Cloud Provider
• ISO 27018 standard for protection of personally
identifiable information (PII) in the cloud
• Requires cloud provider to (among other things):
• Only process PII in accordance with the customer’s
instructions
• Only process PII for marketing or advertising purposes with the
customer’s express consent
• Disclose to the customer the identity of subcontractors and
locations where PII is processed
• Ensure that personnel who have access to PII enter into
confidentiality agreements and receive appropriate training
• Assist the customer in complying with notification obligations in
the event of a security breach
14
15. Know Your Cloud Provider
• PCI DSS (Payment Card Interface – Data Security
Standard) for (1) payment card processing, (2) securing
cardholder data (e.g., storage or encryption), (3)
cardholder data environment (e.g., infrastructure, data
centres), (4) application development with access to
cardholder information / data environment
• Standards for cardholder data security and consistent data
security measures
15
16. Data Security Clause
• Elements of a data security clause
• Data remains owned and under the control of the organization
while in the cloud provider’s possession
• Cloud provider must only use the data for the purpose of
performing its services
• Cloud provider must provide notice of any data breach
• Cloud provider must provide notice of any lawful access where
legally permitted
• Continued access to data is assured (restrict cloud provider’s
ability to cut-off or suspend access, e.g., for non-payment)
• Disaster recovery/business continuity plan to provide access to
data under adverse conditions
• Continued access to data for a period after subscription ends to
allow for transitioning to another provider or service repatriation
• Return of data on termination (specify cost and a format you can
use)
16
17. Specifications and Service Levels
• Specifications define what the cloud solution is supposed
to do
• A lot of cloud providers’ contracts don’t say anything about what
the solution does!
• Incorporate specifications and guard against future changes
• Service levels set minimum performance standards for
the cloud solution. Examples:
• 99.999% uptime – but what’s “uptime”?
• Time to perform a function
• Support call response
• Recovery time objectives
17
18. Audit
• Right to audit cloud provider by client (and by client’s
regulators if applicable)
• Third party auditors to ensure compliance with cloud
provider’s security program
• SSAE 16 (Type I or Type II)
18
19. Bringing Territory Back
The cloud is typically not tied to territory, but consider:
• Statutory prohibitions (e.g., FIPPA, s. 30.1)
• Sectoral laws requirements (e.g., Bank Act)
• Your own policies and contracts – have you committed to persons
that their data won’t be stored outside of Canada?
• Which laws you must comply with – are they also binding on the
cloud provider?
• Specify in the contract what laws must be complied with, e.g.,
Canadian laws for personal information protection
• Insurance – territorial limits on coverage
19
20. Bringing Territory Back
• Export controls – four areas of concern:
• US-origin technology (including technical data)
• Controlled technology: encryption, dual-use (civilian), military,
nuclear
• Cloud provider or user is located in sanctioned countries
• Designated persons subject to economic sanctions
20
21. Insurance Issues
Gaps in traditional policies - general liability and E&O do
not cover:
• Business interruption due to your cloud provider suffering an
outage as a result of computer or network security failure
• Indemnification for security breach notification costs (including
credit monitoring)
• Defence and indemnification for regulatory action due to a breach
of privacy laws
• Liability for disclosure of electronic data, confidential information,
and personal information
• Liability for economic harm suffered by others due to failure of
your computer or network security
21
22. Insurance Issues
• Cyber security & privacy liability insurance may be used
to fill-in these gaps. Conditions of coverage:
• Maintain same or better level of security as when coverage was
taken-out (may include audit of your and your cloud provider’s
systems and security)
• Compliance with legal regulations
• Notice of claims – therefore, must contractually require cloud
provider to provide notice of security breach
• There must have been a security failure (e.g., poor planning or
unforeseen usage levels are not covered)
22
23. Insurance Issues
• Cyber security & privacy liability insurance – yours or
your cloud provider’s?
• Will your cloud provider’s coverage be there to protect you?
• Cost of security breach based on number of records
compromised: 100,000 records - $8.6m* (if the cloud provider
has a 1,000 customers, that’s a $8.6b loss!)
* Marsh, “Cyber & Privacy Liability”
• Cloud provider business model is usually about reducing costs
– providers therefore may have low insurance, high
deductibles, and resist naming customers as additional
insureds
• Your insurance: covers data compromised in the hands of a cloud
provider (with insurer subrogation against cloud provider)
23
24. What Happens if your Cloud Provider Goes Out of
Business?
• Third party cloud continuity solutions – the new software
escrow
• Short term (e.g., 30 - 90 days) solution to keep your
cloud provider’s service running while you transition to a
new provider or repatriate the service
• Two main variations:
• Basic: escrow company contracts with cloud provider’s IaaS
hosting provider to allow escrow company to keep the solution
“up” if cloud provider goes out of business
• More advanced: escrow company runs a mirrored solution in its
own environment that can be cut-to as a fail-over if cloud provider
goes out of business (or just goes down – also a diversity service)
• May be coupled with traditional source code escrow
24
25. Thank You
montréal ottawa toronto hamilton waterloo region calgary vancouver beijing moscow london
Paul Armitage
Tel: 604-891-2779
Email: paul.armitage@gowlings.com
Doc # 1761319