Cloud contracts must address data-security contingencies: Stewart-Rattray

Companies embracing cloud-computing solutions must make sure they don't take their ability to recover data for granted, a leading security consultant has warned.

Recovery has proved to be a sticking point for more than one organisation that trusted a cloud service provider (CSP) with its data, BRM Holdich director of information security and IT assurance Jo Stewart-Rattray told more than 120 attendees at the recent CSO Perspectives Roadshow.

Stewart-Rattray, who has consulted with a range of organisations on the security implications of their move to the cloud, recalled one organisation that had been trying to get its CSP to facilitate a data restoration for six weeks – unsuccessfully. The reason: restoration and service level agreements had not been explicitly addressed in their contract, which left the customer in limbo when it came to effecting such a restoration.

"I can't tell you the number of times I've heard people saying 'well, they're a CSP, so of course there will be backup and recovery'," Stewart-Rattray said. "You mustn't ever assume that. You need to make sure it's included in your Head of Agreement. Contracts aren't the be all and end all – but you have to get it right, because then you should be able to put it away and not worry about it unless there is an issue."

Another potential risk that is often not addressed is the potential for CSPs to go out of business or be acquired – potentially leaving the customer's data in a compromised position. One of Stewart-Rattray's clients found itself chasing its data around the world after its CSP was sold – not once but three times – and its data ended up in a developing country in "an area that had geopolitical issues," she said.

"When they went back to their HoA, they realised they were locked into this. The way the contracts had been written, it meant they would go with any move that there was. This is another thing to be aware of when looking at the cloud: have you lost control of your data because it's going places you don't know, or don't want it to be? It is necessary to have assurance from the CSP that the security of your information is adequate."

Those were only a few of the issues that cloud contracts need to address: privacy controls, in particular, are becoming especially important given the looming introduction of 13 new and stricter Australian Privacy Principles in March 2014.

Another issue comes when considering how to ensure that data, when removed from a CSP's systems, does not persist on those systems. To avoid this, she said, contracts must be explicit on issues of data ownership and protection of intellectual property interests; left ignored, some customers may find their data subject to data-squatting policies that suggest that ownership of data vests with the CSP once it's been on their systems for a particular period of time.

"You need to ensure there's no loophole, and that you don't lose a copy of your data somewhere," she explained, "and if you think you own something you don't want to have to pay a lot of money to get it back."

Yet another client she had worked with – a provider of prudential services – found that its HR organisation had used a credit card to purchase cloud services, then loaded employees' sensitive data into the cloud system. That data, however, was being stored offshore in a jurisdiction with different privacy laws.

"HR had no idea what protections were in place around that information," Stewart-Rattray said. "They had just assumed it would be encrypted, and that because it was a Safe Harbour destination, they would be safe. There was such a hole in their due diligence and governance process that nobody in IT asked any questions, and it certainly didn't go to the CISO for a look-see."

This sort of incident highlighted the dangers inherent in rushing to the cloud without the involvement of risk-aware executives and the caution that would be attached to other types of IT and business investments.

"It goes without saying that organisations are ultimately responsible for the protection of their information regardless of where it might be stored," Stewart-Rattray said. "And if that's in the cloud, nothing changes."

Stories by David Braue