As we come towards the end of this series, let us put our focus on procedural and governance aspect of cloud security. We have discussed security controls in detail whether it is infrastructure, data or application security controls. Now, let’s move to the most important piece of the cloud governance, that is, contacts and SLAs.
But, to begin with, let us list down our 10 steps to cloud security as defined by Cloud Standards Customer Council.
Ensure effective governance, risk and compliance processes exist
Audit operational and business processes
Manage people, roles and identities
Ensure proper protection of data and information
Enforce privacy policies
Assess the security provisions for cloud applications
Ensure cloud networks and connections are secure
Evaluate security controls on physical infrastructure and facilities
Manage security terms in the cloud service agreement
Understand the security requirements of the exit process
We will discuss step 9 which is about managing security terms in cloud service agreements.
Let us first understand, what is a cloud service agreement? A cloud service agreement is a binding and documented set of specific perimeters and minimum level required for each element of service, as well as remedies for the failure to meet those requirements. It gives details of system architecture and security standards to be maintained by service provider, along with your right to audit their compliance. It mainly consists of two main documents – contract and a SLA. Cloud Security Alliance defines it as primary tool of governance.
In this article, we are going to look at cloud security aspect of cloud service agreement. What are the elements that should be included or which ones that a customer should be aware of when dealing with cloud service providers. You can also refer to ISO standard 19086-1 which talks in more detail about service level agreements in reference to cloud computing.
The most important aspect that should be in the clauses of cloud service agreement is shared security responsibility. I have been talking about this shared responsibility in every article, but this is the place where it should be documented. Shared security responsibility should be clearly documented in cloud service agreement.
Other key security aspects that should be considered when preparing cloud service agreements are:
Notification: Any breach of system, data or infrastructure should be reported by cloud service provider to the customer. Breach notification should have sufficient and relevant information so that customer can protect his assets and data.
Recovery: The cloud service agreement should also specify measures and remedial actions that CSP will take in case of security breach. How the access will be restored, and subsequent investigation process should also be part of the agreement.
Compensation: There should be a clause for compensation/ claim of damages for security negligence on part of the cloud service provider. Although, in reality, it is only limited to very small amounts of rent price etc., and therefore, customer should also look for alternatives like cyber insurance.
Roles and responsibilities: As I said in the beginning, shared security responsibility should be documented in cloud service agreement. Remember, shared responsibility will differ in different service models (IaaS, PaaS, SaaS) and therefore, service models should also be considered when drafting cloud service agreements.
Symmetrical obligations: It is often said, that, agreements are more biased towards cloud service providers and impose strict security obligations on the customer. However, cloud customer should also have recourse against unwarranted suspension of service and other remedies. Customer should enforce such remedies as part of cloud service agreements.
Metrics: This is one of the most important element of cloud service agreement and constitutes the Service level Agreement. Customer should document their prior in-house metrics, compare them with CSP provided metrics and determine how much change is accepted. ISO standard 27004 along with ISO 19086 can give good guidelines in defining SLAs. You can also refer to nist document 800-55 and CIS consensus security metrics.
Data protection and data residency: ‘Data is money’. Lack of protection of PII can have serious consequences. Data residency can also throw major challenges in cloud as different countries have different privacy laws. Therefore, clauses around data protection and residency should be part of cloud service level agreements.
Subcontractors: They are the third-party providers engaged by CSP in delivering cloud services. The security obligations of the sub-contractor should be equal to the primary provider, which means, they should be equally liable as primary provider for any loss or data breach.
Personnel: The employees of CSP should be vetted to the extent permitted by the employment laws. This is very important as those employees have privileged access to customer data (like passwords, databases)
Facilities: Physical security should also find its place in cloud service agreements as it is the facilities where customer’s sensitive data is stored (backups and logs).
Few other elements, which customers can look into for security assurance are – compliance to standards like ISO 27017 and ISO 27018. They can also look at Data compliance report of the cloud security provider.
Lastly, I would say that contracts and SLAs are as important as protecting data and applications. You, as a customer, should be extremely careful and thoroughly review cloud service agreements to protect your infrastructure and avoid any portability issue in future.