SEARCHCLOUDSECURITY.COM Technical Guide on Compliance and Cloud Security

Contents

Compensating Controls Can Help Boost Cloud Compliance

The SAS 70 Report and Cloud Service Providers

Managing PCI DSS Requirements When Moving to the Cloud

Cloud Computing Legal Considerations

Developing Cloud Computing Contracts

Insight

SEARCHCLOUDSECURITY.COM presents a comprehensive guide to compliance and cloud security. Our experts cover all the angles in order to help clarify security and compliance issues associated with cloud computing.

Compliance and Cloud Security
Cloud computing promises IT flexibility and cost savings, but there are also security and compliance implications that CISOs need to understand as organizations consume cloud offerings.

Compensating Controls and Cloud Computing (COMPENSATING CONTROLS)
The benefits of cloud computing are often at odds with an enterprise's compliance efforts. BY CHENXI WANG

The SAS 70 Report and Cloud Service Providers (SAS 70)
Providers are judged via the SAS 70, but the report has weaknesses that undercut its value. BY JOSEPH GRANNEMAN

Managing PCI DSS Requirements When Moving to the Cloud (PCI AND THE CLOUD)
Organizations can maintain PCI DSS compliance through careful analysis and strategic planning. BY ED MOYLE

Cloud Computing Legal Considerations (LIABILITY)
Do your due diligence before signing with a cloud service provider. BY FRANCOISE GILBERT

Developing Cloud Computing Contracts (CONTRACTUAL ISSUES)
Learn critical considerations for cloud computing contracts in order to protect your organization. BY FRANCOISE GILBERT

SPONSOR RESOURCES


Compensating Controls Can Help Boost Cloud Compliance

The benefits of cloud computing are often at odds with an enterprise's compliance efforts. BY CHENXI WANG

IN THE CURRENT economic climate, many of today's organizations are facing aggressive cost-cutting and efficiency pressures that are driving businesses to consider cloud sourcing. While many properties of cloud services, such as elasticity, low-entry costs and faster time-to-market ratios, are well suited to support a wide range of business functions, compliance has been a difficult proposition when considering moving to the cloud. As a result, leveraging the benefits of the cloud and maintaining compliance can be at odds with each other.

One reason behind this clash stems from the implication that the "cloud" is omnipresent and accessible anywhere. But, take note, although a cloud service may be accessible anywhere, it is far from omnipresent. In fact, Forrester Research Inc. recently discovered that many Infrastructure as a Service (IaaS) clouds use a traditional IT outsourcing model: They provision services from specific data centers in specific geographic regions. Although there are true global clouds (like Google), in the Software as a Service (SaaS) segment, many vendors use what are ultimately local clouds to deliver global services.

So why does a cloud service's point of origin matter? There are several reasons, the first of which is that regulations can affect cloud operations, so users of a localized cloud may find their goals at odds with the local laws and regulations that govern the cloud operation. Additionally, true geographic diversity and high availability only come with global clouds. This means if the cloud operation is restricted to a single location or a small set of locations, the benefit of geographic diversity doesn't apply, and in the final analysis, neither does high availability.

Most importantly, location matters; if you don't know where your cloud provider's data center is, or where your data is, you have no means to evaluate whether your data would be subject to any local laws and regulations that may be in conflict with your data privacy compliance goals. With the exception of the new HITECH Act for HIPAA, few laws and regulations in the U.S. have specifically included the role of a service provider. This means that if found in violation of the compliance goal, it's not the service provider that will end up in court. If you don't know where your data resides, it's time to find out.

The economics of the cloud dictate that data and applications are decoupled from infrastructure operations. It's this very notion that engenders tremendous operational and business efficiency while putting security and compliance at odds with these goals. Instead of waiting for the cloud industry to step up its support for regulatory compliance, security professionals need to look beyond their providers for compensating controls to aid cloud sourcing. Here are a few compensating controls to consider:

• Cleanse or anonymize private data whenever you can: Not all data needs to live in the cloud in its clear-text form. Cleansing or anonymizing private data may be the cheapest way of attaining privacy control; therefore always consider this option first.

