Event Recording

Cloud Contracting Risks


Cloud adoption is increasing rapidly, yet many organisations struggle to establish a sustainable contracting process. The one-size-fits-all aspect of cloud computing is often reflected in the limited flexibility of cloud service providers during contract negotiations. More and more organisations are left with no choice but to sign standard terms and conditions. This strongly increases the need for organisations to define their contract requirements prior to selecting a cloud solution. The specific types of data (e.g. confidential data, privacy-sensitive data) to be stored in the future cloud service, the related risks and the applicable legal domains (e.g. data privacy, trade controls) should determine the contract requirements. These requirements have to be taken into account in order to ensure compliance with laws and regulations after accepting any terms and conditions.

But let me start by introducing John Hermans of KPMG, who will be in our panel, discussing all the contractual sides of data protection in the future, because cloud computing certainly leads to outsourcing. If it's your own cloud, legal and organizational risk might be low, but the cloud as such usually becomes interesting because you have someone else doing it. So the outsourcing part of the whole idea, legally speaking, is the issue of our next panel. And the contracts are the core point of outsourcing to the cloud, because with that contract you might shift liability; with that contract you might be able to blame someone else in the end. But certainly if you are a large cloud service provider, you don't want to be blamed for a higher security standard that you offer to people than they usually would have themselves at home. So there are diverging interests, obviously, between the parties.
It's a strong party. It's a strong cloud service provider that will try to more or less dictate certain rules in favor of itself in practice. And on the other hand, you have possibly pretty mighty customers wanting to move all of their information, or at least big parts of it, to the cloud, wanting to address their liability issues, their security issues, their auditing issues, and all of that. So I think this issue is a little under-discussed, while in practice it already plays a very large role. Might it be a public cloud or a private cloud, a dedicated server, a server in the US or a server in the EU. We all know that large cloud service providers today move to the EU with their data centers. And what we know both from the upcoming legislation and from the current laws is that there are some issues that even moving the cloud will not solve.
For example, the idea that a non-European government might have the local right to access data, even though the data is kept in Europe, dedicatedly kept in Europe, just for a company offering cloud services in Europe but belonging to an international group, maybe headquartered in another, non-European part of the world. According to those local jurisdictions, it might be the case that even if this information is kept in Europe, foreign governments might legally have a look at it. And this of course is subject to objection from the European perspective. And it's very difficult to take that out by contract. How should you do that? So there are issues that can't be solved by the cloud contract, but there certainly are a lot of issues that can be solved by a contract. And I'm really interested in knowing more from you now about how you have handled that in the past and are currently transferring to the new situation. So, very welcome, please go ahead.
Okay. Well, really excited to be here. I've been looking forward for the past couple of days to entering this podium. I've seen my colleagues on it, and I've seen a lot of you, and I'm really excited to tell you something about cloud contracting risks. We'll take a few seconds, I guess, before my slides are up, but I hope you're just as excited to hear something about this. I think it aligns very well with the presentation we had before on data privacy. This will go a bit deeper into the entire legal and compliance spectrum.
So, well, my name is Schutze, working for KPMG, the Netherlands, in the IT advisory sector, focused on cloud security and risk management. Well, cloud computing, I think that's why we're all here; we all know it's one of the biggest IT phenomena of the last couple of years. And if you look at the left or the right side of the screen, you see that compared to others, it's being walked instead of talked about: a lot of organizations are adopting cloud, using cloud either knowingly or unknowingly by the employees. I'll come to that a bit later, but cloud is big, a lot of organizations are using it. And a lot of vendors here know about it. Why is legal and compliance so important? Well, from two sides: one, the organization itself struggling to know which laws to comply with, which regulations to comply with, but also on the other end, the vendors that are trying to sell cloud but run into issues, trust issues of their consumers, where they have to explain why they're trustworthy, why the contract is sustainable.
So what is so different compared to traditional IT? Well, a lot is trust related. Looking at traditional IT, there was only the proprietary software you installed on your own premises, on your own systems. Well, that's where you had to have faith and trust that it was all configured right. IT management: you could do that yourself as an organization, you could hire the people and you could steer them. IT assets: these are your assets, your resources, where you have influence on that, you can replace them. And of course on top of that, your data, the data that, well, your laws and regulations apply to. Then we move on to outsourcing, giving our data to an IT service provider, and part of your IT management, also a part of your IT assets: you put a third party in to manage that for you. So a part of the trust would cross over to the IT management and the IT assets as well.
So you have to get a bit more trust. However, there's also audit there, because at your own premises you could audit your IT management, your IT assets, IT resources and your data. With outsourcing, you can still do that. You can go with your internal auditor or external auditor to your IT service provider and verify that they're actually complying with the rules you set, the agreement you made on IT management and the assets, and look into that. And that's where it's different in cloud. First of all, especially with public SaaS, you lose a much larger part. All your assets are part of this cloud service provider. You can adjust the server that is running underneath, meaning that, well, you have to trust them for a larger stack of this. And the only thing you still own is actually the data, but you cannot always walk in to actually check if they're still doing it the way they should, meaning that you just have to put faith in them doing it well.
