Companies have moved in droves to allow hosting partners to store their mission critical applications — along with valuable business information, trade secrets and customer data — in the cloud. Saving money is great, but do you know where all of your data is at all times, and, more importantly, how secure is it? Every cloud deployment should go “eyes-open” into the cloud. No matter where your data is, you are responsible for it and you will be held accountable for a breach in security of the data.
No company should enter into a contract without considering the following, at the very least:
1. Where is the data being stored, meaning where are the servers (computers) physically located?
This means, be specific in your contracts: “All Customer Data will be housed in Provider’s servers located in Columbus, Ohio” (or wherever your Provider tells you they are).
2. Does your provider use offshore (i.e. outside the continental United States) data centers, or does it access U.S. data centers from offshore?
You may wish to state in your contract that: “If Provider intends store any Customer Data or to provide any services under this Agreement from an offshore location or through offshore personnel, Provider will provide all relevant information to Customer and obtain Customer’s prior written approval.” Why is this? Is off-shore data less secure? Not necessarily, but it may not be possible to get your data back from an international location.
3. What measures does your provider take to keep data secure?
Cloud providers may be reluctant to fully share their procedures for their own security reasons, but providers should at least be prepared to give you some description of their security. If the provider doesn’t know what you are asking for or why, find another provider!
4. What insurance does your provider have to cover loss of data or data breach?
Unlike in the early days of data hosting, so called “cyber-liability” insurance policies are now widely available. Ask about it, and better yet, make it a contract requirement. An indemnity clause in a contract for data breach damages is only as good as the financial strength of the provider, and if the data breach is huge, it may put the provider out of business. Insurance can help mitigate the risks.
5. What audits does the provider undergo to ensure its security procedures are satisfactory, and, more importantly, does the provider have adequate controls in place that make sure it is actually following its own policies?
Companies moving data, especially personally identifiable information (“PII”) and protected health information (“PHI”), to the cloud can reduce some of the risks in cloud storage by making sure cloud contracts provide for security standards and audits. One such standard and audit procedure for nonfinancial reporting controls implemented by cloud computing service providers in U.S. locations is under standards known today as SSAE 16 (formerly known as SAS 70) promulgated by the American Institute of CPAs® (AICPA®) . Check with an auditing firm, but you’ll want to ask specifically about SOC 2® reports with respect to the security, availability, or processing integrity of a system, and/or the confidentiality and privacy of the information processed by the system. There are two levels of reports, Type 1 and Type 2. In a type 1 report, the auditor expresses an opinion as to whether the description of the security describes what actually exists, and whether the controls included in the description are suitability designed. In a type 2 report, the auditor’s report contains the same opinions that are included in a Type 1, but also includes an opinion on whether the controls were operating effectively.
6. Does your provider use subcontractors?
Your contract should cover this point. Know the “who” in all of your data storage as well as the “what.” Sure you can get a contract provision that states that “Provider will be fully liable for all the acts of its subcontractors,” but that doesn’t really suffice for good old-fashioned due diligence in knowing where your data is and who is seeing it.