There are four key areas through which you can mitigate the risks of cloud computing:
1. The contract: make sure you have meaningful liability terms, with each party’s duties carefully articulated – otherwise the contract could prove ineffective. The most important terms in the contract are those which establish which party bears the loss if the service provider suffers a security breach. Ask the provider to indemnify you for losses arising from a data security breach. These costs might include breach notices, attorney fees, mailing costs, credit monitoring expenses and call center expenses. Look closely at clauses that limit the provider’s liability and at consequential damage disclaimers, and modify them if necessary. The contract also needs clear exit terms in case the provider becomes insolvent, with provision for you to get your data back or transferred to an alternative provider (including data held by third parties).
2. Due diligence: make sure your provider can deliver on their promises. The Cloud Security Alliance provides a framework of security concepts and principles designed to help you assess the overall security risk of a cloud provider.
3. Incident response procedures: try to lock your provider into incident response procedures that dovetail with your own. Stipulate:
- immediate investigation after a breach
- mitigating, remediating and notifying you promptly
- providing written reports and status reports after breach
- retaining information relevant to the breach: logs, planning documents, audit trails, records and reports
- an obligation for the provider to preserve data (and initiate a ‘litigation hold’) and to support your own forensic investigation and preservation process; permission for you to conduct your own forensic assessment of a breach – or for the provider to undertake it, providing you with reports and the underlying information
- limited use of third parties to handle data without your consent, and a requirement to conduct full due diligence on third parties and impose contract terms similar to your own terms with the provider.
4. Good insurance: the fourth emergency service is of course a good insurance policy: don’t underestimate the costs associated with an incident such as a data breach. The language used in policies varies widely – make sure yours covers your real exposures.
Buying cloud is a leap of faith. Before making the decision to move your data to the cloud, work through the potential risks, and make sure you control the risks through the contract. In choosing a provider you may be offsetting price against safety and control – so your choice will depend on the sensitivity of your data.