• Use cloud-independent encryption: As in the case of implementing HIPAA with IaaS, encryption technologies can be used to protect data and applications outside the cloud. Emerging technologies that provide in-the-cloud encryption of either virtual machines or data, with customers holding the key, have tremendous promise for enhanced data protection in the cloud.

• Pay more for higher confidence: If a provider doesn't currently offer a specific control that's essential to achieving compliance, work with that provider to gauge the possibility of attaining that control. Sometimes all it takes is a higher service price. Point out that the provider can potentially generate additional revenues from other clients and gain competitive benefits from implementing the additional control.

• Use a hosted private cloud: A hosted private cloud is a dedicated cloud infrastructure; in other words, a utility pricing model, accessible via standard Internet protocols, and with automated workload distribution, that is hosted by a third party. Because the infrastructure is dedicated to your organization, you have the option to impose stringent security and privacy policies, even having the infrastructure certified by auditors for compliance purposes. The hosted private cloud requires a heftier upfront investment than a public cloud, but lower ongoing operational overhead and better control than a private cloud.


Whatever the control may be, it is ultimately the security professional's responsibility to attain cloud compliance. In the long term, compliance support and effectiveness will become differentiators in the cloud service industry and will likely help further drive adoption. Why? Because cloud services can spread out the cost of compliance support over multiple clients while running more efficient processes that make the additional investment worthwhile.

Chenxi Wang is a principal analyst at Forrester Research, where she serves security & risk professionals. She is a leading expert on content security, application security and vulnerability management.


The SAS 70 Report and Cloud Service Providers

Providers are judged via the SAS 70, but the report has weaknesses that undercut its value. BY JOSEPH GRANNEMAN

The Statement on Auditing Standards No. 70 (SAS 70) has become the ubiquitous auditing report by which all cloud computing service providers are judged. So how did this financial auditing report become the standard by which we scrutinize cloud service providers? How much can we trust this report as a true representation of the security controls in place? To answer these questions, let's first review a little history of the SAS 70 report.

Evolution of the SAS 70 report

The SAS 70 report got its start in 1993 as a way to review the impact of third-party service organizations on the annual financial statements of a company. This became necessary as companies started to outsource key processes such as payroll, order fulfillment, manufacturing and other business processes to service organizations. A lack of controls in any of these third-party service organizations could have a material effect on the annual financial statements. However, a comprehensive financial audit of every service provider for the company would be time consuming and cost prohibitive.

The SAS 70 report was created by the American Institute of Certified Public Accountants (AICPA) to simplify these financial auditing requirements by limiting the number of controls involved in the audit of these third-party organizations. Service organizations could prepare this standard report for all of their customers at once, which would drastically reduce the costs compared with preparing separate reports for each individual customer. The standard allowed financial auditors to more quickly review and test the controls of different service organizations.

The Sarbanes-Oxley Act of 2002, passed shortly after Enron and other accounting scandals shook public confidence in corporate accounting and auditing methods, brought the SAS 70 to the forefront. The law provided oversight of financial auditors and introduced many other changes to corporate accounting practices. The need to validate the impact of third-party organizations on corporate financial statements became much more important; SOX required the pre-existing SAS 70 report to validate the controls in place at a service organization. This simplified report quickly became the default audit for all service organizations, even though it was fundamentally flawed.

The rise of cloud computing pushed companies to search for a method to validate these new types of services. Publicly traded companies that had to be compliant with SOX were already familiar with the SAS 70. It was a natural evolution to adapt the report to auditing cloud computing service providers even though it was not originally intended for this purpose.

SAS 70 report flaws

One of the SAS 70 weaknesses is that it is not as robust as other security frameworks, such as ISO 27000 or the NIST 800 series. These frameworks take a broader approach to information security by reviewing the entire program from a risk management perspective. In contrast, the SAS 70 is focused primarily on security controls and procedures surrounding the data center and financial implications. These controls and procedures are only one part of a successful, risk-based information security program.

The SAS 70 report can be misleading to the casual observer as it only focuses on controls and procedures that are agreed upon before the audit by the auditor and the company being audited. This limits the SAS 70 to only a subset of controls and procedures that would ordinarily be included in a comprehensive security audit. There is no guarantee that just because a control is absent from the audit it doesn't exist. However, since it wasn't included in the SAS 70 report, there is no way to verify that it exists. This creates a level of uncertainty that undermines the validity of the SAS 70 report.