Well, that sounds very complicated, because why would we trust the cloud service provider? Well, there are three ways of trust in general. One, reputation: well, we heard a lot of examples about that. If an organization is being hacked, it affects their reputation. You can read about other consuming organizations using that cloud party to determine their reputation, but it remains very subjective. Then there's assurance. If you get an assurance report about the cloud service provider you're using, it will give you some idea about how they are complying with standards that have been made. And third, and that's where I want to go deeper into, the guarantees you get from your cloud service provider. And these are mostly the contracts and SLAs that you have agreed upon. So that makes these contracts and SLAs a very important aspect of the trust in cloud.
But looking at cloud contracting, I think cloud has a very specific element in there. And again, especially public SaaS: as an example, my Gmail account is similar to that of all people here using Gmail, and the same for Office 365; my Office 365 looks similar to all of yours. They're all identical. And this one-size-fits-all is also reflected in the contract. So you often see that organizations are stuck with signing the standard terms and conditions, especially for the larger cloud service providers. There's not a lot of room to negotiate in these standard terms and conditions. And even if there is, it's going to cost so much money that it's usually not affordable to do so. This will affect the trust, because you can no longer make your own, like with outsourcing to an IT service provider, and pin it down on what you really want to see in this contract.
You have to verify if this contract actually matches your preferences, instead of actually changing it. That changes the perspective. Besides that, cloud in a lot of organizations has become a complex environment where you have, besides a public cloud SaaS, also a private cloud. And there's a difference in there, because for private cloud you can often determine where you want to put your data, which country, and you can to some extent manage the private cloud and have some specific preferences. For public cloud, well, you don't: you share with a lot of people, it's a one-size-fits-all in most cases, meaning there are different requirements emerging, with a lot of organizations using a hybrid cloud, where they have the private part as well as the public part, with different contracting requirements. I'll get to that a bit later.
And another issue is on the right side (I see the picture doesn't completely work), but on the right side you see the organization assumes we are here using Box, Salesforce and OneDrive, for instance, because that's what we contracted with. However, cloud is very easily adopted by your employees. They can make an account on any cloud service and start using it by just paying for it with their credit card. Meaning in a lot of organizations you see, besides the ones they're actually aware of, a lot more cloud services popping up. And yeah, we perform these analyses within KPMG. And what we often do is run a two-week scan on the network, identifying which cloud services we see flying by, used by the employees, and how much data is being uploaded to and downloaded from these services. Well, talking in numbers, I think we haven't seen any less than 500 cloud services in these two weeks, and up to 1200, and I bet there's more. So we are talking about hundreds in average organizations, actually.
So meaning that if you talk about this spectrum of cloud services already being used by your employees, how do you know that they comply, that you can comply with laws and regulations, since they all have their different characteristics, and even knowing where the data is stored, in which country, will become very difficult. So I think it was also mentioned yesterday: the biggest risk in cloud may not be specifically only legal, data or assurance, for instance; it can also be that there is just a lot of shadow IT, a lot of cloud services being used in the organization, setting the risk on its own.
And then I already mentioned applicable jurisdictions. I think in this specific example, there's a consuming organization deciding to adopt a cloud service. Its primary contracting party is in Ireland. I think a lot of cloud service providers from the United States use Ireland in Europe as a basis to get the contract signed. So you sign under Irish law in this case, but often this cloud service can also use other cloud services to get additional storage. I think an example here is Dropbox, which uses Amazon as a backbone to have its storage provided to its customers. Meaning it's already dealing with two parties. In addition, for example, it can also be decided that the backups are placed at another data center, ensuring that we can make this SLA: in case something goes wrong, we can get the data back quickly. And perhaps another cloud service, or at least another data center, where data is archived for those customers that want to retain the data for seven years. Which means that you're already talking about four jurisdictions at least, and then your own consuming organization's jurisdiction as well. Keeping track of which laws and regulations you would have to comply with becomes difficult.
And then there's the fear of data seizure. I think it's been NSA-focused for the last, well, especially two years, probably because of Snowden and the media. I want to give a bit of nuance to that, but a lot of organizations fear that the US government will request their organizational data, look into it, and, well, who knows what. However, I think a specific case here is the one of Microsoft, which wasn't even organizational data. It was personal data stored in Ireland, being requested by the US government, where Microsoft sort of said: no, we are not going to give in this person's email account, because it's stored in Europe, so we don't have to. Well, they went to court; the court decided in the States that they would have to give this data from Ireland to the US government because they're a US company. Microsoft at this moment is still in the process of refusing.
They have a lot of support from other cloud service providers trying to, well, at least state that Microsoft is right: the data is stored in Europe, it shouldn't be easily requested. But it's a very important moment for the cloud industry. If this data is actually being handed over to the US government, then it doesn't really matter anymore where data is stored; as long as there's some US involvement, either from you as an organization or from your cloud service provider, the data can be requested. But to put a bit of nuance there: I think there's a lot of talk about the US requesting data, but in general, your data can be stored anywhere. And in pretty much all laws in all countries, they can request your data if they go to court for it. So your data, as we said, can be stored over four or five countries easily.
