Page 1: Cloud Computing: Risk Mitigation Strategies from a ...dtpr.lib.athabascau.ca/action/download.php?... · Note: If organizations already have cloud agreements in place, lessons learned


Cloud Computing: Risk Mitigation Strategies from a Contracting Perspective

By: Kathy English

AP Supervisor: Dr. Anshuman Khare

April 2015


ABSTRACT

Cloud computing services have become one of the top technology trends and the industry continues to evolve at a fast pace. Organizations should take advantage of the lower costs, efficiency and scalability of cloud computing where it is a fit for their business. Prior to moving to a ‘cloud’ environment, organizations need to understand the business and legal risks associated with cloud computing services and have strategies in place to mitigate those risks. The purpose of this conceptual paper was to identify risk mitigation strategies for organizations entering into contracts with cloud services providers. This conceptual paper is a comprehensive review of secondary sources of literature. It begins with a brief background and the current status of cloud contracting in Canada and the US, followed by a review of the rewards and risks of cloud computing, and then identifies risk mitigation strategies through negotiation of key contract terms and customer-focused SLAs. The intent of the research was to identify the critical contract clauses and terms needed to mitigate risks as organizations move to a cloud environment. The research confirmed there are many risks associated with cloud computing, particularly data security and privacy risks and regulatory and privacy compliance. This paper analyzed the critical risks associated with cloud computing and presented a framework of key contract terms and SLA metrics that organizations should negotiate and incorporate into the overall contract with SaaS cloud service providers to mitigate these risks. The framework of key terms provides organizations with a checklist of cloud-specific clauses to include in the contract in order to protect their interests from a business and legal contracting perspective. The majority of current contracts are the cloud provider’s standard agreements; therefore, negotiation is essential for cloud computing contracts.
This paper also explored management themes important for successful negotiation of cloud services contracts, which included: governance and SaaS strategy, project management, purchasing best practices, and vendor performance management. Organizations can mitigate the risks associated with contracting for cloud computing services. Key findings identified from the research included:

1. IT and Purchasing should perform due diligence to mitigate the risks at the pre-contract stage,

2. Cloud-specific contract terms and SLA metrics should be incorporated into cloud services contracts, and a recommended framework of key cloud-specific contract terms and SLA metrics was presented; and

3. Purchasing, Legal and IT need to negotiate the key contract terms and clauses. Providers are becoming more willing to accept some of the risks and are starting to work with organizations to negotiate mutually acceptable contract terms.


TABLE OF CONTENTS

Acronyms
1.0 INTRODUCTION 5
1.1 Background & Significance 5
1.2 Research Design 6
2.0 RESEARCH PURPOSE AND QUESTIONS 8
2.1 Audience 8
2.2 Purpose 8
2.3 Assumptions 8
2.4 Research Questions 9
3.0 LITERATURE REVIEW 14
3.1 Background of Cloud Computing 14
3.2 Cloud Computing Rewards 16
3.3 Cloud Computing Risks 18
3.4 Summary of Main Rewards and Risks 23
3.5 Risk Mitigation from IT, Legal and Purchasing Perspectives 24
3.6 Key Contract Terms & SLA Metrics to Mitigate Risks 29
3.7 Negotiation 37
3.8 Themes For Successful Contracting 38
3.9 Literature Review Summary 43
4.0 ANALYSIS 44
4.1 Resources 44
4.2 Current State of Government Cloud Contracting in Canada 45
4.3 Overview of Resources 46
5.0 RECOMMENDATIONS & CONCLUSION 47
5.1 Recommendations 47
5.2 Conclusion 53
6.0 REFERENCES 55
APPENDIX A: SAMPLE CLAUSES 62
APPENDIX B: FRAMEWORK FOR SECURITY MECHANISMS FOR CLOUD SLAs 64