SAS 70 Type I and Type II

It can be easy to get caught up in the difference between SAS 70 Type I and SAS 70 Type II audit reports. The Type I report only requires the auditor to make an opinion on the effectiveness of the controls in place at the time of the audit. The Type II report takes this a step further by requiring the auditor to test the controls as well as document his opinion on their effectiveness. The description of the Type II audit sounds attractive and is exactly what's needed to verify the security controls of a service provider. However, it depends on whether the controls specified by the service provider to be included in the audit are comprehensive. As mentioned earlier, this is not usually the case.

Another issue with relying on the SAS 70 report alone to validate potential cloud service providers is much more controversial. The SAS 70 report is focused on accurate financial reporting, so the auditors involved are typically from CPA firms. A CPA firm possesses the education, training and experience to audit financial controls and may even have insight into other types of controls. However, the question becomes: should a CPA be validating information security controls? If the auditor does not possess expertise in information security, it will be very difficult to provide much insight into the effectiveness of the controls. There will be technical areas that will get overlooked, just as a CISSP would not recognize inaccuracies in a financial audit. This seriously limits the credibility of the SAS 70.

Using the SAS 70 report for cloud evaluations

So what good is the SAS 70? Should an organization interested in purchasing cloud-related services even bother requesting this report from a prospective provider? The SAS 70 can still be useful if the provider has tested more than the minimum number of controls; however, a vendor that provides a SAS 70 will most likely only be focused on areas of strength. A vendor that does not provide a SAS 70 may or may not be serious about information security and protecting your data.

Therefore it is critical to develop your own type of audit questions and due diligence procedure that focus on the controls that are important to your organization. Information security frameworks like ISO 27000 or the NIST 800 series can be extremely helpful in creating a custom due diligence procedure. The SAS 70 report is only the starting point of a solid due diligence procedure with the prospective cloud service provider. The SAS 70 may be useful, but it should never be solely relied upon for validation and reassurance of proper security mechanisms and controls.

Joseph Granneman, CISSP, has more than 20 years in information technology and security with experience in both health care and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.


Managing PCI DSS Requirements When Moving to the Cloud

Organizations can maintain PCI DSS compliance through careful analysis and strategic planning. BY ED MOYLE

FOR THOSE OF us chartered with ensuring that our business stays compliant with Payment Card Industry Data Security Standard (PCI DSS) requirements, migration to the cloud can be a scary proposition. After all, depending on what's moving, where it's going, and how our business will make use of it, there can be some pretty major impacts to our overall compliance efforts.

It's not that vendors aren't trying to reduce the anxiety that end users have. After all, more and more cloud service vendors have started going through the process of becoming PCI compliant and certified. Most notably, Amazon Web Services announced in December 2010 that it achieved Level-1 PCI compliance and is now a validated PCI service provider, but customers still have anxiety when the cardholder data environment (CDE) and the off-premises environments intersect. It's like asking our friend to look after our pet; sure we trust our friend, but we don't quite trust them as much as we trust ourselves to do it right.

So how can compliance and security professionals reduce their anxiety? What can we do to get a handle on cloud computing—and the impact to our compliance efforts with PCI DSS requirements—to make sure we're prepared for the migration to the cloud?

Understand what data is moving

First of all, it's important to understand that not every cloud transition is going to have the same impact on every organization. We need to honestly analyze and evaluate the proposed migration so we can evaluate the extent to which it's even an issue from a PCI perspective. Moving to a cloud storage model? The impact will be much different if what's being stored includes cardholder data such as PANs. Moving an application to a hosted virtual platform? The impact will be different if it's an application that processes payment data.


So it's vital that we understand what will be moving—and where it'll be moving to—in order to understand what the new cardholder data environment (CDE) will be post-transition. We also need to understand how that technology is being used currently and how it will be used post-migration. Specifically, we need to know whether it stores, processes or transmits cardholder data currently, and whether it will continue to do so after it's transitioned. This helps us put our arms around our new CDE and, most importantly, the degree to which it will or won't intersect the hosted environment.