And how do you know other countries will not request your data? So you should always keep it in perspective where your data is, and deal with this as a risk as such, not only focus it on the US. However, I think it was just mentioned in the presentation just before this that when the EU regulation kicks in as it is, then the data would have to stay in Europe, at least privacy data. Then, I think intellectual property is one of the most common ones that start popping up when cloud services become active. This is an example from Prezi, and it's all about this: you put something in the cloud which is your intellectual property, and this cloud service provider can reuse your intellectual property. I guess any organization wouldn't want that.
Even if it's public marketing information, you wouldn't want another organization publishing your marketing information and sharing it with the world or modifying it. This example is from Prezi, where, well, we assume as an organization you have a paid account. So you have a contract with Prezi, a paid account, but if your employees don't specifically select "this is private, this is for private use" (and believe me, that selection is really easily made; I think by default it's public), Prezi is, according to the contract, allowed to reuse everything that you as an organization store in Prezi. While Prezi is presentation software, similar to PowerPoint, and presentations can contain sensitive data, for instance financial publications. But as I said, even for public marketing information, it wouldn't be a good thing to see that being reused by another party.
And then there's indemnification. This has been there for years also in the software market: if your service provider, your cloud service provider, is using the intellectual property of another third party, the third party can go to your cloud service provider and claim, well, it's their intellectual property, and try to, yeah, put a claim on it, get money for it. However, you as a consuming organization are using that cloud service provider which is infringing intellectual property. So the third party could also claim against you, and by having it stated in your contract that your cloud service provider indemnifies you from claims of third parties on intellectual property, you can overcome this problem. I think this is a very important aspect you just want to see in the standard terms and conditions or cloud contract you sign. I'll come to it later.
Lastly, liability caps. If, for instance, your cloud service provider goes down and it's no longer usable, it will often cost you a lot of money, if business continuity is affected and one of your critical processes is using this cloud service. It will cost you thousands of euros. Often in the contracts with cloud service providers there's a cap on liability; that can be either 20,000 euro, or let's say 12 months of payment for this cloud service. This will rarely cover your cost of losing business continuity. And on the other hand, if you're talking about a party that is, for instance, under Irish law, you would have to go to an Irish court if the cloud service provider refused to pay, which makes it relatively difficult to actually get something back of what you lose. So you would have to cover this risk yourself and cannot do this in a contract.
Well, that sounds very scary. Now we should never use cloud anymore? That's obviously not the case. I just wanted to name a few risks; I think within legal and contracting these are very valuable risks. But how would you approach this as an organization willing to adopt cloud? Well, I think it was also discussed yesterday, but I'll zoom in to the specific legal and compliance aspect here. First of all, you want to determine what your risk appetite towards cloud is. Am I willing to take a lot of risk here or not? Will I be very risk averse? And, even more importantly, evaluate your data. I think a colleague, Mike, also named it a number of times: it's about the data you put in the cloud. Are you talking about your most confidential data, public marketing information, privacy-sensitive data, or data that has to be available at all times?
It makes a huge difference to the amount of risk it faces and the measures you want to take to mitigate this risk and bring it in line with your risk appetite. In order to mitigate the risk, you can select controls: internal controls, cloud solution controls (so the technical aspects of the cloud solution that you're using), assurance reports, but, yeah, also the contracts and SLAs. And that makes these contracts and SLAs so important in this story, because on the one hand they can help you to mitigate certain specific risks towards cloud, and they should be input for the decision you make to select a certain cloud provider or not. To take a bit of a case that will make it relatively practical: well, we would advise our clients, stating that at first, make sure you have some baseline contracting requirements, things that you definitely want to see in your cloud contract, whether it's standard terms and conditions or a customized cloud contract; this is what you definitely want to have in at all times, no matter what data you put in. Besides that, perform a business impact assessment, just to see what kind of data we are going to upload to the cloud: is it confidential data, data we want to keep available at all times?
Yeah. Just to get a grasp of the data, and this legal assessment; I think the privacy impact assessment that was mentioned just before here is one of the examples in there, in which you also want to determine: is this data that is facing financial regulations, or are we talking about our intellectual property here? Because it makes a difference in the type of data that you're putting into this cloud. Well, a sample example as well: we have the baseline contract requirements; they will always apply. And in this specific scenario, we have highly confidential data, so data that is the most confidential for this organization. And besides that, it also contains privacy-sensitive data. With this example, I think a lot of organizations using cloud collaboration solutions like Google Docs or Office 365 often put in confidential information, such as financial information they're collaborating on, and also privacy-sensitive information.
