Many companies are considering using a Cloud Service Provider (CSP) to host their environment or house their data. Because of this, it is important to have a Cloud Service Agreement in place that clearly defines the responsibilities of the CSP, compliance guarantees, the steps taken in the event of a breach or incident, and a monitoring or audit clause. This blog discusses each of these areas and provides information to those who are looking to move their environment to the cloud.
Fundamental Components of a Cloud Service Agreement
When crafting a Cloud Service Agreement, it is imperative to include elements that protect the company and set expectations from both a service and a security point of view. These fundamental elements include the following:
- Required Services
- Confidentiality Agreement
- Violation and Compliance Guarantees / Notifications
- Monitoring and Audit Clauses
Keeping these items in mind is the first step to creating a comprehensive agreement. Each of these items will be further defined within this blog.
Step 1: Consider Company & Cloud Requirements
The first step to creating a comprehensive Cloud Service Agreement is to determine the service that is required to meet the company's business objectives. Services can include Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). If you are not sure which service is the right fit, check out my previous blog post, Climbing to the Top: Understanding Major Cloud Service Providers, for more information.
Once the required service has been determined, requirements such as service levels, uptime, redundancy, and recovery of information should be considered. Service level requirements include needed processing power, data storage, and connectivity bandwidth. When determining these levels, it is also important to keep anticipated growth in mind so that it can be incorporated into the agreement, if applicable.
Some other requirements to consider include maintenance and who is responsible for maintaining what, uptime targets, the location of the data centers, and the need for power, network, or data redundancy.
Finally, users should be tuned into their needs for data recovery. Knowing the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) is a good first step. The RTO is the maximum amount of time that can pass before access to IT and business processes must be back up and running. The RPO is the maximum amount of data, measured as the time between backups, that a company can lose without damaging the function of the business. Having an idea of these two objectives will help to insert company-specific needs into the Cloud Service Agreement.
Step 2: Protecting Company & Client Information
Moving company and client information to the cloud can be a little nerve-wracking because the company loses some of its control over keeping the information confidential. Because of this, it is important to add language to the Cloud Service Agreement to help mitigate that risk.
First off, a Non-Disclosure Agreement (NDA) should be in place so that the CSP agrees to protect the information and keep it private. Another important facet of protecting client and company data is ensuring that, no matter what, the company maintains ownership of the information and that the CSP cannot restrict the company's access to it for any reason. This can be helpful if the relationship between the CSP and the company ever becomes strained.
Next, any applicable laws and regulations should be considered. Regulations can include HIPAA, FedRAMP, FISMA, PCI, privacy laws, state laws, or contractual obligations. The restrictions created by these regulations should be explicitly identified so that the CSP understands the responsibilities it is expected to uphold. Additionally, these same restrictions should be passed down to any other CSP it utilizes. Finally, any violation of the NDA or of a regulation should result in an immediate notification to the company and include a penalty, when applicable.
Step 3: Outlining Violation & Compliance Guarantees…and Notifications that Follow
The best way to determine what violations exist is to first understand the controls in place to protect the company environment. Controls should focus on protecting the confidentiality, integrity, and availability (CIA) of information. These controls will be administrative, physical, and technical in nature. Overall, controls should be in place to support authentication into the network, ensure that authorization measures are in place for both physical and logical access, include multiple layers of security, track configuration management, and enforce a formalized change control process.
For more information around specific controls and details on how they are used to protect the CIA of company information, I have added links to other Linford & Company blog posts at the bottom of this post, for reference.
Determining whether or not a violation has occurred generally takes three forms. The first is internal detection by the security controls in place, the second is vulnerability and security assessments performed by a third-party assessor or auditor, and the third is client monitoring, which will be discussed in the next section.
To help keep the monitoring performed by the client to an acceptable level, the Cloud Service Agreement can include details on which vulnerability assessments or audits must be done and the frequency with which they should be completed. For example, the agreement can require vulnerability assessments to be completed quarterly, penetration testing to be completed annually, and a third-party security audit to be completed annually. Having these frequencies outlined within the agreement allows the company to track violations more easily.
Once controls and the assessment frequencies have been identified, it will be easier to understand when a violation occurs. A violation should result in some type of penalty. Penalties can range from a fee or a credit against payment to termination of the agreement, depending on the severity of the violation, and all of this should be detailed in the agreement. Violations should be tracked and penalties enforced to ensure CSPs understand the risks and take security seriously.
In the event of any violation of the controls or breach of information that affects the company environment, there should be a requirement that a notification be sent immediately to the company point of contact. This will allow the company to be part of the remediation process and to assess any penalties that may result.
Step 4: Determining Your Monitoring and Audit Process
The final element that will be discussed in this blog is including a stipulation for monitoring, or a right-to-audit clause, within the Cloud Service Agreement. The agreement should provide real-time access to the system so that the company can monitor the activities and processing of information within the environment, the movements of the administration staff, and their actions as custodians. Additionally, the right to perform on-site inspections should be added to ensure the CSP has effective physical access and environmental controls in place. The Cloud Service Agreement should also require the CSP to provide metrics such as changes to policies and procedures, violations and remediations, uptime, changes, etc.
Moving your company's environment to the cloud can feel like a major loss of control, but it does not have to be. Taking the time to create a detailed Cloud Service Agreement that covers company requirements, confidentiality of information, violations and penalties, and monitoring and audit clauses is a great first step to protecting company information.
Read more about controls to protect the CIA of your company’s information:
- Types of Controls
- Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (SOC for Cybersecurity)
- CSA Cloud Controls Matrix
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP, and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.