ACRONYMS

Cloud and cloud computing are used interchangeably.
CSP - Cloud Service Provider: the business that offers cloud services
CSA - Cloud Security Alliance
CSCC - Cloud Standards Customer Council
CSM - Cloud Services Metric
Elastic - indicates that scaling can be done rapidly in response to changes in demand (Bradshaw, Millard & Walden, 2011)
FIPPA - Freedom of Information and Privacy Protection Act
IaaS - Infrastructure as a Service
ISO - International Standards Organization
ISO 27001 - defines specific information security requirements that apply to providers and flow down to their sub-contractors
KPIs - Key Performance Indicators
NIST - National Institute of Standards and Technology
Organization and/or Customer - the business that is purchasing cloud services
PaaS - Platform as a Service
SaaS - Software as a Service
SAS70 - Statement on Auditing Standards
SSAE16 - Statement on Standards for Attestation Engagements (update to the SAS 70 auditing requirements)
Scalable/Scalability - the amount of computing capacity that can be varied according to the customer’s needs


1.0 INTRODUCTION

1.1 Background & Significance

Many organizations are moving from in-house, on-premise computer services and systems to ‘renting’ computer hardware, data storage space and software in a ‘cloud’ environment. The characteristics of cloud computing include:

• Delivery of services over the internet,
• Software, platform and infrastructure resources provided as services (SaaS, PaaS and IaaS),
• Scalability on demand, and
• Utility or subscription billing (e.g. payment based on actual usage)

(Kalyvas, Overly & Karlyn, 2013).

As per Carcary, Doherty and Conway (2013), by 2011 cloud computing was the main technology priority for organizations. Gartner (2014) recently identified cloud computing as one of the ‘Top 10 Strategic Technology Trends for 2015’. Gartner, as cited by Kalyvas, Overly and Karlyn (2013), predicted cloud computing revenue would surpass $14 billion by 2013 (p. 7). Amazon describes cloud services as the ‘on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing’ (Amazon Web Services (AWS), 2015). Cloud services are sometimes described as being similar to electricity, where the services are considered pooled resources and customers pay as the services are needed (Bean, 2009; Freeman & Gervais, 2011). The main pressures to move IT environments are the reduced cost and increased efficiency of on-demand delivery of IT services (Shaw, 2011).

However, there are many risks associated with moving to a cloud environment. In cloud computing, data is placed online, in the hands of third parties, and this leads to security, governance and privacy risks and a lack of control over service availability (K.B. Green & B.P. Green, 2014; Aleem & Sprott, 2013). IT environment changes are taking place at a fast pace, and there is a lack of maturity in the market because the service model is newer and there are not many providers (Betcher, 2010). Organizations lack experience incorporating cloud environments from both a technology and a contracting perspective. Organizations, both private and public, need to review the risks and mitigate as many of them as possible. Cloud service providers are unwilling to accept many of the risks; therefore, many current contract templates are provider-focused (Freedman & Gervais, 2011; Goudreault, 2014; K.B. Green & B.P. Green, 2014). Aleem and Sprott (2013) concluded that “SLAs weigh heavily in favour of cloud providers” (p. 15, para. 3).


Organizations might mitigate risks through negotiation of contract clauses and service level agreements (SLAs), and through enforcement of the same (Shaw, 2011). The SLA should define the mutually agreed (or minimum expected) service levels from the cloud service provider to the organization. IT, Legal and Purchasing managers and staff need to work collaboratively toward contract risk mitigation.

Note: If organizations already have cloud agreements in place, lessons learned could be applied to future cloud contract negotiations and key contract clauses be identified and modified where appropriate.

1.2 Research Design

1.2.1 Conceptual Paper

This conceptual paper was a comprehensive review of literature on ‘cloud’ computing for SaaS, its rewards and risks, and risk mitigation through negotiation of key contract terms and customer-focused SLAs. The research was from an IT system and infrastructure perspective, including security, data breach and performance risks, with the main focus on risk mitigation from a Purchasing and Legal contract perspective. Cloud computing technology is a newer service offering in an emerging market; therefore, the literature review covered the last 5 years.

This research paper focused on the key risks and risk mitigation for delivery of cloud software services (SaaS) from a contracting perspective. The resulting recommended checklist/framework of contract terms and SLA metrics should be considered when negotiating the final contract with the cloud services provider.