If it's consumer or customer information, it will be privacy-sensitive. So this example, I think, aligns with what a lot of organizations are facing. And I want to give some examples of things you would like to see back in this cloud contract, or in the standard terms and conditions of this cloud service provider. Well, at first you want to make sure that it's stated that your organization retains its ownership of this data. So talking about intellectual property: that the consumer of these cloud services remains the owner of the data, keeps its intellectual property. And besides that, that the cloud service provider indemnifies you from claims from a third party on intellectual property infringement, so you'll not receive this claim yourself. These are basic things that in this scenario this organization will want to see at any time. But we're also talking about most confidential data.
And besides the technical requirements or internal controls you might want to take, an example you would like to see in the contract here is a confidentiality undertaking, where the cloud service provider states that they'll treat your data as confidential at all times and will not access it unless, well, they follow strict procedures. Of course, these strict procedures you could request assurance on, but I will not go into detail there. But a confidentiality undertaking would be very relevant to see in the contract here. Regarding privacy-sensitive data, well, the data processing agreement has also been mentioned as specifically something that, if you're talking about privacy-sensitive data, you would want to see in your contract. Why? As a supplement to your contract, there's a data processing agreement stating where the data is processed, how it's processed, whether subcontractors are also able to process it, because this helps you to comply in the end with the laws and regulations.
Well, I've given you this example. I want to come to a conclusion and invite you to discuss as well. So if you have any questions, hold onto them for a few seconds. I think, back to contracts: why are they so important? For one, they help you to trust the cloud service provider, besides assurance and, well, reputation. You'll need to make sure that you have your contract requirements defined, based on the type of data, and, yeah, be able to mitigate the risk or accept the risk, but at least manage the risk along the lines of your risk appetite, and in the end make the right choices. So the requirements you have towards your cloud service provider, depending on the data, you would have to think of upfront, before the cloud adoption. Well, as I said, there are various challenges regarding legal and compliance.
We mentioned the liability caps, the intellectual property, the fact that there are often multiple jurisdictions applicable, and the indemnification. Yeah. So an aligned approach becomes very relevant. Optimally, you would like to integrate it and make the legal requirements part of the other requirements you have, in terms of requirements for the technical solution that you're going to use or internal controls, and make it one process. I think this is very important to also have a smooth cloud adoption. We often see clients that at the last phase of signing the contract, adopting a cloud solution, find out that the legal department has certain requirements and also stop: we're not going to sign any contract at this moment because our requirements are not met. And if their requirements do not align with how cloud works or how cloud contracting works, you end up waiting a year discussing with the legal department how we're actually going to sign the contract, or end up not signing the contract at all. And this is also an issue that cloud vendors are facing with their potential customers. So we're often called in to investigate: what is actually the risk of the data you're putting in, and what legal requirements would you like to see here? Well, that summarizes my risks and the approach that I suggest.
So I want to definitely thank you for your attention, and yeah, please let us know what questions you have, and John will also give his views.
Thank you very much, Edward, please have a seat. So yesterday in our cloud assessment panel, we were discussing what actually would be the biggest risk in going into the cloud. So I wonder now, after all the points that you've made, what do you think would be the number one risk of not having an appropriate contract when you go into the cloud?
Well, I think the biggest risk, which we discussed yesterday, is that there are a lot of cloud services already being used. There's a lot of shadow IT already in place. So knowing which contracts you actually already have accepted, which standard terms and conditions you have accepted, yeah, how do you comply with your laws and regulations if you already have so many? So if you don't have a structured approach, you end up with a lot of shadow IT there.
So it's the handling, after all, the handling of contracts that gives you some concern.
Yeah. I think the handling itself, if you don't have a sophisticated approach, you'll end up with this risk. So that's where I think your focus should be, to
solve it. So what's the trick? How should we discuss handling of contracts? That's to all of us. I think that's indeed probably the most important point. What do you think?
So I think, like I mentioned yesterday, I think it's coming back to having a standardized process for how to acquire cloud services, which is accepted by everyone in the organization. I think that's number one. If you don't have it, then of course have all key stakeholders involved: so have legal involved, have contracting involved, have the business side involved, have IT involved, have the data owners involved,
Compliance. Right,
Right. So I think that's really key. Can you have a smooth, working, fast process for acquiring the cloud services? And in that process, can you take care of all legal constraints?
So that's a bit the privacy impact assessment we were discussing before; you should have that as one element, a checkbox, right? Yeah.
So that's one element. And there might be a difference, though, if you look at the privacy side and also the acquiring of the cloud services: until the moment that we are being fined due to the fact that we do not comply with certain privacy legislation, the business doesn't really take care. Right. Right. But the aspect is that if you're putting business-critical information in that cloud and that's really leaking out, that can kill your business, right, in the long term. So in that respect, privacy could really piggyback on having a very sound, smooth acquisition process for cloud services.
And who should be in the lead? Talking about everyone being involved, that was a pretty long list that you gave us.
I think, what's the natural lead? Yeah. The interesting thing is, I think there's always a procurement process in place in the organization for standard items anyhow. So who should organize that, the acquisition part? I think that should be, I think also as we call it, the procurement-type process.
