Contracts aren’t fail-safe. Here’s how to guard your data as it travels among cloud providers and their subcontractors.
It’s 2 p.m. Do you know where your cloud data is? Really?
Executives at one large Fortune 500 company thought they knew, but a routine audit of their cloud provider uncovered a serious problem. “The cloud provider that we thought we had became merely a shell, and it outsourced the provision of the service to an offshore company that no one had even heard of,” recalls Brad Peterson, counsel for the company and a partner in the Chicago office of Mayer Brown.
Fortunately, the problem was discovered and there was no harm done, but there might have been serious consequences if it hadn’t been addressed. “We deal with companies with hundreds of thousands of customers. If a data breach can cost $400 to $500 (about Rs 20,000) per customer record and you lose 100,000 records, you’ve got a huge exposure,” says Peterson.
With some cloud computing providers outsourcing underlying parts of their services to subcontractors, who may in turn outsource to others, do you really know who has your company’s data? Industry insiders offer advice on how to ensure that every company in that daisy chain is protecting your information.
Security Haves and Have Nots
Major cloud computing providers, such as Google, Salesforce.com, Amazon, and Microsoft, know the data security requirements of large enterprises and are happy to oblige.
“Most of the larger cloud service providers have gotten SAS 70 audits and ISO 27001 [security] audits in response to large businesses,” says John Pescatore, an analyst at Gartner.
Google and others have even established dedicated US-based datacenters for government customers in order to comply with federal mandates that require government data to be stored domestically. The move helped Google win a contract to provide hosted e-mail service to the US General Services Administration; it was the first agency-wide federal cloud e-mail deployment.
Still, security and compliance concerns are the top two inhibitors to the use of cloud-based services, according to a 2010 Gartner study. Some 42 percent of survey respondents cited security, privacy and compliance as major concerns, though that’s down from 49 percent in 2009, Pescatore says.
Sophisticated providers of software-as-a-service (SaaS) have clauses dealing with data security in their contracts, Peterson says. “They understand customers’ needs and provide hybrid offerings to address security concerns better than you might be able to address them internally,” he says.
Contracts will usually give clients the opportunity to do the due diligence and spell out where data can be transferred and stored. Providers will give customers the right to approve subcontractors that will have access to their data and describe how they will respond to security incidents. They will also agree to give the customer the right to sign off on any changes before they are implemented, whereas a utility service provider may make changes and inform the customer afterward.
Cloud service providers will also have procedures for properly destroying data at the end of a contract. They will accept meaningful liability for their own breaches. Finally, the provider will give the customer audit rights “so they can verify that the provider is keeping its promises about your data,” Peterson adds.
That’s the best-case scenario. But what happens when a department within your company seeks cloud services on its own?
“There’s a tremendous amount of cloud outsourcing going on in major corporations where departments buy a cloud service over the Internet using a procurement card,” perhaps to test new applications, Peterson says. “That sort of sourcing may be the majority. In those cases, it may be an unsecure service [provider], but one hopes that central IT has categorized its data well enough that critical pieces are not going outside.”
In such cases, and in situations where a company is dealing with smaller or newer SaaS companies, “you still have [some vendors] who won’t tell you where your data is or who you’re subcontracting to,” Peterson says.
In the case of the Fortune 500 company, the fact that the vendor was outsourcing some services didn’t amount to a breach of contract because the cloud provider had cleverly stated that the services would be provided by it and its providers says Peterson.
There are ways to use less-expensive, consumer-grade cloud services and keep data safe, Pescatore says. For starters, companies are beginning to deploy cloud-based security-as-a-service offerings to add features such as encryption, Web access and authentication.
The Best Defense
Industry watchers agree that encryption is the best way to secure data no matter where it goes. Even the most sophisticated service providers can’t prevent attacks by determined hackers, but encryption could help.
Pescatore points to several recent incidents where hackers infiltrated servers and stole passwords and then tried those same passwords on Gmail accounts. “By hacking your password in one place, and [discovering that] people were using that same password in Google mail, they were able to publish tens of thousands of corporate e-mails on the Web,” he says.
“If I want to use Amazon’s cheap S3 storage service, but I don’t trust them to protect my data, I can feed my data through [a cloud security provider]. It’s encrypted in the cloud, and then it’s stored at Amazon in the cloud,” Pescatore says. “Amazon never sees the keys, and there’s no risk of the data ever being exposed at Amazon.”
When an employee leaves the company or a contractor’s engagement comes to an end, you need a way to completely discontinue their access to your data. New cloud-based identity and access management tools are designed to do just that.
Cloud-based services from vendors such as Okta and Symplified federate identities across all of an enterprise’s hosted services. If an access change is required, the service makes the change across all of the cloud providers. For example, these tools can be used to terminate Contractor A’s access and grant access to Contractor B.
In the near future, more and more cloud providers will offer this as part of their service, says Jonathan Penn, an analyst at Forrester Research. “Salesforce.com already allows you to encrypt certain columns of data, but they still aren’t managing that,” he says. “If you want to manage the keys, then that will be another level [of service].”
