A recent Ponemon Institute study reports that a significant majority of 127 cloud-computing service providers surveyed believe it is their customers' responsibility to secure the cloud, not theirs.
Or, as Andrew Schrader, national sales director of e-mail hosting and services cloud provider AppRiver says more colloquially, when it comes to security, "the buck stops with you."
AppRiver is hardly unique. Amazon Web Service's Terms and Conditions, for example, state that it will "have no liability…for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."
"Cloud," says Bruce Lynne, managing partner of Financial Executives Consulting Group, "is just a fancy word for outsourcing." And, as smart CFOs know, when a company outsources, it sheds work, not responsibility.
But while the policy may be familiar, the ramifications could be huge. That's because the cloud — which enables companies to outsource everything from e-mail to ERP and then access it all through a browser — is inherently insecure. The same ease of access that makes it appealing also makes it vulnerable. Yet many non-tech-savvy buyers of cloud services are not adequately aware of the security issues, says James Reavis, director of the nonprofit Cloud Security Alliance.
"After the Amazon outage," recalls Reavis, referring to an incident in April in which a special promotion to download a new single by Lady Gaga resulted in more traffic than Amazon could handle, "I ran into a company that hadn't even checked the box to make sure it had the backup services it wanted."
That cloud disruption is just one in a series of recent incidents: the April breach of online marketing provider Epsilon that exposed e-mail addresses and customer names held by about 50 companies, including JPMorgan Chase, Citigroup, and Hilton Hotels; the April and May hacks of Sony's PlayStation Network; the May Microsoft BPOS (Business Productivity Online Services) hiccup that also shut down its Outlook portal. All of these problems vividly illuminate the vulnerability of cloud services.
That vulnerability extends to private clouds (in which servers remain in a company's possession) because having your data and apps on a virtualized platform means that, as McKinsey principal James Kaplan points out, when a hacker accesses one server, he accesses them all. If a server was attacked in precloud days, you simply shut it down. Today, with workloads distributed across many servers, there's a domino effect.
"The commingling of data in both private and public clouds is a fundamental change," says KPMG managing partner Brian Walker, resulting in an extraordinarily volatile environment. But Walker believes that no matter the risk, the economic benefits of cloud computing make it an "irresistible force" that will become the "default standard" over the next 2 to 10 years.
So the question for the CFO becomes: How can you protect your company in this new, risky business?
Negotiating in the Cloud
When RightNow Technologies CFO Jeff Davison went shopping for a cloud provider for his ERP system in 2009, he winnowed his choice down to NetSuite and Oracle. He went with NetSuite in part because he wanted a cloud contact's flexibility and not the perpetual license Oracle was offering at the time. Still, before signing, Davison's team sat down with NetSuite to negotiate, a process he describes as lengthy.
Because RightNow, as a provider of applications to B2C companies, handles those companies' customer data, Davison wanted RightNow's data segregated on dedicated servers within NetSuite's cloud, and he wanted to know where those servers were located geographically. He also wanted to make sure NetSuite would notify him in advance of planned upgrades, and how the firm would compensate RightNow for the downtime upgrades produce. He wanted a cash-back clause if NetSuite didn't meet SLA uptimes, an agreement he characterizes as unusual in the cloud. "You want your vendor to have skin in the game," he says.
Davison made sure NetSuite was SAS 70 certified, and looked into its disaster recovery processes. He may not have gotten everything he wanted, but at least he thought to ask. (Asking for what you need is important because cloud providers tend to guard their own interests by standardizing terms.) "Every customization creates complexity and reduces [the provider's] margin," says KPMG's Walker. But in the past nine months, Walker says he's seen more willingness among providers to bargain, especially with large customers. "Size matters in negotiating," he says.
Philippe Courtot, CEO of Qualys, one of the earliest software-as-a-service security vendors and a founding member of the Cloud Security Alliance, says that his biggest customers visit Qualys's data centers to check on security and examine its hiring practices to make sure it's doing background checks. "We're ready to go to the table and deal," Courtot says, "within reason."
Courtot continues: "Some customers say, 'If you shut down the server' — which happens — 'we would like indemnities,' and we say, 'No. We can't guarantee we won't crash one of your servers. There's a risk; it's not perfect; you make the decision.' There are requests for indemnification against data loss. [We say], 'No. We show you the way we secure your data; you decide.'"
On Advice of Counsel
Andrew W. Klungness, a partner at law firm Bryan Cave, estimates that 25% of his practice is devoted to cloud issues. He says that responsibility for mitigating cloud risk lives in the finance chief's office because "in many cases, cloud is a financial decision."
In terms of vetting cloud providers, Klungness advises CFOs to make sure their provider is solvent and carries insurance. "A financially sound vendor is likely to be there when you turn on the lights Monday morning," he says. "Check breach incidents and lawsuits against them, and ask for customer references."
And "make sure the contract provides for disaster recovery," adds Klungness. "If your provider goes down, you should have a plan for getting your data out, and a backup provider ready to go. Make sure the vendor is aware of your auditing obligations. Even if you're only hosting e-mail, if you mention Sarbanes-Oxley and get a blank stare, it's time to ask more questions. The more it's clearly documented that you're telling a vendor what to do, the better your position if a regulator starts asking questions. It shows good faith and due diligence."
Klungness also recommends that clients "get contracts where there are meaningful credits or refunds. If service goes down, you want to get a portion of your money back or a proration of your fees. On the other hand, it may be hard to get a vendor to compensate you for business loss. The risk-reward profile of that type of indemnification is very poor." In fact, he adds, "if a vendor is willing to stick its neck out to that extent, you may be dealing with an unstable vendor."
There is also another legal issue to consider. Daniel Garrie, managing director of ARC E-Discovery Dispute Resolution, and a court-appointed Special Master in governance and e-discovery cases, notes that, "global corporations have to deal with complex issues of data retention in the cloud. For example, how long do you have to keep e-mails? If you don't plan strategically for adopting cloud, you may fail to realize that they're keeping your e-mails for a year instead of, say, 90 days. Then you get sued and you have e-mails popping up you thought were gone. And then you have to provide them."
That can get very sticky. As Garrie explains, "Can you ask your provider for 20 million e-mail messages spread out over hell and gone? And what about the metadata [data about data; for example, the revision history, whether it was printed out, all the times it was viewed, and so on] coming with the e-mail? If the provider can't supply it, that could be a big problem. In adversarial litigation processes, destruction of metadata is considered spoliation of evidence, and you can't just say to the judge, 'The cloud ate my evidence.'"
Buyer Be Bold
Larry Ponemon, chairman of the institute that bears his name, has his own advice for CFOs negotiating to mitigate cloud risk. "First," he says, "make sure the provider has the right security environment in place. Do they have good data-loss prevention technology? How are encryption keys managed? Does the company vet its custodians? Does it do background checks? Does it train its employees in security, and what is that training? The vendor may think training is just sending out an e-mail. Find out what their training consists of.
"You should be able to audit your provider whenever, wherever," he says. "You should visit the data centers. If you see printouts scattered everywhere, that's not good. Find out who's in the cloud with you. If the provider has an insecure customer, that makes you less secure. If the provider has an insecure provider, that also makes you less secure." And bear in mind, he says, that "your provider should have written policies — a fire drill — for how they respond to a data breach, and how they inform you about one."
The cloud is new, and it's risky. But the very fact that it's new and risky, Ponemon believes, should give CFOs the upper hand in cloud negotiations — and the ability to walk away if they feel their needs are not being met.
"There are a lot of sellers of cloud services out there," says Ponemon. "It's a buyer's paradise."
David Rosenbaum is senior editor for technology at CFO.