
The Privacy Advisor | Third-Party Vendor Management Means Managing Your Own Risk, Chapter Five: the Cloud


Cloud computing is rapidly changing the environment and economics of the IT industry. While many consider the cloud to be relatively new, the market for cloud services—including private, public, hybrid and managed clouds—will hit $235 billion by 2017, according to IHS. Enterprise cloud spending is no longer just an “IT thing,” either. With many cloud vendors offering Software-as-a-Service (SaaS) products as alternatives to traditional software, departments like HR and marketing are engaging cloud vendors directly.

There are certainly financial advantages to contracting with a cloud provider, but there are pitfalls, too. Below are some ideas on how to effectively manage third-party cloud providers.

Challenges ... and Opportunities

The top drivers for buying cloud services are cost savings and scale. Because of the commoditized nature of cloud offerings and by limiting customization options, vendors are able to provide infrastructure, software and platform services at significantly reduced prices compared to traditional custom-built solutions. Increasingly, requirements to strengthen security and improve privacy are driving cloud migration, and as a result we are seeing more day-to-day business conducted in the cloud than ever before.

Traditionally, vendors offering cloud solutions approached contracting just as they did cloud services. Everything was one-size-fits-all; the cloud offerings were standardized and so were the contracts. In other words, “Here’s what we offer, take it or leave it.” But now, with increased competition, institutional customers entering the market, and more computing power and storage than ever, vendors are beginning to offer more customizable cloud solutions and are recognizing the need to be flexible in their contracting, too. While vendors will probably never open their cloud terms for redlining and negotiation, there are some important areas where vendors are willing to negotiate.

Price

Price is always negotiable. For example, many SaaS offerings are billed—at least in part—on a cost-per-user basis. The more users you bring to the table, the more leverage you have and the more you should push for reducing your cost-per-user fee. Also, if you are a large, prestigious or institutional organization doing business with a small start-up cloud vendor, you have a lot of leverage. That vendor probably needs your logo on its website more than you need theirs. You get the idea. Negotiate the price.

Privacy and Data Security

Now the tricky stuff: let’s talk privacy and security. Privacy and security terms are some of the most heavily negotiated parts of cloud service contracts. Every decision-maker gets involved, and the stakes are very high. Typically, cloud service contracts will have standard language where the cloud service provider accepts responsibility for protecting its networks and systems, and the customer is responsible for its users and data. Negotiating these areas typically involves shifting risk so that the vendor accepts more responsibility or makes stronger assurances about its efforts to secure data, preserve confidentiality and provide adequate access controls.

In addition to the contracts themselves, cloud vendors have privacy policies, information-security policies, retention policies, hosting and delivery policies and other internal documents that govern how they secure and manage customer data. Sometimes the contracts point to or cite these policies, sometimes they don’t. You should ask your vendors to provide you with all internal policies that could potentially affect the way the vendor will manage your data. Most vendors will include a disclaimer that these policies may change at any time. That’s pretty standard and typically a good thing, because when most vendors make changes, it’s usually to add clarity, provide more protections or increase security. The important thing to keep in mind is this: Even though these policies are typically not part of the contract, and even though the vendor can change them at any time, your contract should include language that prohibits changes to the policies that materially reduce the level of security and privacy protections promised when the contract was signed. At a minimum, it should include language that requires advance notice of material reductions in security or privacy controls, with an option to get out of the relationship if you deem it to be unacceptable.

When you are reviewing a cloud vendor’s internal policies, you should also be on the lookout for affiliations to privacy and data security organizations and for certifications with industry-recognized privacy and security standards organizations. You'll find that many cloud vendors have been certified by independent governing organizations or—as in the case of Safe Harbor—self-certify and promise to comply. You'll also find that well-established cloud vendors are members of industry groups or organizations that impose privacy and security industry standards on their members. Ask for assurances or at least an acknowledgement in the contract documents that the vendor has received these certifications or is a member of these groups. A vendor’s willingness to acknowledge these affiliations in their contracts creates a baseline for transparency and helps manage your expectations as well as foster trust.

Compliance with Laws and Regulations

If your organization is in a heavily regulated sector, keeping compliance in focus during negotiation is key. Don’t hesitate to discuss your compliance and regulatory requirements with your cloud vendors. Ask how the cloud service will impact your organization’s ability to comply with regulators. Ask the vendor how it secures customer data and where, geographically speaking, your data will be hosted. Some cloud vendors may not have the infrastructure in place to adequately answer these concerns, and if your organization is heavily regulated or your company is based in a country with very specific legal requirements, you should take care not to buy or subscribe to a cloud service that triggers noncompliance, makes regulatory compliance more difficult or causes you to violate the law.

Up Time

Availability and service level agreements (SLAs) are often absent in cloud contracts. This is by design. However, you should raise the issue during negotiations. Ask for concrete SLA commitments from your vendor and ensure there are remedies for down time. Cloud vendors will typically offer service credits for interruptions, which may not be a great remedy, but it’s better than nothing.

Limitation of Liability and Indemnities

These areas used to be set in stone in cloud service contracts. That has changed. There is risk variance depending on the type of cloud service and the type of data involved. Particularly when it comes to liability surrounding intellectual property (IP) and data breaches or breaches of confidentiality, cloud vendors are increasingly willing to negotiate terms. Don’t be afraid to push back if you think the vendor is trying to avoid all liability and responsibility, especially in areas where tech vendors traditionally accept some risk such as claims related to their IP. At the same time, it's important to recognize that vendor liability and risk exposure are usually directly linked to pricing. So a vendor may be willing to accept more liability and risk, but at a higher price point. You’ll have to work together to find middle ground, but the point is that these areas are now malleable.

Be Realistic and When Appropriate, Deploy a Team

Don’t expect tons of negotiability if you are buying something at a significant discount or at a low standard price. Because there are both commercial and technical limitations that cloud vendors must confront to run and maintain cloud services, many are unwilling to negotiate terms when selling cloud solutions that are low-margin or generate small revenues. So approach each transaction realistically and don’t expect the vendor to bend over backwards when the project is small and the cloud solution is basic. 

That being said, companies are increasingly moving important infrastructure, sensitive data and mission-critical operations to the cloud. Cloud services such as "Infrastructure as a Service," "Data as a Service," "Platform as a Service" and "Managed Cloud" can be very complex and sometimes require substantial negotiation during the contracting phase.

For these types of transactions, you should assemble a team that includes procurement and contract specialists, the business owner (meaning the senior-most person of the organization within the company that is buying the cloud solution), legal counsel and engineering or IT.

If your company is small and doesn’t have some of those elements, then consider hiring an outside consultant and outside counsel with expertise in the cloud to help you deal with vendors. Putting the right team together will help move negotiations quickly, help identify potential problems and make it easy to communicate your organization’s needs and expectations to the vendor.  

 Editor's Note:

Missed the first four installments of this series? Find them here, at the IAPP’s Resource Center.

2 Comments


  • Peter • Feb 9, 2015
    Thanks for the series Pedro!
    One element that I miss in this piece is the role that standards can play here: for example, the recently approved ISO 27018 provides a framework for cloud service vendors to demonstrate their compliance with a set of clear data protection and privacy protections. In the same way that food labelling helps customers decide among competing offers on the shelf, proof of such compliance should be a key differentiator among competing cloud offers. Something that all us privacy professionals ought to take on board.
  • Peter • Feb 9, 2015
    To be clear (no way to edit an earlier post!), you mention the importance of standards - I was missing the explicit call-out for ISO 27018, the first Standard that explicitly and specifically deals with privacy in the cloud...