Management themes important for successful negotiation and implementation of cloud computing contracts were also explored, including: governance, SaaS strategy, project management, purchasing best practices and vendor performance management. In addition, knowledge, trust, human capital and communication were reviewed.

1.2.2 Key word search included:

Cloud Computing
- Business risks,
- Legal risks,
- Risks vs. rewards,
- Risk Mitigation (mitigating risks),
- Security Breaches,
- Service Level Agreements (SLAs), and
- Contract terms and vendor management.

1.2.3 Information and Sources of Data included:

Websites:
• Google Scholar,
• Athabasca Library – ABI/Inform and Business Source sites,
• IT industry standard websites, such as CSCC, CSA and NIST,
• Legal standards / Law Society of BC,
• Provincial and Federal Government websites,
• White papers: Deloitte, Forrester and KPMG (consulting/research firms),
• Cloud-related blogs and posts, and
• Amazon/Microsoft – review of the providers’ service level agreements.

Other sources: Company documents/papers:
• WorkSafeBC’s SaaS procurement guidelines document,
• Public Procurement Managers group – as part of regular business practice, BC public entities (provincial government and crown corporations) meet quarterly and share information. The quarterly meeting was not held during the research review; therefore, information from this group was not included in this paper.

The secondary sources of data analyzed included the literature review (journals, articles, books), consulting and research advisory white papers, IT industry standard websites, cloud computing related magazine articles and blogs, government and legal standards websites, and company documents.

1.2.4 Management Models/Frameworks

This research paper primarily fits in the operations management, project management and supply chain management/purchasing domains. These domains are covered in Section 3.8 Themes for Successful Contracting.


2.0 RESEARCH PURPOSE AND QUESTIONS

2.1 Audience

Cloud computing is an organizational strategy that impacts a large number of stakeholders who may be directly involved in, or will be affected by, this newer service model. There needs to be an overall governance document, and internal end users will need to be trained and made aware of the risks associated with cloud computing. In addition to governance and training, organizations need to mitigate the risks associated with moving IT services to a cloud environment. The focus of this paper is on mitigating risks from a contracting perspective; therefore, the immediate audience is Purchasing, Legal and IT Managers.

2.2 Purpose

The goal of this applied project is to:

a) Identify key risks of moving to a cloud environment for Software as a Service (SaaS),

b) Summarize the key contract terms/clauses and SLA metrics that might mitigate those risks,

c) Develop a proposed checklist or framework of key contract terms/clauses and SLA metrics for use by organizations and;

d) Highlight any other themes important for successful contracting.

The checklist or framework of contract terms/clauses and SLA metrics will highlight the key clauses and SLA metrics organizations need to consider in contracts with cloud providers. Organizations need to understand the importance of including cloud-specific terms in contracts with cloud service providers. The contract must protect the organization’s best interests from a business and legal contracting perspective. The recommendation will be a result of the literature review and of personal experience and observations. The purpose of this conceptual research paper is to:

• Explain what cloud computing is,
• Review the relevant literature regarding the rewards and risks of moving IT systems to a cloud computing environment for software services,
• Focus on key contract terms/clauses and SLA-specific literature (past 5-7 years) related to mitigating those risks, and
• Identify themes important for successful contracting.

As per Wiseman (2014), “Provincially and municipally, there have been a few examples of adoption of cloud services” in Canada (para. 6). Therefore, the research will include public organizations outside of Canada and private organizations within and outside of Canada.

2.3 Assumptions

For the purposes of this research, the assumption is made that organizations have made the decision to move to cloud computing services: cloud computing is included in the organization’s overall strategic plan and aligned with the IT and Purchasing departments’ objectives. Therefore, only the critical risks will be analyzed, and the focus of this research will be risk mitigation from a contracting perspective.

2.4 Research Questions The following questions explore cloud computing and key risk mitigation strategies from a contracting perspective.