In a 2011 Forrester survey, more than 2,300 US and European companies were asked how they would prefer to handle data security for the cloud or SaaS. Some 29 percent of the respondents said they would prefer to have security embedded by the service provider, and 11 percent said they would prefer to seek an add-on service from a security-as-a-service vendor. And 24 percent of respondents said they would like security tools that they could implement themselves.
Many companies use multiple cloud service providers, and their employees and even customers may be able to access all of their data via browsers on their home PCs or smartphones—creating a potential security risk. Smaller vendors offer Web security in the cloud to control data access. These services sit in front of the cloud services a company uses. If an employee tries to access a SaaS site, the information flows through the Web security service, which authenticates it and can audit the data the user is sending out or retrieving. This type of service is becoming more common, says Pescatore.
Procurement costs may look lower when buying a commodity cloud service and then adding one or more security layers, but don’t forget to account for manpower and management time.
Gartner reminds its clients that procuring IT systems in the cloud involves many of the same challenges as any other method of acquiring IT tools. “The more vendors you have to manage, the more management time and mature management process you will need,” Pescatore says. “Many smaller organizations without mature vendor management processes are better off looking at a specialty provider than commodity storage. Your people time and management time are going to be lower with a specialized service provider.”
Finding a cloud vendor that can keep data secure doesn’t have to be a complex or expensive process. For instance, just look for a SaaS provider that has substantial assets or stands to lose a lot if its reputation is compromised, Peterson says. “At least they have a big name, and they care about their reputation,” he says.
You should also look for service providers that have security certifications such as SAS 70 or ISO 27001, Pescatore advises. Then ask questions to learn, for example, where they store data and where they keep backups of data.
And read the contract. “If it specifically disclaims things like ‘data security’ or makes specific statements such as ‘user shall not place highly confidential or private data on this system’… that means they’re not intending to protect it,” Peterson says.
Once the decision is made to use a hosted service, “be highly conscious of what data will be part of what you’re sending to the cloud provider,” he says. Don’t send test data to an unsecure provider and then add production data to the site without considering security.
Even with smaller vendors, it doesn’t hurt to ask for extra security guarantees. “If you have a sufficiently large deal, these contracts are negotiable and providers are willing, because they know it’s a key to greater revenue with large clients. Most are willing to offer valuable protection—but not all of them,” Peterson says. “Use [utility] service providers when it’s appropriate” for less sensitive data, “and pay a little extra for a service when a utility service is
Down the Road
As the cloud continues to mature, so too will security standards. New standards for cloud security are emerging with help from organizations like the nonprofit Cloud Security Alliance, ISO and other groups, Pescatore says. Gartner believes that by 2015, companies will start to see many more cloud services that are “business strength” and secure enough for the most regulated users, including government agencies and banks.
However, between now and 2013, Pescatore cautions, “any enterprise that’s putting customer, financial or other sensitive data out in the cloud is going to have to add some additional security capabilities to the mix or use some very specialized cloud service providers that offer that specialized cloud security.”
Forrester’s Penn offers some encouragement. “[SaaS providers] may not be perfect, but your own environment isn’t perfect. Let’s not try to compare it to the ideal but to reality,” he says. “We’re not outsourcing it specifically for security, although eventually I think that security will be a driver because those big providers are going to have better security than you have. We’re looking at a lot of other business drivers here—agility, flexibility in terms of TCO and pricing models. It’s a matter of understanding all the risks but also putting them in context to the business value.”
The Cloud Exit Strategy
Standard cloud service contracts often don’t require the vendor to return your data to you at the termination of the agreement, says attorney Brad Peterson, a partner in the Chicago office of Mayer Brown.
“If you rely on that data, it’s a real problem. If you think about some of these small companies [that run their entire IT systems in the cloud], they could go out of business tomorrow,” he says. And if a service provider goes bankrupt, “the courts could take months to decide whether to give back your data.”
Companies need to keep data secure—and accessible—until its exit from the service provider, whether planned or unplanned, say industry watchers.
“Some of the big cloud providers feel like once they ‘onboard’ you and they have your data, they kind of have you by the back of the neck,” says Lou Guercia, CEO of Scribe Software, a Manchester-based provider of hosted and on-premises data integration systems. “When it’s time to renew, that’s a piece of leverage that a service provider has—because they have your data.”
With data integration services such as Scribe’s, enteprise customers get local, real-time updated records of everything that’s happening in a cloud application.
To make it possible for users to see those records, cloud software vendors can write a “connector”—a task that should take one developer about a month. With a connector, “whatever data is running in their cloud can run on top of [the data integration service]—and get that local copy of their data regardless of the application,” Guercia says.
Today, vendors are more concerned about their reputations than they are about “squeezing a little revenue out of somebody” by holding data hostage, Peterson says. But that could change.
The cloud is a new phenomenon, and most contracts haven’t been up for renewal yet. “But as the industry matures and begins to consolidate,” says Peterson, “people might start to think they’ve got to grab every bit of revenue they can. It could get ugly.”