Read Before You Sign: Negotiating the Right Cloud Contract

Posted by on Aug 14, 2013

As small businesses flock to the cloud, some have found themselves taken advantage of by shady contracts. While the cloud offers smaller businesses the chance to level the playing field on the global online market, many cloud service providers have sprung up offering cheap storage and sync solutions with very few security precautions. When choosing a third-party cloud service provider, businesses should read the contract carefully, making sure that security provisions are in place and that some measure of transparency is guaranteed. Many smaller companies couldn’t survive the devastation of a security breach. The good news is that private clouds offer a truly secure solution for protecting data while capitalizing on the latest technology.

Negotiating Cloud Contracts

Image courtesy of gmocloud.com

A recent cautionary tale of bad public cloud contracts can be found in the case of NASA. Around 75% of new NASA IT programs are scheduled to start in the cloud, while around 40% of legacy systems could also make the switch. A recent audit found that NASA’s Office of the CIO didn’t even have a grasp of the various public clouds employed through subsidiary offices. And while consolidating to a single private cloud service would add greater security, the audit also found that none of the five contracts reviewed “came close to meeting recommended best practices for ensuring data security.” The audit claims, “As a result, the NASA systems and data covered by these five contracts are at an increased risk of compromise.” If an institution as large as NASA can be duped into accepting shady cloud contracts, it is no surprise that small businesses continue to encounter unsafe third-party cloud contracts.

NASA and the Cloud

Image courtesy of downloadsquad.switched.com

According to Alexa Bona, vice president at Gartner, “We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers.” Gartner predicts that around 80% of IT managers will be dissatisfied with their SaaS contracts due to security issues. To protect your data from being stored by a shady provider, be sure to clearly articulate your demands in the service-level agreement. According to Bona, “Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations. We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed.” You can’t rely on SaaS providers to offer high degrees of security, unless you make it clear that security is what you’re after. Especially in this unregulated cloud market, small businesses must be cautious when it comes to data protections.

The State of Cloud Contracts

Image courtesy of zdnet.com

Businesses should be sure that fee liability limits extend as long as possible, for 24 to 36 months, if it can be negotiated. Another tool for assessing cloud security is the Cloud Controls Matrix, put out by the Cloud Security Alliance (CSA). This spreadsheet lists vital control objectives contributed by CSA members. Bona said, “It will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider.” Another thing to look for is strong data encryption combined with zero-knowledge storage: that way, even in the case of a breach, what is exposed is only unreadable ciphertext blocks.

Finding Integrity in the Cloud

Small businesses can find it hard to choose a truly protected third-party cloud service, as many “secure” services on the market have security gaps that leave business and consumer data wide open to hacking, leaks, and even governmental spying, as in the case of the NSA’s controversial PRISM program. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This cloud service provides small businesses with fully private data storage and syncing, featuring all of the benefits of the cloud along with 100% user privacy.

SpiderOak protects sensitive company data with 256-bit AES encryption so that files and user passwords stay private and protected. Authorized accounts and approved devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. Plaintext encryption keys are stored exclusively on approved user devices, because SpiderOak never hosts plaintext data of any kind. So even if programs like PRISM continue unchallenged, customers can rest easy knowing that their privacy is protected, while brands gain diehard loyalty by publicly securing consumer information. SpiderOak’s cross-platform private cloud services are available for small businesses on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility in deployment.
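The zero-knowledge model that the previous section lists as a contract checkpoint and this one attributes to SpiderOak (client-side AES-256 with keys that never leave the device), as an added Go example that is not SpiderOak's code: a Server that holds only ciphertext, a Device that holds the only key, and GCM authentication so that a blob altered, swapped or read with another key fails on download. The Server and Device types, the file name and the sample row are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Server models a zero-knowledge provider: opaque ciphertext blobs by name, no keys, no plaintext.
type Server map[string][]byte

type Device struct{ aead cipher.AEAD }

// NewDevice models an approved customer device: the AES-256 key is generated here and never uploaded.
func NewDevice() *Device {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no usable entropy: refuse to continue with a weak key
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Device{aead: aead}
}

// Upload encrypts with AES-256-GCM before anything leaves the device. The random nonce is
// prepended; the blob name is bound as associated data so the provider cannot serve one
// file's ciphertext under another name without the download failing.
func (d *Device) Upload(s Server, name string, plaintext []byte) error {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s[name] = append(nonce, d.aead.Seal(nil, nonce, plaintext, []byte(name))...)
	return nil
}

// Download decrypts locally; GCM's tag makes a tampered blob or a foreign key fail loudly.
func (d *Device) Download(s Server, name string) ([]byte, error) {
	blob, n := s[name], d.aead.NonceSize()
	if len(blob) < n { // a missing blob is nil, so this also covers "not found"
		return nil, fmt.Errorf("blob %q missing or truncated", name)
	}
	return d.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	s, d := Server{}, NewDevice()
	_ = d.Upload(s, "payroll.csv", []byte("constructed sample row: alice,4200"))
	pt, err := d.Download(s, "payroll.csv")
	fmt.Printf("server holds %d opaque bytes; device reads %q (%v)\n", len(s["payroll.csv"]), pt, err)
}
```

A breach of the Server yields only the blobs in the map, which is the "unreadable blocks" outcome the contract checklist asks for.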
