Cloud Computing : Negotiating Cloud Contracts

The contract between your company and a potential cloud provider may be more complex than most, so it’s well worth the time to ensure you get it right.

Vic (J.R.) Winkler

Adapted from “Securing the Cloud” (Syngress, an imprint of Elsevier)

Once you’ve narrowed your selection of cloud service providers, you need to sit down with your provider and spell out and agree upon the details of the actual contract. Depending on the services for which you’re contracting, this may not be a negotiable issue at all. Your contract may be limited to an online click-through agreement that you either accept or you don’t.

Due diligence will obviously play a large part in deciding what you need in terms of a contract. If you need a tailored contract, you can immediately eliminate a number of suppliers. The bulk of cloud services are less likely to involve tailored contracts than traditional hosting or outsourcing contracts. The economics of the cloud computing service provider model (for both provider and client) make that the case.

There will be many scenarios where you’ll accept a click-through agreement from a supplier. This is due to either financial savings (both in terms of minimal contract negotiations and ongoing costs from the supplier) or the low risk profile of your application or data. However, you should also look at the bigger picture and define a strategy and procedure for future applications your company may need to deploy.

Having other business units want to follow your lead without doing a full measure of due diligence is another risk. Often one part of the business may see that you’re using a cloud infrastructure. That other business unit may opt to deploy applications in the same way without going through the rigor of determining whether or not the solution is appropriate for the new applications. Having well-defined corporate standards and procedures in place will ensure that rogue applications are not deployed that breach your security model—or, worse, that don’t comply with one or more regulations by which your company is bound.

When it comes to points you do want to negotiate within your contract, ensure that your requirements are defined in a way that the provider can understand and to which the provider can agree. For example, specifying that data is to be held according to Health Insurance Portability and Accountability Act (HIPAA) regulations may be meaningful to your company. However, the cloud provider may not fully understand the law or its implications. If you know you want the supplier to ensure segregation of duties, personnel screening, data privacy or other security measures, you need to fully define these parameters.

Client requirements are onerous for cloud providers to manage when each client presents their requirements in a non-standard and unique manner. For a provider, wading through numerous requests from multiple prospective clients eats into profitability. The cloud model favors on-demand resource allocation, not on-demand contract negotiations.

Rather than have a cloud service provider respond to numerous prospective client contract requests, there are a number of external accreditations providers can obtain that will provide evidence they have both implemented appropriate security and follow sound security practices. One of these is the Statement on Auditing Standards (SAS) No. 70, commonly known as an SAS 70 audit. This was originally published by the American Institute of Certified Public Accountants (AICPA).

This audit is for service organizations, and it’s designed to ensure a company has adequate controls and safeguards when it’s hosting or processing data belonging to one of its customers. A company that has an SAS 70 certificate has been audited by an external auditor. That auditor has found the control objectives and activities to be acceptable per SAS 70 requirements. The Sarbanes-Oxley Act Section 404 relates to the process of reporting on the effectiveness of the internal controls over its financial reporting.


The lifecycle of the contract process doesn’t end when the contract is signed. You’ll have to continually evaluate the status throughout the term of the agreement. This will obviously be less rigorous with a click-through agreement as opposed to a negotiated contract.

Even with a click-through agreement, though, you need to assess the cloud supplier to ensure that contracted services are in fact delivered. For example, if you contract your supplier to perform OS updates, you’ll need to check to ensure this is undertaken in the specified time and manner. Checks to ensure all policies and procedures that have been contracted for are being followed are important, even though these may be difficult as the cloud provider and enterprise may be in different states or countries.

Throughout the length of the contract, you and your company need to reevaluate your needs and ever-changing risk profile—which may be due to the need or desire to deploy different applications or data in the cloud. It may also have to do with changes in laws and regulations by which the enterprise must abide. Also, any external accreditation the supplier has—such as an SAS 70 certificate—must be checked to ensure that they are renewed and not revoked due to non-compliance.

Termination (End of Term or Abnormal)

When the end of the contract term arrives, whether due to reaching full-term or because of abnormal termination, there are some unique needs you must carefully consider. This transition time is when data is at the most risk. Abnormal termination can occur due to a number of factors, such as:

  • Cloud provider ceasing activities
  • Breach of contract by one party
  • Bankruptcy

During this time, your will probably be more involved with sourcing a replacement vendor than spending time and effort policing the current supplier. The data will still be on the supplier’s systems and in their backups. You may opt to remove this data sooner rather than later, depending upon its confidentiality level. Obviously, if the contract is terminated (for whatever reason) the cloud supplier may be less than willing to assist in your data cleanup.

If you can define what you require in the event of original contract termination, you’ll have a good legal basis to ensure data is removed and cleansed as required. As the cloud provider may be in a different jurisdiction and your data may be stored elsewhere, this may be an enhanced risk you’ll have to accept, or ensure it’s well defined in your contract.

Supplier Transfer

If you transfer services from one supplier to another, either at contract termination or during the contract life span, you’ll have to consider many of the same factors that were discussed in the previous section. You’ll also need to define a plan for how to transfer the data securely between vendors.

Depending on the amount of data involved, you may just move it back to your organization. Then you can upload it to the new supplier. You could also consider transferring it directly between the two vendors. Whichever method you use, you’ll need to ensure the data is secure for each of the transfers, perhaps using encryption for the data while it’s in transit.

You’ll need to thoroughly consider and manage these factors when drafting, reviewing and approving a contract with a cloud provider. You are entering a potentially long-term relationship, so you’ll need to ensure that expectations and responsibilities are sufficiently understood.

Vic (J.R.) Winkler

Vic (J.R.) Winkler is a senior associate at Booz Allen Hamilton Inc., providing technical consultation to primarily U.S. government clients. He’s a published information security and cyber security researcher, as well as an expert in intrusion and anomaly detection.

©2011 Elsevier Inc. All rights reserved. Printed with permission from Syngress, an imprint of Elsevier. Copyright 2011. “Securing the Cloud” by Vic (J.R.) Winkler. For more information on this title and other similar books, please visit