The Cloud – Buyer Beware!
While the Cloud has an amazing number of advantages, it is important to remember that it is hard to see inside a cloud and what you can’t see could hurt you.
I was recently involved in responding to a potential email compromise where the company was using cloud-based email. While this cloud-based email offered the company a lot of advantages, one thing that it did not give them was access to any forensics. This made our forensic process extremely difficult. And, the cloud provider had no liability in case of a breach.
So with that introduction, one of my favorite authors, Professor Daniel Solove of GWU School of Law, wrote a great piece on the legal side of clouds the other day that I think is worthwhile mentioning here. If you are responsible for cloud services at your company, I recommend reading his article; it has a lot more information than I have room to put in this post.
The first thing to consider is this. When you sign up to use cloud services – and it doesn’t matter which cloud services – your use of those services is governed by an agreement that you may or may not choose to read. The fact that you may have chosen not to read it does not make it any less binding.
That company – for example, it could be Google, Microsoft or Amazon Web Services – probably has a lot of lawyers on staff, probably has been sued a lot of times and may well have spent more on the crafting of that legal agreement than the entire annual revenue of your company.
On top of that, unless you are IBM, Nestlé or Procter & Gamble, you probably don’t have a whole lot of leverage to change that agreement. Some, but not an extreme amount.
Still, it is nonetheless important to understand what you are not getting, and you could make the answers to some of these questions a factor in deciding what service to use. Certainly, smaller cloud service providers are more negotiable than some of the bigger ones.
And, to be clear, a cloud service provider or CSP is more than Gmail. It could be a company that does background checks of employees that you interact with over the web. That expanded definition covers a LOT of businesses.
So, here goes!
Companies often use cloud services to store personal information of their customers. Those customers do not have an agreement with the cloud service provider, and the cloud service provider’s terms of service do not extend to them. If your agreement with your CSP does not protect your customers’ data, then you are likely the one on the hook for damages.
If the CSP does not adequately protect your data and there is a breach, the FTC may pay you a visit and say that you are in violation of Section 5 of the FTC Act. Wyndham Hotels tried to fight this concept, but all they did was get the courts to validate that Section 5 can be used in this manner. Recently GMR Transcription Services got sideways with the FTC because they outsourced the actual transcription of their documents and the people and companies that they hired did not have good cyber security practices. Who the FTC whacked was GMR, not the people they hired. The FTC said that GMR failed to provide reasonable and appropriate security to protect personal information.
Professor Solove suggests a number of problems in the negotiation process for agreements.
One issue is lack of knowledge. If you have a purchasing agent reviewing the agreement, he or she may not have the needed knowledge to understand if the protections offered are adequate.
Another issue is, as I said above, lack of bargaining power. In that case, you at least need to understand what protection you do not have, and then you can make a business decision about whether you can afford to take the risk.
Larger organizations may have both the knowledge and clout, but operate in a decentralized manner and therefore don’t take advantage of the opportunity that they have to negotiate a better deal.
There is a new ISO standard, ISO 19086, that provides guidance in negotiating these agreements. It appears that ISO 19086 will have at least 4 parts, but only the first part has been released so far. That part is called a service level agreement framework, part 1, overview and concepts. I think the subsequent parts are probably more important, but I am glad that someone is working on the problem.
In the meantime, you or your attorney should review these documents so that you understand exactly how much poop you could be standing in if something happens.
I will say that, pretty much universally, your service provider is not going to defend you.
I saw an agreement the other day that said that outsourcing to this provider would not put you out of compliance with FISMA or similar rules. Notice that it does not say that if you buy their service that you will be in compliance. There is a big difference between the two.
I have had a number of “discussions” with CSPs who claim they are HIPAA or PCI compliant. If you have a sales person who says that they are, ask them if their company is willing to sign a document that says that if you buy their service, they will indemnify you if a government or other entity says that you were not compliant while using their service. I predict that they will not sign that document.
At this point, the cloud is definitely a buyer beware situation. While using cloud services can be very beneficial, it is totally up to you to make sure that your rear end is covered.
Information for this post came from Prof. Solove’s writings on LinkedIn.
Information in ISO 19086 can be found here.