When weighing options for increasing enterprise computing capabilities or seeking ways to improve IT operational efficiency, the prevailing method is to integrate an external IT services vendor, commonly referred to as a cloud service provider or CSP, either to supplement internal IT capacity or to outsource entire IT functions. While outsourcing has been shown to be a valid approach for lowering the initial cost of deploying new IT-based services and shortening the time before such investment yields tangible benefits, successfully mitigating or eliminating the risks associated with this approach is proving to be more elusive. A proper risk assessment must be undertaken before concluding that outsourcing to a CSP will be advantageous over the long term. This document is intended as an introduction to the basics of CSP risk for business managers who are considering, or have already decided on, utilizing cloud-based services, especially in departments with stringent privacy and security requirements, and offers guidance on recommended practices for integrating such vendors into the Harvard environment.
Needs and Gap Analysis. As a prelude to the formal risk assessment, prudent business and project management practice dictates that an organization first conduct a needs analysis to define business objectives, including:
- Short and long-term operational goals,
- Potential pathways toward achieving the desired end state,
- Financial resources required in support of those goals, and
- Appropriate metrics for ensuring implementation success.
If some portion of the preferred IT service model will remain the domain of one or more in-house teams, the sourcing department’s project leader should clearly identify the roles and responsibilities of each team as part of the gap analysis, to understand whether sufficient capacity and talent reside in the organization to execute those functions at the desired service level. Extra consideration should be given to areas of weak, unknown or non-existent capabilities as candidates for addition to the cloud provider’s scope of services, especially if a risk-inclusive financial analysis indicates that outsourcing would be more cost effective than developing the talent in-house.
Assess the Risk of Prospective Cloud Providers. Long before initiating any substantive contract negotiations or starting operational integration of a CSP, the sourcing department should evaluate the cloud provider’s competency and commitment to deliver the desired services over the target timeframe and to meet the stipulated security and privacy levels. The cloud provider should be asked to demonstrate its capabilities and approach to security and privacy enforcement, or to undergo an independent, pre-hire evaluation of its installation and systems. When considering publicly owned service providers, the sourcing department should request that the vendor supply a copy of its most current SSAE 16 SOC 2 report. This report, prepared by an independent auditing firm, provides valuable information regarding the service organization’s controls and the effectiveness of those controls, i.e., whether the controls were placed in operation, suitably designed, and operating effectively. Privately held companies that regularly compete against their publicly owned counterparts may also voluntarily subject themselves to the same audit evaluation as a way to offer transparency into their internal control environment.
Ultimately, to thoroughly evaluate the prospective vendor’s service abilities, consideration should be given to the firm’s:
- Experience and technical expertise of key personnel
- Governance and compliance policies and practices including the vetting process all new personnel undergo
- Quality and frequency of security and privacy awareness training provided to personnel
- Account management practices and accountability
- Adoption rate of new technologies
- Change management procedures and processes
- The underlying mechanisms used to assure that privacy and security standards/commitments are being achieved
- The ability of the cloud provider to meet the sourcing organization’s declared security and privacy policies, procedures, and regulatory compliance obligations.
For those CSP candidates successfully navigating this initial screening process, the next step, whose importance as a critical risk mitigation measure cannot be overstated, is to ensure that a comprehensive, written contract is in place between the sourcing department and the CSP finalist which codifies all applicable service level expectations and the other important duties each party must effectively perform.
Establish Minimum Service Expectations and Contractual Obligations. The organization should ensure that all performance requirements are explicitly stated in the service agreement, including privacy and security provisions. The agreement should clearly define both the organization’s and the cloud provider’s roles and responsibilities. The organization should also make certain that any compensating controls needed to reduce risk to an acceptable level can be carried out within the terms of the agreement. It is strongly recommended that all CSP service agreements include the following items:
- A detailed description of the service environment, including facility locations and applicable access control requirements
- Predefined service levels (i.e. required ‘up-time’ percentage minimums) and associated costs, including non-negotiable taxes, levies, and fees imposed by the provider or any government agency.
- Specific remedies for specific harm caused or resulting from any non-compliant activities by the cloud provider
- The period of performance and due dates for any deliverables
- The cloud provider’s points of interface with the organization
- The sourcing organization’s responsibilities for providing relevant information and resources to the cloud provider
- Procedures, protections, and restrictions for co-locating or commingling organizational data and for handling sensitive data
- Procedures dealing with system access and data availability with respect to electronic discovery
- The process for assessing the cloud provider’s compliance with the service level agreement, including independent audits and testing
- The cloud provider’s obligations upon contract termination, such as the process for returning and/or permanently expunging organizational data.
If the Harvard sourcing department will be especially reliant on the service provider for mission critical IT functionality, the terms of the service agreement should have extreme clarity in the following areas to minimize potential problems:
- Ownership rights over data;
- Location of organizational data within the cloud environment addressing jurisdictional implications;
- Security and privacy performance visibility;
- Service availability and contingency options;
- Data backup and recovery;
- Incident response coordination and information sharing;
- Disaster recovery.
Privacy regulations may be interpreted differently by an organization’s legal and privacy officers than by a cloud provider. The sourcing department must take due care when reviewing the controls provided or negotiated in the cloud provider’s service agreement to identify and resolve inconsistencies between the organization’s and the cloud provider’s privacy policies. The department must also ensure the controls provided are adequate to protect the types of information being planned for deployment to the cloud environment.
Negotiating Cloud Service Provider Agreements. Before entering into the contract, it is advisable to have an experienced legal adviser review the terms in detail. The typical cloud service agreement negotiation process usually starts with non-negotiable, ‘take-it-or-leave-it’ terms being offered by the vendor, with the document slanted heavily in favor of the cloud provider. As drafted, most may prove to be impracticable for an organization with very strict operational and governance needs.
Reaching agreement on the terms of service of a negotiated agreement for public or private cloud services can be a complicated process fraught with technical and legal issues. If a negotiated service agreement is desired, a legal adviser should be involved, if not empowered, from the outset to deal with the complicated legal issues that are likely to arise during negotiations. Regardless, it is strongly recommended that a sourcing department negotiating agreement terms with a cloud service provider insist that the contract contain the following risk management provisions:
- Non-disclosure agreement (NDA) – also known as a confidentiality agreement (CA) or confidential disclosure agreement (CDA), an NDA outlines confidential material, knowledge, or information that the parties to any contract wish to share with one another for certain purposes, but wish to restrict access to or by third parties. Due to the sensitive nature of data likely to be in the custody and/or under the control of the service provider, the CSP must execute an NDA that obligates them to keep confidential the existence and nature of the relationship with Harvard. Additionally, the vendor shall agree not to disclose any confidential data to third-parties, not disclose such data to their employees unless such employees need to have access to the data in order to fulfill the CSP’s obligations under the provider agreement, and will use the same degree of care and diligence to protect Harvard information from disclosure to others as the vendor employs to protect its own information of similar importance.
- Compliance – the CSP must assure that all systems and subsystems which will process, store or otherwise record protected information, as defined and governed by any local, state, or national regulation such as FISMA, FERPA, PCI, HIPAA and the like, have the necessary technical, physical, and procedural safeguards for controlling access to that information in accordance with those regulations.
- Electronic Discovery – electronic discovery involves the identification, collection, processing, analysis, and production of Electronically Stored Information (ESI) in the discovery phase of litigation. ESI is usually defined to include not only electronic mail, attachments, and other data objects stored on a computer system or storage media, but also any associated metadata, such as dates of object creation or modification, and non-rendered file content. All CSPs shall be required to preserve and produce, at the University’s request, any ESI contained on their systems and networks. Additionally, the CSP shall also be required to produce on a timely basis any other electronic documents when needed for compliance with audit, investigatory and regulatory information requests.
- Data Ownership – the contract should state clearly that Harvard retains exclusive ownership over all its data; that the cloud provider acquires no rights or licenses through the agreement, including intellectual property rights or licenses, to use the data for its own purposes; and that the cloud provider does not acquire and may not claim any interest in the data due to security. Additionally, the terms of the data ownership in the agreement must not be subject to unilateral amendment by the cloud provider.
- Composite Services and Control over Subcontracting – cloud services themselves can be composed through nesting and layering with other cloud services and providers. For example, a public SaaS provider could build its services upon those of a Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) cloud. The level of availability of the Software as a Service (SaaS) cloud would then depend on the availability of those services. Cloud services that use third-party cloud providers to outsource or subcontract some of their services should raise concerns to the project manager involved in contract negotiations. Cloud service agreements proposed for use with any Harvard department should contain a clause that defines the scope of control over the third party, the responsibilities involved (e.g., policy and licensing arrangements), and the remedies and recourse available should problems occur. When the agreed services will be delivered via a composite arrangement using multiple subcontractors, the clause should also delineate which party holds ultimate liability, preferably being the prime CSP, for failure to satisfy applicable performance guarantees.
- Right to Audit – the sourcing department shall have the right to audit the CSP and any subcontractors for compliance with contractual obligations. Such right shall permit, at the sourcing department’s sole discretion, the audit to be conducted either by the organization’s own staff or by a third-party auditor under contract to the department. The right to audit should also grant full access to any vendor facilities, installations, operations, documentation, databases, and personnel used in performance of the service agreement.
- Transparency and Cooperation – the transition to public cloud services entails a transfer of responsibility to the cloud provider for securing portions of the system on which the organization’s data and applications operate. To facilitate the implementation of continuous monitoring, the sourcing department is dependent on the cloud provider, whose cooperation is essential, since aspects of the computing environment are under the cloud provider’s effective control. Transparency in the way the cloud provider operates, including the provisioning of composite services, is a vital ingredient for effective oversight over system security and privacy by an organization. To ensure that policy and procedures are being enforced throughout the system, the cloud service agreement should include some means for Harvard to gain visibility into the security controls and processes employed by the cloud provider and their performance over time. Ideally, Harvard would be granted control over aspects of the means of visibility to accommodate its needs, such as the threshold for alerts and notifications and the level of detail and schedule of system status reports.
- Indemnification and Limitation of Liability – though the proliferation of cloud service providers is creating sufficient leverage for knowledgeable buyers to obtain more agreeable contract terms, most agreements still contain one-sided clauses that deny indemnification to the sourcing department by the CSP, even for situations where the provider is solely negligent for an adverse event’s direct and/or consequential damages. In other less obvious instances, the provider, seemingly to create the impression of a more balanced agreement, may agree to indemnify the sourcing department for loss, damages, and expenses caused entirely or aggravated by the negligence of the provider. However, such relaxing of the ‘no liability’ position is often coupled with a limitation of liability that caps economic damages owed by the CSP to the sourcing department to no more than the notional value of the contract – such typically being a mere fraction of the potential total damages incurred by the sourcing department to resolve such matters. Therefore it is critical that the agreement not contain any language that eliminates or reduces the provider’s obligation to indemnify Harvard for loss or damage caused by its negligence nor contain language that caps or limits its obligations for the full financial liabilities arising out of such negligent act or action.
- Insurance – given that a significant percentage of cloud service providers have been in existence for less than 5 years and likely have minimal liquid assets buttressing their contractually assumed liabilities, relying on verbal promises to remedy, or settling for extended service fee credits as compensation for a costly interruption in service or breach in privacy/security, is unsatisfactory. Considering that the primary service provider and other providers under subcontract to them may very well be domiciled in a geographic area outside of the US court system’s ability to enforce a liability judgment, the sourcing department must consider a more reliable source of funds for offsetting the cost of dealing with an outage or breach. Commercial insurance can serve that vital role in assuring the sourcing department will have access to the financial resources needed to deal with the consequences of a casualty arising out of the CSP relationship. A clause should be included in the provider agreement that mandates the CSP maintain, for the life of the agreement, a minimum amount ($3 million is considered commercially reasonable) of so-called cyber liability insurance in addition to the standard types and amounts of coverage required by the University of all other goods & services vendors. All or any of the noted insurance should be increased beyond minimum levels if the perceived nature and magnitude of risk associated with the given cloud deployment justify demanding additional coverage. Factors that may increase insurance requirements include access to large quantities of records or to particularly sensitive data, such as medical records (e.g. protected health information).
Assess Performance. Once the selected CSP has been incorporated into the IT environment, verifying its adherence to the terms of the provider agreement is the last component of basic cloud risk management. Continual assessment (CA), as permitted under the agreement’s ‘Transparency, Cooperation, and Right to Audit’ clauses, of the cloud provider’s performance and the quality of services provisioned is an essential part of the risk management process to ensure all contract obligations and organizational requirements are being met. The sourcing department should analyze the state of the system regularly and as frequently as necessary to manage security and privacy risks adequately. Continual assessment allows the organization to take immediate corrective or punitive action for noted deficiencies and also provides a reference point or benchmark for improving the terms of the provider agreement. Use of dashboard-type views may prove to be the most efficient way to create a CA environment, for example for monitoring compliance with the minimum ‘up-time’ percentage commitments.
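The up-time check that such a dashboard would surface can be reproduced in a few lines. The following is an added example, not part of the original document or of NIST SP 800-144: it reads a constructed availability-probe log (the timestamps, states and the 99.9% minimum are assumptions for illustration, not figures from any Harvard agreement), derives the downtime intervals, computes the up-time percentage for the reporting period and compares it with the contractual minimum so that a breach is flagged rather than averaged away.

```python
"""Up-time compliance check against a contractual minimum (added example)."""
from datetime import datetime, timedelta

# Constructed sample log: one line per availability probe, "<ISO-8601 UTC> UP|DOWN".
# A real probe would run every few minutes; a few lines over 24 hours suffice here.
SAMPLE_LOG = """\
2024-03-01T00:00:00Z UP
2024-03-01T06:00:00Z UP
2024-03-01T06:05:00Z DOWN
2024-03-01T06:35:00Z UP
2024-03-01T18:00:00Z DOWN
2024-03-01T18:10:00Z UP
2024-03-02T00:00:00Z UP
"""


def parse_log(text):
    """Return a chronologically sorted list of (timestamp, is_up) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, state = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, state.upper() == "UP"))
    events.sort()
    return events


def downtime_intervals(events):
    """Derive (start, end) outage intervals from the probe sequence.

    A DOWN probe opens an outage at the time it was observed; the next UP probe
    closes it. An outage still open at the end of the log is counted up to the
    last observation, so a provider that is down at period end is not credited.
    """
    intervals = []
    outage_start = None
    for ts, is_up in events:
        if not is_up and outage_start is None:
            outage_start = ts
        elif is_up and outage_start is not None:
            intervals.append((outage_start, ts))
            outage_start = None
    if outage_start is not None:
        intervals.append((outage_start, events[-1][0]))
    return intervals


def sla_report(log_text, minimum_uptime_pct):
    """Compute up-time over the logged period and compare with the agreed minimum."""
    events = parse_log(log_text)
    if len(events) < 2:
        raise ValueError("need at least two probes to define a reporting period")
    period = events[-1][0] - events[0][0]
    outages = downtime_intervals(events)
    down = sum((end - start for start, end in outages), timedelta())
    uptime_pct = 100.0 * (1 - down / period)
    # Downtime budget the agreement allows for this period, for the dashboard.
    allowed_down = period * (1 - minimum_uptime_pct / 100.0)
    return {
        "uptime_pct": round(uptime_pct, 4),
        "downtime_minutes": int(down.total_seconds() // 60),
        "allowed_downtime_minutes": round(allowed_down.total_seconds() / 60, 2),
        "outages": len(outages),
        "compliant": uptime_pct >= minimum_uptime_pct,
    }


if __name__ == "__main__":
    print(sla_report(SAMPLE_LOG, 99.9))
```

Two design points matter when turning this into a dashboard. First, an outage is dated from the first DOWN probe, so the true outage began somewhere in the preceding probe interval; to be conservative toward the department rather than the provider, date it from the last UP probe instead, or tighten the probe interval. Second, the reporting period should match the one written into the agreement (monthly is common), because the same 40 minutes of downtime that breaches a 99.9% daily figure is comfortably inside a 99.9% monthly one.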
Beyond the high-level CA process, usually focused on just basic performance and compliance, the sourcing department should make provisions for the regular auditing of more complex and less transparent practices which do not lend themselves to dashboard-type oversight. A provider audit should focus particularly on areas of critical importance, most notably those falling within the realm of information security. Any audit planned by the sourcing department must be conducted to ensure that each cloud service application is configured, deployed and managed in accordance with the University’s current minimum standards related to data security, privacy and performance. Unless sufficiently experienced and available resources exist within the sourcing department, it is best to seek external assistance with conducting the recommended audit work towards determining the status of the more critical aspects of the provider’s IT operational role. There are skilled teams within the University with the capability to execute all or pieces of such vendor assessment, including HUIT, OGC, and RMAS. The sourcing department is advised to contact each of these groups during the initial phases of any cloud provider search to verify they are able to aid with the accommodations being sought from the CSP, including later helping to assess provider performance.
Concluding Comments. Instituting a cloud-based IT strategy is a complex and speculative undertaking which introduces an additional set of risks, namely those of the CSP vendor(s), or amplifies preexisting ones, into the organization’s ongoing due diligence duties. With an absence of comprehensive performance standards and a prevailing disparity between vendor commitments and technical competence, on top of a continually evolving business environment, the chance of operational failure remains substantial. It is hoped that this document will provide a business manager seeking to integrate cloud-based services a starting point on ways to attenuate some of those business risks. Regardless, even if the sourcing department performs a thorough evaluation of its own needs and the prospective vendor’s capabilities and adopts the noted risk control measures, the organization might still incur severe business interruption, including unexpected and material budget impacts to restart itself, due to a performance failure of its CSP. Departments should be mindful that the Harvard Central Administration does not maintain a dedicated reserve fund exclusively for mitigating the risks associated with adopting a cloud-based IT model. As such, each sourcing department must carefully weigh the financial and operational benefits of engaging a CSP against its particular risk tolerance and its capability to fund negative outcomes. Provider agreements by themselves, no matter how solidly drafted or considerate of the underlying business risks, will do little to insulate the department from the financial and operational consequences if the vendor is unwilling or incapable of fulfilling its obligations.
*adapted from NIST Special Publication 800-144