(Khare, 2015) - Risk Mitigation Strategies From A Contracting Perspective
April 2015
ABSTRACT
Cloud computing services have become one of the top technology trends and the
industry continues to evolve at a fast pace. Organizations should take advantage
of the lower costs, efficiency and scalability of cloud computing where it is a fit for
their business. Prior to moving to a ‘cloud’ environment, organizations need to
understand the business and legal risks associated with cloud computing services
and have strategies in place to mitigate those risks.
The purpose of this conceptual paper was to identify risk mitigation strategies for
organizations entering into contracts with cloud service providers. This
conceptual paper is a comprehensive review of secondary sources of literature
and begins with a brief background and current status of cloud contracting in
Canada and the US, followed by a review of the rewards and risks of cloud
computing, and then identifies risk mitigation strategies through negotiation of key
contract terms and customer-focused SLAs. The intent of the research was to
identify critical contract clauses and terms needed to mitigate risks as
organizations move to a cloud environment.
The research confirmed there are many risks associated with cloud computing,
particularly with respect to data security and privacy risks and regulatory and
privacy compliance. This paper analyzed the critical risks associated with cloud
computing and identified and presented a framework of key contract terms and
SLA metrics organizations should negotiate and incorporate into the overall
contract with SaaS cloud service providers to mitigate these risks. The
framework of key terms provides organizations a checklist of cloud specific
clauses to include in the contract in order to protect their interests from a
business and legal contracting perspective. The majority of current contracts are
the cloud provider's standard agreements; therefore, negotiation is essential for
cloud computing contracts. This paper also explored management themes
important for successful negotiation of cloud services contracts, which included:
governance and SaaS strategy, project management, purchasing best practices,
and vendor performance management.
Organizations can mitigate the risks associated with contracting for cloud
computing services. Key findings identified from the research included:
1. IT and Purchasing should perform due diligence to mitigate the risks at the
pre-contract stage,
2. Cloud specific contract terms and SLA metrics should be incorporated into
cloud services contracts; a recommended framework of key cloud
specific contract terms and SLA metrics is presented; and
3. Purchasing, Legal and IT need to negotiate the key contract terms and
clauses. Providers are becoming more willing to accept some of the risks
and are starting to work with organizations to negotiate mutually
acceptable contract terms.
TABLE OF CONTENTS
Acronyms
1.0 INTRODUCTION
2.1 Audience
2.2 Purpose
2.3 Assumptions
2.4 Research Questions
4.0 ANALYSIS
4.1 Resources
4.2 Current State of Government Cloud Contracting in Canada
4.3 Overview of Resources
5.1 Recommendations
5.2 Conclusion
6.0 REFERENCES
APPENDIX A: SAMPLE CLAUSES
APPENDIX B: FRAMEWORK FOR SECURITY MECHANISMS FOR CLOUD SLAs
ACRONYMS
CSP - Cloud Service Provider: the business that offers cloud services
1.0 INTRODUCTION
As per Carcary, Doherty and Conway (2013), by 2011 cloud computing was among the
main technology priorities for organizations. Gartner (2014) recently identified
cloud computing as one of the 'Top 10 Strategic Technology Trends for 2015'.
Gartner, as cited by Kalyvas, Overly and Karlyn (2013), predicted cloud
computing revenue would surpass $14 billion by 2013 (p. 7).
However, there are many risks associated with moving to a cloud environment.
In cloud computing, data is placed online, in the hands of third parties, and this
leads to security, governance, lack of control over service availability and privacy
risks (K.B. Green & B.P. Green, 2014; Aleem & Sprott, 2013).
Cloud service providers are unwilling to accept many of the risks; therefore, many
current contract templates are provider focused (Freedman & Gervais, 2011;
Goudreault, 2014; K.B. Green & B.P. Green, 2014). Aleem and Sprott (2013)
concluded "SLAs weigh heavily in favour of cloud providers" (p. 15, para 3).
Organizations might mitigate risks through negotiation of contract clauses and service
level agreements (SLAs) and enforcement of the same (Shaw, 2011). The SLA
should set out the mutually agreed (or minimum expected) service levels from the
cloud service provider to the organization. IT, Legal and Purchasing managers
and staff need to work collaboratively toward contract risk mitigation.
This research paper focused on the key risks and risk mitigation for delivery of
cloud software services (SaaS) from a contracting perspective. The resulting
recommended checklist/framework of contract terms and SLA metrics should be
considered when negotiating the final contract with the cloud services provider.
• IT industry standard websites, such as CSCC, CSA and NIST,
• Legal standards/Law Society of BC,
• Provincial and Federal Government websites,
• White papers: Deloitte, Forrester and KPMG (consulting/research firms),
• Cloud-related blogs and posts, and
• Amazon/Microsoft: review of the providers' service level agreements.
The secondary sources of data analyzed included the literature review (journals,
articles, books), consulting and research advisory white papers, IT industry
standard websites, cloud computing related magazine articles and blogs,
government and legal standards websites and company documents.
2.0 RESEARCH PURPOSE AND QUESTIONS
2.1 Audience
Cloud computing is an organizational strategy that impacts a large number of
stakeholders who may be directly involved in, or will be affected by, this newer
service model. There needs to be an overall governance document, and internal
end users will need to be trained and made aware of the risks associated with
cloud computing. In addition to governance and training, organizations need to
mitigate the risks associated with moving IT services to a cloud environment.
The focus of this paper is on mitigating risks from a contracting perspective;
therefore the immediate audience is Purchasing, Legal and IT Managers.
2.2 Purpose
The goal of this applied project is to:
a) Identify key risks of moving to a cloud environment for Software as a
Service (SaaS),
b) Summarize the key contract terms/clauses and SLA metrics that might
mitigate those risks,
c) Develop a proposed checklist or framework of key contract terms/clauses
and SLA metrics for use by organizations, and
d) Highlight any other themes important for successful contracting.
As per Wiseman (2014), “Provincially and municipally, there have been a few
examples of adoption of cloud services” in Canada (para. 6). Therefore, the
research will include public organizations outside of Canada and private
organizations within and outside of Canada.
2.3 Assumptions
For the purposes of this research, the assumption is made that organizations
have made the decision to move to cloud computing services; Cloud computing is
included in the organization’s overall strategic plan and aligned with IT and
Purchasing department’s objectives. Therefore, only the critical risks will be
analyzed and the focus of this research will be risk mitigation from a contracting
perspective.
.1 One of the most cited definitions is from Mell and Grance (2011) of the
National Institute of Standards and Technology (NIST), who define cloud computing
as: "… a model for enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction" (p. 2).
Another commonly cited definition is from Gartner (2010), who stated, "Cloud is a
style of computing where scalable and elastic IT-related capabilities are provided
as a service to external customers using Internet technologies." The definition
then expands to include the rewards and risks associated with cloud computing.
.2 Service models: There are three cloud service models, namely
Software as a Service (SaaS), Platform as a Service
(PaaS) and Infrastructure as a Service (IaaS). These service models have
different strengths and are chosen by organizations based on their business
objectives. As per Mell and Grance (2011, p. 2) the service models are described
as follows:
programming languages and tools supported by the provider. The customer
does not manage or control the underlying cloud infrastructure including
network, servers, operating systems, or storage, but has control over the
deployed applications and possibly application hosting environment
configurations.
.3 Deployment models: There are four cloud deployment models, which are,
Private, Community, Public, and Hybrid. As per Mell and Grance (2011, p. 3) the
deployment models are described as follows:
Public cloud. The cloud infrastructure is made available for use by the general
public and is owned by an organization selling cloud services and its resources
are sold to the public. It exists on the premises of the cloud provider.
Figure 1. Visual Model of NIST’s Definition of Cloud Computing
2.4.2 What are the rewards and risks associated with the ‘cloud’?
Aleem & Sprott (2013) identified the top three (3) risks as:
security and privacy; lack of control of service availability (performance); and
governance. Other important risks to consider are business continuity and
reputation risks. The following literature review will review risks using these
three (3) risk categories.
Many organizations are moving to, or are considering moving to, cloud services to
take advantage of lower cost and service flexibility (Kalyvas, Overly and Karlyn,
2013, p. 9); however, organizations need to effectively balance the risks and
rewards.
2.4.3 How can risks be mitigated from IT, Legal and Purchasing
perspectives?
Risks can be mitigated during various stages from selection of the cloud service
provider, prior to signing the contract and post contract award.
• Due Diligence Stage (provider selection),
• Business, Legal and Regulatory Risk Mitigation Stage (negotiation of
contract terms and conditions including SLA metrics), and
• Vendor Performance Management Stage (onboarding, during and post contract
term, meetings for review of SLA metrics, audits, communication, change
in personnel (security checks)).
2.4.4 What are the key contract terms and the SLA metrics organizations
should negotiate into agreements to mitigate risks?
This paper explores the key contract terms and SLA metrics that might mitigate
risks in contracting with cloud service providers. There are four (4) parts that
make up a cloud service agreement: the standard terms and
conditions (standard contract template), the privacy agreement and user
acceptance policy (UAP), which are usually attached to the standard terms and
conditions, and the SLA.
• New clauses that should be considered, and
• SLA metrics for SaaS contracts.
3.0 LITERATURE REVIEW
The literature review will begin with the background of cloud computing and the
current state of Canadian and US government cloud computing contracting. The
review then examines three (3) areas; the rewards and risks associated with
cloud computing, risk mitigation strategies from IT, Legal and Purchasing
perspectives, and the key contract terms and SLA metrics to be considered when
negotiating contracts with cloud providers. The scope of the review focuses on
Software as a Service (SaaS) cloud computing.
In 1997 academics started using the term 'cloud', and in 2006 the term
entered the public domain when used by Google's CEO (K.B. Green & B.P.
Green, 2014, p. 31). Cloud services initially started with small to medium size
organizations using public cloud services and its use has evolved to include
larger organizations over the last few years (Bradshaw, Millard & Walden, 2014).
Tufts and Weiss (2014) advised that cloud computing is becoming more common
for government and public sector entities (p. 9).
3.1.2 Estimated value and growth
Forbes (2014) advised that cloud computing is worth more than $13 billion a year
and that the "total cloud infrastructure services market grew at a pace exceeding 45%
and that the leading cloud infrastructure providers' growth by 2nd quarter of 2014
was as follows: Microsoft 164%, IBM 86%, Amazon Web Services 49%,
Google 47%, and Salesforce 38%" (para. 9).
Woods, J. (2010), as cited by Green and Green (2014), predicted a 44% growth in
public cloud uptake between 2014 and 2019 and presented a table describing
the future of cloud computing (p. 31):
Gartner (2014), identified strategic planning assumptions for 2015 to 2017, some
of which included:
"By 2015, 50% of all new application independent software vendors will be pure
SaaS providers, 90% of private cloud deployments will be for infrastructure as a
service and 50% of large global enterprises will rely on external cloud computing
services for at least one of their top 10 revenue-generating processes;
By 2016, all large global enterprises will use some level of public cloud service;
most SaaS contracts will include price escalation limitations and the ability to
terminate contracts;
By 2017, over 50% of large SaaS application providers will offer matching
business process services and an integrated platform as a service, and 5% of all
IT job turnover will be fallout from poor risk decisions about the use of public,
By 2020, the most common use of cloud services will be hybrid model combining
on-premises and external cloud services” (para. 3).
There are many different cloud working groups and standards organizations.
Aleem and Sprott (2013) advised that the Cloud Security Alliance (CSA), the
European Network and Information Security Agency (ENISA) and NIST are
among the top cloud standards bodies.
The next section of the literature review looks at the rewards and risks of ‘cloud’
computing.
A cloud service provider's goal is to have a large pool of customers to create
economies of scale, allowing it to pass lower costs on to its customers
(AWS, 2015). Gartner (2010) advised that organizations could save money by
"leveraging a provider's elastically scalable, varied priced environment." This
pay-as-you-go model allows customers improved resource utilization (Bean, 2009)
as they can focus on their own core competencies (Freeman & Gervais, 2011).
Scalability allows customers to increase or decrease the IT resources of
hardware, software and platforms on an as-needed basis, confirming the resource
flexibility offered by cloud computing solutions.
In addition to these rewards, Nanath & Pillai (2013) and McKendrick (2011), as
cited by Venters and Whitley (2012), mentioned cloud services' contribution to
green IT. Bradshaw, Millard and Walden (2011) discussed the power efficiency
of the cloud model of one large data center compared to many single users and
computers, alluding to potential greening and energy savings (p. 189).
Forrester (2014), a leading global research firm, reported that business agility
was the 'top driver for SaaS usage' in their 2014 Q1 survey (p. 2, para. 4). SaaS
solutions give organizations automatic access to software upgrades, and
this enables IT departments to be more proactive than under previous on-premises
service models. Cloud services give internal and external clients up-to-date
products and services more quickly. This business agility adds business value to
IT's services and the organization as a whole. Zielinski (2009) reported that cloud
computing frees up internal resources' time, allowing them to spend time on
strategic rather than tactical issues.
In mid 2014 Forbes (2014) reported that IBM became the leader in private and
hybrid infrastructure services. In addition, Forbes (2014) advised that early
adopters of cloud services (pacesetters) use cloud services to connect with
customers in social ways creating customer interaction and feedback enabling
organizations to innovate their products and services more rapidly. This concept
of new service opportunities and markets aligns with the idea of offering
organizations time to focus on core competencies.
Further to idea of connecting with customers in social ways, the Cloud Standards
Customer Council (2015) recently published a paper speaking about social
business and social capabilities of the cloud. “Social business is the convergence
of social collaborative capabilities and enterprise business processes” (p. 5, para.
3). Organizations might consider extending the benefits from cloud and applying
them to their social business in the cloud. This would allow end users to interact
with each other as well as with their customers for improved business outcomes.
The following risks have been categorized under headings based on the top 3
concerns identified by Aleem and Sprott (2013) and a 4th category of ‘other’:
Ouedraogo and Mouratidis (2013) reported that a cloud environment presents
more opportunities for cybercrime. They propose an approach to help
organizations make a better informed choice of provider and this model will be
explained under the risk mitigation section of this paper.
Kalyvas, Overly and Karlyn (2013) described risks from the view of both
availability and security failures. In 2011, cloud service availability and security
failures occurred with providers Amazon and Microsoft. In April 2011, some of
Amazon's services were down for several days and some of their customers' data
was permanently lost (para. 4). In September 2011, some of Microsoft's cloud
based software services were down for several hours. These examples of lost
data and customer downtime created security risk and productivity losses to
organizations (para. 5). Kalyvas, Overly and Karlyn (2013) advised that nearly
half of companies surveyed in 2013 identified some form of data security issues.
Another security/privacy issue that organizations need to consider is the security
of the provider's physical location where the data is being stored (Tufts and Weiss,
2013, p. 7).
Zissis and Lekkas (2010, p. 587) provided a visual of the different categories of
threats that could occur in a SaaS cloud environment. They noted ‘malicious
insiders’ but ‘outside hacker attacks’ could also be added to their model.
Tong, Nguyen and Jaatun (2012) identified cloud risks with respect to:
• Resource location - the provider's physical location and the local laws and
legislation that apply in that country,
• Multi-tenancy - challenges relating to preventing unauthorized access by
users to each other's information as they use the same 'physical'
servers,
• Authentication and trust of acquired information - potential issues with
changing data without an organization's permission,
• System monitoring and logs - logs may contain private/confidential
information, creating a need to monitor who accesses the logs, and
• Cloud standards - there is a large number of standards bodies and
working groups with different interests. "Will there be one dedicated
standards organization in the future?" (p. 50).
Privacy/Regulation compliance:
Cloud services may include storing an organization's sensitive data, which creates
unique security issues. A provider's servers might be physically located in
various locations/countries, and data hosted in the cloud is subject to foreign laws.
As per Gilbert (2010), the flow of data and the locations of the provider's (or 3rd
parties') servers are unique to cloud computing. Providers sometimes use 3rd
parties to host the data, and this creates less control over the data and overall
performance of the services. Depending on the type of data being stored,
organizations may only want to contract with providers whose servers are located
in their jurisdiction(s).
Privacy legislation involves the location of the customer as well as the service
provider's physical location where the data is being stored; therefore, there may be
overlapping access and/or privacy regulations. Depending on the jurisdiction and
type of information, the data center and the information itself must be physically
located in Canada in order to be in compliance. In addition, customers choose
from one of three infrastructure/operating models: private, public or hybrid.
Public cloud models are the most cost effective; however, they offer lower
security and control over data, so may not be a suitable choice for public agencies
and their customers' personal data (Blinsky, 2013; Aleem & Sprott, 2013).
Customers and cloud service providers must be in compliance with all privacy
legislation that is applicable to the customer's data that is being considered for
storage in the cloud (Krutz, Vines, & Brunette, 2010). For the purposes of this
research, regulatory compliance will be discussed in relation to British Columbia's
Freedom of Information and Protection of Privacy Act (FIPPA).
In BC, public bodies that store personal information must comply with FIPPA. As
per the Office of the Information & Privacy Commissioner (OIPC, June 2012),
“Public bodies must protect personal information by making reasonable security
arrangement against such risks as unauthorized access, collection, use,
disclosure or disposal” (p. 5). In addition, FIPPA states that personal information
can only be stored in and be accessed from within Canada. Cloud service
providers in BC must comply with FIPPA.
3.3.2 Lack of Control and Service Availability
Access and Performance Issues
Organizations become fully dependent on their cloud service provider. Green
and Green (2014) stated that if there is an outside hacker attack, the system
could run very slowly and it may take longer to get it running again using a 3rd party
provider compared to in-house IT employees. In-house systems and employees
have more knowledge, control and communication of systems, system access
and availability. If a provider (or 3rd party) hires new employees, the employees
need to be trained and made aware of privacy policies relating to the
organization's data. Controls need to be in place to verify employees are trained
and agree to comply with all policies and procedures.
SLAs provide a form of control to ensure the services are provided as the
provider has promised. A study of 5 major cloud providers' SLAs done by Baset
(2012) concluded that the lack of standards among providers makes it difficult to
compare offerings and is very confusing for organizations. The study also
revealed that the SLAs are written such that the burden of proof for any violation
of service guarantee levels rests with the customer (p. 65). SLAs are needed to
report and track control issues, service availability and performance levels (Rose,
2011).
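Because the burden of proof for an SLA violation rests with the customer, the customer needs its own availability record rather than the provider's dashboard. The following added example is not part of Khare's paper and is not any provider's SLA tooling: it computes monthly availability from customer-side synthetic probe logs, excludes a scheduled maintenance window, compares the result to the contractual commitment, looks up the applicable credit tier, and lists the outage intervals a credit claim would cite. The probe log, the 5-minute cadence, the 99.9% commitment, the credit schedule and the maintenance window are all constructed assumptions; a real contract supplies the actual figures.

```python
"""Customer-side availability evidence for an SLA credit claim.

Added example: not from Khare (2015) and not any provider's SLA tooling.
The probe cadence, the 99.9% commitment, the credit tiers and the maintenance
window below are constructed assumptions; a real contract supplies them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PROBE_INTERVAL = timedelta(minutes=5)      # assumed cadence of the customer's synthetic checks
SLA_COMMITMENT_PCT = 99.9                  # assumed monthly availability commitment
# Assumed credit schedule: (availability floor reached, credit as % of monthly fee)
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (0.0, 25)]
# Assumed scheduled-maintenance exclusion negotiated into the SLA (half-open interval)
MAINTENANCE_WINDOWS = [(datetime(2015, 4, 5, 1), datetime(2015, 4, 5, 3))]


@dataclass
class Probe:
    ts: datetime
    ok: bool


def parse_probe_log(text):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ STATUS' lines; STATUS 0 marks a timeout/connect error."""
    probes = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        stamp, status = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        probes.append(Probe(ts, 200 <= int(status) < 400))
    return probes


def build_constructed_month():
    """Constructed April 2015 log: every probe succeeds except a two-hour outage on
    the 10th and a two-hour failure on the 5th that falls inside the maintenance window."""
    outage = (datetime(2015, 4, 10, 2), datetime(2015, 4, 10, 4))
    maint_fail = (datetime(2015, 4, 5, 1), datetime(2015, 4, 5, 3))
    lines, ts = [], datetime(2015, 4, 1)
    while ts < datetime(2015, 5, 1):
        failing = any(a <= ts < b for a, b in (outage, maint_fail))
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {503 if failing else 200}")
        ts += PROBE_INTERVAL
    return "\n".join(lines)


def in_window(ts, windows):
    return any(start <= ts < end for start, end in windows)


def credit_percent(availability_pct):
    for floor, credit in CREDIT_TIERS:       # tiers are ordered from best to worst
        if availability_pct >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def availability_report(probes, windows, interval=PROBE_INTERVAL):
    """Availability over the probes, excluding maintenance windows, plus the merged
    outage intervals a credit claim would cite."""
    counted = [p for p in probes if not in_window(p.ts, windows)]
    down = [p for p in counted if not p.ok]
    outages = []
    for p in down:                           # merge consecutive failing probes
        if outages and outages[-1][1] == p.ts:
            outages[-1][1] = p.ts + interval
        else:
            outages.append([p.ts, p.ts + interval])
    pct = 100.0 * (len(counted) - len(down)) / len(counted) if counted else 0.0
    return {
        "total_probes": len(probes),
        "excluded": len(probes) - len(counted),
        "down": len(down),
        "availability_pct": pct,
        "sla_met": pct >= SLA_COMMITMENT_PCT,
        "credit_pct": credit_percent(pct),
        "outages": [(a, b) for a, b in outages],
    }


if __name__ == "__main__":
    report = availability_report(parse_probe_log(build_constructed_month()), MAINTENANCE_WINDOWS)
    print(f"availability {report['availability_pct']:.4f}%  met={report['sla_met']}  "
          f"credit={report['credit_pct']}%")
    for start, end in report["outages"]:
        print(f"  outage {start:%Y-%m-%d %H:%M} to {end:%H:%M} UTC")
```

Two design points matter when negotiating the SLA text this script mirrors: the measurement unit (here, one probe per interval, with every failed probe counted) should be written into the contract so the provider cannot later argue that only intervals in which every request failed count as downtime, and maintenance exclusions should be bounded windows agreed in advance rather than "any scheduled maintenance", since the exclusion list directly moves the computed percentage across a credit tier.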
3.3.3 Governance
Strong governance is needed in order to identify, assess, and mitigate risks
related to cloud computing. Paquett, Jaegar and Wilson (2010) and KPMG
(2014) reported the need for access governance, controls, security audits and
management sponsorship of cloud related training programs. Organizations need
to ensure controls and processes are in place prior to contracting with a cloud
provider (Bean, 2009). As per Paquett et al. (2010), "a key determinant in the
success of cloud computing" is the ability to manage the risks (Introduction, para.
2).
3.3.4 Other Risks
.1 Business Continuity/Reputation Risks
Organizations open themselves up to new reputation risks when moving to a cloud
environment. If there is a disruption in the service, downtime or a service failure,
this could result in financial loss to the customer and its own customers. If a provider goes
bankrupt it is difficult for customers to change providers quickly (K.B. Green &
B.P. Green, 2014). The cloud service provider may expose the customer to
claims/liabilities and may "tarnish the customer's reputation" (Freedman &
Gervais, 2011, Liability/reputation, para. 1).
.2 Legal Challenges
There have been few cloud related legal challenges to date and almost no case
law; therefore legal counsel and internal auditors need to be aware of any potential
issues related to security breaches, intellectual property, trade secrets and
release of data to 3rd parties (Bean, 2009). Cloud services involve data being
transformed by a 3rd party. One party may receive the initial data and another
party adds a tool and updates the data. If the contract does not clearly state who
owns the data and at what point in time, this could create confusion and generate
more lawsuits in a cloud environment (Gilbert, 2010).
A survey done by Bradshaw, Millard and Walden (2011) highlighted the need to
carefully review all contract terms and conditions, even clauses that might appear
to be standard. Many providers include disclaimers of any liability or warranty
and of any issues related to the services actually performing as promised. For
example, many providers' SLAs "exclude the majority of causes of cloud service
outage" and the only remedy is a credit for future services (p. 221, para. 5).
Depending on the type of cloud services, some cloud providers may offer all, or
portions of, their contract in the form of an online agreement, sometimes referred
to as a ‘click wrap’ agreement. Hon, Millard and Walden (2012) referred to this as
the ‘click-through trap’. Click wrap cloud agreements request customers to
accept all terms ‘as is’ with no opportunity to negotiate any of the terms. Cloud
providers contracts are structured to protect the provider and customers do not
have much bargaining power (Foster Noble, 2013). Many providers will not
modify any of their terms (Kalyvas, Overly & Karlyn, 2013; Gilbert, 2010).
However, organizations should attempt to negotiate contract terms in all types of
cloud agreements in order to balance the risks.
.3 Cost as a Risk
A blog by Gupta (2011) identified the top five (5) cloud concerns as vendor
assessment (adequate security controls), data protection (format and
accessibility), reputation (background check), data sensitivity (sensitive data
protection) and cost. Four of the five concerns are included in the evaluation of risks
identified in other papers; however, cost as a risk was not identified in all of the
articles. The majority of articles identified cost savings and only some authors
raised the issue of 'security costs' offsetting any perceived savings of going to a
cloud environment. Security breaches can be considered hidden costs that can
be hard to estimate. Noble Foster (2013) advised that any savings might "quickly
evaporate with a single hacking incident, a cloud provider's unexpected
interruption of service or sudden lack of accessibility to data due to power outage
or natural disaster" (p. 17, para. 3). Data breaches can be very costly to
organizations. A study conducted in 2009 disclosed that 45 organizations
experienced breaches with "an average cost of $6.7 million, ranging from
$750,000 to almost $31 million…with data breaches costing an average of $204
per compromised record" (Kalyvas, Overly & Karlyn, p. 19, para. 3).
Summary of Risks
There are challenges for both organizations and providers with issues related to
security and privacy, such as unauthorized access, loss of privacy, data
replication and regulatory violation, including the provider's physical location.
Organizations also have to deal with risks related to loss of control (governance),
availability (access), performance and potential business continuity and
reputation risks, as well as legal risks (liability and intellectual property issues).
Cost has also been identified as a risk.
Rewards versus Risks
The main benefits/rewards of cost reduction and service flexibility are driving
organizations toward cloud solutions (Kalyvas, Overly & Karlyn, 2013). Tufts and
Weiss (2013) reported that cloud computing offers government entities
cost-effective ways to deliver IT solutions; however, in order to realize the benefits "it is
particularly important to concentrate on the establishment, negotiation and
management of high-quality cloud computing contracts" (p. 8, para. 3).
Organizations need to review the type of risks that may occur, particularly from an
e-security failure perspective. As per Slack (2010), “any advance in processes or
technology creates risk. No real advance comes without threats or danger” (p.
577). This applies particularly to e-business. From a risk management
perspective, organizations need to ensure to include contingency and business
continuity planning with safeguards set in place for internal and external systems
(English, 2012).
Research suggests that risks can be mitigated during various stages, from
selection of the cloud service provider to the contract award, as follows:
Figure 5. Cloud Computing Risk Assessment Approach
Gartner (2010) suggested there are five (5) initial phases IT should follow when
an organization is considering cloud computing. These phases or steps are:
• Build a business case - Ensure the ‘key initiative’ is linked directly to
business objectives and gain senior leader support,
• Develop a strategy that aligns with the organization's overall strategy,
• Assess readiness by developing a total cost of ownership framework and
policies/procedures to assess and manage risks and governance,
• Pilot a mini project and incorporate results/lessons learned,
• Gain approval by updating the business case with results of pilot and
present to senior management for buy-in.
• Provider's physical site (inspection), and
• Feedback from other organizations, user groups and industry forums.
Green and Green (2014) mentioned potential concerns with a small provider
being sold to a larger organization. Organizations need to consider how this
might affect the services and protection of data. Annual audit and financial
checks may be a proactive approach to address this concern.
IT needs to become familiar with, and understand, all industry specific terms and
standards that relate to third party cloud service audits, such as ISO 27001 and
SAS 70 (K.B. Green & B.P. Green, 2014), and SSAE 16 (Goudreault, 2014). This
includes independent certifications to ensure providers meet all of the industry
standards (Hon, Millard and Walden, p. 112). IT and Purchasing employees
involved in any existing or anticipated cloud initiatives should be aware of cloud IT
terms and the potential providers' full range of services offered, as well as clearly
understand their own organization's cloud SaaS strategies.
To ensure they are making an informed choice of cloud providers, IT's risk
assessment could follow CSA's Security Guidance for Critical Areas of Focus in
Cloud Computing (v. 3.0, 2011) and/or Ouedraogo and Mouratidis' (2013) C.A.R.E.
(Complete-Auditable-Reportable) approach to determine and select a trusted
cloud service provider. CSA's website has many resources for risk mitigation,
such as ensuring providers meet CSA's Cloud CERT – Security and Knowledge
program requirements and checking whether they are listed in CSA's STAR (Security,
Trust and Assurance Registry).
IT needs to perform a risk analysis of the data security risks prior to
moving confidential data to the 'cloud' (Sangroya, Kumar, Dhok, &
Varma, 2010). Organizations should perform a Privacy Impact Assessment (PIA)
as well as use a Plan, Do, Act, Control (PDAC) model to ensure rewards outweigh
the risks (Aleem & Sprott, 2013, Migration on the cloud, para. 1). In addition, IT
could perform pre-contract security penetration testing to check for "security
issues such as integrity and robustness of the provider's security policy and
information technology systems, and how the users' data are separated from
other users' data" (Hon, Millard & Walden, 2012, p. 113, para. 3).
Cloud service providers must comply with FIPPA and, depending on jurisdiction
and type of information, the data center and the information itself must be physically
located in Canada (OIPC, 2012). Customers need to have controls in place to
ensure regulatory and policy compliance is enforced. The cloud provider should
give potential customers a copy of its security policies and explain how it will
meet the organization's privacy and confidentiality policies and regulations.
Bean (2010) and KPMG (2014) provide suggestions from internal auditors'
perspectives. They believe internal auditors need to develop their knowledge
base on cloud computing and that more stringent security measures should be
applied to cloud services than are applied to internal IT services.
Aleem and Sprott (2013) confirm that IT audits should be part of an overall cloud
strategy.
Green and Green (2014) discussed the critical risks and the need for strong
encryption; they write from a business, rather than technical, perspective.
Krutz, Vines and Brunette’s book, Cloud Security: A Comprehensive Guide to
Secure Cloud Computing (2010), offers a good starting point for organizations
considering moving to a cloud environment. Chapter 8, Useful Next Steps and
Approaches, contains a list of questions to ensure due diligence by customers
and also includes a reference tool for cloud providers.
A new book, by Samani, Reavis and Honan (2015), CSA Guide to Cloud
Computing: Implementing Cloud Privacy and Security is a great resource for IT
managers on how to integrate security planning into cloud initiatives and how to
deal with the implications of privacy in different geographic regions. The book’s
introduction advised it “is intended to present the research within the multitude of
CSA working groups, as well as incorporate the research and findings across
other relevant sources. It should be used as a reference for CSA research and
also a broader cloud security reference guide” (p. 17-20).
Tufts and Weiss (2013) identified legal and regulatory challenges and the need to
negotiate cloud contracts. They developed a contract assessment framework
and negotiation strategies aimed at government agencies considering moving IT
services to the ‘cloud’. The framework will be presented at the end of Section 3.6
of this paper.
.3 Governance
Ensure there is organizational governance in place as well as program and
project governance, including, controls and decision-making processes and
accountability.
.4 Other
a) Standard contract clauses to be customized for cloud services include:
• Services (definition for cloud services),
• Pricing Protection,
• Dispute Resolution,
• Liability/Indemnification,
• Insurance (see new clause for cyber insurance),
• Intellectual Property Rights,
• Disaster Recovery/Business Continuity plans,
• De-commissioning services – transitioning to another provider,
• Termination clause (exit obligations/penalties),
• Implementation, and
• Training.
This section will begin with a review of security and privacy issues, SLAs and
governance concerns, followed by a review of standard contract clauses that
should be customized for cloud services, as well as potential new cloud-specific
clauses that should be negotiated into agreements to mitigate risks. Some
research articles highlighted the clauses/provisions that require close attention
and negotiation, while other articles presented sample clauses the authors proposed
customers consider adding to their cloud agreements.
Starting with the four categories identified in the previous section, research suggests
the following considerations, along with applicable measures and language, be
added to contract clauses in order to mitigate the risks associated with contracting
with cloud service providers.
• Security monitoring, security audits and audit rights – establish a process for
monitoring/auditing, e.g. how it is done, by whom and how often (by the
customer, the provider or a third party),
• Data breach notification – outline the method and timelines for breach
notification,
• Plan for security/privacy breaches – outline the steps to take when a breach
occurs, and
• Back-up of data – include details of how and when regular back-ups will occur.
Noble Foster (2013) identified key contract problem areas of data security,
privacy and confidentiality. He then reviewed these clauses in four leading
cloud providers' contracts and provided suggestions on how to modify the contract
clauses to mitigate risks to organizations, so that the contract terms are not
solely for the provider’s benefit (p. 8).
Kalyvas, Overly and Karlyn (2013, p. 20) proposed organizations include specific
contract clauses/provisions for data ownership, data security, redundancy and
conversion as follows:
• Data Ownership & Rights Provision – ensures standard data
ownership clauses clearly state “that the customer owns all data stored by
the provider for the customer and that the provider is obligated to keep all
of the customers information confidential except for performance of the
services” (p. 3, para. 4),
• Data Security Provision – covers general security, access and
maintenance of the customer’s information, ensuring a secure environment
and security controls, and security audits at the customer's request,
• Data Redundancy Provision – covers backing up of the customer’s data,
including frequency and related reporting requirements, and
• Data Conversion Provision – covers delivery of data at the start of the
services and the return and destruction of data at the end of the contract
term.
3.6.2 Lack of Control of Service Availability (SLAs)
Aleem and Sprott (2013) identified the SLA as “one of the most important areas
to consider when evaluating a cloud provider” (p. 14). The SLA must include key
metrics that will measure and monitor services. Key metrics should include
availability (scalability), performance (reliability), security, compliance and data
retention, and the target levels must be SMART! (Rose, 2011). Shaw (2011)
advises that SLA metrics need to be relevant to performance and not the
technology itself. Almathami (2012) suggests that metrics could also include
trust, violation ratio and elasticity. SLAs should also include a metric for
customization, to allow for change in numbers, such as the number of concurrent
users (Alhamad, Dillon and Chang, 2010).
Alhamad, Dillon and Chang (2010, p. 4) suggested five common SLA metrics as
follows:
Metric (parameter)              Description
Reliability (performance)       Ability to keep operating in most cases
Usability                       Easy built-in user interface
Scalability                     Flexibility for number of users (individual or large organizations)
Availability (uptime/downtime)  Uptime of software users in specific time
Customizability                 Flexible to use with different types of users
Table 2.1 SLA Metrics
Tong, Nguyen and Jaatun (2012) advised that the main SLA metrics are availability
and performance (reliability). They also suggested that SLAs could measure
security performance levels by using confidentiality and integrity as metrics.
These metrics could measure the level of trust an organization has in the
provider’s ability to keep the data secure. These metrics could be included
in SLAs or, alternatively, could be incorporated into a vendor management
performance scorecard.
The types of data that could measure the security of the customer’s data include
access control, audit verification, and incident management and response.
Bernsmed et al., as cited by Tong, Nguyen and Jaatun (2012), offered a visual of
this concept, which is attached as Appendix B.
SLA metrics need to be meaningful, measured and reported on. Internal clients,
IT, Purchasing and Legal need to ensure metrics (and their underlying measures,
p. 7) are well defined and understood so that reliable service measures
can be part of the contract deliverables. Salem (2012) suggested SLAs need to
include service guarantee metrics, time period, scale and service guarantee
exclusions, as well as a service credit if the guarantee is not met, and how and
who is responsible to measure and report any service violations. Salem’s (2012)
article concluded with recommendations to cloud providers on how they might
improve their SLAs in future. SLAs that share the risks more evenly may help
providers differentiate their service offerings from those of providers unwilling to
make any changes to their contracts.
Hon, Millard and Walden (2012) advised that service credits may not be an
adequate deterrent and that providers might offer a money-back guarantee.
Service guarantees could include non-financial remedies, such as, for each service
failure, documenting how the provider will prevent recurrences (root cause
analysis), assurances that the support team is adequate for the service, and
contract language that the provider cannot bid on other opportunities if SLA metrics are
not met (Shaw, 2011, p. 38).
NIST (2015) advised that an SLA provides a measurement of the business level
objectives or its performance level (p. 8). NIST has a Cloud Computing Service
Metrics Description document (2015) currently being drafted by a working group.
The audience for the service metrics document is government agencies, auditors,
cloud customers and providers. The document provides a cloud service metric
(CSM) model that defines the elements needed to describe the metric itself, such
as availability and performance, the parameter and the metric rule. IT managers
can use their expertise to lead the decision on the standard metrics and relevant
measurement (unit of measure and scale) to be used in the SLA.
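As an added worked example (not part of the paper, and not any provider's or NIST's code), the following Python script evaluates a service guarantee from the customer's own monitoring data, covering the SLA elements listed above: the guarantee metric (availability), measurement period, scale (percent), guarantee exclusions (announced maintenance), the service credit owed when the guarantee is missed, and a check of a breach notification against a contracted timeline. The timestamps, outage windows, 72-hour notification window and credit tiers are all constructed assumptions for illustration:

```python
"""Added example: evaluating an SLA service guarantee from constructed data.

Models the SLA elements discussed in the text: a guarantee metric (availability),
a measurement period, a scale (percent), guarantee exclusions (scheduled
maintenance), a service-credit schedule, and a breach notification timeline.
All timestamps, thresholds and credit tiers are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Window:
    """A half-open time interval [start, end)."""
    start: datetime
    end: datetime

    def minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)


def intersect(a: Window, b: Window) -> Optional[Window]:
    """Overlap of two windows, or None if they do not overlap."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    return Window(start, end) if end > start else None


def availability_percent(period: Window, outages: List[Window],
                         exclusions: List[Window]) -> float:
    """Availability (%) over the period.

    Outage minutes inside an exclusion window (e.g. announced maintenance) do
    not count as downtime, and excluded minutes are also removed from the
    measurable time, so the denominator is only the time the guarantee covers.
    Assumes exclusion windows do not overlap one another.
    """
    measurable = period.minutes()
    for e in exclusions:
        x = intersect(period, e)
        if x:
            measurable -= x.minutes()
    downtime = 0
    for o in outages:
        o_in = intersect(period, o)
        if not o_in:
            continue
        counted = o_in.minutes()
        for e in exclusions:
            x = intersect(o_in, e)
            if x:
                counted -= x.minutes()
        downtime += max(0, counted)
    return 100.0 * (measurable - downtime) / measurable


# Constructed credit schedule: (minimum availability %, credit % of monthly fee).
# Checked top-down; the first tier the measured value reaches applies.
CREDIT_SCHEDULE = ((99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50))


def service_credit_percent(availability: float) -> int:
    """Service credit owed for a measured availability, per CREDIT_SCHEDULE."""
    for floor, credit in CREDIT_SCHEDULE:
        if availability >= floor:
            return credit
    return CREDIT_SCHEDULE[-1][1]


def notified_within_sla(detected: datetime, notified: datetime, max_hours: int) -> bool:
    """True if the customer was notified within the contracted breach timeline."""
    return notified - detected <= timedelta(hours=max_hours)


def evaluate_sample() -> dict:
    """Run the checks over constructed monitoring data for one billing month."""
    period = Window(datetime(2015, 6, 1), datetime(2015, 7, 1))  # 30 days
    maintenance = [Window(datetime(2015, 6, 7, 2), datetime(2015, 6, 7, 4))]  # announced
    outages = [
        Window(datetime(2015, 6, 7, 2, 30), datetime(2015, 6, 7, 3, 30)),  # inside maintenance
        Window(datetime(2015, 6, 15, 10), datetime(2015, 6, 15, 12)),      # unplanned, 120 min
    ]
    avail = availability_percent(period, outages, maintenance)
    return {
        "availability_pct": round(avail, 4),
        "credit_pct": service_credit_percent(avail),
        # Breach detected by the provider, customer notified 59 hours later,
        # against a constructed 72-hour contractual notification window.
        "breach_notified_in_time": notified_within_sla(
            datetime(2015, 6, 15, 9), datetime(2015, 6, 17, 20), max_hours=72),
    }


if __name__ == "__main__":
    print(evaluate_sample())
```

The outage that falls inside the announced maintenance window is excused and its minutes are removed from the denominator, while the unplanned 120-minute outage counts in full; the month therefore lands in the 99.0–99.9% tier and earns the constructed 10% credit. Who runs this measurement (customer, provider or third party) is exactly the point the text says the contract must settle.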
3.6.3 Governance
KPMG (2014) stressed the importance of aligning controls to the new cloud
environment by establishing clear roles and responsibilities between the cloud
provider and the organization, as well as access governance program and process
documents. Paquet et al. (2010) recommended IT-specific governance, including
oversight from a risk management perspective and decision-making processes
and accountability through a roles and responsibilities document. This could be
accomplished by inclusion of a project charter as part of the contract. In addition,
Goudreault (2014) recommended a formal SaaS strategy be part of governance.
IT’s roles with respect to cloud services could also be outlined in an internal SLA
for the organization’s employees (Zielinski, 2009).
In addition to the above security & privacy, SLA and governance concerns and
contract terms/clauses, several authors (Bean, 2009; Freedman & Gervais, 2011;
Gilbert, 2010; Goudreault, 2014; Hon, Millard & Walden, 2012; KPMG, 2014;
Zielinski, 2009) confirm the following standard clauses should also be negotiated
and customized for cloud services:
• Intellectual Property Rights – important to include where property may
become a work product and therefore needs definition (Bean, 2009; Hon,
Millard & Walden, 2012; Kalyvas, Overly & Karlyn, 2013),
• Disaster Recovery/Business Continuity plans – develop the plan and detail
what it includes, e.g. complete restoration? How long? (Bean, 2009;
Freedman & Gervais, 2011). Hon, Millard and Walden (2012) advised
some organizations recognized the need to have their own data back-up
strategy,
• De-commissioning services – method to transition to another provider and
removal and proof of removal of data (Kalyvas, Overly & Karlyn, 2013),
• Warranties – review the warranty offered related to the specific services provided
(Hon, Millard & Walden, 2012; Kalyvas, Overly & Karlyn, 2013), and
• Termination – ensure no ‘vendor lock-in’ clauses exist and include a
transition plan and/or exit obligations for either party (Goudreault, 2014;
Hon, Millard and Walden, 2012).
Table 1. Cloud Computing Contract Assessment Framework (columns: Major Issues for Cloud Contracts; Description of Specific Elements)
The above Cloud Computing Contract Assessment Framework provided by Tufts
and Weiss (2013) was used as a starting point and based on the research
conducted, it was updated with recommended additional key contract
terms/clauses and is presented in Section 5. Recommendations & Conclusion.
3.7 Negotiation
3.7.1 Top 6 Terms to Negotiate
A qualitative research study by Hon, Millard and Walden (2012), identified the top
six (6) most negotiated terms: the providers standard cloud contract terms that
were not in the customers best interest. These terms were:
1. “exclusion or limitation of liability and remedies, particularly regarding
data integrity and disaster recovery;
2. service levels, including availability;
3. security and privacy,
4. lock-in and exit, including term, termination rights, and return of
data on exit;
5. providers’ ability to change service features unilaterally; and
6. intellectual property rights” (p. 83).
and their purchasing power (Hon, Millard & Walden 2012). Increased competition
in the marketplace may push providers to become more interested in negotiating;
to work with organizations proactively to share the risks with the ultimate goal to
secure contracts/business. As per Bradshaw, Millard and Walden (2011), “As the
cloud marketplace expands and matures terms will evolve and diversify to be
more closely reflect customer’s concerns and local legal framework under which
customers operate” (p. 223).
.2 Project Planning
The project must be aligned to corporate objectives, have senior management
support, and overall governance must be in place. Governance will provide the
structure and the means of reaching the project's objectives, and determine how to
monitor performance of the project (Muller, 2009). Projects themselves need to
be governed and, as per Muller (2009), the focus is on:
• “Ensuring effectiveness by doing the ‘right projects’ and
• Ensuring efficiency by doing ‘projects right” (p. 45, para. 2).
Moving IT systems to a cloud environment is a strategic initiative that affects
many areas of the organization, so cloud projects need to be done right!
.3 Continuous Improvement
Aleem and Sprott (2013) suggested Deming’s PDCA improvement cycle, ‘Plan,
Do, Check and Act’, could be used for the initial risk assessment and during the
contract term to ensure there is continuous improvement in the process (p. 18).
Forrester (2015) stressed the importance of including continuous improvement
(CI) in the actual cloud services contract and recommended linking CI to the
pricing and performance reporting (KPIs), for example a price reduction for
improved efficiency in the next renewal term. This would “transfer more
responsibilities to vendors and increase service delivery accountability” (p. 2).
This is discussed further under .4 vendor performance management.
Figure 6. Continuous Improvement
.4 Benefits realization
Benefits realization is an essential subcomponent of project and portfolio
management. As per Simon (2013), “Benefit realization entails establishing a
process and guidelines to measure actual financial and non-financial benefits of a
program or project” (p. 1). A formal benefits realization process can help manage change
and will confirm the value of the project to the organization, at project completion
and during sustainment.
.2 Benchmarking Survey
Contract terms and SLA metrics could be shared among both private and public
procurement and IT groups. The organization’s Purchasing department could
survey other like entities to see if they currently use or are exploring using cloud
services and if yes, share contract clauses and lessons learned.
Questions that could be posed include:
• Do you currently use or are you planning to use cloud services?
• If yes, do you have a cloud contract and/or clauses to share?
• Did you perform a benefits analysis and if yes, can you share your
methodology?
The survey results and a summary of contract terms/clauses could be
summarized and shared with respondents and internal IT and Legal and be part
of a due diligence approach.
As per Forrester (2015), organizations' sourcing priorities are moving from cost to
innovation (p. 1, para. 3). With less focus on cost savings, organizations can
spend more time and focus on “stronger business and customer alignment” (p. 1,
para. 4). They summarized the findings with a view that there will be a shift in
sourcing strategy.
which could be tied into a compensation model (e.g. a bonus for meeting or
exceeding one of the goals/objectives).
The organization and provider need to have the expertise and knowledge related
to the specific cloud services, understand the contract documents and relevant
terms, and there needs to be a level of trust in the relationship between the
organization and the provider.
In contracting relationships, trust is gained when both parties believe each other
will behave as expected and deliver the services as required. Zissis & Lekkas
(2010) viewed trust from an IT technical perspective and the need to deal with
trust (and a trust certificate) at every layer in the system requiring a security
guarantee. They proposed using a ‘trusted third party’ approach and cryptography
“to ensure the confidentiality, integrity and authenticity of data and communication”
(p. 585) to address security concerns. Alhamad, Dillon and Chang (2010)
suggested that successful negotiation could increase the trust level of the
provider-customer relationship.
Garrison, Kim and Wakefield (2012, p. 66) viewed trust from a vendor
management perspective and their research concluded that successful cloud
deployment can be achieved with a “user (customer) - vendor partnership”
approach. Rather than solely looking at the vendor’s capabilities, organizations
need to look at their own technical capabilities, management resources (training
and experience) and their ability to build trust with the cloud provider. These 3
areas contribute to successful cloud partnerships.
The literature review identified the main risks and key contract clauses and SLA
metrics to mitigate risks, revealed a cloud contract framework with key cloud
contract terms/clauses, confirmed the importance of negotiation in cloud
contracts, as well as, highlighted themes important for successful contracting.
4.0 ANALYSIS
4.1 Resources
4.1.1 Journal Articles/Academic Research Papers
The majority of the sources found are from an IT or legal perspective. For
example, many of the journal articles are from legal counsel and IT
managers/professionals (IT technology groups/associations). Some of the
research articles are from consulting firms (KPMG, Deloitte) or research advisory
firms such as Forrester and Gartner.
4.1.2 Books
The research included a high-level review of a few books. The books were
mainly from an IT cloud security perspective; however, they also revealed useful
due diligence steps, as well as questions that are helpful for organizations
considering entering into a cloud environment.
A new book, by Samani, Reavis and Honan (2015), CSA Guide to Cloud
Computing: Implementing Cloud Privacy and Security, is a great resource for IT
managers on how to integrate security planning into cloud initiatives and how to
deal with the implications of privacy in different geographic regions. The book’s
authors have an impressive wealth of knowledge and experience. Samani is
currently VP, Chief Technology Officer at McAfee and is Cloud Security Alliance CIO;
Honan is a recognized expert in IS in Europe and Ireland and has provided advice to
the European Commission as an expert in ISO standards (wrote ISO 27001); and Reavis is
a writer, speaker, technologist and business strategist and is co-founder and CEO
of the Cloud Security Alliance.
4.1.3 IT Industry Standards
The Cloud Standards Customer Council (CSCC), the Cloud Security Alliance
(CSA) and the National Institute of Standards and Technology (NIST) were
among the most cited standards and therefore, they appear to be the main
standards customers/organizations use. There are many cloud computing
standards bodies and currently there is no ‘one dedicated’ cloud standard. It
remains to be seen if this will be addressed in the future (Hon, Millard and
Walden, 2012; Tong, Nguyen, Jaatun, 2012).
The CSCC’s website advises they are an end user advocacy group
(http://www.cloud-council.org/about-us.htm) and their board of directors is made
up of a mix of providers and organizations. However, review of some of their
documents, in particular, Public Cloud Service Agreements; What to Expect and
What to Negotiate, reveals contract clause recommendations that are somewhat
provider focused (Appendix A - D; p. 25 to 29). In light of this potential conflict,
the documents the CSCC provides are very helpful for both organizations and
cloud providers in understanding cloud services, the related risks and areas to
consider for negotiation in cloud service agreements.
The CSA’s website advises they are a “not-for-profit organization with a mission
to promote the use of best practices for providing security assurance within Cloud
Computing, and to provide education on the uses of Cloud Computing to help
secure all other forms of computing”. The Cloud Security Alliance is led by
industry practitioners, corporations and associations.
The NIST is an agency of the U.S. Department of Commerce that works with
industry to develop and apply technology, measurements, and standards. The
NIST’s goals are to promote economic growth, science and information, and
environmental stewardship in the US. Their economic growth sub-goals include
innovation, entrepreneurship market development, commercialization, trade
promotion and compliance.
contract terms and conditions (Sheppard, 2015).
Canada has been slow to develop a cloud computing direction and cloud
computing contract documents and is lagging behind the US. This may
hinder uptake by public organizations that are anxious to incorporate cloud
services. This can also keep cloud regulations and standards from moving
forward. The Canadian Government's goal is to have a strategy in place by this
summer, which remains to be seen.
Research revealed there are many risks associated with cloud computing and
that some of the risks might be alleviated thru contract negotiation and by
incorporating cloud specific clauses into the contract and SLA between the cloud
service provider and the organization. The following section provides
recommendations to organizations considering moving to ‘cloud’ services.
5. RECOMMENDATIONS AND CONCLUSION
5.1 Recommendations
5.1.1 Overview
There are many risks associated with cloud computing; however, as summarized
in section 3.4 of the literature review, organizations feel the rewards of lower cost
and service flexibility outweigh the risks of moving to a cloud environment. As per
section 3.6, some of the risks might be alleviated through contract negotiation and by
incorporating ‘cloud’ specific clauses into the contract and SLA between the cloud
service provider and the customer/organization.
The final recommendations are a result of the findings from the literature review
and from personal experience and observations. The following cloud computing
risk mitigation contracting strategies will be presented in this section:
• IT and Purchasing should perform due diligence to mitigate the risks at the
pre-contract stage,
• Cloud specific contract terms/clauses and SLA metrics need to be
incorporated into cloud contracts to mitigate risks and a recommended
framework of key contract terms/clauses and SLA metrics will be
presented,
• Purchasing, Legal and IT need to negotiate the key contract terms/clauses,
and
• There are themes, management models that are important for successful
contracting.
5.1.3 Recommended Framework of Cloud Specific Contract Clauses
Recommended Cloud Computing Contract Assessment Framework (columns: Major Issues for Cloud Contracts; Description of Specific Elements)
& process, audit process
• Disposition of Data Upon Termination: data provision process, obligation to transfer, common data format, data conversion, destruction authority, audit process
• Data Breaches: notification process (method & timelines), vendor obligations (steps if breach occurs), organization’s obligations, indemnification, remediation/penalties
• Data Storage Location: physical data storage requirements, data segregation requirements
• Litigation Holds: metadata/imaging, legal cooperation clause, data preservation/media preservation, cost allocation, redaction process, data provision process
• Public Records Requests (FOIA Requests): data provision process – jurisdiction specific, e.g. BC’s is FIPPA
11. Terms and Conditions Modification: • Notice of Modification of any and all terms and conditions
The SLA metric, parameter and metric rule should be customized for specific
cloud service being contracted. NIST’s Cloud Computing Service Metrics
Description document (2015) is currently being drafted and will be a great
resource for organizations.
5.1.5 Negotiation
Purchasing best practices include planning a negotiation strategy with internal
clients and IT (Goudreault, 2014; Deloitte, 2013). Tufts and Weiss (2013)
identified an approach to successful negotiations starting with the need for
organizations to identify the contract term ‘must haves' and having a back up plan
of a second choice vendor, in case the provider won’t meet the organization’s
needs. As competition in the marketplace increases, cloud providers are
becoming more willing to negotiate contract terms with organizations (Bradshaw,
Millard & Walden, 2011).
5.1.6 Themes for Successful Contracting
Organizations need to take advantage of management models that will lead to
successful contracting including:
Governance and SaaS strategies, project management techniques and tools
(continuous improvement), and purchasing best practices, including ongoing
contract and vendor performance management. In addition, knowledge, trust,
human capital and communication are key to successful contracting. These apply
to all contracts, not just cloud computing, and are necessary for successful
provider selection, contract negotiation and contract execution for ongoing service
delivery to meet the business needs of the organization. Section 3.8 provided
details on the various themes mentioned.
5.2 Conclusion
5.2.1 Relevance & goal of this applied project
The goal of this applied project was to:
a) Identify key risks of moving to a cloud environment for Software as a
Service (SaaS),
b) Summarize the key contract terms/clauses and SLA metrics that might
mitigate those risks,
c) Develop a proposed checklist or framework of key contract terms/clauses
and SLA metrics for use by organizations, and
d) Highlight any other themes important for successful contracting.
The research confirmed there are many risks associated with cloud computing,
particularly with respect to data security and privacy risks and regulatory and
privacy compliance. This paper analyzed the critical risks associated with cloud
computing and identified and presented a framework of key contract terms and
SLA metrics organizations need to negotiate into cloud contracts to mitigate these
risks. The framework of key clauses provides organizations with a checklist of
cloud specific clauses to include in the contract in order to protect their best
interests from a business and legal contracting perspective.
The paper also highlighted themes important for successful negotiation of cloud
computing contracts including: governance, SaaS strategy, project management,
(operations improvement, project planning, continuous improvement, benefits
realization), purchasing best practices, and vendor performance management. In
addition, knowledge, trust, human capital and communication are key to
successful contracting. These themes apply to all contracts, not only for cloud
services, and are necessary for successful provider selection, contract
negotiation and contract implementation for ongoing service delivery to meet the
business needs of the organization.
need to move to the cloud and collaborated their requirements to improve their
buying power.
Cloud computing technology is enabling a significant shift in an organization's
technology business model (Aleem & Sprott, 2012; Samani, Honan & Reavis,
2015). Cloud service offerings and the industry continue to evolve at a fast pace
and, as per Aleem and Sprott (2013), “Cloud services are expected to drive IT
industry growth for the next 25 years” (p. 21). Gartner (2014) reported that by
2015 50% of all new independent software vendors will be SaaS providers and
that by 2016 many organizations will be using some form of ‘cloud’ services.
Therefore, organizations need to stay on top of market trends, the type of model
in which services are being offered, any new ‘cloud’ market entrants and the
evolution of cloud standards, regulations, legislation and cloud-specific contract
documents.
5.2.5 Limitations
Few of the articles researched spoke to ‘cloud’ specific procurement strategies, and they did
not reveal any recommended cloud contract templates. The majority of articles
were from an IT and legal perspective. The suggested cloud contract terms
and/or clauses were from legal firms' perspective, with the exception of the
framework presented by Tufts and Weiss (2013). These authors are academics
with the University of Carolina and presented their recommendations from a
business view versus strictly a legal perspective.
Further research might reveal a similar framework of key cloud specific contract
clauses and SLA metrics that could be developed for IaaS and PaaS cloud
service models. In addition, organizations need to stay on top of recent
developments with respect to privacy legislation and/or regulations within their
jurisdiction and ensure cloud providers comply.
6.0 REFERENCES
Aleem, A., & Sprott, C. R. (2013). Let me in the cloud: Analysis of the benefit and risk assessment of cloud platform. Journal of Financial Crime, 20(1), 6-24. Retrieved from: http://0-search.proquest.com.aupac.lib.athabascau.ca/docview/1242242133?accountid=8408
Alhamad, M., Dillon, T., & Chang, E. (2010). Conceptual SLA framework for cloud computing. Digital Ecosystems and Business Intelligence Institute (DEBII). Retrieved from: http://dx.doi.org/10.1109/DEST.2010.5610586
Baset, S. A. (2012). Cloud SLAs: present and future. ACM SIGOPS Operating Systems Review, 46(2), 57-66. Retrieved from: https://scholar.google.ca
Bean, L. (2009). Cloud computing: what internal auditors need to know. Internal Auditing, 24(5), 34-38. Retrieved from ABI/Inform database (ProQuest document ID 214387723) from: http://proquest.umi.com/pqdweb
Blinsky, D. (2013). Practice resource: Cloud computing checklist. The Law Society of British Columbia. Retrieved from: www.lawsociety.bc.ca
Bradshaw, S., Millard, C., & Walden, I. (2011). Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services. International Journal of Law & Information Technology, 19(3), 187-223. Retrieved from: http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=iih&AN=64112914&site=eds-live
Carcary, M., Doherty, E., & Conway, G. (2013). The adoption of cloud computing by Irish SMEs - an exploratory study. Electronic Journal of Information Systems Evaluation, 16(4), 258-269. Retrieved from: http://0-search.proquest.com.aupac.lib.athabascau.ca/docview/1521023374?accountid=8408
Cloud Security Alliance (2011). Security Guidance for Critical Areas of Focus in Cloud Computing v. 3.0. Retrieved from: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
Cloud Security Alliance (2015). Blog page: Anthem’s breach and the ubiquity of compromised credentials. Retrieved from: https://blog.cloudsecurityalliance.org/2015/02/09/not-alone-92-companies-share-anthems-vulnerability/
Cloud Security Alliance (2015). Blog page: Top security questions to ask your cloud providers. Retrieved from: https://blog.cloudsecurityalliance.org/2014/02/06/top-security-questions-to-ask-your-cloud-provider/
Forrester Research Inc. (2014). TechRadar: Software-as-a-service, Q1 2014. Retrieved from WorkSafeBC's intranet purchasing site.
Forrester Research Inc. (2015). Be aware of these sourcing trends for managed services and cloud. Retrieved from WorkSafeBC's intranet purchasing site.
Gartner. (2014, October). Gartner identifies the top 10 strategic technology trends. Retrieved from http://www.gartner.co/newsroom/id/2867917
Gilbert, F. (2010). Cloud service contracts may be fluffy: Selected legal issues to consider before taking off. Journal of Internet Law, 14(6), 1-30. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=bth&AN=55528463&site=eds-live
Green, K. B., & Green, B. P. (2014). Reining in the risks of cloud computing. Internal Auditing, 29(5), 29-35. Retrieved from ABI/Inform database (ProQuest document ID 1626831802): http://0-search.proquest.com.aupac.lib.athabascau.ca/docview/1626831802?accountid=8408
Gupta, U. (2011). Cloud computing: 5 topics for the boss: Data protection, cost are two key items. Retrieved from http://www.inforisktoday.com/cloud-computing-5-topics-for-boss-a-3554
Hon, W. K., Millard, C., & Walden, I. (2012). Negotiating cloud contracts: Looking at clouds from both sides now. Stanford Technology Law Review, 16, 81; Queen Mary School of Law Legal Studies Research Paper No. 117/2012. Retrieved from SSRN: http://dx.doi.org/10.2139/ssrn.2055199
Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: A practical framework for managing cloud computing risk, part I. Intellectual Property & Technology Law Journal, 25(3), 7-18. Retrieved from http://search.proquest.com/docview/1322734722?accountid=8408
Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: A practical framework for managing cloud computing risk, part II. Intellectual Property & Technology Law Journal, 25(4), 19-27. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&AuthType=url,ip,uid&db=iih&AN=86273408&site=ehost-live
Krutz, R. L., Vines, R. D., & Brunette, G. (2010). Cloud security: A comprehensive guide to secure cloud computing. Useful next steps and approaches. NJ, USA: John Wiley & Sons. Retrieved from ProQuest ebrary database (ISBN 9780470921449): http://proquest.umi.com/pqdweb
Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud computing: The business perspective. Decision Support Systems, 51(1), 176-189. Retrieved from https://scholar.google.ca
McKendrick, J. (2014, July 28). IBM and Microsoft surge ahead of Amazon in cloud revenues, analysts estimate. Forbes. Retrieved from http://www.forbes.com/sites/joemckendrick/2014/07/28/ibm-microsoft-surge-ahead-of-amazon-in-cloud-revenues-analysts-estimate/
Mell, P., & Grance, T. (2011). The NIST definition of cloud computing (NIST Special Publication 800-145). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
NIST. (2015). Cloud computing service metrics description (NIST Special Publication 500-307, draft). National Institute of Standards and Technology, US Department of Commerce. Retrieved from http://www.nist.gov/itl/cloud/upload/RATAX-CloudServiceMetricsDescription-DRAFT-20141111.pdf
Nanath, K., & Pillai, R. (2013). A model for cost-benefit analysis of cloud computing. Journal of International Technology and Information Management, 22(3), 95-II. Retrieved from ABI/Inform database (ProQuest document ID 1522799222): http://proquest.umi.com/pqdweb
Noble Foster, T. (2013). Navigating through the fog of cloud computing contracts. ExpressO. Retrieved from http://0-works.bepress.com.aupac.lib.athabascau.ca/tnoble_foster/1
Office of the Information & Privacy Commissioner for BC. (2012). Cloud computing guideline for public bodies. Retrieved from https://www.oipc.bc.ca/search.aspx?SearchTerm=cloud
Paquette, S., Jaeger, P. T., & Wilson, S. C. (2010). Identifying the security risks associated with governmental use of cloud computing. Government Information Quarterly, 27(3), 245-253. Retrieved from http://0-dx.doi.org.aupac.lib.athabascau.ca/10.1016/j.giq.2010.01.002
Samani, R., Honan, B., & Reavis, J. (2015). CSA guide to cloud computing: Implementing cloud privacy and security. Waltham, MA: Syngress, an imprint of Elsevier. doi:10.1016/B978-0-12-420125-5.09001-4
Sangroya, A., Kumar, Dhok, J., & Varma, V. (2010). Toward analyzing data security risks in cloud computing environments. Information Systems, Technology and Management, Volume 54 (ISBN 978-3-642-12034-3). Retrieved from https://scholar.google.ca
Scott, R. J. (2014). Contract corner. Licensing Journal, 34(2), 21. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=bth&AN=94445027&site=eds-live
Simon, T. (2003). What is benefit realization? The Public Manager, 32(4), 59-60. Business Insights: Essentials. Retrieved from http://0-bi.galegroup.com.aupac.lib.athabascau.ca/essentials/article/GALE%7CA119744207/60a5895fae2166b7070f555f401fee83?u=atha49011
Slack, N., Chambers, S., & Johnson, R. (2010). Operations management. Essex, England: Pearson Education Limited.
Stamou, A., Morin, J. H., Gateau, B., & Aubert, J. (2012). Service level agreements as a service: Towards security risks aware SLA management. Retrieved from https://scholar.google.ca
Tong, C., Nguyen, S. T., & Jaatun, M. G. (2012). Beyond lightning: A survey on security challenges in cloud computing. Computers & Electrical Engineering, 39(1), 47-54. doi:10.1016/j.compeleceng.2012.04.015
Tufts, S. H., & Weiss, M. L. (2014). Cloudy with a chance of success: Contracting for the cloud in government. Center for The Business of Government. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=edsssb&AN=edsssb.bkg00062755&site=eds-live
Zielinski, D. (2009). Be clear on cloud computing contracts. HRMagazine, 54(11), 63-65. Retrieved from ABI/Inform database (ProQuest document ID 205042081): http://proquest.umi.com/pqdweb
Ouedraogo, M., & Mouratidis, H. (2013). Selecting a cloud service provider in the age of cybercrime. Retrieved from http://0-eds.b.ebscohost.com.aupac.lib.athabascau.ca/ehost/pdfviewer/pdfviewer?sid=2ef5746a-9816-49b3-9edc-de8b5fc0a186%40sessionmgr115&vid=1&hid=117
APPENDIX A - SAMPLE CLAUSES
As per Kalyvas, Overly and Karlyn (2013), the following sample clauses are recommended for managing cloud risk in the areas of data security, data redundancy and data conversion (pp. 20-22).
a. In General. Provider will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Customer Information (1) that are at least equal to industry standards for such types of locations, (2) that are in accordance with reasonable Customer security requirements, and (3) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access of Customer Information and all other data owned by Customer and accessible by Provider under this Agreement.
c. Security Audits. During the Term, Customer or its third party designee may, but is not obligated to, perform audits of the Provider environment, including unannounced penetration and security tests, as it relates to the receipt, maintenance, use, or retention of Customer Information. Any of Customer’s regulators shall have the same right upon request. Provider agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes.
Provider will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time).
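The redundancy clause above pins down a schedule that a customer can verify rather than take on trust: nightly full database backups, transaction log backups every 30 minutes, off-site replication, and 14 retained nightlies. The following is an added example, written for this page and not code from the paper or from Kalyvas, Overly and Karlyn, showing how an auditor could check a provider's backup inventory against items (i)(A), (i)(B), (ii) and (iii) of that clause. The Backup record shape, the location labels, the five-minute grace on the log-backup interval and the constructed inventory are assumptions for illustration; a real audit would read the inventory from the provider's backup catalogue or from the reports the contract entitles the customer to receive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds transcribed from the clause; the constant names are this example's own.
LOG_BACKUP_INTERVAL = timedelta(minutes=30)   # "(B) ... every 30 minutes"
LOG_BACKUP_GRACE = timedelta(minutes=5)       # assumption: tolerate scheduler jitter
NIGHTLY_RETENTION = 14                        # "(iii) the last 14 nightly database backups"


@dataclass(frozen=True)
class Backup:
    """One entry in a provider's backup inventory (assumed record shape)."""
    kind: str            # "db_full" | "db_log" | "path_full" | "path_incr"
    taken_at: datetime
    location: str        # "primary" (backup server) | "offsite" | "transfer"


def audit_backups(inventory: List[Backup], now: datetime) -> Dict[str, List[str]]:
    """Check an inventory against clause items (i)(A), (i)(B), (ii) and (iii).

    Returns findings keyed by clause item; an empty list means the item is met
    for the 24-hour window ending at `now`.
    """
    findings: Dict[str, List[str]] = {"i.A": [], "i.B": [], "ii": [], "iii": []}
    day_ago = now - timedelta(hours=24)

    # (i)(A) a nightly full database backup must have landed on the backup server
    nightlies = sorted(b.taken_at for b in inventory
                       if b.kind == "db_full" and b.location == "primary")
    if not any(t >= day_ago for t in nightlies):
        findings["i.A"].append("no full database backup in the last 24 hours")

    # (i)(B) log backups every 30 minutes: any gap longer than interval + grace is
    # unprotected data, so walk the timeline from day_ago to now looking for holes
    logs = sorted(b.taken_at for b in inventory
                  if b.kind == "db_log" and b.location == "primary"
                  and b.taken_at >= day_ago)
    timeline = [day_ago] + logs + [now]
    for prev, cur in zip(timeline, timeline[1:]):
        gap = cur - prev
        if gap > LOG_BACKUP_INTERVAL + LOG_BACKUP_GRACE:
            findings["i.B"].append(
                f"{int(gap.total_seconds() // 60)} min without a log backup "
                f"between {prev:%Y-%m-%d %H:%M} and {cur:%Y-%m-%d %H:%M}")

    # (ii) every nightly full backup must also exist at the off-site location
    offsite = {b.taken_at for b in inventory
               if b.kind == "db_full" and b.location == "offsite"}
    for t in nightlies:
        if t not in offsite:
            findings["ii"].append(f"full backup of {t:%Y-%m-%d} has no off-site replica")

    # (iii) the secure transfer server must hold the last 14 nightly full backups
    retained = {b.taken_at.date() for b in inventory
                if b.kind == "db_full" and b.location == "transfer"}
    if len(retained) < NIGHTLY_RETENTION:
        findings["iii"].append(
            f"only {len(retained)} nightly backups retained, clause requires {NIGHTLY_RETENTION}")
    return findings


def sample_inventory(now: datetime) -> List[Backup]:
    """Constructed inventory (not real provider data) with two deliberate defects:
    a two-hour hole in the log backups and one nightly that was never replicated."""
    inv: List[Backup] = []
    for d in range(NIGHTLY_RETENTION):
        night = now.replace(hour=2, minute=0, second=0, microsecond=0) - timedelta(days=d)
        inv.append(Backup("db_full", night, "primary"))
        inv.append(Backup("db_full", night, "transfer"))
        if d != 3:  # defect: the backup from four nights ago was not replicated off-site
            inv.append(Backup("db_full", night, "offsite"))
    hole_start = now - timedelta(hours=6)
    hole_end = now - timedelta(hours=4, minutes=30)
    slot = now - timedelta(hours=24)
    while slot <= now:
        if not (hole_start <= slot < hole_end):  # defect: three consecutive log backups missing
            inv.append(Backup("db_log", slot, "primary"))
        slot += LOG_BACKUP_INTERVAL
    return inv


def run_demo() -> Dict[str, List[str]]:
    """Audit the constructed inventory against a fixed clock so the result is reproducible."""
    now = datetime(2015, 4, 15, 9, 0)
    return audit_backups(sample_inventory(now), now)


if __name__ == "__main__":
    for item, problems in run_demo().items():
        print(f"clause ({item}): {'OK' if not problems else '; '.join(problems)}")
```

Running it reports the two planted defects: a 120-minute gap in the transaction log backups, which is a recovery-point breach under item (i)(B), and one nightly backup with no off-site copy under item (ii); items (i)(A) and (iii) come back clean. Fed with real inventory data on a schedule, a check like this turns the audit right in clause c into a routine control rather than something exercised only after an incident.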
APPENDIX B
Bernsmed et al. (2011), as cited by Tong, Nguyen and Jaatun (2012), presented a framework for security mechanisms in service level agreements in cloud computing at an international conference on cloud computing and services in 2011.