So often I see in practice, at least, that it's going to be IT that's thrown into it. It's like, okay, we want to save money, why don't we go into the cloud, and you check what's appropriate. Do you see the IT hat on everything here, like the principal of that process? You just were,
They should, should we endorse it? But the interesting thing is, of course, if you're looking at a CIO, eh, what's the definition of a CIO? Let's say the chief information officer, if he's really acting as a chief information officer. What we currently see in most large organizations is that basically it's just a kind of chief IT, right? Those people, those girls and boys, are not really involved also in certain decisions which are being taken on the business side. That's the whole reason why we have shadow IT. So we as IT also really messed up over the last year.
So it's a question of self-perspective. You don't want to be a chief information security officer, you want to be chief risk officer, as discussed yesterday, and then you can have the holistic approach, just to give it a name, meaning the way of thinking that must be behind it. Is that what you're
saying? Now, what I'm saying is that really the CIO should step up, should step up to come with a really compelling story to the business for using IT in a meaningful and agile way. And part of that is also to enable, together with procurement, to actually acquire in a smooth, less painful way all those services that the real user would like to have. And part of those services is cloud, right?
Maybe to add, I think for the CIO, and especially risk management and information risk, they started to meet each other in the last couple of years, but legal and compliance still seems to be quite a different world. So they don't align; information risk management and legal and compliance don't talk well to each other. If the CIO has to align all parties, it becomes relatively difficult for them. And the problem in the end will indeed be with procurement, which has to make sure that all these requirements are met. I think it's therefore also important that the CEO understands that there are different parties besides information risk management, which, because of all the incidents, has been shouting already, but there's also legal and compliance, which has to give their input into this process. So there has to be one point. Again, I think the CIO has a big responsibility because that's where the requests from the business land first.
And who, and how you can actually help there: I would challenge everyone to do, once, a kind of check of what kind of cloud services you are actually using. So we did exactly the same at KPMG NL, so in the Netherlands. And so I did ask the CEO, Eric, at that moment, saying: Eric, how many cloud services do we actually use? And of course the first thing that happened was we had a definition problem, right? What is a cloud service, right? Is it an ASP or is it a... But anyway, so we clarified that one. And so we came to the conclusion, well, he thought we might have something like 50 or 60 cloud services. So we used some tools, sky networks, but you have multiple of those kinds of things. And basically I think in the first assessment we got something around 300 cloud services, 600, 600: we were using 600 cloud services, of which basically only 50 passed the standard process.
And of course, then the next question is: who cares? Right? And we noticed that also the trust administration of all the equity partners was in the cloud, and I'm an equity partner, and I wasn't aware of that one. So of course then something is changing. So I think I would challenge everyone, saying: do that initial check, because that makes it very clear that there needs to be a process in your organization that is orchestrating the whole usage of cloud. And if you're not getting that, it'll be a huge spaghetti; it is already a nice plate of spaghetti, but then we have a full bowl of spaghetti, which will be so complicated. And yeah, you will have an issue anyway. Yeah.
Well, speaking of spaghetti for a minute, the auditing function is kind of like when you go to the doctor and the doctor says you should eat better, go and eat better. And then you leave the doctor and you go have beer and Twinkies and spaghetti, right? Because the world is presenting beer and Twinkies and spaghetti to you. So companies have a different motivation than people. People wanna stay alive. And companies, if you look at the articles, bylaws, and contracts, basically want to make money. Yeah. There's not a lot else going on in companies. So one of the pieces of advice you're giving is: it's good for you. You save money, you reduce risk, especially a public company, right. A public company, if they put disclosures in based on what they think is in the contracts and they're just simply wrong, then they have all sorts of exposure. So it feels like that advice is trying to coax the patient, your clients, into behaviors that are good for them, but they're out there in the world with Twinkies and beer and spaghetti.
Right, right. That's of course... I'm as well an auditor as an advisor, and more advisor than auditor. I think we as the auditing industry, we also missed the boat here. If you look at it, so admin showed one slide here with all the different flags, and of course Soman was making the point about the whole contracts: of course you have the different legal systems in all the different countries, but that also applies to the audits. Yeah, of course. It's also a spaghetti of all those statements. In the past we had SAS 70, now SOC 2 or different statements. Yeah. It is a kind of spaghetti of all those statements, and nobody knows exactly what is stated, because for every statement, if you're doing a SOC 2, please check what is being checked. Right? Yeah. You can basically do a SOC 2 statement on something like three controls, while you would basically expect something like 15 or 200 controls. So nobody's actually reading that. And so I think also an interesting element in that one is, I'm not sure if that's still the case, but one year ago it was still the case that if you would like to contract a cloud provider, and of course part of your procurement checklist is "give me a SOC 2 statement of that company", in many cases we had to sign a non-disclosure.
Is that not strange? Is that not strange that apparently the cloud market is still so competitive that the big cloud providers are asking you to basically sign a non-disclosure to actually check their public SOC 2 statement?
Yeah. But you know, just to develop, if I may, for a second: it feels like, you know, in the United States, Sarbanes-Oxley is basically the recruitment of the company to help the auditor's job be better, in a sense, right. Maybe do we need a Sarbanes-Oxley for data to recruit?
