By: Matt Neely & Greg Stein
Recently, while working with a client on an assessment, we ran into an issue with their cloud provider. The client requested an annual Penetration Test on their environment that is hosted with a large cloud provider. SecureState has routinely provided this report for our client; however, this year, the cloud provider changed their Terms of Service agreement. The hosting provider no longer allowed outside vendors to scan the environment. Instead, they offered a vendor of their choosing to perform penetration tests and would provide the report to you.
Changes within terms of service are becoming more prevalent. As with any agreement, it is important to understand what your rights are. SecureState works with experts in the area and contacted Greg Stein, an attorney in the Intellectual Property Group of Ulmer & Berne LLP. Greg focuses his practice on counseling clients on data privacy and security laws and negotiating technology transactions. We asked Greg to explain the importance of contracts with cloud providers. Below is his response:
A cloud environment is an extension of a company's internal infrastructure. Although companies are outsourcing capabilities to cloud providers, that does not necessarily shift responsibility for liability from the customer to the provider for the management of the stored data. Accordingly, a company that uses a cloud service provider must seek to assess the service in the same way that it would analyze its own internal structure because it needs to be confident that a cloud service provider can adequately protect its data.
The contract between the cloud provider and a customer establishes the terms of the relationship. For this reason, it is critical to read the contract before signing it. Do not assume that the contract includes some protection that you discussed with a sales representative or that it includes features mentioned on the corporate website. For example, a contract may be silent about whether a third party can perform an assessment of the cloud facilities. If the contract does not expressly provide that a customer has a right to perform a third-party assessment of the facilities, a provider may refuse to permit such an assessment.
Below are a few of the issues you want to consider when reviewing an agreement with a cloud provider:
Not all cloud service provider agreements will be negotiable. It will depend on the circumstances. When a customer is not able to negotiate a cloud agreement, understanding the terms of the agreement is equally important because it will allow a customer to mitigate the risk to the extent possible. If a cloud service provider is only liable for $100 of damages no matter what happens, a customer may buy insurance to cover the risk, only store the least sensitive types of data, or opt to find a different provider. The key is that by reading a contract a customer will understand the customer's potential risk of using a cloud service and will not be caught off guard with unexpected surprises.