How to write security into a cloud contract

There are some very effective security provisions vendors could offer, but don't.

Enterprises have been loud and clear about ongoing security concerns regarding cloud computing, but by and large, vendors haven't responded with robust service level agreements or any other reassuring controls, experts say. Customers should be on the lookout for nine controls that could relieve their concerns, reports Brandon Butler at Network World.

One of the most effective security provisions customers should ask for in a cloud contract is a certificate that shows data is deleted when the contract expires. This is not at all common, Butler notes, but it is legally defensible.

Other highly effective provisions would include a disaster recovery clause and a clause that establishes that the provider is responsible for the customer's losses if a security breach occurs. Unfortunately, these provisions are also non-existent today.

Far more common are provisions that outline reimbursement for downtime and the customer's right to evaluate a provider's security measures. However, analysts don't consider these measures very effective in protecting the security of the customer's data. The same is true for hacking insurance, which is still rare but becoming more common. A more effective security provision would allow customers to audit the provider on demand, but this isn't seen very often either. 

As far as encryption is concerned, the effectiveness varies considerably among providers, who use a wide variety of methods. Experts advise that cloud customers be aware of the risks of encryption keys being lost when multiple copies are made. For large enterprises, there is always the possibility of paying for higher levels of security than everyone else.

For more:
- see Brandon Butler's article at Network World