I don't hope so.
Because I mean, not provide regulation that would... what about a self... no, you wouldn't. What about a self-regulation Sarbanes-Oxley for data?
Yeah. Perhaps the reason why I'm saying I wouldn't hope so is because, you know, SOX did things, SOX helped. Yeah. But it also sucks, right? Yeah. Because apparently you would like to actually change behavior. Yeah. I think it's so stupid that we are talking about security by design, we're talking about privacy by design; why wouldn't we just call it, you know, good service by design, right? Yeah. It's so strange that apparently this market is still so competitive that we are so motivated by just earning huge money that we are taking shortcuts, I think. And probably, yeah, yeah, if I had a dream: so next year, I really hope that there would be a kind of sanity check with all CTOs and CEOs of cloud service providers saying, guys, let's also focus on what is good, instead of just focusing on getting some functionality out; time to market should be very fast, but then of course selling like hell and
Solving other issues. It's the challenge of inviting a company to internalize costs. I mean, essentially that's what you're doing. And that invitation to internalize costs is very difficult unless there's a narrative of a future risk or a future benefit. Right.
And I think I'm probably going to say something very stupid now, I'm always saying stupid things around lunch, but I think we are really waiting on a 9/11 on the internet. And the reason why is that we, the whole security industry, I think that's the same with privacy, but also of course security and privacy, they're going hand in hand, but also with the whole cloud services, apparently we didn't have such a big incident that we got to that point that people are saying let's VE our ourselves,
But well, actually we are heading towards those seals and everything. Okay. It's a bit theoretical to start with, but actually you were asking for service by design, and in a way those seals are just trying to push the market towards that. So I think if there is a market for those seals, it might be especially for the cloud environment and not for so many other services,
I'm going to challenge you on that one: who's putting up those seals, who is that? Is that the buyer, or is that a group of enthusiastic researchers and lawmakers who think that might be very good for society? So I would be very much in favor if the big buyers, so all big companies, really would step up and say, hey guys, we're going to force our industry to get mature. Well,
That will be the code of conduct then, which is another instrument that is upcoming. And for both, we wouldn't know yet who's gonna be the policymaker, both for the seal and the code of conduct.
So I give you an example I'm doing, and I can say that publicly. One of my biggest clients is Shell globally, and together with Microsoft and HP and a couple of others, we are basically now also developing a new security model. The global CEO of Shell basically said, guys, this can't be true. This can't be true that we have a security industry which is not working right. Apparently you are making billions and billions and billions, but you're not reinventing yourself. So I will find a couple of other CEOs who are able to actually spend a couple of hundred million every year to fund, to come up with, a new model which is really working. I think that's the push that we need, that really the big buyers are stepping up and saying, guys, stop this nonsense, because we all, from our thoughts and from our ideas, we all think let's find some new things to actually make it somewhat safer, but we're probably not making that big step.
Well, probably not. So we have some issues here. We have the contract issue. We're trying to have the best contract that we could have for the particular situation. We are begging service providers to become a bit more transparent and a bit more, maybe even compliant in some parts, in order to provide the services we need and to rely on them a bit better. So contracts are gonna be easier if you have that. And the structure itself, the structure of the relationship, must be dynamic. We discussed that yesterday. I'm wondering if also, as someone using the cloud, not only taking care of your contract, you have a choice by keeping risk. After stepping into the contractual relationship with the cloud service provider, in order to keep the risk lower, do you have other instruments that you could use, for example, which category of data is gonna be in the cloud, contract only with cloud service providers in a certain area? So what else is there in the matrix that at the end will be part of the contract, of course, but what are the pre-thoughts, to give everyone a bit more of a checklist, for this group of people that you thought was a good idea to have, the implementation team? What are the key points that should be discussed before you have the contract and maybe help you to get to the better, as far as it concerns the risk?
Yeah. I think the starting point is the data. Indeed, what you put in; you want to do that before you sign a contract. So investigate: am I gonna put business critical information in there, most confidential information, data privacy information? And based on that, indeed, you want to determine the risk and know how to mitigate this risk. So the requirements or measures you want to take to mitigate the risk, or at least manage it in a way that aligns with the risk you want to take. I think the contract is indeed an element there, but you also have your internal controls. If you're looking at cloud, I think if you don't manage your authorizations right yourself, how do you know that the right people are accessing your conference? You're also an internal partner and thinking about basic things like change management.
It's not that you're gonna tell your cloud provider, change this for me. Now your cloud provider is gonna make a change which may impact your business. So you, on the receiving side, also have to adapt your change management a bit to cloud. So internal controls are important. I think also the technical measures in the cloud services are a large aspect in there. I think if you're talking about very confidential data, you would want some layers of encryption in that cloud service, maybe even manage the keys yourself, to be able to bring the risk down.
From your perspective, how big is the behavioral part of your staff? How important is it to assure that staff is acting according to those rules that you're gonna set up when it comes to asking what kind of data is supposed to be in there? Is that like a major thing? Or is that something that you shouldn't...