It's important for us to figure the scope out as early as possible in the migration cycle, since one strategy we'll want in our back pocket is to selectively minimize the CDE elements outside our direct control. A good way to accomplish this is by mapping out the data flows (particularly flows of cardholder data) as they currently exist and then updating those flows for the proposed post-migration infrastructure. Recall that for PCI DSS requirements compliance generally, we need to map and document the flow of cardholder data (requirement 1.1.2), so doing this exercise for the proposed post-transition environment will not be wasted effort. As we identify areas that do store/process/transmit the cardholder data, that can help shape either our vendor selection, our migration strategy or both.

Reduce/eliminate off-premises cardholder data

It goes without saying that it's easiest for us to manage compliance when the entirety of the CDE is within an environment that we manage and directly control. Note that this does not mean that vendors won't have the same (or better) technical, physical or administrative controls, just that it's easier from a governance standpoint when we directly control the environment. Therefore, as we go through the transition effort, it's helpful for us to try to architect in a direction that keeps cardholder data out of vendor/partner control. There are a few strategies to do this.

The most direct strategy is to limit the flow of data to the service provider by refraining from transitioning applications and devices that directly store, process or transmit cardholder data. If we identify that a transition plan will impact a device that performs one of these functions, we can attempt to strategically re-architect how data flows prior to the transition. For example, if we identify that cardholder data is relayed via a particular server in the environment, potentially we can change the business process so the server is no longer involved; once we engineer this change and scrub the server of any lingering data, we can scope that server out of the CDE.


Another strategy is to utilize encryption as a means of scoping out portions of the transition infrastructure. The PCI Security Standards Council has stated in the past that encrypted data can be "out of scope" of assessment efforts when the entity in possession of it has no ability to decrypt it. So if we do need to store the data or allow it to traverse a vendor environment, encrypting that data can help us to consider it out of scope—provided we don't share the encryption key with our cloud service provider and we validate that no data leakage occurs.

Of course, it will not always be possible to limit the scope of what's deployed. Sometimes, situations will occur that leave us in a position of having our CDE extend beyond the infrastructure and environments we manage. This could be because we identify cardholder data on devices scheduled for migration (and we can't change it), and other times we'll discover cardholder data on devices we didn't know had it. For both sets of circumstances, it's useful to start as early as possible to ensure we're prepared. That's accomplished first by selecting vendors who understand our PCI compliance challenges and that have a reasonable, fact-based PCI "story"; ideally that involves some type of certification. Second, we need to ensure we can (as much as possible) align the controls in the vendor-managed environment with what we require internally for devices in the CDE (with the frank understanding from the get-go that we might not be able to get all the way there).

Realistically, there are quite a few challenges that result from the intersection of PCI DSS requirements compliance and cloud computing, but with forethought and a workman-like approach, it really doesn't have to be all that scary after all.

Ed Moyle is a senior security strategist with Savvis as well as a founding partner of consultancy Security Curve.


Cloud Computing Legal Considerations

Do your due diligence before signing with a cloud service provider. BY FRANCOISE GILBERT

THE CHARACTERISTICS OF cloud computing—on-demand self-service, elasticity, metered service or ubiquitous access—make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink: just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a "one-size-fits-all" product where standardization is key to reduced cost.

Consistent with this model, which benefits from uniformity and standardization, many cloud services agreements are presented in the form of a click-wrap agreement, where no negotiation is possible, and the customer clicks on an "I agree" button to express consent to the terms. The apparent ease of entry into these contracts makes the process seem as easy or inconsequential as purchasing a song from iTunes.

However, the fact that in most cases the purchaser of cloud services is pushed to interact with vendors through websites and generic form agreements does not adequately reflect the unique complexity and importance of cloud-service contracts. Cloud computing relationships are extremely complex and fragile. They involve relinquishing control over, and custody of, a company's vital data, documents and applications to one or more service providers with whom company executives may not have ever met, and which may be hidden or difficult to identify in the fog created by the so-called cloud. Cloud contracts thus raise numerous complex technical, business and other issues that could create significant exposure to financial disasters, embarrassment and other problems if not attended to with sufficient precautions.

