According to the Cloud Security Alliance, a lack of due diligence remains one of the top continuing threats to cloud computing. While businesses may have an awareness of the general nature of cloud technology and related security threats, many businesses undertake little due diligence about their cloud service providers (CSPs). Even basic due diligence, such as assessing the financial health of the CSP or determining how long the CSP has been in business, is frequently not considered.
Since less than 50 percent of new businesses survive more than 5 years and many cloud service providers (CSPs) are newer companies, there is good reason for businesses and their lawyers to pay more attention to due diligence in the area of cloud services — an increasingly important part of the business supply chain.
How deep to dive
Due diligence can involve a “deep dive” or a more limited look at specific areas of concern. The approach varies depending on the scope of the cloud deployment and its materiality to the business. Since businesses and their lawyers often have limited time and resources to devote to cloud due diligence, developing a good roadmap and checklist for due diligence on a CSP is essential. Due diligence should involve a team approach, bringing together IT, legal, compliance and the appropriate business unit of the company.
Planning for due diligence of CSPs should draw on IT due diligence checklists and guidance from the Cloud Security Alliance and NIST, as well as internal control frameworks such as those provided by the Institute of Internal Auditors, a global guidance-setting body whose publications can help ensure adequate scoping of a due diligence review of CSPs; the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management and fraud deterrence; or Control Objectives for Information and Related Technologies (COBIT), which also provides IT governance and control frameworks that can be used as a guide in the due diligence review of CSPs.
Due diligence must be tailored to the legal and regulatory compliance considerations of each business. There are some CSP due diligence inquiries that are common to a variety of cloud users such as consideration of any recent changes in the CSP’s regulatory or operating environment; new technology; new products and services adopted or offered by the CSP; and foreign operations by the CSP. New laws or changes to existing laws can significantly increase the legal risks to CSPs.
Within the cloud industry, mergers and acquisitions continue as companies compete to expand their business offerings and customer bases through cloud services. Such organizational changes can have a significant impact on a CSP’s operations. New technologies adopted by CSPs may also create increased risks while the CSPs adapt their processes and procedures to those technologies, since business policies and internal security controls may not keep pace with the speed of these changes. Similar risks exist with new products and services adopted by a CSP, since the CSP may lack experience with the new product or market. A CSP’s expansion into new foreign operations can present numerous legal and other business challenges.
Risk factors to consider
Further insights about the risks to consider in CSP due diligence can be gained from reviewing the “Risk Factors” sections of the Form 10-K Annual Reports filed by publicly traded CSPs. In these SEC filings, the CSPs describe risks and vulnerabilities affecting their own businesses as well as the cloud marketplace generally. Risks identified have included:
Data loss or other security breaches. CSPs process, store and transmit large amounts of data, including personal information, making them vulnerable to data loss and security breaches. Some CSPs have expressly acknowledged that they are a constant target of cyber-attacks of varying degrees and have encountered security breaches in the past. Complying with the applicable notice requirements in the event of a security breach could result in significant costs to a CSP and to its customers. Inquiry should be made about the CSP’s insurance and financial capacity to handle the response to a large-scale breach.
Use of third-party technology. Both large and small CSPs use third-party technology and systems for a variety of reasons, including encryption and authentication technology, employee email, content delivery to customers, back-office support and other functions. The use of these third-party technologies and services creates expanded areas of risk which should be evaluated as part of the CSP selection process.
System interruption and lack of redundancy. Both large and small CSPs experience system interruptions and delays that make the cloud services unavailable or slow to respond and prevent the CSPs from efficiently fulfilling orders or providing services to their customers. Also noteworthy are disclosures that some CSP systems are not fully redundant, that CSP disaster recovery planning may not be sufficient and insurance coverage may be inadequate to compensate for any related losses.
Government litigation and regulatory activity. The government has closely scrutinized some CSPs under U.S. and foreign competition laws and imposed various constraints on these CSPs. These constraints on CSP operating system businesses create risks for cloud users that some cloud services may be unexpectedly curtailed or prohibited.
Physical infrastructure is concentrated in a few facilities. While data backup services and disaster recovery services are available as a part of many CSP hosting services offerings, many cloud customers do not elect to pay the additional fees required to have disaster recovery services store their backup data offsite in a separate facility, which could substantially mitigate the adverse effect to a customer from a single data center failure. Consequently, any failure or downtime in a CSP’s data center facilities could affect a significant percentage of a CSP’s customers. The total destruction or severe impairment of a CSP’s data center facilities could result in significant downtime of the CSP’s services and the loss of customer data.
Some questions to ask
In developing your cloud due diligence checklist, be sure to include questions about:
Encryption? Find out whether the CSP will encrypt your company’s data and whether it will be encrypted at rest and in transit.
Who owns the data? Be sure you understand and address ownership of your company’s data once placed into the CSP’s cloud service.
When and how will data breach notifications be handled? Ask how the CSP addresses data breaches and notifying your company and any affected persons of the breach.
Security and privacy? Are required security, privacy, monitoring and audit requirements explicitly stated in the contract/SLA with the CSP? Request details regarding security and privacy controls in the CSP’s environment as well as in the environment of any cloud service sub-providers.
What happens upon termination of the contract? Be sure to address the process for revoking all physical and other access rights assigned to the CSP upon termination. Confirm that any resources provided to the CSP are returned in a format that can be accessed by your company and that all of your company’s data has been properly expunged from the CSP’s environment.
How does the CSP handle business continuity and disaster recovery? Request a copy of the CSP’s Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), and Incident Response Plan (IRP) and documentation of the associated processes and procedures. Ask whether the CSP’s BCP/DRP/IRP plans have been tested. Is the CSP willing to share documentation demonstrating successful testing and the extent of the testing? Ask how the CSP’s plan works for the disasters of multiple clients simultaneously.
Without a complete understanding of the CSP environment and operational responsibilities, such as incident response, encryption, and security monitoring, businesses are taking on unknown levels of risk in ways they may not fully understand and which may be quite different from their current risks. Lawyers can help assess and manage these risks by developing due diligence tools for this important part of the cloud services procurement process.