The biggest? I think it's probably the biggest element in there. And I think when we were talking about the 600 services being used, the first thing we heard is, yeah, let's block all these, the ones that we do not like; we had 60 in mind, there's 600, we're gonna block 540 of these services. Yeah. That's the worst thing you can do in cloud, because I think even for cloud storage solutions there are already a couple of hundred, and probably the ones, the 25 that you know, are the ones that you would even consider using; the ones that you're not aware of will probably store your data somewhere in countries that you've never heard about. So I think blocking is definitely not a solution, for cloud solutions are popping up every minute. So that's not the way to go. Whitelisting will also not work, because there will be so many exceptions of, yeah, people just need this cloud solution for a specific scenario, which would have you remake your whitelist all the time.
The process will never work. I think it's all about educating your users, and to give a very practical example in there: we've already seen solutions that, oh, let's imagine an organization chooses, we're gonna use Dropbox as our storage solution, that's what we approve of. But OneDrive, Google Drive and Box, for instance, these are not the ones that we want our people to use. It would be great, and there are already solutions trying to play in there, that if you go to Google Drive as an employee, you will see a popup: look, we're using Dropbox for our organization, that's what you're supposed to use for organizational use. However, if you want to use it for personal use, you can accept it and use that, but for organizational use, please use Dropbox. That's how you educate people without directly blocking them and still allow these exceptions that are always there, that they may need Dropbox or Google Drive or OneDrive for once. And so I think that's how you can educate using cloud, in accordance with policy.
It's like with your kids: when you want 'em to eat their carrots, you don't say, eat your carrots. You say, do you want peas or carrots? Right, right. To give them a choice, right.
So if you have done that, if you have checked with everyone in the company, if you have made some achievements in educating people how to use the cloud, I personally have the impression it's important to educate your cloud service provider as well, a lot, especially when it comes to the question of data storage. I have met so many situations where the internal policy, for example for certain meta information, was to keep it for 90 days. And then I've seen so many cloud service providers only on the third asking answering even that question. And after a certain discussion, you would learn that information would be in there indefinitely. And then the response would be like, okay, make sure that there will be no personally identifiable information in the cloud. But before, the marketing was like, you can put everything in there.
So the alignment with the service provider, would you do that in the contract, or is that something that you would try to adapt step by step later on? Because you're like, okay, in the contract you will have some notion that certainly laws will be fulfilled. And then you go there and you say, okay, stay with the 90 days. And you will put pressure on them like that. Or will you do that before? Because it's not so easy to succeed in making the system change. So is the pressure higher if you do that after the contract and you really aim at maintaining the contract afterwards, or will you discuss that before and maybe think success is not having the solution?
An interesting thing is, it's all about your buying power, right? Yeah. If you're an SME, the cloud provider is not going to change anything. Full stop.
Well, it's not only about the buying power. I'm consulting one or the other company that even possesses parts of one or the other cloud service provider. And even for that shareholder, they wouldn't change the procedures. Right. Right. So I see a dictation part from the cloud service providers, like take it or leave it. Isn't that like a major problem that I personally wouldn't see addressed enough in the contract? And the risk stays with you as the one putting in your data. You were showing us that what remains with you is not the task around the technical part; what remains with you is the right on the data. And it's not even your data, it's your customer's data. And isn't that the part that we need to educate the service provider on? Listen, I put in there all my information, and it's my goal that I put in there, and you can't even tell me how long you keep that information.
No, I think, but then we need to go back to the business model of cloud. Right? If you're just going to acquire public cloud services, you can't expect something else. Okay. You cannot expect something else. That's the same, you know, when you're in Holland, you know how we are building houses, right. We have all those big blocks of eight in a row, all standardized. And you have villas. Of course, if you would like to actually enter a contract with a public cloud provider, you're getting just a kind of standard house. That's full sub with very few items which you can change. Of course, if you would like to change a lot, you probably get into the field of the villas, and that will be expensive. Okay. So I think that's the whole trade-off that you should be making. And again, there, I think that discussion
That should be clear from day one.
Okay. So there are things that you can't patch with an appropriate contract, because what we're discussing here is non-compliance, to be very clear about it. And you will have to accept that non-compliance, as far as you don't wanna spend more money and get that villa. That's the core line, that's a fact of life.
But oh, go ahead, please.
There's also, it's how the market works, I guess. I mean, it's indeed standardized, but if there's a lot of market, let's say the financial sector, demanding certain things from a cloud service, let's say a data processing cloud service, they are willing to make that change if that's for all their customers. So I think the change is not during the contract, so upfront you would want to know what you want to see in this cloud provider, but if there's a big industry wanting some things in the contract, yeah, of course, the bigger parties seeing that market will change it. So is there also market failure for the cloud service provider making a change during the contract? No, I don't think so. It's standardized, but upfront, of course, if it has market failure, to increase sales, then yes. There's also
Failure stem. And one of the ways to educate service providers is by organization of the buying. Absolutely. A co-op. So one can imagine, absolutely, a KPMG audit function becoming something that people pay attention to in order to cohere their buying function. Right? So you could say, well, gee, we're noticing this risk out there, all you clients, so you should think about it, all of you. Not that you're gonna organize people, that would not necessarily be a good business plan, but it becomes the seed crystal of starting that idea that there's a buying co-op, because the way you educate a company is with dollars. That is pretty much the way they pay attention. Right?