Cloud computing legal issues, in particular, abound. These issues include: ensuring access, availability and performance; customization and integration with existing technologies; cost and pricing; compliance with regulatory requirements; ability to terminate and move to another service provider or take data in-house; and much more. The security measures used to protect the data entrusted to the vendor are crucial. It's also important to define how liability for the loss of data will be allocated, or to address the extent to which the customer will be able to have access to the data or retrieve the data in case of termination.

Do not be fooled by appearances; be careful when stepping into the cloud. In part one of this two-part tip, we'll review cloud computing legal considerations and the due diligence required before choosing a cloud service provider. Part two covers critical steps for developing, maintaining and terminating a cloud service provider contract.

Think before you click

First, do not rush into a cloud service agreement. Cloud providers have made it very easy to purchase their services on the Internet. It is almost as easy to purchase a book from Amazon as it is to purchase a subscription to Amazon’s EC2 services. Wait! Do not click on the “I agree” button until you understand what you are getting, and more importantly, what you are not getting. Just because the service appears so easily available from the vendor’s website does not mean it is the right service for you, or that the terms of the offering are fair and balanced.

Ensure there are no cloud computing legal obstacles

Are you sure that using the cloud for the type of data and the types of services that you envision is legal? Companies are the custodians of the personal and other data entrusted to them. This data is frequently protected by laws, regulations or contracts that prohibit, restrict or limit the disclosure or transfer of this data to a third party. For example, health information protected under HIPAA cannot be transferred to a third party or “business associate” without imposing specific obligations on that business associate. Some U.S. state laws require that Social Security numbers, driver’s license numbers, financial information, and other similar information be encrypted before being transferred to a third party. Other laws require entering into a written agreement with the service provider, with specific terms.

If your data originates in one of the 40-plus countries that have adopted comprehensive data protection laws, it’s likely that the data may not be taken out of its country of origin and transferred, because the recipient country is probably not going to provide adequate protection for the privacy rights of the individual to whom the data pertains, unless specific contracts are signed or other specified arrangements are made.

Perhaps your company has signed a confidentiality agreement or a data-transfer agreement with a third party from which it received sensitive data, such as personal information or trade secrets. In this case, this agreement probably prohibits you from transferring the data to a third party without the prior permission of the data owner. Thus, moving this data to a cloud without the prior permission of the data owner would breach this agreement.

Remember: Before exploring the cloud services offering, determine whether your business model and the contracts that bind your company allow for the use of these services, and under which conditions.

Due diligence questions

Once you are confident that a particular application or database may be moved to the cloud without breaching any laws or existing contracts, you must investigate the vendor. Just because a service is attractive or works well for the company next door does not mean that it is right for you.

Organizations should conduct thorough due diligence on a proposed cloud service provider in order to determine whether the services offered correspond to their needs. Myriad questions need to be asked and their answers carefully analyzed; for example:

• What services will be provided?
• Will the service allow the company to fulfill its computing and access needs?
• What are the vendor’s technical capabilities?
• What are its financial capabilities? What is the likelihood that it will remain in business for the next few years?
• What service levels will be offered? Is there any possibility of downtime?
• How secure are its operations? What security measures are used?
• Is the cloud vendor equipped to handle business interruption and disaster?
• What support will be provided?
• What will happen if there is a security incident?

Different methods may be used to conduct due diligence. For example, you could speak with existing clients, send questionnaires and review the answers, review audit reports, and survey comments from current customers on listservs and other forums on the Internet.

Remember that this due diligence is necessary to understand and evaluate the entity to which you will entrust important company information. It’s a well-known “best practice” and is required by several laws. Skipping this important step would expose the company and its management to potential claims of negligence and breach of duty of care.

Francoise Gilbert is the managing director of the IT Law Group, and serves as the general counsel of the Cloud Security Alliance. She focuses on information privacy and security and data governance. Gilbert has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of Information Privacy and Security. US News has ranked the IT Law Group as one of the top law firms in the Information Technology Law area.


Developing Cloud Computing Contracts

Learn critical considerations for cloud computing contracts in order to protect your organization. BY FRANCOISE GILBERT


CLOUD SERVICE RELATIONSHIPS are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing into the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In this article, we review critical steps for developing, maintaining and terminating cloud computing contracts.

