Security Integrators Need to Keep Data in the Cloud, Eyes on the Contract
Cyber attorney David Willson suggests a few things electronic security contractors should consider when helping clients who are seeking to utilize cloud-based services.
Before You Sign an Agreement
Willson recommends that before deciding to do business with a cloud service provider, perform a discovery process that should include questions such as:
- Who owns and controls the cloud environment?
- What is outlined in the SLA (service level agreement) with the cloud provider?
- If a customer has access to their security devices via the cloud, what SLA, contract, or other agreement is in place between the customer and the cloud provider, if any?
- If a customer suffers an electronic or other type of breach, what is the incident response plan? Who handles the investigation and who coordinates these actions?
Typically, cloud providers write their contracts to avoid liability and responsibility on their part. Chances are that your cloud provider’s contract or SLA absolves them of any liability unless you can prove negligence on their part.
Pay Attention to Contract Details
Parties to the contract may include the customer, the integrator and the cloud provider. In the typical scenario, one contract will be between the integrator and the cloud provider and another between the integrator and the customer.
This puts the integrator in the middle. One important detail to uncover is what should happen if the cloud provider is breached. If this breach provides hackers access to the customer’s network, who is liable – you, the integrator, or the cloud provider? Putting the right agreements in place, understanding the fine points of the SLA or contract of the cloud provider defining the customer’s responsibility with regard to their own security of their network is crucial.
Ask the Tough Questions
When you review the SLA or contract, there are some questions that are crucial to ask. For instance, find out where the servers are located, in the U.S. or outside, and whether the provider owns and controls the servers or if they use a third party. Determine if an incident response plan is included, and if yes, what happens and who is responsible if the cloud provider suffers a breach. Have a clear understanding as to how soon you will be notified of a breach, or suspected breach, so you can alert customers if necessary. Ask if the provider will give you access to its network or provide the necessary information for incident response and digital forensics.
There are scenarios that should also be considered and planned for. For example, what happens if the cloud provider goes bankrupt? How will you maintain access to the data? The demand for convenient and scalable cloud-based services will continue to rise as a means for companies to expand their financial and operational landscapes. As you look to partner with a provider, performing your due diligence will help ensure you continue to enjoy the many benefits cloud services provide users while lowering your risk and liability.
Barbara Shaw, CPLP, is Director of Education for PSA Security Network.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Related Content
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.
A FREE subscription to the top resource for security and integration industry will prove to be invaluable.
