Technology: A lack of due diligence still a top threat in the cloud
There is good reason for businesses to pay more attention to due diligence when choosing a cloud services provider, an increasingly important part of the business supply chain.
December 06, 2013 at 03:00 AM
The original version of this story was published on Law.com
According to the Cloud Security Alliance, a lack of due diligence remains one of the top continuing threats to cloud computing. While businesses may be aware of the general nature of cloud technology and its related security threats, many undertake little due diligence on their cloud service providers (CSPs). Even basic due diligence, such as assessing the financial health of the CSP or determining how long it has been in business, is frequently skipped.
Since less than 50 percent of new businesses survive more than five years, and many CSPs are newer companies, there is good reason for businesses and their lawyers to pay more attention to due diligence in the area of cloud services, an increasingly important part of the business supply chain.
How deep to dive
Due diligence can involve a "deep dive" or a more limited look at specific areas of concern. The approach varies with the scope of the cloud deployment and its materiality to the business. Since businesses and their lawyers often have limited time and resources to devote to cloud due diligence, developing a good roadmap and checklist for evaluating a CSP is essential. Due diligence should be a team effort involving IT, legal, compliance and the appropriate business unit of the company.
Planning for due diligence of CSPs should draw on IT due diligence checklists and on guidance from the Cloud Security Alliance and NIST, as well as on internal control frameworks. Three are commonly used: the publications of the Institute of Internal Auditors, a global guidance-setting body, which help ensure adequate scoping of a due diligence review; the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management and fraud deterrence; and Control Objectives for Information and Related Technologies (COBIT), whose IT governance and control framework can likewise guide the review of a CSP.
Due diligence must be tailored to the legal and regulatory compliance considerations of each business. Some CSP due diligence inquiries are common to a wide range of cloud users: any recent changes in the CSP's regulatory or operating environment; new technology; new products and services adopted or offered by the CSP; and foreign operations of the CSP. New laws or changes to existing laws can significantly increase the legal risks to CSPs.
Within the cloud industry, mergers and acquisitions continue as companies compete to expand their offerings and customer base through cloud services. Such organizational changes can significantly affect a CSP's operations. New technologies adopted by a CSP may also increase risk while the CSP adapts its processes and procedures, since business policies and internal security controls may not keep pace with the speed of these changes. Similar risks arise when a CSP adopts new products or services, since it may lack experience with the new product or market. A CSP's expansion into foreign operations can present numerous legal and other business challenges.
Risk factors to consider
Further insight into the risks to consider in CSP due diligence can be gained from reviewing the "Risk Factors" sections of the Form 10-K annual reports filed by publicly traded CSPs. In these SEC filings, CSPs describe risks and vulnerabilities in their own businesses as well as in the cloud marketplace generally. Risks identified have included:
Data loss or other security breaches. CSPs process, store and transmit large amounts of data, including personal information, which makes them attractive targets for data loss and security breaches. Some CSPs have expressly acknowledged that they are a constant target of cyber-attacks of varying severity and have suffered security breaches in the past. Complying with the applicable notice requirements after a breach can impose significant costs on a CSP and on its customers. Ask about the CSP's insurance and financial capacity to fund the response to a large-scale breach.
Use of third-party technology. Both large and small CSPs rely on third-party technology and systems for a variety of functions, including encryption and authentication, employee email, content delivery to customers and back-office support. Each of these third-party technologies and services is an additional point of exposure, so the CSP's own suppliers should be evaluated as part of the CSP selection process.
System interruption and lack of redundancy. Both large and small CSPs experience system interruptions and delays that make their services unavailable or slow to respond and prevent them from efficiently fulfilling orders or serving their customers. Also noteworthy are disclosures that some CSP systems are not fully redundant, that CSP disaster recovery planning may be insufficient and that insurance coverage may be inadequate to compensate for related losses.
Government litigation and regulatory activity. Governments have closely scrutinized some CSPs under U.S. and foreign competition laws and imposed various constraints on them. Constraints imposed on a CSP's other lines of business, such as its operating system business, create the risk for cloud users that some cloud services may be unexpectedly curtailed or prohibited.
Physical infrastructure concentrated in a few facilities. Although data backup and disaster recovery services are available as part of many CSP hosting offerings, many cloud customers do not elect to pay the additional fees to have their backup data stored offsite in a separate facility, which would substantially mitigate the effect of a single data center failure. Consequently, any failure or downtime in a CSP's data center facilities can affect a significant percentage of the CSP's customers, and the total destruction or severe impairment of those facilities could result in extended downtime and the loss of customer data.
Some questions to ask
In developing your cloud due diligence checklist, be sure to include questions about:
Encryption. Find out whether the CSP will encrypt your company's data, whether it is encrypted both at rest and in transit, and who holds and manages the encryption keys (the CSP, your company or a third party), since whoever controls the keys can read the data.
Who owns the data. Be sure you understand and address ownership of your company's data once it is placed in the CSP's cloud service.
When and how data breach notifications will be handled. Ask how the CSP responds to data breaches and how and within what time frame it notifies your company and any affected persons.
Security and privacy. Are the required security, privacy, monitoring and audit requirements explicitly stated in the contract or SLA with the CSP? Request details of the security and privacy controls in the CSP's environment and in the environments of any cloud service sub-providers.
What happens upon termination of the contract. Address the process for revoking all physical and other access rights assigned to the CSP upon termination. Confirm that your company's data will be returned in a format your company can use and that all of it will be properly expunged from the CSP's environment, including backups, with written confirmation of the deletion.
How the CSP handles business continuity and disaster recovery. Request copies of the CSP's Business Continuity Plan (BCP), Disaster Recovery Plan (DRP) and Incident Response Plan (IRP), along with documentation of the associated processes and procedures. Ask whether the plans have been tested, whether the CSP will share documentation demonstrating the extent and results of that testing, and how the plans work when multiple clients suffer a disaster simultaneously.
Conclusion
Without a complete understanding of the CSP's environment and of who is responsible for operational functions such as incident response, encryption and security monitoring, businesses take on unknown levels of risk that they may not fully understand and that may differ considerably from the risks they face today. Lawyers can help assess and manage these risks by developing due diligence tools for this important part of the cloud services procurement process.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.