So Scott, the reason why I'm smiling is that you really think that an auditor is having impact. So I'm very happy that you do, because we probably then don't have that, but
I was a tax lawyer for many years.
No, I think, but I think who is currently organizing that buying power, you know, taking the example in airline, that's Dutch, the Dutch National Bank, right? Yeah. They're putting up some guidelines on how banks can use cloud services. Yeah. So what you see is that of course the buying power might be, or will be, organized per sector, per country. And that's something good, because that's also giving the cloud service provider the opportunity to basically not change their business model only for one client, but also then for a sector. I think that's also then the way to go. That
Feels, how does this differ, from an auditor's perspective, viewing the history of different audits of outsourcing? So when I outsource my shipping of packages for the first time, and let's say I'm a company that's very dependent on my shipping, people have custody of the package. There are a lot of similarities. How is this the same as and different from other outsourcing, where you're trading off one risk for another, right? You're getting the reliability of a big provider; you know, a mom-and-pop type organization can't take care of data, they're probably better off in the cloud. Although yesterday someone was noting about making yourself a target by going in with other big targets. But how is this the same as or different from other outsourcing risks? Cuz it feels like it's more pervasive maybe, but are there other ways in which we can learn from what happened in outsourcing and the way that trended, in terms of, you know, initially there was a lot of concern, then it got more reliable and then there was less concern? Is there anything like that that we can
Observe? Yeah. I think an interesting question. And of course it depends on how you will... yeah, what is the object of all this, right? And on whose behalf you are doing that audit. So suppose I were doing an audit on the IT environment of a large organization; of course cloud is making it so complex, because currently nobody knows exactly what kind of IT he or she is using. And of course using cloud, it's even more of a mess. Right. So getting that full picture of what kind of assets I really have, and also the picture of admin saying what is used as a backup and those kinds of things: nobody is having that topology of all the components and sourcing providers. So in that respect it makes it more difficult, because since there's not a huge amount of openness from the cloud service providers, it's a pretty big task to actually get a clear picture.
However, coming back, if you're looking from a kind of SOC 2 statement perspective, of course the interesting thing is that at the moment, since there's more and more pressure from groups of buyers to actually get standardized services, it will make it easier. It'll make it easier. You know, most IT outsourcing companies in the past, let me be very honest, most of them never made a lot of money, right? The biggest contracts were always the contracts where they lost a huge amount of money, because everyone was just outsourcing their biggest pain and their biggest chaos. So by the fact that now of course they are getting more standardized services, for them of course it will be easier. And also for us it will be
Easier. So it sounds like it's like a supply chain situation, where really any company in a supply chain cannot see more than one level above or below in their supply chain. Right. It becomes invisible
Very quickly. Yeah. I think that's an interesting concept, the whole supply chain element. That's, I think, something we are still ignoring in the whole security and auditing industry.
That's a good point. Yeah.
So we have a few minutes left. When you say it's all about the buying power: imagine you don't have it. Imagine you don't have the buying power and you just wanna be smart in buying your cloud. What would be the major one, two or three questions that you would ask your possible cloud service provider, taking for granted you have high-risk data in there, such as health information maybe, or really intellectual property information? So what would be the main questions that you'd ask?
I think, concerning the contract, I think retaining ownership of your data is very important, and make sure you are indemnified against claims from third parties. Looking at the contract, these are very important. And in terms of technical requirements, encryption of your data in transit is a must these days, using SSL connections. And looking at assurance, at a minimum you want to have your cloud service provider provide you yearly assurance reports, and actually be careful with the scope, on the cloud service that you're using. I think these are the minimal things you want to see from your cloud service provider.
Okay. Well,
Yeah, I think that's almost a complete list. I think again, this whole issue is not stopping people from actually buying cloud services. Right. Doing business is taking risk. Just do it. And especially for smaller organizations, I think cloud services in my view are more secure than most IT services in small companies, right?
From a security
Side, from the security side, from the privacy side. Probably there could of course be a legal issue, since of course it might be stored somewhere else, in a different country, and those kinds of things. But from the security side, who's doing the system admin of a small organization? And that's basically always the son or the daughter of the CEO. Right. Because he's smart enough to be able to actually be in the Windows admin
All
Right. I rest my case. So probably I think most cloud service providers, the big ones, I would expect to have more security people. Right. Yeah.
Well, thank you very much for going through all that. I think there are so many aspects of that; we haven't touched them all, but we have touched a lot. Thanks. Especially for your presentation, I think that was a very, very good start, very comprehensive, for our discussion here. Thanks for being here. And I think we'll be back here in one and a half hours, if
I think that's right. I think so. Check
The schedule. Thank you very much.