Who can pry into your cloud-based data?

Can anyone access the data that you trust to the safekeeping of a cloud-computing vendor? It's a good question, made all the more relevant by the revelations regarding the National Security Agency's Prism program. So how can you best address these issues in your contract with your cloud vendor?

With cloud computing, data access is inevitably a shared responsibility between the customer and the cloud vendor. Those shared responsibilities need to be addressed in the contract, and most cloud vendors' standard contracts leave something to be desired.

While the cloud vendor is responsible for providing the customer with access to its own data, the cloud vendor should also be contractually obligated to not share the customer's data with others, intentionally or not. This may seem obvious, but there are nuances to be addressed in the following areas:

Internal Access

In order to provide the service you contract for, some of the cloud vendor's employees will likely need to have access to your data. You want to ensure that this access is kept to the minimum degree necessary, so the contract should address:

* Which vendor employees will have data access.

* Whether access is on a "least-privilege" and "need-to-know" basis.

* Whether those privileges are promptly and adequately rescinded when employees leave the vendor or move into a different role at the vendor.

* The manner in which access is granted.

* Whether access is logged, monitored or analyzed.

Let's take a look at how one vendor addresses this issue by reviewing Dropbox's Terms of Service Security Overview. (I will use examples from Dropbox's standard contract, not to pick on that company, but because its terms are fairly representative of the industry. It's worth noting that Dropbox received the second-highest rating in the Electronic Frontier Foundation's 2013 "Who Has Your Back?" Report.) The overview states, in part:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances.

It would be better if Dropbox further detailed its "strict policy and technical access controls," but otherwise this seems like fairly reasonable language. But then the Dropbox Terms of Service Privacy Policy goes on to state:

We may use certain trusted third party companies and individuals to help us provide, analyze, and improve the Service. ... These third parties may have access to your information only for purposes of performing these tasks on our behalf and under obligations similar to those in this Privacy Policy. As of the date this policy went into effect, we use Amazon's S3 storage service to store some of your information (for example, your Files).

The introduction of third parties into the equation complicates things. While it's good that Dropbox identifies one of the third parties, it would be better if it identified all third parties, if Dropbox made a commitment to provide advance notice of any changes, and if the third parties were under the "same" obligations as "in this Privacy Policy" instead of "similar."

Unintentional External Access

Since your cloud vendor will be storing and/or processing your data on its infrastructure, the vendor should be obligated to take appropriate and specific steps to ensure that it has deployed adequate measures to secure it against hackers and other external threats.

Dropbox's Terms of Service state:

You, and not Dropbox, are responsible for maintaining and protecting all of your stuff. Dropbox will not be liable for any loss or corruption of your stuff.

A bit one-sided, don't you think? Not even a hint of shared responsibility? Unfortunately, this isn't uncommon with cloud vendors' standard contracts. The customer, of course, would like the vendor to take some responsibility for the security of the service it's providing. Dropbox's Terms of Service Privacy Policy does give in a little on this, stating:

We follow generally accepted standards to protect the information submitted to us, both during transmission and once we receive it. No method of electronic transmission or storage is 100% secure, however. Therefore, we cannot guarantee its absolute security.

A bit fuzzy on the details, to say the least. And most folks don't expect "absolute," but how about guaranteeing some "reasonable" level of security? The Terms of Service Security Overview does go on to at least provide this assurance:

We encrypt the files that you store on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data.

Still, hardly the degree of detail or assurance that a customer would want with regard to any sensitive data. For more on cloud vendor security details that the customer might want to consider, please see my column "The Cloud Contract Adviser: Making Sure Your Information Is Secure."

Intentional External Access

This has to do with a cloud vendor's obligations in relation to any governmental (for example, Prism) or other legal requests for access to customer data. I've covered some of these obligations in my previous column "In the Cloud, Your Data Can Get Caught Up in Legal Actions," but let's look at some standard cloud vendor contract language to see what we're up against. On this point, the Dropbox Terms of Service Privacy Policy states:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox's property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox's encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

This hardly gives the impression that the vendor will be a strong defender of its customer's rights. The focus seems more on the vendor's unilateral protection of itself and its own rights. It's especially disconcerting when it advises that it will also chuck out its previously highlighted encryption measures as part of the bargain. But it's kind of the vendor to (with a nod and a wink) advise that customers can always encrypt their data prior to sharing it with the vendor in order to avoid any unwanted access.
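The practical point buried in that last sentence is that vendor-side encryption protects against outsiders but not against the vendor itself, since the vendor holds the key and can "remove its encryption" on request, whereas data encrypted by the customer before upload stays opaque to the vendor. The following Go program is an added illustration of that distinction and is not code from this column or from Dropbox; it uses AES-256-GCM from the Go standard library, keeps the key entirely on the customer's side, and binds each stored blob to an assumed object name so a stored object cannot be quietly swapped for another one encrypted under the same key. The file contents and object names are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. In a real deployment it would live in
// the customer's own key manager or be derived from a customer passphrase;
// the point is that it is never handed to the cloud vendor.
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForUpload seals plaintext with AES-256-GCM under the customer-held
// key. The returned blob is nonce || ciphertext || tag, which is all the
// vendor ever stores. objectName (an assumed label) is authenticated as
// associated data, so decrypting a blob under a different name fails.
func EncryptForUpload(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM nonces must never repeat under one key; a random 96-bit nonce per
	// object is the standard choice for a modest number of objects.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, so the blob carries
	// everything the customer needs to decrypt it later.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptFromDownload reverses EncryptForUpload. It fails closed on a wrong
// key, a wrong object name, a truncated blob, or any modification of the
// stored bytes, which is what protects the customer if the vendor's copy is
// altered or disclosed.
func DecryptFromDownload(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain a nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; not real customer data.
	doc := []byte("Q3 board minutes (constructed sample)")
	blob, err := EncryptForUpload(key, doc, "minutes/q3.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor stores %d opaque bytes for minutes/q3.txt\n", len(blob))

	// Simulate the vendor's stored copy being modified by a single bit.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptFromDownload(key, tampered, "minutes/q3.txt"); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}

	back, err := DecryptFromDownload(key, blob, "minutes/q3.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("customer decrypts with its own key: %q\n", back)
}
```

Because the vendor only ever sees the sealed blob, a disclosure under clause (a) of the quoted policy would hand over ciphertext that Dropbox cannot "remove its encryption" from, exactly as the policy concedes. The trade-off is that the customer now owns key management: a lost key means lost data, and any vendor-side feature that needs to read the content (search, previews, deduplication) stops working.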

Customers have their work cut out for them in negotiating improved contract language on these issues. But for sensitive customer data and business-critical functions in the cloud, such effort will be well worth it in the long term.


Want to learn more about cloud computing contract issues? Then please register for my seminar Cloud Computing Risk Mitigation Via Contract Negotiation and Vendor Management to be held Oct. 4, 2013, in San Francisco. I look forward to seeing you there.

Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.
