Due Diligence on Cloud Providers

Because cloud computing involves outsourcing an application, infrastructure or function to a third party, cloud computing relationships inherently involve risk. Examples of these risks include:

  • the third-party platform will fail or be severely degraded,
  • the third party will hold data hostage,
  • the third party will use customer data without permission,
  • the third-party systems will be susceptible to attacks or hackers, and
  • the third party will “go dark” and data will vanish.

While cloud users can never be immune from these risks, they can mitigate their risks by conducting due diligence on the cloud provider and ensuring that cloud contracts allow for ongoing reviews and audits.

To help companies prepare for and conduct the due diligence process, Chris Davis, Mike Schiller, and Kevin Wheeler walk through the process step by step in their recently updated book, IT Auditing: Using Controls to Protect Information Assets. In addition to giving advice on vendor selection and what to look for in the due diligence review, they include a list of contractual items that should be negotiated in each contract, such as:

  • Specify how performance will be measured, including Service Level Agreements (SLAs) that specify requirements for availability (such as expected uptime), performance (such as speed of transaction response after the ENTER key is pressed), response time (such as whether the vendor will respond to problems 24/7 or only during normal business hours), and issue resolution time (such as how quickly you should expect issues to be fixed).
  • Specify how data should be stored (such as encryption, including requirements for the algorithm and key length), who may be granted access to it, how business continuity and disaster recovery will be ensured, how investigations will be supported, what security training and background checks are required for personnel who will access your systems and data, how data retention and destruction should occur, and so on. Overall, you want to make sure your vendor takes contractual responsibility for security.
  • Add a right-to-audit clause, specifying what your company is allowed to audit and when. You obviously will want to push for a broad right to audit, allowing you to audit whatever you want, whenever you want (including the ability to perform surprise audits). You can negotiate from there. The broader you make this clause, the more freedom you will have.
  • Gain assurance that you can retrieve your data when you need it and in the format you desire.
  • Add language prohibiting the vendor from using your data for its own purposes (that is, for any purposes not specified by you).

The entire chapter entitled “Auditing Cloud Computing and Outsourced Operations,” which outlines due diligence as well as other audit-related issues, is available as a free PDF from TechTarget.com. This is an excellent resource if you are looking for comprehensive and understandable due diligence guidelines related to cloud computing.