Read and negotiate the contract

Once you have chosen one or several cloud vendors or cloud offerings, the next step is to enter into a written contract for these services. The contract is intended to accurately describe the agreement and understanding of the parties. It should address the major issues that are critical for the survival of your business.

Depending on the nature of the services, the volume of data, and the leverage of the company, the contract may be in the form of a click-wrap agreement, which is not negotiated, or the parties may negotiate a more complex written document that is tailored to the specific situation.

If only a click-wrap agreement is available, the contract is likely to be one-sided in favor of the service provider and to lack most of the warranties and protections that a purchaser of the service would wish to receive. In this case, you should balance the risks from forgoing negotiations and protections against the actual benefits, financial savings and ease of use promised by the cloud service provider.

If you have the ability to negotiate the cloud computing contracts, you may be able to add or modify provisions that address your company’s needs while defining the obligations of the parties both during the term of the contract and upon termination. Detailed, comprehensive provisions tailored to the unique risks of operating in a cloud environment should be negotiated.

For example, it is important to know where the data will be stored or processed, because the fact that the data is held on a server in a particular state or country is likely to subject the data to the jurisdiction of the country where the server is located. You may want to look for guarantees with respect to the scope of the services, the prices, the support offered and the downtime. You should also seek commitment from the cloud vendor that it will protect your data with adequate security measures. You may also need to ensure the vendor will inform you promptly if a security incident has affected the data that you placed in its custody. As the custodian of your employees’ or customers’ personal information, you may have an obligation under U.S. state law to inform them of loss or compromise of their data.

Cloud computing contracts and termination

Numerous events may lead to the termination of cloud computing contracts and relationships. The contract may expire at the end of its term and not be renewed. It may be terminated for default or material breach, financial difficulties or bankruptcy. Each such event raises the issue of access to, and ownership of, assets; organizations must plan to ensure they will be able to retrieve their data.

Keep in mind that your data will be the most at risk upon termination of the contract. The cloud vendor has no incentive to be nice to a customer that is leaving. Worse, the cloud vendor may be experiencing financial difficulty, which significantly increases the risk of loss and vulnerability of the data. Provide for the proper—and secure—winding down of the relationship in order to ensure business continuity and to limit the risk of loss or alteration of the data.

Plan for termination of the contract before signing it. Ensure the service agreement lays out whether and how the data will be returned to your company or destroyed, the cost associated with this return, and the procedures to be used in the event of termination.

The volume of data to be returned might require planning and proper logistics. The data might have been commingled with other customers’ data to save space or for technical reasons. This entanglement might make it difficult, time consuming, expensive or perhaps impossible to disentangle the data.

The cloud environment may create unique risks or enhanced exposure. The technology used—i.e., a distributed computing environment—may make it difficult to locate the data. The amount of data may be so large that practical difficulties in collecting the data are very likely. Further, the parties are likely to be located in different jurisdictions, each with a different legal regime, which will increase the uncertainty and complexity.

Throughout the life of the relationship, keep monitoring the activities of the vendor to ensure the performance of the contract according to its terms. To the extent possible, monitor, test and evaluate the services provided in order to verify that the required service levels are reached, the promised privacy and security measures are being used, and the agreed-upon processes and policies are being followed.

Keep in mind also that further revisions to the contract might be necessary from time to time. They may be required by external or internal changes. For example, the cloud service provider may have to change its security practices and procedures in order to address new security threats. It may have developed new products or applications that are better suited to your company’s needs. Both the cloud service provider and the customer may need to adapt to new compliance requirements if new laws are passed or regulations are enacted during the term of the contract.

Talk to your lawyer early

In most cases, entrusting your company’s data to a third party will be an important decision. Get help from experienced professionals. Do not wait until the last minute to speak with your lawyer. The more you procrastinate, the more you expose your company to errors and failure. It’s like starting a game with part of the team missing, and waiting until the last 10 minutes to bring in the remainder of the players. It may work occasionally, if you are lucky, but most of the time, playing with an incomplete team will cause you to fail or take unnecessary risks. Your attorney will help you navigate the maze of multilayered cloud computing contracts, decipher obscure, complex cloud agreements, identify what is missing, and see through puffing and other empty promises.


“Technical Guide on Compliance and Cloud Security” is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.

All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or SearchSecurity.com.
