Cloud Adoption: Managing the Legals Richard Kemp and Deirdre - - PowerPoint PPT Presentation
Breakfast seminar: Cloud Adoption: Managing the Legals
Richard Kemp and Deirdre Moynihan, 27 June 2018

Agenda
- 09.00-09.05: Welcome, Richard
- 09.05-09.15: Context: the cloud at scale – legal and regulatory issues, Richard
- 09.15-09.40: Current cloud contracting issues, Deirdre
- 09.40-09.55: Coffee/networking
- 09.55-10.20: Towards a legal checklist for cloud contracting, Richard
- 10.20-10.30: Q&A/discussion
[Chart: Enterprise IT segment projections 2017-2026 in $bn (y-axis $0–$1,600bn, x-axis 2017–2026). Segments: Enterprise Cloud (Public Cloud – SaaS, Public Cloud – IaaS, Public Cloud – PaaS, Private Cloud) – 10% in 2017, projected 45% in 2026; ‘Traditional’ Enterprise IT (Traditional Application Software & Support, Enterprise Operational IT Staff, Traditional Infrastructure Services, Traditional Hardware + Software & Support) – 90% in 2017, projected 55% in 2026]
Context: Enterprise IT – Segment Projections (2017-2026, $bn)
Source: Wikibon
Context: enterprise cloud service continuum
[Diagram: continuum from traditional enterprise IT to private/public cloud]
- As IT workloads migrate to the cloud, the benefits must be weighed and managed against the risks
- The security of data in the cloud remains the central preoccupation of both cloud service providers (CSPs) and their customers
- NCSC – cyber threat to UK business, 2017-2018 report (10 April 2018):
“Only 40% of all data stored in the cloud is access secured, although the majority of companies report they are concerned about encryption and security of data in the cloud. As more organisations decide to move data to the cloud (including confidential or sensitive information) it will become a tempting target for a range of cyber criminals. They will take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored”
- IDC’s Data Age 2025 White Paper (2017) – the role of data and the cloud will intensify:
“All this data from new sources open up new vulnerabilities to private and sensitive information. There is a significant gap between the amount of data being produced today that requires security and the amount of data that is actually being secured, and this gap will widen — a reality of our data-driven world. By 2025, almost 90% of all data created in the global datasphere will require some level of security, but less than half will be secured.”
Context: security of data in the cloud – the key issue
Context: cloud security – legal and regulatory aspects
[Diagram: nested layers – 1. CSP contract Ts&Cs; 2. Other CSP documents; 3. Cloud security principles; 4. Cloud/data governance framework; 5. Applicable cloud duties]
Cloud/data security: the legal, technical, operational and governance controls that an organisation puts in place to ensure desired security outcomes … more than just papering …
Structured approach:
1. CSP contract Ts&Cs
2. Other CSP documents
3. Cloud security best practices and principles
4. Cloud/data governance framework
5. Applicable cloud security duties
Context: a structured approach to managing cloud security risks
Current Cloud Contracting Issues
[Diagram, two columns]
Column 1: Due Diligence/Pre-Contractual Considerations; Access Rights/Scope of License; Pricing; Data Security & Integrity; CSP Relationships with Suppliers; Remedies if things go wrong; Performance Standards & Compliance Issues
Column 2 – CSP Legal Terms: Access Rights/Scope of License; Pricing & Liability; Data Security (ATOMs); Relationships with suppliers and customers; Step-In/Escrow/Exit; Performance Warranties & Compliance Issues
Current Cloud Contracting Issues – Considerations when moving from on-premise
Advantages:
- modern/state of the art assets underpin the cloud
- scalable, durable – easier to deal with spikes in processing power/data storage
- infrastructure costs are lower if opting for a multi-tenant solution
- generally cheaper than on premise solution
- more agile – easier to move suppliers and data (?)
- analytics services
Disadvantages:
- loss of control over underlying infrastructure/assets
- concerns about data integrity and security
- concerns about what happens if things go wrong or if the CSP fails
- inability to control updates/upgrades
- limited/no input into service design and offering, beholden to CSP’s terms
Current Cloud Contracting Issues – Considerations when moving from on-premise license to a SAAS solution
Set-up Costs & Costs of Running Cloud and On-Prem in parallel
- 2x fees during transition?
- is SAAS better value for money longer term?
Use Cases and Scope of License
- nature of user rights needs to be the same as those available on prem
- no perpetual rights to use software/service offered by CSP
- license/access rights typically cease on termination – can lead to lock-in/reluctance to switch providers
Security & Data Integrity
- data transformation and transfer – migration tools
- data security (during transfer and once in the cloud) – ATOMS, certification, policies and CSP’s liability
- duration and cost
- responsibility/liability for loss/damage
- back-up
Risk/Liability
- may be more reliant on CSP/SAAS provider for support & maintenance
- what happens if CSP/SAAS provider fails to perform? Step-in and Exit rights?
- CSP/SAAS provider will generally seek to cap all liability (outside of what can’t legally be excluded and liability under its IPR indemnity)
Current Cloud Contracting Issues – Considerations when moving from on-premise license to a SAAS solution
- Legacy Agreements
- Existing core terms and conditions with some cloud SAAS providers (e.g. Microsoft, Oracle, SAP) may be in place for 10+ years
- Originally drafted for on premise offerings, not SAAS
- Need to consider whether legacy Ts&Cs are appropriate for SAAS or whether a move to a new set of Ts&Cs is appropriate – this may lead to re-negotiation of existing agreements/terms
[Graphic: Perpetual · Irrevocable · Worldwide]
Current Cloud Contracting Issues – Key Terms Overview
- Access Rights
  - Authorised/Named User Access
  - Access Hierarchies – different users can have different rights and permissions (e.g., read, write)
  - Cloud Platform accessed via the Internet “anytime” and “anywhere”
- Scope of License & Pricing
  - License typically non-exclusive & terminates on termination
  - Authorised/Named User Charge
  - Data Storage Charges
  - Software Package Fees
  - Process Charges (e.g., for performing calculations or for communications from the cloud to other systems/software)
- Data Security & ATOMS
  - CSPs offer standardised approach to security and apply the same ATOMs to all customers
  - Standards & certification increasingly common and usually required by customers
- Performance Warranties, Compliance Issues & Audits
  - Generally SLAs are linked to availability only
  - Limited warranties given by CSPs
  - CSPs generally resist customer drafted audit provisions
- Liability
  - Generally capped at a percentage of fees
  - 100% - 150% is usual
  - Liability for data loss/damage, privacy/GDPR issues typically subject to monetary cap
- Exit
  - Post-termination assistance is unusual
  - CSPs generally allow a short period post-termination for customers to download data
- Escrow
  - Typically not offered by CSP
  - Can be used as a way to audit security
Current Cloud Contracting Issues – Customer Mandated Terms
[Graphic: customer policy areas – Anti-bribery, Audit Rights, Confidentiality, Equality & Equal Treatment, GDPR, HR, InfoSec, Modern Slavery, TUPE]
- SAAS Provider standard terms v. Customer’s required terms
- limited scope/ability to negotiate with SAAS Provider
- SAAS Provider [somewhat] beholden to data centres’/hosting providers’ underlying terms
- GDPR
- Controller v Processor
- Article 28(3) clauses
- Data Transfers
- Policy Wars – last shot prevails? Or, say yes now and sort out any issues later?
Current Cloud Contracting Issues – Data Security & Integrity
- ATOMs (Appropriate Technical & Organisational Measures)
- Customers want transparency, detailed information about security and ATOMs, a data law compliant solution, remedies for breach
- CSPs will:
  - “implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure” (AWS Ts&Cs)
  - “maintain appropriate technical and organizational measures, internal controls, and data security routines intended to protect Customer Data against accidental loss or change, unauthorized disclosure or access, or unlawful destruction” (Microsoft Azure Ts&Cs)
- What are “appropriate” TOMs and who decides?
- Due Diligence Key – security assessments, detailed description of ATOMs should be made available by CSP, pen testing, BC/DR policies, standards & certification
Current Cloud Contracting Issues – Avoiding Lock-In
[Graphic: contractual levers against lock-in – Fixed Price + Fixed Fee Increases (by reference to CPI/RPI); Access Rights; Performance Warranties/SLAs; Termination Rights; Step-In Rights; Exit Rights; Data Return]
Current Cloud Contracting Issues – Standards
- Standards & Audits
  - ISO27000 family – information security management systems
  - NIST Standards
  - SSAE 16 SOC Type 2 audit
  - ISAE3402 audit
  - GDPR audits?
- How do you get assurance from the CSP that it will meet its security commitments?
  - The combination of [contractual commitment] + [standards certification] + [independent testing] is emerging as market practice
- What are the commonly used standards?
  - ISO/IEC 27001 (information security management systems)
  - SSAE 18, SOC 2 reporting (evaluates an organisation’s information systems relevant to security, availability, processing integrity, confidentiality/privacy)
- What cloud/general standards are emerging?
  - ISO/IEC 38500 on ICT governance for the organization
  - ISO/IEC 38505-1, applying ISO/IEC 38500 specifically to governance of data
  - ISO/IEC 29100 on a privacy framework for ICT security techniques
  - ISO/IEC 27018 on the protection of personally identifiable information in the public cloud
  - ISO/IEC 19944, addressing data categories, flows and use for cloud services and devices
Current Cloud Contracting Issues – Standards
- What are the practical questions when using standards in cloud contracts?
  - is the certifier (i) appropriately authorised and (ii) recognised in the enterprise’s country? If not, does the certificate demonstrate sufficient assurance of compliance?
  - is the certificate current?
  - when did the CSP carry out its last comprehensive audit (it may operate a 3-year cycle) / interim check-up (e.g. annually)?
  - does the certificate cover (i) the relevant data centre and (ii) the relevant services?
  - will the CSP disclose to the enterprise for review the periodical long-form report issued by the certifier promptly when available?
Current Cloud Contracting Issues – Standards
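The practical certificate questions above, together with the "contractual commitment + standards certification + independent testing" market-practice test from the earlier standards slide, can be written down as a repeatable due-diligence check rather than left to memory. The following is an added example and is not code from the seminar slides or from any CSP or certifier; the data model, field names, the 3-year/annual cadence thresholds, the reference dates and the sample CSP record are constructed assumptions for illustration.

```python
"""Assurance gap check for a CSP's standards certificates (added example).
All field names, thresholds, dates and the sample record are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed audit cadence, following the slide: comprehensive audit on a
# 3-year cycle, interim check-up annually.
FULL_AUDIT_CYCLE = timedelta(days=3 * 365)
INTERIM_CYCLE = timedelta(days=365)

# Constructed reference dates: the seminar date, and a later date by which
# the sample certificate below would have lapsed.
AS_OF = date(2018, 6, 27)
STALE_AS_OF = date(2021, 1, 1)


@dataclass
class Certificate:
    standard: str                      # e.g. "ISO/IEC 27001"
    certifier: str                     # hypothetical certification body
    certifier_recognised: bool         # authorised and recognised locally?
    expires: date
    last_full_audit: date
    last_interim_check: Optional[date]
    data_centres: Set[str] = field(default_factory=set)   # certificate scope
    services: Set[str] = field(default_factory=set)       # certificate scope
    long_form_report_disclosed: bool = False


@dataclass
class CspAssurance:
    csp: str
    contractual_security_commitment: bool   # written ATOM commitment in Ts&Cs
    independent_testing: bool               # e.g. third-party pen test evidenced
    certificates: List[Certificate] = field(default_factory=list)


def check_certificate(cert, data_centre, service, as_of):
    """Return findings for one certificate; an empty list means no gaps."""
    findings = []
    if not cert.certifier_recognised:
        findings.append(f"{cert.standard}: certifier '{cert.certifier}' not recognised")
    if cert.expires < as_of:
        findings.append(f"{cert.standard}: certificate expired {cert.expires.isoformat()}")
    if as_of - cert.last_full_audit > FULL_AUDIT_CYCLE:
        findings.append(f"{cert.standard}: last comprehensive audit outside 3-year cycle")
    if cert.last_interim_check is None or as_of - cert.last_interim_check > INTERIM_CYCLE:
        findings.append(f"{cert.standard}: no interim check within the last year")
    if data_centre not in cert.data_centres:
        findings.append(f"{cert.standard}: scope does not cover data centre '{data_centre}'")
    if service not in cert.services:
        findings.append(f"{cert.standard}: scope does not cover service '{service}'")
    if not cert.long_form_report_disclosed:
        findings.append(f"{cert.standard}: long-form certifier report not disclosed")
    return findings


def assurance_gaps(record, data_centre, service, as_of):
    """Three-leg test: contractual commitment, standards certification and
    independent testing must each be evidenced, and every certificate must
    pass the scope/currency checks for the data centre and service in play."""
    gaps = []
    if not record.contractual_security_commitment:
        gaps.append("no contractual security commitment in CSP Ts&Cs")
    if not record.certificates:
        gaps.append("no standards certification provided")
    if not record.independent_testing:
        gaps.append("no independent testing evidenced")
    for cert in record.certificates:
        gaps.extend(check_certificate(cert, data_centre, service, as_of))
    return gaps


# Constructed sample: a certificate whose scope is narrower than the data
# centre actually being contracted, and no evidence of independent testing.
SAMPLE = CspAssurance(
    csp="ExampleCloud (hypothetical)",
    contractual_security_commitment=True,
    independent_testing=False,
    certificates=[Certificate(
        standard="ISO/IEC 27001",
        certifier="Example Certification Body (hypothetical)",
        certifier_recognised=True,
        expires=date(2020, 6, 30),
        last_full_audit=date(2017, 7, 1),
        last_interim_check=date(2017, 9, 1),
        data_centres={"eu-west-dc1"},
        services={"object-storage"},
        long_form_report_disclosed=True,
    )],
)

if __name__ == "__main__":
    for gap in assurance_gaps(SAMPLE, "eu-west-dc2", "object-storage", AS_OF):
        print("GAP:", gap)
```

Run against the sample the check reports two gaps: the missing independent-testing evidence and the certificate's failure to cover the second data centre; re-running with STALE_AS_OF additionally flags the expired certificate and the overdue comprehensive and interim audits. Keeping the questionnaire answers in this structured form gives the sign-off record the later slides ask for, and lets the check be re-run at each certificate renewal.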
Towards a legal checklist for enterprise cloud contracting
[Diagram: nested layers – 1. CSP contract Ts&Cs; 2. Other CSP documents; 3. Cloud security principles; 4. Cloud/data governance framework; 5. Applicable cloud duties]
- 1. Sector specific regulatory duties
  - e.g. financial services, legal
- 2. Generally applicable security/data regulation
  - Controller ATOM* duties (GDPR Arts 5(1)(f), 24(1), 25(1), 28(1))
  - CSP ATOM duties
  - NIS Directive, CA 2003, PECR
  - Data sovereignty – IPA 2016, etc
  - Data residency
  - UK criminal law – OSA, CMA, etc
- 3. Directors duties under CA 2006, etc
Sources of enterprise cloud security duties
* Appropriate technical and organisational measures
- 4. Negligence
  - ATOM* emerging as ‘reasonable care’ standard?
- 5. General civil law liability
  - breach of confidence, misuse of private information, conversion, trespass, etc
- 6. Contractual
  - Enterprise – customers
  - Enterprise – supply chain
  - Enterprise – CSP
  - CSP – supply chain
- 7. Enterprise internal policies and procedures
Sources of enterprise cloud security duties (continued)
- “Data classification provides one of the most basic ways for organizations to determine and assign relative values to the data they possess. The process of data classification allows organizations to categorize their stored data by sensitivity and business impact in order to determine the risks associated with the data. After the process is completed, organizations can manage their data in ways that reflect its value to them instead of treating all data the same way. Data classification is a conscious, thoughtful approach that enables organizations to realize optimizations that might not be possible when all data is assigned the same value.” (Microsoft, Data Classification for Cloud Readiness, 2014)
- i.e. you’ll make savings when not all data is classified at the default (i.e. highest) level
- This will become more important as more enterprise IT workloads migrate to the cloud – and the savings from operating, say, a 3-level classification outweigh the costs of planning, implementing and governing it
- Compare HMG – the largest UK IT user – moving in 2013 to a 3-level classification [OFFICIAL → SECRET → TOP SECRET] from 5 levels [UNCLASSIFIED → RESTRICTED → CONFIDENTIAL → SECRET → TOP SECRET]
Cloud policy legal issues: (1) data classification
- GDPR has paved the way for a more structured approach to data governance inside the enterprise
- ISO/IEC standards are starting to set up frameworks for data governance and compliant use of personal data in cloud services
- Data governance
  - ISO/IEC 38500 on enterprise ICT governance
  - ISO/IEC 38505-1, applying ISO/IEC 38500 specifically to governance of data
- Use of data in cloud services
  - ISO/IEC 29100 on a privacy framework for ICT security techniques
  - ISO/IEC 19944, addressing data categories, flows and use for cloud services and devices
Cloud policy legal issues: (2) governance frameworks
All relevant data activities [A] are value, risk and constraint assessed [B] within a comprehensive data governance framework [C] that is constantly evaluated, directed and monitored [D]
Cloud/data governance framework – ISO/IEC 38505-1
- A Trust Framework is then built on this standards foundation, as the enabler for a particular
data sharing application.
- The Trust Framework is a commonly agreed set of standards and operating rules to be
followed by all with access to the data concerned (whether to receive, store or use).
- The Trust Framework consists of:
  - Operating Rules: generally captured in software functionality. The Operating Rules will address the preferences of the data provider and access rights of various types of data user;
  - Technical Specifications: address data sets, privacy, interfaces & validation techniques; and
  - Legal framework: the enterprise will have a written agreement with all users sharing applications so that legal enforceability can therefore readily be assured
Cloud policy legal issues: (3) data trust frameworks
Cloud best practices: NCSC’s 14 cloud security principles
- 1. Data in transit protection: Is Enterprise data transiting networks adequately protected against tampering and eavesdropping by the CSP?
- 2. Asset protection and resilience: Is Enterprise data, and the assets storing or processing it, protected against physical tampering, loss, damage or seizure by the CSP?
- 3. Separation between consumers: Will a malicious or compromised service user be able to affect the service or data of another user?
- 4. Governance framework: Does the CSP have a security governance framework which coordinates and directs its management of the service and information within it? Are any technical controls deployed outside of this framework?
- 5. Operational security: Does the CSP operate/manage the service securely in order to impede, detect or prevent attacks? (Good operational security should not require complex, bureaucratic, time consuming or expensive processes.)
- 6. Personnel security: Does the CSP screen/adequately train its staff? (Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.)
- 7. Secure development: Is the CSP’s service designed and developed to identify and mitigate threats to its security? (Those which aren’t may be vulnerable to security issues which could compromise the Enterprise’s data, cause loss of service or enable other malicious activity.)
Cloud best practices: NCSC’s 14 cloud security principles
- 8. Supply chain security: Does the CSP ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement?
- 9. Secure consumer management: Does the CSP make the tools available for secure management of the Enterprise’s use of the CSP’s service? (Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of Enterprise resources, applications and data.)
- 10. Identity and authentication: Is access to service interfaces limited to authenticated & authorised individuals?
- 11. External interface protection: Are all external or less trusted interfaces identified & appropriately defended?
- 12. Secure service administration: Do all administration systems for the CSP’s service have highly privileged access to that service? (Their compromise has significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.)
- 13. Audit information provision to Enterprise customers: Does the CSP undertake to provide the Enterprise with the audit records it needs to monitor access to the service and the data held within it? (The type of audit information available to the Enterprise will have a direct impact on its ability to detect and respond to inappropriate or malicious activity within reasonable timescales.)
- 14. Secure use of the service by the Enterprise: The security of the CSP’s service and the data held in it can be undermined if the Enterprise uses the service poorly. Does the Enterprise have to undertake reasonable, specific (so measurable) responsibilities when using the service so that the Enterprise’s data is adequately protected?
- Step 1: questionnaire for CSPs to complete as a management record to evidence compliance, governance and e.g. cloud security principles/best practice
  - map to internal processes & sign-off
- Step 2: Security assessment questionnaire content
  - CSP hosting details – where?
  - Public/private cloud?
  - CSP standards certification?
  - Encryption – data in transit/at rest, etc
  - CSP security: (i) operational, (ii) personnel, (iii) supply chain, (iv) development, (v) customer management, (vi) service admin
  - Identity/authentication, external interfaces
  - CSP governance/audit/incident management
  - BC/DR
  - Retention and data return
Security assessments for all CSPs
- Step 3: CSP assurance that it will meet its