Addressing compliance requirements in cloud computing contracts

As CIOs look to cloud computing for data backup and storage, compliance requirements must be spelled out and met -- or the data brought back down to earth.

Companies looking to use cloud computing infrastructure for data backup and storage need to factor in the compliance requirements before contracts are signed.

In some cases, the cloud provider will be able to satisfy compliance requirements -- but often at a price, according to two market experts. Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud do not remove a company's responsibility for the legal, regulatory and audit obligations attached to that information.

CIOs should be ready with a list of compliance questions for  vendors before signing cloud computing contracts. But don't expect their answers to suffice. Indeed, Gartner Inc. published a report last month stating that security, privacy and compliance will prevent adoption of cloud computing in regulated industries and global companies through 2012.

Here are some guidelines and advice from Debra Logan, an enterprise content management analyst for Stamford, Conn.-based Gartner, and Tom McHale, vice president of product management for CA's GRC manager suite.

Who has access to sensitive data in the cloud?

The cloud centers often come with SAS 70 certification and some capability for auditing. The security at cloud data centers, especially perimeter security, is good most of the time. But there are a lot of people questions to answer.

Early adoption of cloud services will be significantly inhibited by cloud providers' failure to adequately address security, privacy and risk concerns, especially among highly regulated industries.
Debra Logananalyst, Gartner Inc.

"Although you are buying the infrastructure, you are still responsible for who is getting access to those applications, who is administering those applications, and the separation of duties of those people who are dealing with the data," McHale said.

Companies typically do regular background checks to ensure that their employees are certified and trustworthy, and they need to see what types of personnel processes their cloud vendor follows. McHale cautioned, however, that unless you are a very big customer, you won't have much luck prescribing personnel policy: e.g., requiring a drug testing every three months. "Your company may well have policies that are pretty restrictive for people handling sensitive data, in which case, this can be a challenge."

Data backup: How often, how long, how well?

CIOs should nail down how often their systems will be backed up and the vendor's windows for scheduled maintenance, when systems may not be available. "It may take them five or six hours to do the backup," McHale said.

Once the backup and maintenance schedule is determined, there are the privacy and security issues to consider: What exactly can administrators see when they start doing the backup? Do the administrators have to have access to the data? What tools are used to make sure the backup (or a copy of it) doesn't go on a CD or thumb drive but only through an approved system?

Gartner's Debra Logan recommends that you ask for a description of the infrastructure, the format in which the data is held, what happens to backup tapes, and whether or not you can have specific retention processes applied to your data.

How will you manage E-discovery requests and satisfy different retention laws?

Companies are subject to myriad laws or regulations that stipulate in what manner and how long data has to be kept, SOX being one. A number of countries -- Germany and the U.K., for example -- have specific regulations relating to email. The Federal Rules of Civil Procedure (FRCP) that U.S. lawyers must follow in civil cases require the disclosure of electronically stored information at an early stage of a case, Logan points out. These are matters that must be addressed with vendors.

"The process, costs and duties for discovery and preservation requirements need to be negotiated up front, and the appropriate protocols for maintaining attorney-client privilege should also be established at the outset," Logan advised in a May 29 note.

Logan lists questions for negotiating cloud computing terms:

  • What happens if I need to preserve data?
  • How is the data collection to be done if I need to produce data?
  • Who will do it?
  • What is the SLA, given that "preservation" kicks in almost immediately after getting a subpoena, and only 90 to 120 days are allowed for producing the data?
  • Which jurisdictions are your data centers in, and how is privacy protected in those jurisdictions?
  • How do you respond to governmental requests for information about your data?
  • In what format is it possible to export the data from the hosted service?
  • How can you ensure that cross-border legal limitations on storage of data are met?

If your company is in a heavily regulated industry, Logan is skeptical you'll be doing a lot of IT business in the cloud for the next few years. If legal departments are paying attention when companies are adopting cloud services, they will put the brakes on fast, she said.

"Early adoption of cloud services will be significantly inhibited by cloud providers' failure to adequately address security, privacy and risk concerns," she said, "especially among highly regulated industries."

Let us know what you think about the story; email Linda Tucci, Executive Editor.

Next Steps

Firm moves from tape backup to managed backup and recovery service

Looming questions for managing your data protection services

Dig Deeper on Contract negotiations and legal issues