
Cloud Computing:

Risk Mitigation Strategies from a Contracting Perspective

By: Kathy English

AP Supervisor: Dr. Anshuman Khare

April 2015

ABSTRACT

Cloud computing services have become one of the top technology trends and the
industry continues to evolve at a fast pace. Organizations should take advantage
of the lower costs, efficiency and scalability of cloud computing where it is a fit for
their business. Prior to moving to a ‘cloud’ environment, organizations need to
understand the business and legal risks associated with cloud computing services
and have strategies in place to mitigate those risks.

The purpose of this conceptual paper was to identify risk mitigation strategies for
organizations entering into contracts with cloud services providers. This
conceptual paper is a comprehensive review of secondary sources of literature.
It begins with a brief background and the current status of cloud contracting in
Canada and the US, followed by a review of the rewards and risks of cloud
computing, and then identifies risk mitigation strategies through negotiation of key
contract terms and customer-focused SLAs. The intent of the research was to
identify the critical contract clauses and terms needed to mitigate risks as
organizations move to a cloud environment.

The research confirmed there are many risks associated with cloud computing,
particularly with respect to data security and privacy risks and regulatory and
privacy compliance. This paper analyzed the critical risks associated with cloud
computing and identified and presented a framework of key contract terms and
SLA metrics that organizations should negotiate and incorporate into the overall
contract with SaaS cloud service providers to mitigate these risks. The
framework of key terms provides organizations with a checklist of cloud-specific
clauses to include in the contract in order to protect their interests from a
business and legal contracting perspective. The majority of current contracts are
the cloud provider’s standard agreements; therefore, negotiation is essential for
cloud computing contracts. This paper also explored management themes
important for successful negotiation of cloud services contracts, which included
governance and SaaS strategy, project management, purchasing best practices,
and vendor performance management.

Organizations can mitigate the risks associated with contracting for cloud
computing services. Key findings identified from the research included:
1. IT and Purchasing should perform due diligence to mitigate the risks at the
pre-contract stage;
2. Cloud-specific contract terms and SLA metrics should be incorporated into
cloud services contracts, and a recommended framework of key cloud-specific
contract terms and SLA metrics was presented; and
3. Purchasing, Legal and IT need to negotiate the key contract terms and
clauses. Providers are becoming more willing to accept some of the risks
and are starting to work with organizations to negotiate mutually
acceptable contract terms.

TABLE OF CONTENTS
Acronyms

1.0 INTRODUCTION 5

1.1 Background & Significance 5


1.2 Research Design 6

2.0 RESEARCH PURPOSE AND QUESTIONS 8

2.1 Audience 8
2.2 Purpose 8
2.3 Assumptions 8
2.4 Research Questions 9

3.0 LITERATURE REVIEW 14

3.1 Background of Cloud Computing 14


3.2 Cloud Computing Rewards 16
3.3 Cloud Computing Risks 18
3.4 Summary of Main Rewards and Risks 23
3.5 Risk Mitigation from IT, Legal and Purchasing Perspectives 24
3.6 Key Contract Terms & SLA Metrics to Mitigate Risks 29
3.7 Negotiation 37
3.8 Themes For Successful Contracting 38
3.9 Literature Review Summary 43

4.0 ANALYSIS 44

4.1 Resources 44
4.2 Current State of Government Cloud Contracting in Canada 45
4.3 Overview of Resources 46

5.0 RECOMMENDATIONS & CONCLUSION 47

5.1 Recommendations 47
5.2 Conclusion 53

6.0 REFERENCES 55
APPENDIX A: SAMPLE CLAUSES 62
APPENDIX B: FRAMEWORK FOR SECURITY MECHANISMS FOR CLOUD SLAs 64

ACRONYMS

Cloud and cloud computing are used interchangeably

CSP - Cloud Service Providers- the business that offers cloud services

CSA - Cloud Security Alliance

CSCC - Cloud Standards Customer Council

CSM - Cloud Services Metric

Elastic - indicates the scaling can be done rapidly in response to changes in
demand (Bradshaw, Millard & Walden, 2011)

FIPPA - Freedom of Information and Privacy Protection Act

IaaS - Infrastructure as a Service

ISO - International Standards Organization

ISO 27001 - defines specific information security requirements that apply to
providers and flow down to their sub-contractors.

KPIs - Key Performance Indicators

NIST - National Institute of Standards and Technology

Organization and/or Customer - the business that is purchasing cloud services

PaaS - Platform as a Service

SaaS - Software as a Service

SAS70 - Statement on Auditing Standards

SSAE16 - Statement on Standards for Attestation Engagements (update to SAS
70 auditing requirements)

Scalable/Scalability - amount of computing capacity that can be varied according
to the customer’s needs

1.0 INTRODUCTION

1.1 Background & Significance


Many organizations are moving from in-house, on-premise computer services
and systems to ‘renting’ computer hardware, data storage space and software in
a ‘cloud’ environment. The characteristics of cloud computing include:
• Delivery of services over the internet;
• Software, platform and infrastructure resources provided as services (SaaS,
PaaS and IaaS);
• Scalability on demand; and
• Utility or subscription billing (e.g. payment based on actual usage)
(Kalyvas, Overly & Karlyn, 2013).

As per Carcary, Doherty and Conway (2013), by 2011 cloud computing was the
main technology priority for organizations. Gartner (2014) recently identified
cloud computing as one of the ‘Top 10 Strategic Technology Trends for 2015’.
Gartner, as cited by Kalyvas, Overly and Karlyn (2013), predicted cloud
computing revenue would surpass $14 billion by 2013 (p. 7).

Amazon describes cloud services as the ‘on-demand delivery of IT resources and
applications via the Internet with pay-as-you-go pricing’ (Amazon Web Services
(AWS), 2015). Cloud services are sometimes described as being similar to
electricity, where the services are considered pooled resources. Customers pay
as the services are needed (Bean, 2009; Freedman & Gervais, 2011). The main
pressures to move IT environments are the reduced cost and increased efficiency
of using on-demand delivery of IT services (Shaw, 2011).

However, there are many risks associated with moving to a cloud environment.
In cloud computing, data is placed online, in the hands of third parties, and this
leads to security, governance, lack of control over service availability and privacy
risks (K.B. Green & B.P. Green, 2014; Aleem & Sprott, 2013).

IT environment changes are taking place at a fast pace, and there is a lack of
maturity in the market due to this newer service model and the small number of
providers (Betcher, 2010). Organizations lack experience incorporating cloud
environments from both a technology and a contracting perspective.
Organizations, both private and public, need to review the risks and mitigate as
many risks as possible.

Cloud service providers are unwilling to accept many of the risks; therefore, many
current contract templates are provider focused (Freedman & Gervais, 2011;
Goudreault, 2014; K.B. Green & B.P. Green, 2014). Aleem and Sprott (2013)
concluded that “SLAs weigh heavily in favour of cloud providers” (p. 15, para 3).

Organizations might mitigate risks through negotiation of contract clauses and
service level agreements (SLAs) and enforcement of the same (Shaw, 2011). The
SLA should set out the mutually agreed (or minimum expected) service levels
from the cloud service provider to the organization. IT, Legal and Purchasing
managers and staff need to work collaboratively toward contract risk mitigation.

Note: If organizations already have cloud agreements in place, lessons learned
could be applied to future cloud contract negotiations, and key contract clauses
identified and modified where appropriate.

1.2 Research Design


1.2.1 Conceptual Paper
This conceptual paper was a comprehensive review of literature on ‘cloud’
computing for SaaS, its rewards and risks, and risk mitigation through negotiation
of key contract terms and customer-focused SLAs. The research was from an IT
system and infrastructure perspective, including security, data breach and
performance risks, with the main focus being on risk mitigation from a Purchasing
and Legal contract perspective. Cloud computing technology is a newer service
offering in an emerging market; therefore, the literature review covered the
last 5 years.

This research paper focused on the key risks and risk mitigation for delivery of
cloud software services (SaaS) from a contracting perspective. The resulting
recommended checklist/framework of contract terms and SLA metrics should be
considered when negotiating the final contract with the cloud services provider.

Management themes important for successful negotiation and implementation of
cloud computing contracts were also explored, including governance, SaaS
strategy, project management, purchasing best practices and vendor
performance management. In addition, knowledge, trust, human capital and
communication were reviewed.

1.2.2 Key word search included:

Cloud Computing
- Business risks,
- Legal risks,
- Risks vs. rewards,
- Risk mitigation (mitigating risks),
- Security breaches,
- Service Level Agreements (SLAs), and
- Contract terms and vendor management.

1.2.3 Information and Sources of Data included:

Websites:
• Google Scholar,
• Athabasca Library – ABI/Inform and Business Source sites,
• IT industry standard websites, such as CSCC, CSA and NIST,
• Legal standards/Law Society of BC,
• Provincial and Federal Government websites,
• White papers: Deloitte, Forrester and KPMG (consulting/research firms),
• Cloud-related blogs and posts, and
• Amazon/Microsoft – review of providers’ service level agreements.

Other sources: Company documents/papers:
• WorkSafeBC’s SaaS procurement guidelines document,
• Public Procurement Managers group - as part of regular business practice,
BC public entities (provincial government and crown corporations) meet
quarterly and share information. The quarterly meeting was not held
during the research review; therefore, information from this group was not
included in this paper.

The secondary sources of data analyzed included the literature review (journals,
articles, books), consulting and research advisory white papers, IT industry
standard websites, cloud computing related magazine articles and blogs,
government and legal standards websites, and company documents.

1.2.4 Management Models/Frameworks


This research paper primarily fits in the operations management, project
management and supply chain management/purchasing domains. These
domains are covered in Section 3.8, Themes for Successful Contracting.

2.0 RESEARCH PURPOSE AND QUESTIONS

2.1 Audience
Cloud computing is an organizational strategy that impacts a large number of
stakeholders who may be directly involved in, or will be affected by, this newer
service model. There needs to be an overall governance document, and internal
end users will need to be trained and made aware of the risks associated with
cloud computing. In addition to governance and training, organizations need to
mitigate the risks associated with moving IT services to a cloud environment.
The focus of this paper is on mitigating risks from a contracting perspective;
therefore, the immediate audience is Purchasing, Legal and IT Managers.

2.2 Purpose
The goal of this applied project is to:
a) Identify key risks of moving to a cloud environment for Software as a
Service (SaaS);
b) Summarize the key contract terms/clauses and SLA metrics that might
mitigate those risks;
c) Develop a proposed checklist or framework of key contract terms/clauses
and SLA metrics for use by organizations; and
d) Highlight any other themes important for successful contracting.

The checklist or framework of contract terms/clauses and SLA metrics will
highlight the key clauses and SLA metrics organizations need to consider in
contracts with cloud providers. Organizations need to understand the importance
of including cloud-specific terms in contracts with cloud service providers. The
contract must protect the organization’s best interests from a business and legal
contracting perspective. The recommendations will be a result of the literature
review and of personal experience and observations.

The purpose of this conceptual research paper is to:
• Explain what cloud computing is;
• Review the relevant literature regarding the rewards and risks of moving IT
systems to a cloud computing environment for software services;
• Focus on key contract terms/clauses and SLA-specific literature (past 5-7
years) related to mitigating those risks; and
• Identify themes important for successful contracting.

As per Wiseman (2014), “Provincially and municipally, there have been a few
examples of adoption of cloud services” in Canada (para. 6). Therefore, the
research will include public organizations outside of Canada and private
organizations within and outside of Canada.

2.3 Assumptions
For the purposes of this research, the assumption is made that organizations
have made the decision to move to cloud computing services; cloud computing is
included in the organization’s overall strategic plan and aligned with the IT and
Purchasing departments’ objectives. Therefore, only the critical risks will be
analyzed, and the focus of this research will be risk mitigation from a contracting
perspective.

2.4 Research Questions

The following questions explore cloud computing and key risk mitigation
strategies from a contracting perspective.

2.4.1 What is cloud computing?

.1 One of the most cited definitions is from Mell and Grance (2011) of the
National Institute of Standards and Technology (NIST), who define cloud computing
as: “… a model for enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction” (p. 2).

Another commonly cited definition is from Gartner (2010), who stated, “Cloud is a
style of computing where scalable and elastic IT-related capabilities are provided
as a service to external customers using Internet technologies.” The definition
then expands to include the rewards and risks associated with cloud computing.

As per Freedman and Gervais (2011), “cloud computing is a new strategic
technology opportunity for business” (para. 1). Organizations can outsource
their IT function and focus on their core competencies. Cloud computing is
similar to outsourcing: IT processes are handed over to a third-party service
provider.

.2 Service models: There are three types of infrastructure service models for
cloud services, namely, Software as a Service (SaaS), Platform as a Service
(PaaS) and Infrastructure as a Service (IaaS). These service models have
different strengths and are chosen by organizations based on their business
objectives. As per Mell and Grance (2011, p. 2) the service models are described
as follows:

“SaaS: The capability provided to customers to use the provider’s applications
running on a cloud infrastructure. The applications are accessible from various
client devices such as a Web browser or program interface. The consumer does
not manage or control the underlying cloud infrastructure including network,
servers, operating systems, storage, or even individual application capabilities,
with the possible exception of limited user-specific application configuration
settings.

PaaS: The capability provided to customers to deploy onto the cloud
infrastructure consumer-created or acquired applications, created using
programming languages and tools supported by the provider. The customer
does not manage or control the underlying cloud infrastructure including
network, servers, operating systems, or storage, but has control over the
deployed applications and possibly application hosting environment
configurations.

IaaS: The capability provided to customers to provision processing, storage,
networks, and other fundamental computing resources where the consumer is
able to deploy and run arbitrary software, which can include operating systems
and applications. The consumer does not manage or control the underlying cloud
infrastructure but has control over operating systems, storage, deployed
applications; and possibly limited control of select networking components (e.g.,
host firewalls)” (p. 2). This paper will focus on a SaaS service delivery model.

.3 Deployment models: There are four cloud deployment models, which are,
Private, Community, Public, and Hybrid. As per Mell and Grance (2011, p. 3) the
deployment models are described as follows:

“Private cloud. The cloud infrastructure is for exclusive use by a single
organization. It may be owned, managed, and operated by the organization or a
third party, and it may exist on or off premise.

Community cloud. The cloud infrastructure is shared by several
organizations that have common concerns, a community of consumers with
shared concerns (e.g., mission, security requirements, policy, and compliance
considerations). It may be owned, managed, and operated by the organizations
or a third party, or a combination of them, and it may exist on or off premises.

Public cloud. The cloud infrastructure is made available for use by the general
public and is owned by an organization selling cloud services and its resources
are sold to the public. It exists on the premises of the cloud provider.

Hybrid cloud. The cloud infrastructure is a composition of two or more cloud
infrastructures (private, community, or public) that remain unique entities, but are
bound together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between clouds).”

Figure 1. Visual Model of NIST’s Definition of Cloud Computing

2.4.2 What are the rewards and risks associated with the ‘cloud’?

The main rewards of moving IT environments to cloud-based services include
lower costs, scalability (flexible capacity), and efficiency (Shaw, 2011; NIST,
2011; Kalyvas, Overly and Karlyn, 2013). Cloud computing allows organizations
to reduce costs. In a cloud environment organizations do not have to purchase
hardware or infrastructure to set up the IT systems, and they do not have to pay
for software upgrades or maintenance fees. A cloud service provider’s goal is to
have a large pool of customers to create economies of scale, which can allow
them to pass lower costs on to their customers (AWS, 2015).

Aleem and Sprott (2013) identified the top three (3) risks as security and
privacy, lack of control of service availability (performance), and governance.
Other important risks to consider are business continuity and reputation risks.
The following literature review will examine risks using these three (3) risk
categories.

Many organizations are moving to, or are considering moving to, cloud services to
take advantage of lower cost and service flexibility (Kalyvas, Overly and Karlyn,
2013, p. 9); however, organizations need to effectively balance the risks and
rewards.

2.4.3 How can risks be mitigated from IT, Legal and Purchasing
perspectives?

Risks can be mitigated during various stages, from selection of the cloud service
provider, prior to signing the contract and post contract award:
• Due Diligence Stage (provider selection);
• Business, Legal and Regulatory Risk Mitigation Stage (negotiation of
contract terms and conditions including SLA metrics); and
• Vendor Performance Management - onboarding, during and post contract
term, meetings for review of SLA metrics, audits, communication, change
in personnel (security checks).

2.4.4 What are the key contract terms and the SLA metrics organizations
should negotiate into agreements to mitigate risks?

This paper explores the key contract terms and SLA metrics that might mitigate
risks in contracting with cloud service providers. There are four (4) parts that
make up a cloud service agreement. They are the standard terms and
conditions (standard contract template), the privacy agreement and user
acceptance policy (UAP), which are usually attached to the standard terms and
conditions, and the SLA.

.1 Standard Contract Templates

Many organizations have standard contract templates containing service terms
and conditions. Internal or external legal counsel have usually vetted the standard
service terms and conditions. Existing contract template clauses need to be
reviewed and modified to be cloud-service specific, where applicable. In addition,
new cloud-specific clauses should be considered in order to protect the
organization’s interests.

Service contracts usually include privacy agreements specific to the services
being provided, and these are often a customized attachment to the main contract.
Most cloud contracts also include a User Acceptance Policy (UAP) as an
attachment to the contract. UAPs detail the permitted (or the unacceptable) uses
of the service (Bradshaw, Millard & Walden, 2011, p. 192).

.2 Service Level Agreements (SLA)

Some researchers refer to the SLA as the contract, while others refer to it as a
sub-agreement to the main contract. For the purposes of this paper, the SLA will
be the service level agreement and will be considered a sub-agreement to the
main contract. As per Alhamad, Dhillon and Chang (2010), the SLA describes
the services in a form that can be measured and reported on, and is the
provider’s guarantee to deliver the services by the method and within the timelines
promised. SLAs should also include the steps and remedies to be followed if any
service level guarantee violations occur. Noble Foster (2013) advised that there
are many types of cloud SLAs in use and that only some have common elements,
measures or language among them.

Based on the research and analysis, a recommended contract terms checklist or
framework will be presented that is intended to capture:
• Key standard contract terms/clauses that need to be customized/modified
to reflect cloud services,
• New clauses that should be considered, and
• SLA metrics for SaaS contracts.

In addition, management themes important for successful contracting with cloud
service providers, pre and post contract execution, will be presented.

3.0 LITERATURE REVIEW

The literature review will begin with the background of cloud computing and the
current state of Canadian and US government cloud computing contracting. The
review then examines three (3) areas: the rewards and risks associated with
cloud computing, risk mitigation strategies from IT, Legal and Purchasing
perspectives, and the key contract terms and SLA metrics to be considered when
negotiating contracts with cloud providers. The scope of the review focuses on
Software as a Service (SaaS) cloud computing.

3.1 Background of Cloud Computing

3.1.1 History
Cloud computing evolved from the implementation of mainframe computers in 1950,
followed by the use of PCs in 1960, private network services in 1990, IT outsourcing
and virtualization in 2000, to the concept of shared/utility computing and ‘as a
service’ models in 2010. The following visual model shows the evolution of cloud
computing:

Figure 2. History and Evolution of Cloud Computing

In 1997 academics started using the term ‘cloud’, and in 2006 the term
entered the public domain when it was used by Google’s CEO (K.B. Green & B.P.
Green, 2014, p. 31). Cloud services initially started with small to medium-size
organizations using public cloud services, and their use has evolved to include
larger organizations over the last few years (Bradshaw, Millard & Walden, 2014).
Tufts and Weiss (2014) advised that cloud computing is becoming more common
for government and public sector entities (p. 9).

3.1.2 Estimated value and growth
Forbes (2014) advised that cloud computing is worth more than $13 billion a year
and that the “total cloud infrastructure services market grew at a pace exceeding 45%
and that the leading cloud infrastructure providers’ growth by 2nd quarter of 2014
was as follows: Microsoft 164%, IBM 86%, Amazon Web Services 49%,
Google 47%, and Salesforce 38%” (para. 9).

Woods, J. (2010), as cited by Green and Green (2014), predicted a 44% growth in
public cloud uptake between 2014 and 2019 and presented a table describing
the future of cloud computing (p. 31):

Figure 3. The Future of Cloud Computing, Statistics and Forecast

Gartner (2014) identified strategic planning assumptions for 2015 to 2017, some
of which included:
“By 2015, 50% of all new application independent software vendors will be pure
SaaS providers, 90% of private cloud deployments will be for infrastructure as a
service and 50% of large global enterprises will rely on external cloud computing
services for at least one of their top 10 revenue-generating processes,
By 2016, all large global enterprises will use some level of public cloud service
most SaaS contracts will include price escalation limitations and the ability to
terminate contracts.

By 2017, over 50% of large SaaS application providers will offer matching
business process services and an integrated platform as a service and 5% of all
IT job turnover will be fallout from poor risk decisions about the use of public,

By 2020, the most common use of cloud services will be hybrid model combining
on-premises and external cloud services” (para. 3).

3.1.3 Current state of government cloud contracting in Canada and the US

Canadian Government: The Government of Canada recently issued a Request
for Information (RFI) requesting that cloud providers respond to questions regarding
strategies for adopting cloud solutions. The RFI closed January 30, 2015, and
responses are currently being reviewed. RFI responses will be used to formulate
a cloud computing strategy for Canada, including the resulting contract terms and
conditions for cloud computing solutions (Sheppard, 2015). The RFI’s Annex C,
Proposed Contract clauses, terms and conditions, invited respondents to review
the proposed terms and provide comments and/or suggestions on the clauses
(Government of Canada, buyandsell.gc.ca).

Canada’s cloud computing strategy will be led by a steering committee that is
made up of Chief Information Officers and legal, communications, and procurement
experts.

US Government: The National Institute of Standards and Technology (NIST), an
agency of the US government, recently published a cloud computing technology
roadmap (NIST SP500-294, 2014). NIST provides a technology leadership
role to “support accelerated US government adoption, as well as leverage the
strengths and resources of government, industry, academia, and standards
organization stakeholders to support cloud computing technology innovation” (p.
ix).

There are many different cloud working groups and standards organizations.
Aleem and Sprott (2013) advised that the Cloud Security Alliance (CSA),
European Network and Information Security Alliance (ENISA) and the NIST are
among the top cloud standards bodies.

The next section of the literature review looks at the rewards and risks of ‘cloud’
computing.

3.2 Cloud Computing Rewards

The main rewards of moving IT environments to cloud-based services include
lower costs, scalability (flexible capacity), and efficiency (Shaw, 2011; NIST, 2011;
Kalyvas, Overly & Karlyn, 2013). Organizations can reduce costs because in a
cloud environment there is a reduction in capital expenditures: organizations do
not have to purchase hardware or infrastructure to set up the IT system, and they
do not have to pay for software upgrades or maintenance fees. Less equipment
means less physical space and fewer personnel to operate the equipment. This means
lower costs related to purchasing, installing and maintaining the software and
hardware, and fewer staff are needed to support the systems (Bradshaw,
Millard & Walden, 2011; Kalyvas, Overly & Karlyn, 2013).

A cloud service provider’s goal is to have a large pool of customers to create
economies of scale, allowing them to pass lower costs on to their customers
(AWS, 2015). Gartner (2010) advised that organizations could save money by
“leveraging a provider’s elastically scalable, varied priced environment.” This pay-
as-you-go model allows customers improved resource utilization (Bean, 2009), as
they can focus on their own core competencies (Freedman & Gervais, 2011).
Scalability allows customers to increase or decrease the IT resources of
hardware, software and platforms on an as-needed basis, confirming the resource
flexibility offered by cloud computing solutions.

In addition to these rewards, Nanath and Pillai (2013) and McKendrick (2011), as
cited by Venters and Whitley (2012), mentioned cloud services’ contribution to
green IT. Bradshaw, Millard and Walden (2011) discussed the power efficiency
of the cloud model of one large data center compared to many single users and
computers, alluding to potential greening and energy savings (p. 189).

Cloud computing can be considered reliable and affordable technology within
most businesses’ reach (Aljabre, 2012). A cost-benefit analysis done by Nanath
and Pillai (2013) concluded that it is profitable for small to medium-size
organizations to move to the cloud, yet not for larger organizations. Aljabre
(2012) also reported that small businesses could ‘reap the most benefits’ based
on using Amazon’s cloud computing services. However, Green and Green
(2014) stated that many large organizations, including government entities, have
started using cloud services as well. They predicted a 44% growth in public cloud
models from 2014 to 2019. Wyld (2009), as cited by Tufts and Weiss (2014),
advised that governments are investigating and are starting to implement ‘cloud
services’.

Forrester (2014), a leading global research firm, reported that business agility
was the ‘top driver for SaaS usage’ in its 2014 Q1 survey (p. 2, para. 4). SaaS
solutions give organizations automatic access to software upgrades, and
this enables IT departments to be more proactive than under previous on-premise
service models. Cloud services give internal and external clients access to up-to-date
products and services more quickly. This business agility adds business value to
IT’s services and the organization as a whole. Zielinski (2009) reported that cloud
computing frees up internal resources’ time, allowing them to spend time on
strategic rather than tactical issues.

In mid 2014 Forbes (2014) reported that IBM became the leader in private and
hybrid infrastructure services. In addition, Forbes (2014) advised that early
adopters of cloud services (pacesetters) use cloud services to connect with
customers in social ways creating customer interaction and feedback enabling
organizations to innovate their products and services more rapidly. This concept
of new service opportunities and markets aligns with the idea of offering
organizations time to focus on core competencies.

Further to the idea of connecting with customers in social ways, the Cloud Standards
Customer Council (2015) recently published a paper on social
business and the social capabilities of the cloud. “Social business is the convergence
of social collaborative capabilities and enterprise business processes” (p. 5, para.
3). Organizations might consider extending the benefits of the cloud and applying
them to their social business in the cloud. This would allow end users to interact
with each other as well as with their customers for improved business outcomes.

3.3 Cloud Computing Risks


Business and Legal Risks
Aleem and Sprott (2013) identified the top three (3) areas of risk as security
and privacy, lack of control of service availability (performance) and
governance. In a cloud model, data is placed in the hands of third parties, which
raises security, privacy, regulatory and compliance issues and creates risk
management issues (Belinsky, 2012). Noble Foster (2013) advised that the
critical areas of risk are data security, privacy and confidentiality. Organizations
essentially give up control over their company’s information (K.B. Green & B.P.
Green, 2014). In addition to these risks, Freedman and Gervais (2011) identified
confidentiality (regulatory), reputation and liability (legal) risks.

The following risks have been categorized under headings based on the top 3
concerns identified by Aleem and Sprott (2013) and a 4th category of ‘other’:

3.3.1 Security and Privacy


Security, Data and Privacy Risks:
Organizations lose ‘control’ over their information (data, applications and
processing), and data, security and privacy breaches can occur (Krutz, Vines &
Brunette, 2010; KPMG, 2014). KPMG’s report (2014) confirmed that the ‘cloud’
increases security risks, so controls need to be in place and aligned to this
“changing environment” (p. 7, para. 4). Data may be stored on a server along with
another organization’s data, creating an increased risk of ‘unauthorized
disclosure’ (Kalyvas, Overly & Karlyn, 2012, p. 1, para. 4).

As per a recent blog by Sarukkai (February 2015), as cited on the Cloud Security
Alliance’s website, a recent, high-profile security and privacy breach happened
at Anthem Inc., a US health insurer. There was a “breach of a database with 80
million customer records” (para. 1). The blog also mentioned previous similar
privacy breaches at Target and Home Depot, where 70 million and 56 million
customer records were stolen, respectively.

Security breaches can happen either through provider errors or be initiated by
the actions of 3rd parties known as ‘hackers’. As per Noble Foster (2013), a 2012
survey of US IT professionals revealed that the “frequency, severity and costs with
hacking” (p. 5, para. 1) incidents are on the rise. A recent survey revealed that
62% of corporate directors list ‘cyber security’ (data privacy and protection) as a
top concern (K.B. Green & B.P. Green, p. 29).

Ouedraogo and Mouratidis (2013) reported that a cloud environment presents
more opportunities for cybercrime. They propose an approach to help
organizations make a better informed choice of provider and this model will be
explained under the risk mitigation section of this paper.

Kalyvas, Overly and Karlyn (2013) described risks from the view of both
availability and security failures. In 2011, cloud service availability and security
failures occurred at the providers Amazon and Microsoft. In April 2011, some of
Amazon’s services were down for several days and some of their customers’ data
was permanently lost (para. 4). In September 2011, some of Microsoft’s
cloud-based software services were down for several hours. These examples of
lost data and customer downtime created security risk and productivity losses for
organizations (para. 5). Kalyvas, Overly and Karlyn (2013) advised that nearly
half of companies surveyed in 2013 identified some form of data security issue.
Another security/privacy issue that organizations need to consider is the security
of the provider’s physical location where the data is being stored (Tufts & Weiss,
2013, p. 7).

Zissis and Lekkas (2010, p. 587) provided a visual of the different categories of
threats that could occur in a SaaS cloud environment. They noted ‘malicious
insiders’ but ‘outside hacker attacks’ could also be added to their model.

Figure 4. Categorization of Threats. Security threats to SaaS environments.

Tong, Nguyen and Jaatun (2012) identified cloud risks with respect to:
• Resource location - the provider’s physical location and the local laws and
legislation that apply in that country,
• Multi-tenancy - challenges in preventing unauthorized access by users to each
other’s information, as they use the same ‘physical’ servers,
• Authentication and trust of acquired information - potential issues with
data being changed without an organization’s permission,
• System monitoring and logs - logs may contain private/confidential
information, creating a need to monitor who accesses the logs, and
• Cloud standards - there are a large number of standards bodies and
working groups with different interests. “Will there be one dedicated
standards organization in the future?” (p. 50).

Privacy/Regulation compliance:
Cloud services may include storing an organization’s sensitive data, which creates
unique security issues. A provider’s servers might be physically located in
various locations/countries, and data hosted in the cloud is subject to foreign laws.
As per Gilbert (2010), the flow of data and the locations of the provider’s (or 3rd
parties’) servers are unique to cloud computing. Providers sometimes use 3rd
parties to host the data, and this means less control over the data and the overall
performance of the services. Depending on the type of data being stored,
organizations may only want to contract with providers whose servers are located
in their jurisdiction(s).

Privacy legislation involves the location of the customer as well as the service
provider’s physical location where the data is being stored; therefore, there may
be overlapping access and/or privacy regulations. Depending on the jurisdiction
and type of information, the data center and the information itself must be
physically located in Canada in order to be in compliance. In addition, customers
choose from one of three infrastructure/operating models: private, public or hybrid.
Public cloud models are the most cost effective; however, they offer lower
security and control over data, so they may not be a suitable choice for public
agencies and their customers’ personal data (Blinsky, 2013; Aleem & Sprott, 2013).

Customers and cloud service providers must be in compliance with all privacy
legislation that is applicable to the customer’s data that is being considered for
storage in the cloud (Krutz, Vines & Brunette, 2010). For the purposes of this
research, regulatory compliance will be discussed in relation to British Columbia’s
Freedom of Information and Protection of Privacy Act (FIPPA).

In BC, public bodies that store personal information must comply with FIPPA. As
per the Office of the Information & Privacy Commissioner (OIPC, June 2012),
“Public bodies must protect personal information by making reasonable security
arrangement against such risks as unauthorized access, collection, use,
disclosure or disposal” (p. 5). In addition, FIPPA states that personal information
can only be stored in and be accessed from within Canada. Cloud service
providers in BC must comply with FIPPA.

3.3.2 Lack of Control and Service Availability
Access and Performance Issues
Organizations become fully dependent on their cloud service provider. Green
and Green (2014) stated that if there is an outside hacker attack, the system
could run very slowly, and it may take longer to get running again using a 3rd party
provider compared to in-house IT employees. In-house systems and employees
have more knowledge, control and communication of systems, system access
and availability. If a provider (or 3rd party) hires new employees, the employees
need to be trained and made aware of privacy policies relating to the
organization’s data. Controls need to be in place to verify employees are trained
and agree to comply with all policies and procedures.

SLAs provide a form of control to ensure the services are provided as the
provider has promised. A study of five major cloud providers’ SLAs by Baset
(2012) concluded that the lack of standards among providers makes it difficult to
compare offerings and is very confusing for organizations. The study also
revealed that the SLAs are written such that the burden of proof for any violation
of service guarantee levels rests with the customer (p. 65). SLAs are needed to
report and track control issues, service availability and performance levels (Rose,
2011).

SLA measures can be considered performance auditing (Rose, 2011). For
example, customers should expect an availability uptime of 99%, and this needs
to be tracked and measured. In addition to availability, uptime and downtime also
need to be measured for reliability and performance. SLAs should also include
penalties for missed targets due to issues with uptime, security breaches, and not
meeting promised scalability targets. In Noble Foster’s (2013) survey of IT
professionals, SLAs were rated as one of the top ten contract concerns; 18% of
those surveyed agreed with this view.

3.3.3 Governance
Strong governance is needed in order to identify, assess, and mitigate risks
related to cloud computing. Paquett, Jaegar and Wilson (2010) and KPMG
(2014) reported the need for access governance, controls, security audits and
management sponsorship of cloud-related training programs. Organizations need
to ensure controls and processes are in place prior to contracting with a cloud
provider (Bean, 2009). As per Paquett et al. (2010), “a key determinant in the
success of cloud computing” is the ability to manage the risks (Introduction, para.
2).

3.3.4 Other Risks
.1 Business Continuity/Reputation Risks
Organizations open themselves up to new reputation risks when moving to a cloud
environment. If there is a disruption in the service, downtime or a service failure,
this could result in financial loss to the customer and its customers. If a provider
goes bankrupt, it is difficult for customers to change providers quickly (K.B. Green
& B.P. Green, 2014). The cloud service provider may expose the customer to
claims/liabilities and may “tarnish the customer’s reputation” (Freedman &
Gervais, 2011, Liability/reputation, para. 1).

.2 Legal Challenges
There have been few cloud-related legal challenges to date and almost no case
law; therefore, legal counsel and internal auditors need to be aware of any potential
issues related to security breaches, intellectual property, trade secrets and
release of data to 3rd parties (Bean, 2009). Cloud services involve data being
transformed by a 3rd party. One party may receive the initial data and another
party adds a tool and updates the data. If the contract does not clearly state who
owns the data and at what point in time, this could create confusion and generate
more lawsuits in a cloud environment (Gilbert, 2010).

A survey done by Bradshaw, Millard and Walden (2011) highlighted the need to
carefully review all contract terms and conditions, even clauses that might appear
to be standard. Many providers include disclaimers of any liability or warranty
and of any issues related to the services actually performing as promised. For
example, many providers’ SLAs “exclude the majority of causes of cloud service
outage”, and the only remedy offered is a credit for future services (p. 221, para. 5).

Depending on the type of cloud services, some cloud providers may offer all, or
portions of, their contract in the form of an online agreement, sometimes referred
to as a ‘click wrap’ agreement. Hon, Millard and Walden (2012) referred to this as
the ‘click-through trap’. Click wrap cloud agreements require customers to
accept all terms ‘as is’ with no opportunity to negotiate any of the terms. Cloud
providers’ contracts are structured to protect the provider, and customers do not
have much bargaining power (Noble Foster, 2013). Many providers will not
modify any of their terms (Kalyvas, Overly & Karlyn, 2013; Gilbert, 2010).
However, organizations should attempt to negotiate contract terms in all types of
cloud agreements in order to balance the risks.

.3 Cost as a Risk
A blog by Gupta (2011) identified the top five (5) cloud concerns as vendor
assessment (adequate security controls), data protection (format and
accessibility), reputation (background check), data sensitivity (sensitive data
protection) and cost. Four of the five concerns are included in the evaluation of
risks identified in other papers; however, cost as a risk was not identified in all of
the articles. The majority of articles identified cost savings, and only some authors
raised the issue of ‘security costs’ offsetting any perceived savings of going to a
cloud environment. Security breaches can be considered hidden costs that can
be hard to estimate. Noble Foster (2013) advised that any savings might “quickly
evaporate with a single hacking incident, a cloud providers unexpected
interruption of service or sudden lack of accessibility to data due to power outage
or natural disaster” (p. 17, para. 3). Data breaches can be very costly to
organizations. A study conducted in 2009 disclosed that 45 organizations
experienced breaches with “an average cost of $6.7 million, ranging from
$750,000 to almost $31 million…with data breaches costing an average of $204
per compromised record” (Kalyvas, Overly & Karlyn, p. 19, para. 3).

Summary of Risks
There are challenges for both organizations and providers with issues related to
security and privacy, such as unauthorized access, loss of privacy, data
replication and regulatory violations, including those arising from the provider’s
physical location. Organizations also have to deal with risks related to loss of
control (governance), availability (access), performance, potential business
continuity and reputation risks, and legal risks (liability and intellectual property
issues). Cost has also been identified as a risk.

3.4 Summary of Main Rewards and Risks


A high level summary of the main rewards and risks is as follows:

Rewards                                                      | Risks
-------------------------------------------------------------|------------------------------------------------------------------------
Efficiency                                                   | Security – security, data & privacy
Scalability (flexible capacity)                              | Regulatory & Privacy Compliance (incl. physical location)
Lower upfront costs (affordable technology)                  | Cost (service availability issues and security breach related costs)
Green IT                                                     | Governance – lack of governance, controls (audits)
Business Agility                                             | Lack of Control/Service Availability – access & performance
Focus – Core Competencies (more time for innovation)         | Business Continuity/Reputation
Social Business – collaboration among end users & customers  | Provider’s lack of ownership for liability issues and intellectual property issues

Table 1. Rewards & Risks for Cloud Computing

The main benefits/rewards of cost reduction and service flexibility are driving
organizations toward cloud solutions (Kalyvas, Overly & Karlyn, 2013). Tufts and
Weiss (2013) reported that cloud computing offers government entities
cost-effective ways to deliver IT solutions; however, in order to realize the
benefits “it is particularly important to concentrate on the establishment,
negotiation and management of high-quality cloud computing contracts” (p. 8,
para. 3).

3.5 Risk Mitigation from IT, Legal and Purchasing Perspectives


Before looking at ways to mitigate risks, organizations need to ensure they
understand the main risks and at what stage they might be mitigated. Cloud
computing environments present new data security issues to customers. The
approaches that give customers the rewards of scalability, flexibility and lower
costs are the same approaches that can increase risks to organizations.

Organizations need to review the types of risk that may occur, particularly from an
e-security failure perspective. As per Slack (2010), “any advance in processes or
technology creates risk. No real advance comes without threats or danger” (p.
577). This applies particularly to e-business. From a risk management
perspective, organizations need to include contingency and business continuity
planning, with safeguards set in place for internal and external systems
(English, 2012).

Research suggests that risks can be mitigated during various stages from
selection of the cloud service provider to the contract award as follows:

3.5.1 Due Diligence


a) Due Diligence – Cloud Investigation Stage (IT):
Kalyvas, Overly and Karlyn (2013) proposed that organizations evaluate the risks
associated with cloud computing by looking at:
a) “The criticality of the business process being supported by the cloud
solution, and
b) The sensitivity of the data that will be stored on the cloud” (p. 19, para. 5).

When an organization is contemplating a cloud solution, it should evaluate the
overall exposure and risk to the organization. Kalyvas, Overly and Karlyn (2013,
p. 11) developed a ‘Cloud Computing Risk’ assessment graph that can be used
to plot a) the criticality of the business process and b) data sensitivity to see the
‘overall risk profile’ (low, medium or high risk) of implementing a cloud solution.
The following graph is a helpful tool for organizations to determine the risk level
before a decision on a cloud services solution is made:

Figure 5. Cloud Computing Risk Assessment Approach

Gartner (2010) suggested there are five (5) initial phases IT should follow when
an organization is considering cloud computing. These phases or steps are:
• Build a business case - Ensure the ‘key initiative’ is linked directly to
business objectives and gain senior leader support,
• Develop a strategy that aligns with the organization’s overall strategy,
• Assess readiness by developing a total cost of ownership framework and
policies/procedures to assess and manage risks and governance,
• Pilot a mini project and incorporate results/lessons learned,
• Gain approval by updating the business case with the results of the pilot and
presenting it to senior management for buy-in.

In addition, IT needs to ensure contingency and business continuity plans are in
place prior to moving to a cloud environment.

b) Due Diligence –Vendor Selection Stage (Purchasing, Legal and IT):


Risks associated with cloud services could be mitigated during the procurement
and vendor selection process. The KPMG (2014), Freedman and Gervais (2011)
and Kalyvas, Overly and Karlyn (2013) articles mentioned due diligence. Based
on their observations and procurement best practices, prior to selecting a cloud
provider organizations must assess the total cost of ownership and confirm the
potential cloud service provider’s experience/background, including:
• Number of years in business,
• References,
• Financial viability (including any 3rd party sub-contractors they depend on),
• Provider’s physical site (inspection), and
• Feedback from other organizations, user groups and industry forums.

As part of their proposal to provide cloud services, potential providers should
provide a sample of their SLA and log files (type of data recorded), reports and
information regarding their auditing practices, and their authentication and
authorization processes (Krutz, Vines & Brunette, 2010).
In addition, organizations should ask potential provider(s)/vendors:
• Is the cloud provider’s data center/operation available for physical inspection?
• Has the vendor had any security breaches? A preliminary check can be
done via an internet search (Blinsky, 2013),
• Does the vendor have a governance process with their providers?
• Does the vendor have a standard, phased implementation plan/model?
• Is the provider willing to negotiate?

Green and Green (2014) mentioned potential concerns with a small provider
being sold to a larger organization. Organizations need to consider how this
might affect the services and protection of data. Annual audit and financial
checks may be a proactive approach to address this concern.

IT needs to become familiar with, and understand, all industry-specific terms and
standards that relate to third party cloud service audits, such as ISO 27001 and
SAS 70 (K.B. Green & B.P. Green, 2014), and SSAE 16 (Goudreault, 2014). This
includes independent certifications to ensure providers meet all of the industry
standards (Hon, Millard and Walden, p. 112). IT and Purchasing employees
involved in any existing or anticipated cloud initiatives should be aware of cloud IT
terms and the potential providers’ full range of services offered, as well as clearly
understand their own organization’s cloud SaaS strategies.

To ensure they are making an informed choice of cloud providers, IT’s risk
assessment could follow CSA’s Security Guidance for Critical Areas of Focus in
Cloud Computing (v. 3.0, 2011) and/or Ouedraogo and Mouratidis’ (2013) C.A.R.E.
(Complete-Auditable-Reportable) approach to determine and select a trusted
cloud service provider. CSA’s website has many resources for risk mitigation,
such as ensuring providers meet CSA’s Cloud CERT – Security and Knowledge
program requirements and checking whether or not they are listed in CSA’s STAR
– Trust and Assurances registry.

IT needs to perform a risk analysis of the data security risks prior to moving
confidential data to the ‘cloud’ (Sangroya, Kumar, Dhok, & Varma, 2010).
Organizations should perform a Privacy Impact Assessment (PIA) as well as use
a Plan, Do Act Control (PDAC) model to ensure rewards outweigh the risks
(Aleem & Sprott, 2013, Migration on the cloud, para. 1). In addition, IT could
perform pre-contract security penetration testing to check for “security issues such
as integrity and robustness of the providers security policy and information
technology systems, and how the users’ data are separated from other users
data” (Hon, Millard & Walden, 2012, p. 113, para. 3).

3.5.2 Business, Legal and Regulatory Risk Mitigation Stage


As per KPMG’s Top 10 Internal Audit Considerations for Technology Companies
report (2014), “the greatest opportunity to mitigate or remediate risks lies with
proactive involvement of the IT team” (p. 9, para. 2). Purchasing best practices
need to take this one step further and ensure proactive involvement of
Purchasing and Legal as well.

Cloud service providers must comply with FIPPA and, depending on jurisdiction
and type of information, the data center and the information itself must be physically
located in Canada (OIPC, 2012). Customers need to have controls in place to
ensure regulatory and policy compliance is enforced. The cloud provider should
provide potential customers with a copy of its security policies and explain how it
will meet an organization’s privacy and confidentiality policies and regulations.

Bean (2010) and KPMG (2014) provide suggestions from internal auditors’
perspectives. They believe internal auditors need to develop their knowledge
base on cloud computing and that more stringent security measures should be
applied to cloud services than are applied to internal IT services. Aleem and
Sprott (2013) confirm that IT audits should be part of an overall cloud strategy.

Green and Green (2014) discussed the critical risks and need for strong
encryption and they write from a business, rather than technical, perspective.
Krutz, Vines, and Brunette’s, book, Cloud Security: A Comprehensive Guide to
Secure Cloud Computing (2010), offers a good starting point for organizations
considering going to a cloud environment. Chapter 8: Useful Next Steps and
Approaches, contains a list of questions to ensure due diligence by customers,
and also includes a reference tool for cloud providers.

A new book, by Samani, Reavis and Honan (2015), CSA Guide to Cloud
Computing: Implementing Cloud Privacy and Security is a great resource for IT
managers on how to integrate security planning into cloud initiatives and how to
deal with the implications of privacy in different geographic regions. The book’s
introduction advised it “is intended to present the research within the multitude of
CSA working groups, as well as incorporate the research and findings across
other relevant sources. It should be used as a reference for CSA research and
also a broader cloud security reference guide” (p. 17-20).

The Law Society of BC published a Cloud computing checklist for lawyers
considering moving their firm’s data to the cloud (Blinsky, 2013). The checklist is
a great risk assessment tool; it offers a series of questions that cover a range of
issues that organizations should consider before engaging with a cloud service
provider.

Tufts and Weiss (2013) identified legal and regulatory challenges and the need to
negotiate cloud contracts. They developed a contract assessment framework
and negotiation strategies aimed at government agencies considering moving IT
services to the ‘cloud’. The framework will be presented at the end of Section 3.6
of this paper.

3.5.3 Risk Mitigation Categories


Starting with the top three (3) risk categories outlined by Aleem and Sprott (2013)
and the 4th category of ‘other’, research suggests the following contract terms
and/or areas be considered in order to mitigate the risks associated with
contracting with cloud service providers:

.1 Security and Privacy


• Strong data encryption (source code),
• Compliance with privacy regulation(s),
• Security monitoring and security audits,
• Data breach notification & plan for security/privacy breaches, and
• Back up of data.

.2 Lack of Control of Service Availability – (SLAs)


Ensure inclusion of a cloud service specific SLA to control, monitor and measure
performance and availability of services.

.3 Governance
Ensure there is organizational governance in place as well as program and
project governance, including, controls and decision-making processes and
accountability.

.4 Other
a) Standard contract clauses to be customized for cloud services include:
• Services (definition for cloud services),
• Pricing Protection,
• Dispute Resolution,
• Liability/Indemnification,
• Insurance (see new clause for cyber insurance),
• Intellectual Property Rights,
• Disaster Recovery/Business Continuity plans,
• De-commissioning services – transitioning to another provider, and
• Termination clause (exit obligations/penalties).

b) New cloud specific contract clauses that should be considered include:


• Benchmarking/Vendor Performance Management (KPI/Scorecard),
• Cyber Insurance,
• Governance,
• Exclusivity,
• Implementation, and
• Training.

3.6 Key Contract Terms and SLA metrics to Mitigate Risks


Overview
As identified in the previous section, there are many business and legal
(regulatory) risks associated with moving to a cloud environment; therefore,
organizations need to ensure their contracts with cloud providers deal with the
above risks from IT, Legal and Purchasing perspectives. Current SLAs are
service provider focused and need to be more ‘customer centric’ (Stamou, Morin,
Gateau et al., 2012).

This section will begin with a review of security and privacy issues, SLAs, and
governance concerns followed by a review of standard contract clauses that
should be customized for cloud services, as well as, potential new cloud specific
clauses that should be negotiated into agreements to mitigate risks. Some
research articles highlighted the clauses/provisions that require close attention
and negotiation while other articles presented sample clauses authors proposed
customers consider adding into their cloud agreements.

This section will include a Cloud Computing Contract Assessment Framework
provided by Tufts and Weiss (2013). Based upon the literature review, additional
key contract terms and SLA metrics will be incorporated into an updated
framework, which will be presented in Section 5, Recommendations &
Conclusion. Section 3.6 will be followed by a literature review of negotiation
strategies for cloud contracts in Section 3.7 and end with a review of themes
important for successful contracting in Section 3.8.

Starting with the 4 categories identified in the previous section, research suggests
the following considerations, along with applicable measures and language, be
added to contract clauses in order to mitigate the risks associated with contracting
with cloud service providers.

3.6.1 Security and Privacy


Several authors (Bean, 2009; Freedman & Gervais, 2011; Gilbert, 2010; K.B.
Green & B.P. Green, 2014; Krutz, Vines & Brunette, 2010; Hon, Millard &
Walden, 2012) recommend similar measures to deal with security and privacy
issues in cloud contracts, as follows:

• Data Security – Ensure there is strong data encryption and contract
language confirms the source code is provided,
• Compliance with Privacy regulation(s) – Ensure compliance with privacy
legislation by ensuring data segregation (add as an attachment to the
contract),
• Security monitoring, security audits and audit rights – Establish a process for
monitoring/auditing, e.g. how it is done, by whom and how often (by the
customer, the provider or a 3rd party?),
• Data breach notification – Outline the method and timelines for breach
notification,
• Plan for security/privacy breaches – Outline steps to take when a breach
occurs, and
• Back up of data – Include details of how and when regular back ups will occur.

Bradshaw, Millard and Walden (2011) analyzed and compared providers’
standard contract terms and conditions that were made available on the
providers’ websites. The research provided a summary of the main terms
customers should keep in mind when reviewing contract terms and conditions.
In addition to the data security, privacy and protection issues noted above, they
also identified data integrity and preservation issues, as well as resolution of
disputes (location for those disputes) and warranty, service and acceptance of
liability issues. Many providers want the contract to be enforceable in their
jurisdiction and try to exclude any warranty, service and acceptance of liability
(p. 220).

Noble Foster (2013) identified key contract problem areas of data security,
privacy and confidentiality. He then reviewed these clauses in four (4) leading
cloud providers contracts and provided suggestions of how to modify the contract
clauses to mitigate risks to organizations in order that the contract terms are not
solely for the provider’s benefit (p. 8).

Kalyvas, Overly and Karlyn (2013, p. 20) proposed organizations include specific
contract clauses/provisions for data ownership, data security, redundancy and
conversion as follows:
• Data Ownership & Rights Provision related to ensuring standard data
ownership clauses clearly state “that the customer owns all data stored by
the provider for the customer and that the provider is obligated to keep all
of the customers information confidential except for performance of the
services” (p. 3, para. 4),
• Data Security Provision related to general security, access and
maintenance of the customer’s information, ensuring a secure environment
and security controls, and security audits at the customer’s request,
• Data Redundancy Provision related to backing up the customer’s data,
including frequency and related reporting requirements, and
• Data Conversion Provision related to delivery of data at the start of the
services and the return and destruction of data at the end of the contract
term.

Sample clauses for data security, redundancy and conversion proposed by
Kalyvas, Overly and Karlyn (2013) are attached as Appendix A. Cloud specific
clauses are constantly evolving; however, these sample clauses are a good
starting point for organizations to consider incorporating into cloud contracts.

3.6.2 Lack of Control of Service Availability – (SLA’s)
Aleem and Sprott (2013) identified the SLA as “one of the most important areas
to consider when evaluating a cloud provider” (p. 14). The SLA must include key
metrics that will measure and monitor services. Key metrics should include
availability (scalability), performance (reliability), security, compliance, and data
retention, and the target levels must be SMART! (Rose, 2011). Shaw (2011)
advises that SLA metrics need to be relevant to performance and not to the
technology itself. Almathami (2012) suggests that metrics could also include
trust, violation ratio and elasticity. SLAs should also include a metric for
customization, to allow for changes in numbers, such as the number of concurrent
users (Alhamad, Dillon and Chang, 2010).

Alhamad, Dillon and Chang (2010, p. 4) suggested 5 common SLA metrics, as
follows:

Metric (parameter)              Description
Reliability (performance)       Ability to keep operating in most cases
Usability                       Easy built-in user interface
Scalability                     Flexibility for number of users (individual or large organizations)
Availability (uptime/downtime)  Uptime of software users in specific time
Customizability                 Flexible to use with different types of users
Table 2.1 SLA Metrics

Tong, Nguyen and Jaatun (2012) advised that the main SLA metrics are availability
and performance (reliability). They also suggested that SLAs could measure
security performance levels by using confidentiality and integrity as metrics.
These metrics could measure the level of trust an organization has in the
provider's ability to keep the data secure. They could be included in SLAs or,
alternatively, incorporated into a vendor management performance scorecard:

Metric (parameter)   Description
Performance          Reliability from a performance perspective
Trust                Trust in the vendor, from a vendor management perspective (the cloud vendor and 3rd party provider), revealed from the audit report (post)
Table 2.2 Additional SLA Metrics

The types of data that could measure the security of the customer's data include:
access control, audit verification, and incident management and response.
Bernsmed et al., as cited by Tong, Nguyen and Jaatun (2012), offered a visual of
this concept, which is attached as Appendix B.

SLA metrics need to be meaningful, measured and reported on. Internal clients,
IT, Purchasing and Legal need to ensure metrics (and their underlying measures,
p. 7) are well defined and understood so that reliable service measures
can be part of the contract deliverables. Salem (2012) suggested SLAs need to
include service guarantee metrics, time period, scale and service guarantee
exclusions, as well as a service credit if the guarantee is not met, and how and
who is responsible to measure and report any service violations. Salem's (2012)
article concluded with recommendations to cloud providers on how they might
improve their SLAs in future. SLAs that share the risks more evenly may help
providers differentiate their service offerings from those of providers unwilling to
make any changes to their contracts.
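To make Salem's SLA elements concrete, here is an added example (not code from the paper or any cited source) that measures an availability guarantee over a monthly period, applies service guarantee exclusions for scheduled maintenance, merges duplicate incident tickets so no minute is counted twice, and maps the result to a tiered service credit. The incident log, maintenance windows and credit tiers are constructed for illustration; the report also gives the figures without the exclusion clause, which is the comparison a customer reconciling the provider's SLA report would want to see.

```python
"""Availability guarantee: measurement period, exclusions and service credits.
Added example, not code from the paper or any cited source; the incident log,
maintenance windows and credit schedule are constructed illustrations."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Window:
    """Half-open time interval [start, end)."""
    start: datetime
    end: datetime

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60.0

def clip(w: Window, period: Window) -> Optional[Window]:
    """Restrict a window to the measurement period (None if disjoint)."""
    start, end = max(w.start, period.start), min(w.end, period.end)
    return Window(start, end) if end > start else None

def merge(windows: Sequence[Window]) -> List[Window]:
    """Coalesce overlapping or touching windows, so two tickets opened for the
    same outage (or two adjacent maintenance windows) are not counted twice."""
    merged: List[Window] = []
    for w in sorted(windows, key=lambda x: x.start):
        if merged and w.start <= merged[-1].end:
            merged[-1] = Window(merged[-1].start, max(merged[-1].end, w.end))
        else:
            merged.append(w)
    return merged

def overlap_minutes(a: Window, b: Window) -> float:
    start, end = max(a.start, b.start), min(a.end, b.end)
    return max((end - start).total_seconds() / 60.0, 0.0)

def measure_downtime(period: Window, incidents: Sequence[Window],
                     exclusions: Sequence[Window]) -> Tuple[float, float]:
    """Return (counted_minutes, excluded_minutes). Any part of an incident inside
    a service guarantee exclusion (scheduled maintenance here) is not counted."""
    excl = merge([c for c in (clip(e, period) for e in exclusions) if c])
    counted = excluded = 0.0
    for inc in merge([c for c in (clip(i, period) for i in incidents) if c]):
        ex = sum(overlap_minutes(inc, e) for e in excl)
        counted += inc.minutes() - ex
        excluded += ex
    return counted, excluded

def availability_pct(period: Window, counted_downtime: float) -> float:
    """Availability over the measurement period, as a percentage."""
    return 100.0 * (1.0 - counted_downtime / period.minutes())

def service_credit_pct(availability: float,
                       schedule: Sequence[Tuple[float, float]]) -> float:
    """Credit (% of the period's fee) from tiers ordered from the highest
    availability floor to the lowest; the first floor that is met applies."""
    for floor, credit in schedule:
        if availability >= floor:
            return credit
    return schedule[-1][1]

def monthly_report(period: Window, incidents: Sequence[Window],
                   exclusions: Sequence[Window],
                   schedule: Sequence[Tuple[float, float]]) -> Dict[str, float]:
    """Figures to reconcile against the provider's SLA report, computed with and
    without the exclusion clause so that its effect on the credit is visible."""
    counted, excluded = measure_downtime(period, incidents, exclusions)
    raw, _ = measure_downtime(period, incidents, [])
    avail, raw_avail = availability_pct(period, counted), availability_pct(period, raw)
    return {
        "counted_downtime_min": counted,
        "excluded_downtime_min": excluded,
        "availability_pct": round(avail, 4),
        "credit_pct": service_credit_pct(avail, schedule),
        "availability_pct_no_exclusions": round(raw_avail, 4),
        "credit_pct_no_exclusions": service_credit_pct(raw_avail, schedule),
    }

# Constructed sample data: measurement period April 2015 (43,200 minutes).
PERIOD = Window(datetime(2015, 4, 1), datetime(2015, 5, 1))
INCIDENTS = [  # constructed provider status-log entries
    Window(datetime(2015, 3, 31, 22, 0), datetime(2015, 4, 1, 1, 0)),    # spans period start: 60 min in period
    Window(datetime(2015, 4, 3, 2, 0), datetime(2015, 4, 3, 4, 30)),      # wholly inside maintenance: 0 counted
    Window(datetime(2015, 4, 10, 14, 0), datetime(2015, 4, 10, 15, 40)),  # unplanned outage: 100 min counted
    Window(datetime(2015, 4, 10, 15, 0), datetime(2015, 4, 10, 15, 20)),  # duplicate ticket for that outage
    Window(datetime(2015, 4, 25, 23, 30), datetime(2015, 4, 26, 0, 30)),  # half inside maintenance: 30 min counted
]
MAINTENANCE = [  # constructed scheduled-maintenance windows excluded by the SLA
    Window(datetime(2015, 4, 3, 1, 0), datetime(2015, 4, 3, 5, 0)),
    Window(datetime(2015, 4, 26, 0, 0), datetime(2015, 4, 26, 2, 0)),
]
# Constructed credit tiers: (availability floor %, credit as % of the monthly fee).
CREDIT_SCHEDULE = [(99.9, 0.0), (99.5, 5.0), (99.0, 10.0), (95.0, 25.0), (0.0, 50.0)]

if __name__ == "__main__":
    for key, value in monthly_report(PERIOD, INCIDENTS, MAINTENANCE, CREDIT_SCHEDULE).items():
        print(f"{key:32} {value}")
```

With the constructed data the exclusion clause moves the month from the 10% credit tier to the 5% tier, which is why the wording of exclusions and who measures them matters as much as the headline target.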

Hon, Millard and Walden (2012) advised that service credits may not be an
adequate deterrent and that providers might instead offer a money back guarantee.
Service guarantees could also include nonfinancial remedies, such as: for each
service failure, documenting how the provider will prevent a reoccurrence (root
cause analysis); assurances that the support team is adequate for the service; and
contract language that the provider cannot bid on other opportunities if SLA
metrics are not met (Shaw, 2011, p. 38).

NIST (2015) advised that an SLA provides a measurement of the business level
objectives or their performance level (p. 8). NIST has a Cloud Computing Service
Metrics Description document (2015) currently being drafted by a working group.
The audience for the service metrics document is government agencies, auditors,
cloud customers and providers. The document provides a cloud service metric
(CSM) model that defines the elements needed to describe the metric itself, such
as availability and performance, the parameter and the metric rule. IT managers
can use their expertise to lead the decision on the standard metrics and relevant
measurement (unit of measure and scale) to be used in the SLA.

Zielinski (2009) suggested organizations also establish a service level agreement
with their internal IT team to clarify the roles and responsibilities of IT help desks.
Laying out clear responsibilities between the cloud provider and internal IT will
allow end users to know who to turn to if they require technical assistance.
Instead of an SLA, a contract project charter, with a specific section detailing
technical assistance, could be made available to internal staff as a help guide.

3.6.3 Governance
KPMG (2014) stressed the importance of aligning controls to the new cloud
environment by establishing clear roles and responsibilities between the cloud
provider and the organization, as well as access governance program and process
documents. Paquet et al. (2010) recommended IT-specific governance, including
oversight from a risk management perspective and decision making processes
and accountability through a roles and responsibilities document. This could be
accomplished by inclusion of a project charter as part of the contract. In addition,
Goudreault (2014) recommended that a formal SaaS strategy be part of governance.
IT's roles with respect to cloud services could also be outlined in an internal SLA
for the organization's employees (Zielinski, 2009).

3.6.4 a) Standard Form Contract Clauses to Customize for the ‘Cloud’
Standard form service contract clauses need to be customized to cover the
increased risks, to protect an organization's needs and to meet any specific legal
requirements as it moves to a cloud services model (Goudreault, 2014).
Tufts and Weiss (2013) discussed the importance of negotiating and managing
‘high-quality’ cloud computing contracts. They reported that organizations
sometimes sign master service agreements (MSA) or standard contract
documents ‘without properly reviewing, negotiating, and modifying the terms and
conditions’ of the provider's contract to meet the best interests of the organization
(p. 8, para. 2).

In addition to the above security & privacy, SLA and governance concerns and
contract terms/clauses, several authors (Bean, 2009; Freedman & Gervais, 2011;
Gilbert, 2010; Goudreault, 2014; Hon, Millard & Walden, 2012; KPMG, 2014;
Zielinski, 2009) confirm the following standard clauses should also be negotiated
and customized for cloud services:

• Services - the description of the cloud services needs to be specific, yet
broad enough to cover a potential issue (in case the provider states it was
out of contract scope). If the services require a phased pilot approach this
could be added to the services description section (Kalyvas, Overly and
Karlyn, 2013),
• Pricing/Fees - price flexibility if the number of users increases or decreases, as
well as pricing protection upon the renewal term (e.g. not to exceed CPI)
(Zielinski, 2009; Kalyvas, Overly & Karlyn, 2013),
• Dispute Resolution – develop a process for dispute resolution and state
where this would take place (Goudreault, 2014; Gilbert, 2010),
• Liability/Indemnification – Zielinski (2009) suggested an indemnification
clause that would fully protect the organization for any breaches, while
Freedman & Gervais (2011) suggested a risk allocation approach, and
Hon, Millard and Walden's (2012) study found that many providers cap
liability,

• Intellectual Property Rights – important to include where property may
become a work product and therefore needs definition (Bean, 2009; Hon,
Millard & Walden, 2012; Kalyvas, Overly & Karlyn, 2013),
• Disaster Recovery/Business Continuity plans - develop the plan and detail
what it includes, e.g. complete restoration? How long? (Bean, 2009;
Freedman & Gervais, 2011). Hon, Millard and Walden (2012) advised that
some organizations recognized the need to have their own data backup
strategy,
• De-commissioning services – method to transition to another provider, and
removal and proof of removal of data (Kalyvas, Overly & Karlyn, 2013),
• Warranties – review the warranty offered in relation to the specific services
provided (Hon, Millard & Walden, 2012; Kalyvas, Overly & Karlyn, 2013), and
• Termination – ensure no ‘vendor lock-in’ clauses exist and include a
transition plan and/or exit obligations for either party (Goudreault, 2014;
Hon, Millard and Walden, 2012).

3.6.4 b) New ‘Cloud’ Specific Clauses to Negotiate into Contracts
Organizations should negotiate new cloud specific clauses into agreements, such
as:
• Benchmarking – use of a scorecard/KPIs to assess the provider's overall
performance (Forrester, 2014; Goudreault, 2014),
• Cyber Insurance – a specific insurance policy to cover privacy and/or
security breaches (Scott, 2014; Noble Foster, 2013; Kalyvas, Overly &
Karlyn, 2013),
• Exclusivity – review the provider's clause to ensure no lock-in (Kalyvas, Overly
& Karlyn, 2013),
• Implementation - phased pilot project approach; this could be its own
clause or a sub-clause to Services (Kalyvas, Overly and Karlyn, 2013;
Krutz, Vines & Brunette, 2010), and
• Training – sub-clause to Services (Kalyvas, Overly & Karlyn, 2013).

3.6.5 Cloud Computing Contract Assessment Framework
Tufts and Weiss (2013) developed a ‘Cloud Computing Contract Assessment
Framework’ with 12 key contract issues/areas and used this framework to assess
five (5) public sector cloud contracts (p. 9 & 10). Tufts and Weiss's framework
created a ‘baseline’ that other organizations could apply when assessing cloud
contracts. The framework is as follows:

Major Issues for Cloud Contracts / Description of Specific Elements

1. Pricing
• Pricing Caps (limit on pricing increase over time)
• Pricing Changes Notice (requirement to give notice prior to pricing changes)
• Pricing Changes Time Frame Limitation (limitation on how many pricing changes can occur within set time frame)
• Demand Pricing (requirement to match lower pricing offered to other similar entities when quantities, services, etc., are comparable)
• Costs for Special Services/Additional Quantities/Etc. (costs related to items not specifically included in the original contract scope)

2. Infrastructure Security/Right to Audit and Inspect
• Financial Audit/Review
• Performance Audit
• Infrastructure/Data/Security Assurances (broadly stated)
• Security Monitoring Practices (Logical and Physical)
• Data Segregation Practices
• Operations Management Requirements
• Employee Approval Processes for Sensitive Data
• Third-Party Audit and Inspection of Physical and Logical Security
• Review of Company Audit Logs, Event Logs, Testing Results Related to Physical and Logical Security (including specifications and topology diagrams)
• Forensic Access

3. Data Assurances
• Data Ownership: data custody, intellectual property, exclusion of data mining or selling, data processing ownership
• Access to Data: consent to access, government access and retrieval at sole discretion, process for access/retrieval
• Disposition of Data Upon Request: destruction authority, audit process
• Disposition of Data Upon Termination: data provision process, obligation to transfer, common data format, destruction authority, audit process
• Data Breaches: notification process, vendor obligations, government obligations, indemnification, remediation/penalties
• Data Storage Location: physical data storage requirements, data segregation requirements
• Litigation Holds: metadata/imaging, legal cooperation clause, data preservation/media preservation, cost allocation, redaction process, data provision process
• Public Records Requests (FOIA Requests): data provision process

4. Governing Law, Jurisdiction, and Forum Selection
• Specified as North Carolina Pursuant to NC G.S.22B-3

5. Service Level Agreements (SLAs)
• Definitions
• Parameters/Performance Requirements
• Monitoring and Auditing for SLA Compliance
• Technical Support
• Acceptable Use
• SLA Violation or Non-Performance Penalties Notice
• Specification of Remediation and Penalties for Non-Compliance

6. Outsourced Services
• Requirement to Inform Customer of Outsourced Functions
• No Assignment of Contract without Express Written Permission
• Approval of Subcontractors

7. Functionality
• Description of Functionality
• Notice of Substantive Changes
• Customer Right to Replace Product or Terminate Due to Substantive Changes

8. Disaster Recovery/Business Continuity
• Minimum Requirements
• Notification Process
• Inspection and Audit (covered under Technical Audit/Inspection)
• Penalties (covered under SLAs)

9. Mergers and Acquisitions
• Notice of Pending M&A
• Assignment Rights
• Contract Binding Upon M&A
• Continuity of Service

10. Compliance with Laws, Regulations, and Other Standards
• Specifications of Applicable Governing Laws
• Specifications of Applicable Regulatory Requirements
• Direct Liability
• Indirect Liability
• Limitations of Liability
• Warranties
• Indemnification

11. Terms and Conditions Modification
• Notice of Modification

12. Contract Renewal and Termination
• Renewal Options
• Obligation to Transfer
• Contract Release Without Show Cause
• Suspension of Services
• Non-Appropriation Clause
• Advance Notice of Contract/Service Termination by Vendor
• Escrow Language
Table 3. Cloud Computing Contract Assessment Framework

The above Cloud Computing Contract Assessment Framework provided by Tufts
and Weiss (2013) was used as a starting point; based on the research
conducted, it was updated with recommended additional key contract
terms/clauses and is presented in Section 5, Recommendations & Conclusion.

3.7 Negotiation
3.7.1 Top 6 Terms to Negotiate
A qualitative research study by Hon, Millard and Walden (2012) identified the top
six (6) most negotiated terms: the providers' standard cloud contract terms that
were not in the customers' best interest. These terms were:
1. “exclusion or limitation of liability and remedies, particularly regarding
data integrity and disaster recovery;
2. service levels, including availability;
3. security and privacy,
4. lock-in and exit, including term, termination rights, and return of
data on exit;
5. providers’ ability to change service features unilaterally; and
6. intellectual property rights” (p. 83).

3.7.2 Tips to Successful Negotiation
Tufts and Weiss (2013) summarized their study with a lessons learned and best
practices guideline for negotiating cloud contracts.
A summary of the lessons learned included:
• “IT and Legal professions must work together to create a technically and
legally sound contract
• All contracts, including cloud contracts, are negotiations
• All contracts involve some form of risk calculation” (p. 31).

They also recommended six ‘Best Practices in Negotiating Cloud Computing
Contracts’ (p. 32); of these six, the common approaches that apply to most
organizations include the need to:
• Identify the contract term must-haves, the game changers, and have a
backup plan of a second choice vendor if the provider won't meet the
organization's terms,
• Take a team approach toward negotiation, including IT, Legal and
Purchasing, and
• Always take time to carefully review, negotiate and modify the contract
terms and conditions to meet the organization's needs.

Purchasing best practices include planning a negotiation strategy with internal
clients and IT (Goudreault, 2014; Deloitte, 2013). Forrester (2014) suggested that
“negotiation planning should balance price, flexibility and risk mitigation” (p. 1,
para. 1).

Negotiations have been initiated mainly by larger organizations (government or
financial institutions), due to their internal procedures, support from legal counsel
and their purchasing power (Hon, Millard & Walden, 2012). Increased competition
in the marketplace may push providers to become more interested in negotiating
and in working with organizations proactively to share the risks, with the ultimate
goal of securing contracts/business. As per Bradshaw, Millard and Walden (2011),
“As the cloud marketplace expands and matures terms will evolve and diversify to
more closely reflect customer's concerns and local legal framework under which
customers operate” (p. 223).

3.8 Themes (Management Models) for Successful Contracting
This section highlights important themes related to successful cloud computing
contracting including: governance and SaaS strategy, project management
techniques and tools, purchasing best practices and vendor performance
management. In addition, knowledge, trust, human capital and communication
are key to successful contracting.

3.8.1 Governance and SaaS Strategy
As part of governance, organizations need to have an overall SaaS strategy.
Forrester (2014) advised that most organizations have “a limited strategy for how
they can gain business benefits from SaaS” (p. 3, para. 2). Some organizations
have silos, divisions that would like to use SaaS, while an overall long term SaaS
strategy has not yet been developed. IT needs to develop an overall cloud
strategy with a vision that aligns with core business objectives (Deloitte, 2013). In
order to stay on top of cloud trends, the SaaS strategy should be updated as
required.

According to the OPMT-505 Study Guide (Athabasca University, 2012, Section 7:
Improvement, 7-10 Balanced Scorecard), “the Balanced Scorecard is a technique
for aligning organizational strategy, operations strategy, and stakeholders.” The
overall strategy is then translated into objectives and measures (KPIs) for each
area of an organization. A specific scorecard with relevant KPIs could be a part
of a cloud services contract, as further described in 3.8.4 Vendor Performance
Management of this section.

3.8.2 Project Management
.1 Operations Improvement
As organizations move from in-house systems to cloud services, cloud computing
initiatives should be set up as a project incorporating:
• Process mapping of current and proposed future state,
• SMART objectives: specific, measurable, achievable, relevant and timely,
• Risk management & readiness assessment tools,
• Change management for training of staff/change of job, and
• Continuous improvement models, such as PDCA - Plan, Do, Check, Act
(English, 2012)

.2 Project Planning
The project must be aligned to corporate objectives, have senior management
support, and overall governance must be in place. Governance will provide the
structure, the means of reaching the project's objectives and determine how to
monitor performance of the project (Muller, 2009). Projects themselves need to
be governed and, as per Muller (2009), the focus is on:
• “Ensuring effectiveness by doing the ‘right projects’ and
• Ensuring efficiency by doing ‘projects right’” (p. 45, para. 2).
Moving IT systems to a cloud environment is a strategic initiative that affects
many areas of the organization, so cloud projects need to be done right!

As per Slack (2010), the project planning steps should include:
1. Identify activities in the project and gather data,
2. Estimate time and resources,
3. Identify relationships (e.g. Purchasing, Legal and Information Systems) and
dependencies between activities. For cloud computing, it is imperative that internal
or external legal counsel review any legal issues/implications of contract clauses,
4. Identify any scheduling conflicts/issues, and
5. Adjust the schedule as necessary.

Cloud services might include significant implementation services, including a pilot
project in a test environment. This would allow for contingency and business
continuity planning and could be covered in a specific implementation contract
clause (Kalyvas, Overly & Karlyn, 2013; Krutz, Vines & Brunette, 2010).

.3 Continuous Improvement
Aleem and Sprott (2013) suggested Deming's PDCA improvement cycle, ‘Plan,
Do, Check and Act’, could be used for the initial risk assessment and during the
contract term to ensure there is continuous improvement in the process (p. 18).
Forrester (2015) stressed the importance of including continuous improvement
(CI) in the actual cloud services contract and recommended linking CI to the
pricing and performance reporting (KPIs), for example a price reduction for
improved efficiency in the next renewal term. This would “transfer more
responsibilities to vendors and increase service delivery accountability” (p. 2).
This is discussed further under .4 Vendor Performance Management.

A visual of a Continuous Improvement model is as follows:

Figure 6. Continuous Improvement

.4 Benefits Realization
Benefits realization is an essential subcomponent of project and portfolio
management. As per Simon (2013), “Benefit realization entails establishing a
process and guidelines to measure actual financial and non-financial benefits of a
program or project” (p. 1). A formal benefits realization process can help manage
change and will confirm the value of the project to the organization at project
completion and during sustainment.

“To help move from an IT focus to a business focus, organizations need to
improve their communication and relationships (social capital). IT needs to build
effective relationships with all business units in order to truly understand the
business needs and the best measures to realize benefits during and post
project” (English, 2014).

3.8.3 Purchasing Best Practices
.1 Best Practices
Purchasing's role is to perform due diligence at all stages of contracting,
including: provider selection, negotiation of contract and SLA terms and costs,
implementation of services, during the contract term (contract & vendor
management) and at contract end (termination, including transition of services).
Purchasing needs to lead ongoing contract & vendor management.

.2 Benchmarking Survey
Contract terms and SLA metrics could be shared among both private and public
procurement and IT groups. The organization’s Purchasing department could
survey other like entities to see if they currently use or are exploring using cloud
services and if yes, share contract clauses and lessons learned.
Questions that could be posed include:
• Do you currently use or are you planning to use cloud services?
• If yes, do you have a cloud contract and/or clauses to share?
• Did you perform a benefits analysis and if yes, can you share your
methodology?

The survey results and a summary of contract terms/clauses could be
summarized and shared with respondents and internal IT and Legal and be part
of a due diligence approach.

.3 Tactical to Strategic Approach
Procurement, as a profession, has evolved from tactical to more strategic
approaches. As per the BC government's IM/IT Enablers Strategy (2012),
procurement methods have moved from “stated requirements and fixed price
contract to an iterative process to leverage expertise in the private sector and co-
develop solutions” (p. 2). Strategic relationships with IT vendors can develop
better services and increased innovation. Purchasing needs to include strategic
approaches in its procurement processes, including tender specifications,
evaluation, vendor selection and contract negotiation processes.

As per Forrester (2015), organizations' “sourcing priorities are moving from cost to
innovation” (p. 1, para. 3). With less focus on cost savings, organizations can
spend more time and focus on “stronger business and customer alignment” (p. 1,
para. 4). They summarized the findings with a view that there will be a shift in
sourcing strategy.

Purchasing best practices include staying abreast of current contract
developments and any new clauses or modifications to existing cloud contract
clauses. This includes trends from government and industry regarding policies
and regulations with respect to data security and privacy issues, as well as new
cloud service offerings. In addition, Purchasing needs to perform ongoing
contract & vendor performance management. Gilbert (2010) spoke to the
provider's responsibility to treat data with a duty of care. This duty of care also
extends to the organization at the pre-contract, negotiation and contract
monitoring stages.

3.8.4 Vendor Performance Management
SLAs may not address an organization's business needs, as they focus on the
actual service measure and penalties, post service, rather than on improving the
services. Therefore, a separate scorecard with measures (KPIs) could focus
more on the relationship aspect of the contract (Forrester, 2015). Kalyvas, Overly
and Karlyn (2013) referred to this as “post-execution - ongoing provider
assessment” (p. 27, para. 3), while Forrester (2014) and Goudreault (2014)
referred to this as ‘benchmarking’. This provider benchmarking could be added
as a clause to the contract or as a scorecard (KPIs) included as part of the
contract.

DeSilva (2013) confirmed that SLAs focus on performance criteria from a
technical, tactical perspective and that a “smaller number of metrics…that reflect
the business objectives”, with assigned weights and scores, could be incorporated
into a balanced scorecard to track a provider's performance. DeSilva (2013) also
advised that scorecards can be used as a governance tool or as an incentive,
which could be tied into a compensation model (e.g. a bonus for meeting or
exceeding one of the goals/objectives).

Figure 7. Balanced Scorecard

3.8.5 Communication, Knowledge and Trust
Other important elements for successful contracting include communication,
training, knowledge and trust. Employees must be kept apprised of new
initiatives, IT employees and internal clients (end users) must have the
capabilities (knowledge) to provide cloud services, and organizations must match
supply and demand. Cloud initiatives affect many different areas of an
organization; therefore, effective communication is important in creating a positive
organizational culture. Deloitte (2013) recommended ongoing change
management, training and communication for buy-in and continuous improvement
as key to the success of cloud services.

The organization and provider need to have the expertise and knowledge related
to the specific cloud services, understand the contract documents and relevant
terms, and there needs to be a level of trust around the relationship between
organization and the provider.

In contracting relationships, trust is gained when both parties believe each other
will behave as expected and deliver the services as required. Zissis & Lekkas
(2010) viewed trust from an IT technical perspective and the need to deal with
trust (and a trust certificate) at every layer in the system requiring a security
guarantee. They proposed using a ‘trusted third party’ approach and cryptography
“to ensure the confidentiality, integrity and authenticity of data and communication”
(p. 585) to address security concerns. Alhamad, Dillon and Chang (2010)
suggested that successful negotiation could increase the trust level of the
provider-customer relationship.

Garrison, Kim and Wakefield (2012, p. 66) viewed trust from a vendor
management perspective and their research concluded that successful cloud
deployment can be achieved with a “user (customer) - vendor partnership”
approach. Rather than solely looking at the vendor’s capabilities, organizations
need to look at their own technical capabilities, management resources (training
and experience) and their ability to build trust with the cloud provider. These 3
areas contribute to successful cloud partnerships.

Figure 8. Model of cloud deployment success, relational (vendor/customer) trust.

3.9 Literature Review Summary
As per Section 2.2, the goal of this applied project was to:
• Identify key risks of moving to a cloud environment for Software as a
Service (SaaS),
• Summarize the key contract terms/clauses and SLA metrics that might
mitigate those risks,
• Develop a proposed checklist or framework of key contract terms/clauses
and SLA metrics for use by organizations, and
• Highlight any other themes important for successful contracting.

The literature review identified the main risks and key contract clauses and SLA
metrics to mitigate risks, revealed a cloud contract framework with key cloud
contract terms/clauses, confirmed the importance of negotiation in cloud
contracts, and highlighted themes important for successful contracting.

4.0 ANALYSIS

The following analysis is an overview, including limitations, of the types of
resources, industry standards organizations and websites used for this paper, as
well as the current status of government cloud contracting in Canada.

4.1 Resources
4.1.1 Journal Articles/Academic Research Papers
The majority of the sources found are from an IT or legal perspective. For
example, many of the journal articles are from legal counsel and IT
managers/professionals (IT technology groups/associations). Some of the
research articles are from consulting firms (KPMG, Deloitte) or research advisory
firms such as Forrester and Gartner.

None of the articles are strictly from a Purchasing perspective; however,
Purchasing works closely with Legal. Purchasing is more involved at the due
diligence stages of vendor selection, contract negotiation, and contract
management and performance management stages.

Some research articles appear to be sponsored by IT companies, such as IBM
(Baset, 2012; Tufts & Weiss, 2013), Microsoft or Oracle, and/or some articles
reviewed cloud contracts offered by the big five (5) cloud companies, such as
IBM, Microsoft, Amazon, Google or Salesforce. Provider sponsored articles
might minimize or play down the risks associated with cloud computing.

Tufts and Weiss's (2013) contract assessment framework and negotiation
strategies were a great starting point for development of an updated
recommended checklist of terms/clauses organizations should consider when
moving to the ‘cloud’.

4.1.2 Books
The research included a high level review of a few books. The books were
mainly from an IT cloud security perspective; however, they also revealed useful
due diligence steps, as well as questions that are helpful for organizations
considering entering into a cloud environment.

A new book by Samani, Reavis and Honan (2015), CSA Guide to Cloud
Computing: Implementing Cloud Privacy and Security, is a great resource for IT
managers on how to integrate security planning into cloud initiatives and how to
deal with the implications of privacy in different geographic regions. The book's
authors have an impressive wealth of knowledge and experience. Samani is
currently VP, Chief Tech Officer at McAfee and is Cloud Security Alliance CIO;
Honan is a recognized expert in IS in Europe and Ireland, has provided advice to
the European Commission and is an expert in ISO standards (wrote ISO 27001);
and Reavis is a writer, speaker, technologist and business strategist and is
co-founder and CEO of the Cloud Security Alliance.

4.1.3 IT Industry Standards
The Cloud Standards Customer Council (CSCC), the Cloud Security Alliance
(CSA) and the National Institute of Standards and Technology (NIST) were
among the most cited standards and therefore, they appear to be the main
standards customers/organizations use. There are many cloud computing
standards bodies and currently there is no ‘one dedicated’ cloud standard. It
remains to be seen if this will be addressed in the future (Hon, Millard and
Walden, 2012; Tong, Nguyen, Jaatun, 2012).

The CSCC's website advises they are an end user advocacy group
(http://www.cloud-council.org/about-us.htm) and their board of directors is made
up of a mix of providers and organizations. However, review of some of their
documents, in particular Public Cloud Service Agreements: What to Expect and
What to Negotiate, reveals contract clause recommendations that are somewhat
provider focused (Appendix A - D; p. 25 to 29). Even allowing for this potential
conflict, the documents the CSCC provides are very helpful for both organizations
and cloud providers in understanding cloud services, the related risks and areas
to consider for negotiation in cloud service agreements.

The CSA’s website states that it is a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”. The Cloud Security Alliance is led by industry practitioners, corporations and associations.

NIST is an agency of the U.S. Department of Commerce that works with industry to develop and apply technology, measurements, and standards. NIST’s goals are to promote economic growth, science and information, and environmental stewardship in the US. Its economic growth sub-goals include innovation, entrepreneurship, market development, commercialization, trade promotion and compliance.

4.1.4 Magazine articles and blogs

Google keyword searches revealed online blogs and magazine articles reporting on the current status of cloud computing, industry spending and cloud trends, which is useful information, particularly since cloud computing is changing at such a fast pace. However, it is difficult to confirm the accuracy of this type of information.

4.2 Current State of Government Cloud Contracting in Canada

The US federal government started a cloud strategy in 2011, and NIST (2014) recently published a US government cloud strategy direction document that lays out a clear cloud strategy. As per Wiseman (2014), “the government of Canada has yet to follow other countries in a national strategy for cloud computing” (para. 7). The Canadian Government is currently working on a cloud strategy and cloud contract terms and conditions (Sheppard, 2015).

Canada has been slow to develop a cloud computing direction and cloud computing contract documents and is lagging behind the US. This may hinder uptake by public organizations that are anxious to incorporate cloud services. It can also prevent cloud regulations and standards from moving forward. The Canadian Government’s goal is to have a strategy in place by this summer, although whether it will meet that target remains to be seen.

4.3 Overview of Resources

Searches of the Athabasca University Library, the ABI/Inform and Business Source databases, and Google Scholar yielded the majority of the journal articles and academic literature reviewed. Research also included articles from consulting and research advisory firms, magazines, blogs and books, as well as company and industry standards websites. There are currently many industry standards but no single standard, and it remains to be seen whether one main standard will emerge. The majority of the sources found were from an IT or legal perspective, and there was minimal literature specifically related to contracting for cloud services.

Research revealed that there are many risks associated with cloud computing and that some of the risks might be alleviated through contract negotiation and by incorporating cloud specific clauses into the contract and SLA between the cloud service provider and the organization. The following section provides recommendations to organizations considering moving to ‘cloud’ services.

5. RECOMMENDATIONS AND CONCLUSION

5.1 Recommendations
5.1.1 Overview
There are many risks associated with cloud computing; however, as summarized in section 3.4 of the literature review, organizations feel the rewards of lower cost and service flexibility outweigh the risks of moving to a cloud environment. As per section 3.6, some of the risks might be alleviated through contract negotiation and by incorporating ‘cloud’ specific clauses into the contract and SLA between the cloud service provider and the customer/organization.

Currently, there are no comprehensive cloud contract templates or SLA standard agreement templates that are customer focused; customers rely on the service provider’s agreements. Therefore, a framework of cloud specific terms/clauses is presented for use by both public and private organizations.

The final recommendations are a result of the findings from the literature review and from personal experience and observations. The following cloud computing risk mitigation contracting strategies are presented in this section:
• IT and Purchasing should perform due diligence to mitigate the risks at the pre-contract stage,
• Cloud specific contract terms/clauses and SLA metrics need to be incorporated into cloud contracts to mitigate risks, and a recommended framework of key contract terms/clauses and SLA metrics is presented,
• Purchasing, Legal and IT need to negotiate the key contract terms/clauses, and
• There are themes (management models) that are important for successful contracting.

The recommended cloud computing risk mitigation contracting strategies are as follows:
5.1.2 Due Diligence
As described in Section 3.5, Purchasing, Legal and IT must perform pre-contractual due diligence. IT needs to perform a cloud risk and readiness assessment, and Purchasing needs to perform a thorough vendor selection process and work with Legal to ensure local privacy and regulatory requirements are met. IT, Purchasing and Legal must then work collaboratively to review all business, legal and regulatory risks.

5.1.3 Recommended Framework of Cloud Specific Contract Clauses

As identified in Section 3.6 of this literature review, organizations’ standard service contract clauses currently do not cover cloud service risks. Organizations need to develop contract templates, or add risk-mitigating clauses to existing templates. There is also a need to develop SLA metrics to monitor and measure the cloud service provider’s performance in order to ensure successful contracting partnerships (Rose, 2011; Freedman & Gervais, 2011; and Goudreault, 2014).

The Cloud Computing Contract Assessment Framework provided by Tufts and Weiss (2013) was used as a starting point and, based on the research conducted, it has been updated with the following recommended framework.
The recommended new contract elements are bolded and noted in red (listed below under “Recommended New Elements”):

Table 4. Recommended Cloud Computing Contract Assessment Framework
Major Issues for Cloud Contracts, with the Recommended Cloud Computing Contract Assessment Framework description of specific elements for each:

1. Pricing
• Pricing Caps (limit on pricing increase over time)
• Pricing Changes Notice (requirement to give notice prior to pricing changes)
• Pricing Changes Time Frame Limitation (limitation on how many pricing changes can occur within a set time frame)
• Demand Pricing (requirement to match lower pricing offered to other similar entities when quantities, services, etc., are comparable)
• Costs for Special Services/Additional Quantities/Etc. (costs related to items not specifically included in the original contract scope)
Recommended New Elements:
• Price Flexibility up or down (number & type of users)
• Pricing Cap limited to Consumer Price Index (CPI)

2. Infrastructure Security / Right to Audit and Inspect
• Financial Audit/Review – annual status or as required
• Performance Audit & Security Audit
• Infrastructure/Data/Security Assurances (broadly stated)
• Security Monitoring Practices (logical and physical)
• Data Segregation Practices – with specific encryption language
• Operations Management Requirements (provider’s governance)
• Employee Approval Processes for Sensitive Data
• Third-Party Audit and Inspection of Physical and Logical Security
• Review of Company Audit Logs, Event Logs and Testing Results Related to Physical and Logical Security (including specifications and topology diagrams) – reporting of same, as required
• Forensic Access

3. Data Assurances
• Data Ownership: data custody, intellectual property rights, exclusion of data mining or selling, data processing ownership
• Access to Data: consent to access, organization’s access and retrieval at sole discretion, process for access/retrieval
• Disposition of Data Upon Request: destruction authority & process, audit process
• Disposition of Data Upon Termination: data provision process, obligation to transfer, common data format, data conversion, destruction authority, audit process
• Data Breaches: notification process (method & timelines), vendor obligations (steps if breach occurs), organization’s obligations, indemnification, remediation/penalties
• Data Storage Location: physical data storage requirements, data segregation requirements
• Litigation Holds: metadata/imaging, legal cooperation clause, data preservation/media preservation, cost allocation, redaction process, data provision process
• Public Records Requests (FOIA Requests): data provision process – jurisdiction specific, e.g. BC’s is FIPPA
Recommended New Elements:
• Data Security Provision – general safety, security, access and maintenance of the organization’s information
• Data Redundancy – data back-up plan (frequency & reporting)
• Data Compliance with organization/jurisdiction privacy regulations/laws

4. Governing Law, Jurisdiction, and Forum Selection
• Specified as North Carolina pursuant to NC G.S. 22B-3
Recommended New Element:
• Update to local law/jurisdiction – e.g. Province of BC

5. Service Level Agreements (SLAs)
• Definitions
• Parameters/Performance Requirements (service guarantees)
• Monitoring and Auditing for SLA Compliance
• Technical Support (availability of support)
• Maintenance Window (shut down time)
• Acceptable Use
• SLA Violation or Non-Performance Penalties Notice
• Specification of Remediation and Penalties for Non-Compliance (service credits)
Recommended New Elements:
• Cloud service specific SLA metrics, parameters and measures, e.g. Reliability (performance), Availability, etc.
• Non-financial remedy for service failure, such as investigation and a process to prevent re-occurrences
• Customization (flexibility to add up/down different types and numbers of users)

6. Outsourced Services
• Requirement to Inform Customer of Outsourced Functions
• No Assignment of Contract without Express Written Permission
• Pre-Approval of Subcontractors and/or 3rd party providers

7. Functionality
• Description of Functionality
• Notice of Substantive Changes
• Customer Right to Replace Product or Terminate Due to Substantive Changes
Recommended New Elements:
• Dispute Resolution process and location for disputes (Commercial Arbitration Act)
• Exclusivity

8. Disaster Recovery / Business Continuity
• Minimum Requirements
• Notification Process
• Inspection and Audit (covered under Technical Audit/Inspection)
• Penalties (covered under SLAs)
Recommended New Element:
• Data back-up plan – provider’s and organization’s

9. Mergers and Acquisitions
• Notice of Pending M&A
• Assignment Rights
• Contract Binding Upon M&A
• Continuity of Service

10. Compliance with Laws, Regulations, and Other Standards
• Specifications of Applicable Governing Laws
• Specifications of Applicable Regulatory Requirements
• Direct Liability
• Indirect Liability
• Limitations of Liability
• Warranties
• Indemnification to fully protect for any breaches
Recommended New Element:
• Cyber Insurance – consider the option of specific cyber insurance

11. Terms and Conditions Modification
• Notice of Modification of any and all terms and conditions

12. Contract Renewal and Termination
• Renewal Options – ensure no Lock-In clause
• Obligation to Transfer
• Contract Release Without Show Cause
• Suspension of Services
• Non-Appropriation Clause
• Advance Notice of Contract/Service Termination by Vendor
• Escrow Language
Recommended New Elements:
• De-commissioning
• Severability
• Transition Plan/Process (exit obligations)

13. Services
Recommended New Elements:
• Definition: detailed description of the services, milestones and what is in scope
• Definition of all contract terms
• Implementation Plan or Pilot, if applicable
• License grants & restrictions
• Training Plan and follow-up as required (state method & timeline)
• Governance – the organization’s governance (e.g. project charter), and request a copy of the provider’s data governance process
• Data Conversion Plan – delivery of data at onset of services
• Vendor Performance Management Plan (KPIs)
• Warranty Commitment (may be in SLA)

5.1.4 Recommended SLA Metrics

Research identified the top 3 SLA metrics as performance, scalability and availability, as follows:

Table 5. Top 3 Recommended SLA Metrics
Metric (parameter): Description
• Reliability (performance): ability to keep operating in most cases
• Scalability: flexibility for number of users (individual or large organizations)
• Availability (uptime/downtime): uptime of the software for users within a specific time period

The SLA metric, parameter and metric rule should be customized for the specific cloud service being contracted. NIST’s Cloud Computing Service Metrics Description document (2015) is currently being drafted and will be a great resource for organizations.
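The availability metric in Table 5, together with the “Monitoring and Auditing for SLA Compliance” and service credit elements of the framework, can be verified from the customer’s side rather than taken from the provider’s own report. The following Python script is an added example, not part of this paper or of any provider’s SLA tooling; the outage records, maintenance window, 99.9% target and credit tiers are constructed, hypothetical values. It goes slightly beyond the table by showing how measured availability is computed net of an announced maintenance window, how much unplanned downtime a 99.9% monthly target actually permits, and which credit tier a shortfall falls into.

```python
"""Availability SLA check: measure a provider's uptime against a contracted
target and work out the service credit owed for the reporting period."""
from datetime import datetime

# ---- Constructed sample data (illustrative, not taken from the paper) -------
# One reporting month. Outages are periods in which the customer's own
# external health checks failed; maintenance windows are the provider's
# announced shut-down times, which the SLA excludes from the measurement.
PERIOD_START = datetime(2015, 3, 1)
PERIOD_END = datetime(2015, 4, 1)

OUTAGES = [
    (datetime(2015, 3, 4, 2, 0), datetime(2015, 3, 4, 2, 30)),     # during maintenance
    (datetime(2015, 3, 12, 14, 5), datetime(2015, 3, 12, 14, 50)),  # unplanned, 45 min
    (datetime(2015, 3, 27, 9, 0), datetime(2015, 3, 27, 9, 20)),    # unplanned, 20 min
]
MAINTENANCE_WINDOWS = [
    (datetime(2015, 3, 4, 1, 0), datetime(2015, 3, 4, 3, 0)),
]

# ---- Assumed contract terms (hypothetical values chosen for this example) ---
AVAILABILITY_TARGET = 99.9          # percent, per reporting period
# (availability threshold, service credit as a percent of the monthly fee)
CREDIT_TIERS = [(99.0, 25), (99.5, 10), (99.9, 5)]


def overlap_minutes(a, b):
    """Minutes shared by two (start, end) intervals; 0 if they do not overlap."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(0.0, (end - start).total_seconds() / 60)


def unplanned_downtime_minutes(outages, windows):
    """Outage minutes that count against the SLA, i.e. not inside an
    announced maintenance window (windows are assumed not to overlap)."""
    total = 0.0
    for outage in outages:
        minutes = (outage[1] - outage[0]).total_seconds() / 60
        excused = sum(overlap_minutes(outage, w) for w in windows)
        total += max(0.0, minutes - excused)
    return total


def measured_minutes(start, end, windows):
    """Length of the reporting period minus the excluded maintenance time."""
    total = (end - start).total_seconds() / 60
    return total - sum(overlap_minutes((start, end), w) for w in windows)


def availability_percent(start, end, outages, windows):
    """Availability over the period, as the SLA would define it."""
    measured = measured_minutes(start, end, windows)
    down = unplanned_downtime_minutes(outages, windows)
    return 100.0 * (measured - down) / measured


def downtime_budget_minutes(target_percent, measured):
    """How much unplanned downtime the target still allows in this period."""
    return measured * (1 - target_percent / 100)


def service_credit_percent(availability, tiers=CREDIT_TIERS):
    """Credit for the lowest tier whose threshold the measured availability fails."""
    for threshold, credit in sorted(tiers):
        if availability < threshold:
            return credit
    return 0


def sla_report(start=PERIOD_START, end=PERIOD_END, outages=OUTAGES,
               windows=MAINTENANCE_WINDOWS, target=AVAILABILITY_TARGET):
    """Summarize the period the way an SLA compliance review would."""
    measured = measured_minutes(start, end, windows)
    avail = availability_percent(start, end, outages, windows)
    return {
        "measured_minutes": measured,
        "unplanned_downtime_minutes": unplanned_downtime_minutes(outages, windows),
        "downtime_budget_minutes": downtime_budget_minutes(target, measured),
        "availability_percent": avail,
        "target_met": avail >= target,
        "service_credit_percent": service_credit_percent(avail),
    }


if __name__ == "__main__":
    for key, value in sla_report().items():
        print(f"{key}: {value}")
```

With the constructed data the 30-minute outage inside the maintenance window is excused, the remaining 65 minutes exceed the roughly 44.5 minutes a 99.9% monthly target permits, and the month lands in the 5% credit tier. The point for negotiation is that the measurement rules (what is excluded, what period is used, who measures) decide the outcome as much as the headline percentage does.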

5.1.5 Negotiation
Purchasing best practices include planning a negotiation strategy with internal clients and IT (Goudreault, 2014; Deloitte, 2013). Tufts and Weiss (2013) identified an approach to successful negotiations, starting with the need for organizations to identify the contract term ‘must haves’ and to have a back-up plan of a second choice vendor in case the provider won’t meet the organization’s needs. As competition in the marketplace increases, cloud providers are becoming more willing to negotiate contract terms with organizations (Bradshaw, Millard & Walden, 2011).

5.1.6 Themes for Successful Contracting
Organizations need to take advantage of management models that will lead to successful contracting, including governance and SaaS strategies, project management techniques and tools (continuous improvement), and purchasing best practices, including ongoing contract and vendor performance management. In addition, knowledge, trust, human capital and communication are key to successful contracting. These apply to all contracts, not just cloud computing, and are necessary for successful provider selection, contract negotiation and contract execution for ongoing service delivery to meet the business needs of the organization. Section 3.8 provided details on the various themes mentioned.

5.2 Conclusion
5.2.1 Relevance & goal of this applied project
The goal of this applied project was to:
a) Identify key risks of moving to a cloud environment for Software as a Service (SaaS),
b) Summarize the key contract terms/clauses and SLA metrics that might mitigate those risks,
c) Develop a proposed checklist or framework of key contract terms/clauses and SLA metrics for use by organizations; and
d) Highlight any other themes important for successful contracting.

The research confirmed there are many risks associated with cloud computing,
particularly with respect to data security and privacy risks and regulatory and
privacy compliance. This paper analyzed the critical risks associated with cloud
computing and identified and presented a framework of key contract terms and
SLA metrics organizations need to negotiate into cloud contracts to mitigate these
risks. The framework of key clauses provides organizations with a checklist of
cloud specific clauses to include in the contract in order to protect their best
interests from a business and legal contracting perspective.  

The majority of current agreements are provider focused; therefore, negotiations are essential for cloud computing contracts (Tufts & Weiss, 2013). As organizations look for opportunities to move to cloud services in order to realize the benefits, they need to ensure providers are willing to negotiate contract terms and accept some of the risks. Increased competition and the purchasing power of large organizations seem to be driving negotiations for contract terms that are a win-win for both parties. The marketplace is maturing, and contract terms will eventually more closely reflect organizations’ concerns (Bradshaw, Millard and Walden, 2011). As discussed by Hon, Millard and Walden (2012), “contract terms for cloud computing services are evolving, driven by users' attempts to negotiate providers' standard terms to make them more suitable for their requirements” (p. 1, para. 1).

The paper also highlighted themes important for successful negotiation of cloud
computing contracts including: governance, SaaS strategy, project management,
(operations improvement, project planning, continuous improvement, benefits
realization), purchasing best practices, and vendor performance management. In
addition, knowledge, trust, human capital and communication are key to
successful contracting. These themes apply to all contracts, not only for cloud
services, and are necessary for successful provider selection, contract
negotiation and contract implementation for ongoing service delivery to meet the
business needs of the organization.

5.2.2 Main recommendations

The main recommendations to mitigate risks from a contracting perspective include:
1. IT and Purchasing should perform due diligence to mitigate the risks at the pre-contract stage,
2. There are key cloud specific contract terms and SLA metrics that organizations should incorporate into cloud contracts. A recommended framework of key cloud specific contract terms/clauses and SLA metrics was presented in Section 5.1,
3. Purchasing, Legal and IT need to negotiate the key contract terms and clauses. As the market evolves, providers are willing to accept more of the risks and are starting to work with organizations (customers) to negotiate mutually acceptable contract terms; and
4. There are important themes (management models) that are key to successful contracting with cloud providers.

5.2.3 Ideas for future consideration

There are several ideas organizations can explore, or need to stay on top of, in order to improve successful ‘cloud’ contracting in the future. For example, industry sectors could increase their buying power by forming buying groups. Purchasing and IT professionals could form a cloud contract working group (public and private sector) to share cloud contract knowledge, sample clauses, issues and current risk mitigation ideas, and to develop and maintain an updated contract framework. In addition, cloud industry regulators could try to push vendors toward addressing contract clause issues (Noble Foster, 2013, p. 18). Lastly, governments need to become more involved and push legislation to deal with customers’ privacy concerns.

5.2.4 Current and future state of cloud computing

Wiseman (2014) advised that there are not many examples of cloud services adoption, provincially and municipally, in Canada (para. 6). The Canadian government is currently reviewing responses to an RFI with the goal of developing a cloud strategy by this summer, and therefore will soon follow other countries with a national strategy for cloud computing. Mechling (2014) of Gartner Research, as cited by Wiseman (2014), stated that “cloud computing is revolutionizing the world” and that, in order to realize the benefits, governments need to move to the cloud and collaborate on their requirements to improve their buying power.

Cloud computing technology is enabling a significant shift in an organization’s technology business model (Aleem & Sprott, 2012; Samani, Honan & Reavis, 2015). Cloud service offerings and the industry continue to evolve at a fast pace and, as per Aleem and Sprott (2013), “Cloud services are expected to drive IT industry growth for the next 25 years” (p. 21). Gartner (2014) reported that by 2015 50% of all new independent software vendors will be SaaS providers and that by 2016 many organizations will be using some form of ‘cloud’ services. Therefore, organizations need to stay on top of market trends, the type of model in which services are being offered, any new ‘cloud’ market entrants and the evolution of cloud standards, regulations, legislation and cloud specific contract documents.

5.2.5 Limitations
Few of the articles researched spoke to ‘cloud’ specific procurement strategies, and they did not reveal any recommended cloud contract templates. The majority of articles were from an IT and Legal perspective. The suggested cloud contract terms and/or clauses were from a legal firm’s perspective, with the exception of the framework presented by Tufts and Weiss (2013). These authors are academics with the University of Carolina and presented their recommendations from a business view rather than a strictly legal perspective.

5.2.6 Further research

Current research has limited scope from a Purchasing contracting perspective. Ongoing analysis and research of cloud contract issues (lessons learned) is needed, as is a current common framework and/or checklist of contract terms/clauses and SLA metrics that is maintained and made available to organizations as a shared resource. Purchasing and IT managers of public and private organizations, provincially and nationally, could meet to share any cloud contract templates they develop, to discuss ‘cloud’ contract issues and to discuss performance issues with specific providers. Continued communication and collaboration among Purchasing, Legal and IT professionals is imperative, particularly on breach and privacy issues.

Further research might reveal a similar framework of key cloud specific contract clauses and SLA metrics that could be developed for IaaS and PaaS cloud service models. In addition, organizations need to stay on top of recent developments with respect to privacy legislation and/or regulations within their jurisdiction and ensure cloud providers comply.

6.0 REFERENCES

Aleem, A., & Sprott, C. R., (2013). Let me in the cloud: Analysis of the benefit and
risk assessment of cloud platform. Journal of Financial Crime, 20(1), 6-24.
Retrieved from: http://0-
search.proquest.com.aupac.lib.athabascau.ca/docview/1242242133?accountid=8
408

Alhamad M., Dillon T., & and Chang E., (2010), Conceptual sla framework for
cloud computing - Digital Ecosystems and Business Intelligence Institute (DEBII),
Retrieved from: http://dx.doi.org/10.1109/DEST.2010.5610586

Aljabre, A. (2012). Cloud computing for increased business value. International


Journal of Business and Social Science, 3(1), n/a. Retrieved from
http://search.proquest.com/docview/913056373?accountid=8408
 
Almathami, M. (2012) SLA-based risk analysis in cloud computing environments.
Thesis. Rochester Institute of Technology. Retrieved from:
https://scholar.google.ca

Amazon Web Services. (2015). What is cloud computing? Retrieved on the


World Wide Web from: http://aws.amazon.com/what-is-cloud-computing/

BC Government (2015). Freedom of information and protection of privacy act of


BC, Queens Printer, Retrieved from:
http://www.cio.gov.bc.ca/cio/priv_leg/foippa/foippa_guide.page

BC Government (2012). IM/IT Enablers Strategy V1.5, Retrieved from:


http://www.cio.gov.bc.ca/local/cio/about/documents/it_strategy.pdf

Baset, S. A. (2012). Cloud SLAs: present and future. ACM SIGOPS Operating
Systems Review, 46(2), 57-66. Retrieved from: https://scholar.google.ca

Bean, L. (2009). Cloud computing: what internal auditors need to know. Internal
Auditing, 24(5), 34-38. Retrieved from ABI/Inform database (ProQuest document
ID 214387723) from: http://proquest.umi.com/pqdweb

Betcher, T. J. (2010). Cloud computing: Key IT-related risks and mitigation


strategies for consideration by IT security practitioners (Doctoral dissertation,
University of Oregon). Retrieved from: https://scholar.google.ca

Blinsky, D. (2013). Practice resource: Cloud computing checklist, the law society
of british columbia, Retrieved from: www.lawsociety.bc.ca

  55  
Bradshaw, S., Millard, C., & Walden, I. (2011). Contracts for clouds: comparison
and analysis of the terms and conditions of cloud computing services.
International Journal of Law & Information Technology, 19(3), 187-223.
Retrieved from http://0-
search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=iih&A
N=64112914&site=eds-live

Carcary, M., Doherty, E., & Conway, G. (2013). The adoption of cloud computing
by irish SMEs - an exploratory study. Electronic Journal of Information Systems
Evaluation, 16(4), 258-269. Retrieved from http://0-
search.proquest.com.aupac.lib.athabascau.ca/docview/1521023374?accountid=8408

Cloud Security Alliance (2011), Security Guidance for Critical Areas of Focus in
Cloud Computing v. 3.0, Retrieved from:
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

Cloud Security Alliance (2015), Blogpage, Anthem’s breach and the ubiquity of
compromised credentials, Retrieved from:
https://blog.cloudsecurityalliance.org/2015/02/09/not-alone-92-companies-share-
anthems-vulnerability/

Cloud Security Alliance (2015), Blogpage, Top security questions to ask your
cloud providers, Retrieved from:
https://blog.cloudsecurityalliance.org/2014/02/06/top-security-questions-to-ask-
your-cloud-provider/

Cloud Standards Customer Council (2015) website, Retrieved from:


http://www.cloud-council.org/about-us.htm

Cloud Standards Customer Council (2015) website, Retrieved from: http://cloud-


standards.org/wiki/index.php?title=Main_Page

Deloitte (2013), IT SaaS readiness assessment, WorkSafeBC, Retrieved from:


WorkSafeBC’s intranet purchasing site.

De Silva, S. (2013). A beginner's guide to balanced scorecards. Supply


Management, 18(9), 38-40. Retrieved from: http://0-
search.proquest.com.aupac.lib.athabascau.ca/docview/1472003141?accountid=8
408

English, K (2012), Operations process improvement proposal: electronic


contracting and signature authorization, operations management, OPMT-505, St.
Albert: Athabasca University, Faculty of Business.

English, K (2014), Project management; benefits realization individual


assignment, EPMG- 681, St. Albert: Athabasca University, Faculty of Business.

  56  
Forrester Research Inc. (2014), TechRadar: Software-as-a-services, Q1, 2014,
Retrieved from: WorkSafeBC’s intranet purchasing site.

Forrester Research Inc. (2015), Be aware of these sourcing trends for managed
services and cloud, Retrieved from: WorkSafeBC’s intranet purchasing site

Freedman B. J. & Gervais, B. L. (2011), Procuring cloud computing services in


Canada. Managing Intellectual Property, Retrieved from: ABI/Inform database
(ProQuest document ID 897000122): http://proquest.umi.com/pqdweb

Gartner, (2010, February). Cloud computing, key initiative, Retrieved from:


https://www.gartner.com/doc/1263918/cloud-computing-key-initiative-overview

Gartner (2014, April), Cloud computing innovation key initiative overview,


Retrieved from: https://www.gartner.com/doc/2718918/cloud-computing-
innovation-key-initiative

Gartner (2014, October), Gartner identifies the top 10 strategic technology trends,
Retrieved from: http://www.gartner.co/newsroom/id/2867917

Gilbert, F. (2010). Cloud service contracts may be fluffy; selected legal issues to
consider before taking off. Journal of Internet Law, 14(6), 1-30., Retrieved from:
http://0-
search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=bth&
AN=55528463&site=eds-live

Goudreault, C (2014). WorkSafeBC’s saas procurement guidelines. Retrieved


from WorkSafeBC’s intranet purchasing site.

Government of Canada, Procurement tender notice for RFI (EN578-151297(B),


buyandsell.gc.ca website, Retrieved from:
https://buyandsell.gc.ca/procurement-data/tender-notice/PW-EEM-033-28243

Green, K. B., & Green, B. P. (2014). Reining in the risks of cloud computing.
Internal Auditing, 29(5), 29-35. Retrieved from ABI/Inform database (ProQuest
document ID 1626831802), from: http://0-
search.proquest.com.aupac.lib.athabascau.ca/docview/1626831802?accountid=8
408

Gupta, U (2011), Cloud Computing: 5 Topics for the Boss: Data Protection, Cost
are Two Key Items, Retrieved from http://www.inforisktoday.com/cloud-
computing-5-topics-for-boss-a-3554

  57  
Hon, W. K., Millard, C., & Walden, I., (2012) Negotiating cloud contracts - looking
at clouds from both sides now (May 9, 2012). 16 STAN. TECH. L. REV. 81
(2012); Queen Mary School of Law Legal Studies Research Paper No. 117/2012.
Retrieved from: SSRN: http://dx.doi.org/10.2139/ssrn.2055199

Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: A practical
framework for managing cloud computing risk-part I. Intellectual Property &
Technology Law Journal, 25(3), 7-18,1. Retrieved from:
http://search.proquest.com/docview/1322734722?accountid=8408

Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: A practical
framework for managing cloud computing risk--part II. Intellectual Property &
Technology Law Journal, 25(4), 19-27. Retrieved from: http://0-
search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&AuthType
=url,ip,uid&db=iih&AN=86273408&site=ehost-live

KPMG’s Top 10 internal audit considerations for technology companies,


Retrieved from:
http://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/RiskNewslett
er/Documents/Top10InternalAudit.pdf

Krutz, R. L., Vines, R. D., & Brunette, G. (2010). Cloud security: a comprehensive
guide to secure cloud computing. Useful next steps and approaches, NJ, USA:
John Wiley & Sons. Retrieved from: Proquest e-brary database (ISBN
9780470921449) from: http://proquest.umi.com/pqdweb

Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud
computing-The business perspective. Decision Support Systems, 51(1), 176-189.
Retrieved from: https://scholar.google.ca

McKendirk (2014), IBM and Microsoft surge ahead of amazon in cloud revenues
analysts estimate. Forbes, Retrieved from:
http://www.forbes.com/sites/joemckendrick/2014/07/28/ibm-microsoft-surge-
ahead-of-amazon-in-cloud-revenues-analysts-estimate/

Mell P., & Grance T., (2011), The NIST Definition of Cloud Computing, Special P
80-145, Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-
145.pdf

Muller, R. (2009), Project Governance. Fundamentals of Project Management.


Surrey, English; Gower Publishing Ltd.

NIST Cloud computing synopsis and definitions, National Institute of Standards


and Technology, US Department of Commerce SP 800-146, Retrieved from:
http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf

  58  
NIST (2015), Cloud computing service metrics description, National Institute of
Standards and Technology, US Department of Commerce SP 500-307, Retrieved
from: http://www.nist.gov/itl/cloud/upload/RATAX-
CloudServiceMetricsDescription-DRAFT-20141111.pdf

NIST (2014), US government cloud computing technology roadmap, volume 1,


National Institute of Standards and Technology, US Department of Commerce SP
500-293, Retrieved from:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-293.pdf

Nanath, K., & Pillai, R. (2013). A model for cost-benefit analysis of cloud
computing. Journal of International Technology and Information Management,
22(3), 95-II. Retrieved from: ABI/Inform database (ProQuest document ID
1522799222) from: http://proquest.umi.com/pqdweb

Noble Foster, T., (2013), Navigating through the fog of cloud computing contracts,
ExpressO, Retrieved from: http://0-
works.bepress.com.aupac.lib.athabascau.ca/tnoble_foster/1

Office of the Information & Privacy Commissioner for BC (2012), Cloud computing
guideline for public bodies, Retrieved on the World Wide Web from:
https://www.oipc.bc.ca/search.aspx?SearchTerm=cloud

Paquette, S., Jaeger, P. T., & Wilson, S. C. (2010). Identifying the security risks
associated with governmental use of cloud computing. Government Information
Quarterly, 27(3), 245-253. Retrieved from: http://0-
dx.doi.org.aupac.lib.athabascau.ca/10.1016/j.giq.2010.01.002

Rose, F. (2011). SLAs: promises, promises. Information Week, (1304), 20-21.


Retrieved from ABI/Inform database (ProQuest document ID 878516004) from:
http://proquest.umi.com/pqdweb

Samani, R., Honan, B., Reavis, R., (2015), CSA Guide to Cloud Computing:
Implementing Cloud Privacy and Security, Science Direct, Syngress, an imprint of
Elsevier, 225 Wyman Street, Waltham, MA 02451, USA. Retrieved from:
doi:10.1016/B978-0-12-420125-5.09001-4

Sangroya, A., Kumar, Dhok, J., & Varma, V. (2010). Toward analyzing data security
risks in cloud computing environments. Information Systems, Technology and
Management, Volume 54 (ISBN: 978-3-642-12034-3). Retrieved from:
https://scholar.google.ca

Scott, R. J. (2014). Contract corner. Licensing Journal, 34(2), 21-21. Retrieved
from: http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=bth&AN=94445027&site=eds-live

Shaw, J. (2011). 4 steps to cloud quality. InformationWeek, (1311), 36-36, 38, 40, 42.
Retrieved from: ABI/Inform database (ProQuest document ID 898969349) from:
http://proquest.umi.com/pqdweb

Sheppard, D. (2015). Observations on the Canadian government cloud RFI. IT
World. Retrieved from:
http://www.itworldcanada.com/blog/the-canadian-government-cloud-rfi-some-observations/102235

Simon, T. (2003). What is benefit realization? The Public Manager, 32(4), 59-60.
Business Insights: Essentials. Retrieved from:
http://0-bi.galegroup.com.aupac.lib.athabascau.ca/essentials/article/GALE%7CA119744207/60a5895fae2166b7070f555f401fee83?u=atha49011

Slack, N., Chambers, S., Johnson, R., (2010), Operations management. Essex,
England: Pearson Education Limited

Stamou, A., Morin, J. H., Gateau, B., & Aubert, J. (2012). Service level
agreements as a service-towards security risks aware SLA management.
Retrieved from: https://scholar.google.ca

Tong, C., Nguyen, S. T., & Jaatun, M. G. (2012). Beyond lightning: a survey on
security challenges in cloud computing. Computers & Electrical Engineering,
39(1), 47-54. Retrieved from: doi:10.1016/j.compeleceng.2012.04.015

Tufts, S. H., & Weiss, M. L. (2014). Cloudy with a chance of success:
Contracting for the cloud in government. Center for The Business of Government.
Retrieved from:
http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=edsssb&AN=edsssb.bkg00062755&site=eds-live

Tutorials website, Cloud Computing Overview page. Retrieved from:
http://www.tutorialspoint.com/cloud_computing/cloud_computing_overview.htm

Venters, W., & Whitley, E. A. (2012). A critical review of cloud computing:
Researching desires and realities. Journal of Information Technology, 27(3),
179-197. Retrieved from:
http://0-dx.doi.org.aupac.lib.athabascau.ca/10.1057/jit.2012.17

Wiseman, R. (Oct 2014). Canadian Government Executive. Retrieved from:
https://cgexecblog.wordpress.com/tag/cloud-computing/

Zielinski, D. (2009). Be clear on cloud computing contracts. HRMagazine, 54(11),
63-65. Retrieved from: ABI Inform database (ProQuest document ID 205042081)
from: http://proquest.umi.com/pqdweb

Ouedraogo and Mouratidis (2013). Selecting a cloud service provider in the age
of cybercrime. Retrieved from:
http://0-eds.b.ebscohost.com.aupac.lib.athabascau.ca/ehost/pdfviewer/pdfviewer?sid=2ef5746a-9816-49b3-9edc-de8b5fc0a186%40sessionmgr115&vid=1&hid=117

APPENDIX A - SAMPLE CLAUSES

DATA SECURITY, REDUNDANCY & DATA CONVERSION CLAUSES

As per Kalyvas, Overly and Karlyn (2013) the following sample clauses are
recommended for managing cloud risk in the areas of data security, data
redundancy and data conversion (p. 20-22).

“Sample Data Security provision:

a. In General. Provider will maintain and enforce safety and physical security
procedures with respect to its access and maintenance of Customer
Information (1) that are at least equal to industry standards for such types of
locations, (2) that are in accordance with reasonable Customer security
requirements, and (3) which provide reasonably appropriate technical and
organizational safeguards against accidental or unlawful destruction,
loss, alteration, or unauthorized disclosure or access of Customer Information
and all other data owned by Customer and accessible by Provider under this
Agreement.

b. Storage of Customer Information. All Customer Information must be stored in a
physically and logically secure environment that protects it from
unauthorized access, modification, theft, misuse, and destruction. In addition to
the general standards set forth above, Provider will maintain an adequate level of
physical security controls over its facility. Further, Provider will maintain an
adequate level of data security controls. See Exhibit A for detailed information on
Provider’s security policies protections.

c. Security Audits. During the Term, Customer or its third party designee may,
but is not obligated to, perform audits of the Provider environment,
including unannounced penetration and security tests, as it relates to the receipt,
maintenance, use, or retention of Customer Information. Any of Customer’s
regulators shall have the same right upon request. Provider agrees to comply
with all reasonable recommendations that result from such inspections, tests, and
audits within reasonable timeframes.

Sample Data Redundancy provision

Provider will: (i) execute (A) nightly database backups to a backup server, (B)
incremental database transaction log file backups every 30 minutes to a backup
server, (C) weekly backups of all hosted Customer Information and the default
path to a backup server, and (D) nightly incremental backups of the default path
to a backup server; (ii) replicate Customer’s database and default path to an
off-site location (i.e., other than the primary data center); and (iii) save the last 14
nightly database backups on a secure transfer server (i.e., at any given time).

Sample Data Conversion provision

At Customer’s request, Provider will provide a copy of Customer Information to
Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM.
Upon expiration of this Agreement or termination of this Agreement for any
reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current
copy of all of the Customer Information in the form in use as of
the date of such expiration or termination and (b) completely destroy or erase all
other copies of the Customer Information in Provider’s or its
agents’ or subcontractors’ possession in any form, including but not limited to
electronic, hard copy, or other memory device. At Customer’s request,
Provider shall have its officers certify in writing that it has so destroyed or erased
all copies of the Customer Information and that it shall not make
any use of the Customer Information.”
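The redundancy provision quoted above specifies a backup cadence a customer can verify rather than take on trust. The following Python check, added here as an illustration and not taken from the paper or from Kalyvas, Overly and Karlyn, evaluates a constructed backup inventory against each sub-clause; the record format, backup kinds and location names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SLOTS_PER_DAY = 48  # transaction log backups every 30 minutes, sub-clause (i)(B)

def make_inventory(days=14, drop_slot=None):
    """Constructed (synthetic) inventory of backup artifacts as (kind, timestamp, location).
    drop_slot, if given, omits one 30-minute log backup to simulate a missed run."""
    start = datetime(2015, 4, 1)  # arbitrary constructed start date
    inv = []
    for d in range(days):
        day = start + timedelta(days=d)
        inv.append(("db_full", day.replace(hour=2), "transfer"))   # (i)(A) nightly DB backup
        inv.append(("path_incr", day.replace(hour=3), "backup"))   # (i)(D) nightly incremental
        if d % 7 == 0:
            inv.append(("path_full", day.replace(hour=4), "backup"))  # (i)(C) weekly full
        for slot in range(SLOTS_PER_DAY):                             # (i)(B) 30-minute logs
            if d * SLOTS_PER_DAY + slot != drop_slot:
                inv.append(("db_log", day + timedelta(minutes=30 * slot), "backup"))
    end = start + timedelta(days=days)
    inv.append(("db_replica", end, "offsite"))    # (ii) off-site replica of the database
    inv.append(("path_replica", end, "offsite"))  # (ii) off-site replica of the default path
    return inv

def max_gap_minutes(times):
    """Largest interval between consecutive timestamps (inf if fewer than two)."""
    times = sorted(times)
    if len(times) < 2:
        return float("inf")
    return max((b - a).total_seconds() / 60 for a, b in zip(times, times[1:]))

def check_redundancy(inv, days=14):
    """Map each sub-clause of the redundancy provision to True (met) or False (not met)."""
    by_kind = defaultdict(list)
    for kind, ts, loc in inv:
        by_kind[kind].append((ts, loc))
    nightly_db = {ts.date() for ts, _ in by_kind["db_full"]}
    nightly_incr = {ts.date() for ts, _ in by_kind["path_incr"]}
    weekly = sorted(ts for ts, _ in by_kind["path_full"])
    offsite = {k for k, recs in by_kind.items() if any(l == "offsite" for _, l in recs)}
    return {
        "A_nightly_db_backup": len(nightly_db) >= days,
        "B_log_backup_every_30min": max_gap_minutes([ts for ts, _ in by_kind["db_log"]]) <= 30,
        "C_weekly_full_backup": len(weekly) >= days // 7
            and all((b - a).days <= 7 for a, b in zip(weekly, weekly[1:])),
        "D_nightly_incremental": len(nightly_incr) >= days,
        "ii_offsite_replication": {"db_replica", "path_replica"} <= offsite,
        "iii_14_nightly_retained": sum(l == "transfer" for _, l in by_kind["db_full"]) >= 14,
    }
```

Feeding the provider's real backup manifest into `check_redundancy` in the same record shape turns the clause into a repeatable audit rather than a one-time negotiation point.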

APPENDIX B

FRAMEWORK FOR SECURITY MECHANISMS FOR CLOUD SLAs

Bernsmed et al. (2011), as cited by Tong, Nguyen and Jaatun (2012), presented
a framework for security mechanisms in service level agreements in cloud
computing at an international conference on cloud computing and services in
2011.