2.4.1 What is cloud computing?

.1 One of the most cited definitions is from Mell and Grance, (2011) of The National Institute of Science and Technology (NIST) who define cloud computing as: “….. a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (p.2).

Another common cited definition is from Gartner (2010) who stated, “Cloud is a style of computing where scalable and elastic IT-related capabilities are provided as a service to external customers using Internet technologies.” The definition then expands to include the rewards and risks associated with cloud computing.

As per Freedman and Gervais (2011), “cloud computing is a new strategic technology opportunity for business” (para. 1). Organizations can outsource their IT function and focus on their core competencies. Cloud computing is similar to outsourcing: IT processes are handed over to a third-party service provider.

.2 Service models: There are three cloud service models, namely Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). These service models have different strengths and are chosen by organizations based on their business objectives. As per Mell and Grance (2011, p. 2) the service models are described as follows:

“SaaS: The capability provided to customers to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices such as a Web browser or program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

PaaS: The capability provided to customers to deploy onto the cloud infrastructure consumer-created or acquired applications, created using programming languages and tools supported by the provider. The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

IaaS: The capability provided to customers to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications; and possibly limited control of select networking components (e.g., host firewalls)” (p. 2).

This paper will focus on a SaaS service delivery model.

.3 Deployment models: There are four cloud deployment models: Private, Community, Public, and Hybrid. As per Mell and Grance (2011, p. 3) the deployment models are described as follows:

“Private cloud. The cloud infrastructure is for exclusive use by a single organization. It may be owned, managed, and operated by the organization or a third party, and it may exist on or off premises.

Community cloud. The cloud infrastructure is shared by several organizations that have common concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by the organizations or a third party, or a combination of them, and it may exist on or off premises.

Public cloud. The cloud infrastructure is made available for use by the general public and is owned by an organization selling cloud services; its resources are sold to the public. It exists on the premises of the cloud provider.

Hybrid cloud. The cloud infrastructure is a composition of two or more cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).”


Figure 1. Visual Model of NIST’s Definition of Cloud Computing

2.4.2 What are the rewards and risks associated with the ‘cloud’?

The main rewards of moving IT environments to cloud based services include lower costs, scalability (flexible capacity), and efficiency (Shaw 2011; NIST, 2011; Kalyvas, Overly and Karlyn, 2013). Cloud computing allows organizations to reduce costs. In a cloud environment organizations do not have to purchase hardware or infrastructure to set up the IT systems, and they do not have to pay for software upgrades or maintenance fees. A cloud service provider’s goal is to have a large pool of customers to create economies of scale, which can allow them to pass lower costs on to their customers (AWS, 2015). Aleem & Sprott (2013) identified the top three (3) risks as: security and privacy, lack of control of service availability (performance), and governance. Other important risks to consider are business continuity and reputation risks. The following literature review will review risks using these three (3) risk categories. Many organizations are moving to, or are considering moving to, cloud services to take advantage of lower cost and service flexibility (Kalyvas, Overly and Karlyn, 2013, p. 9); however, organizations need to effectively balance the risks and rewards.

2.4.3 How can risks be mitigated from IT, Legal and Purchasing perspectives?

Risks can be mitigated during various stages: selection of the cloud service provider, prior to signing the contract, and post contract award.

• Due Diligence Stage (provider selection),
• Business, Legal and Regulatory Risk Mitigation Stage (negotiation of contract terms and conditions including SLA metrics), and
• Vendor Performance Management – onboarding, during and post contract term, meetings for review of SLA metrics, audits, communication, change in personnel (security checks).

2.4.4 What are the key contract terms and the SLA metrics organizations should negotiate into agreements to mitigate risks?

This paper explores the key contract terms and SLA metrics that might mitigate risks in contracting with cloud service providers. There are four (4) parts that make up a cloud service agreement: the standard terms and conditions (standard contract template), the privacy agreement and the user acceptance policy (UAP), which are usually attached to the standard terms and conditions, and the SLA.

.1 Standard Contract Templates

Many organizations have standard contract templates containing service terms and conditions. Internal or external legal counsel have usually vetted these standard service terms and conditions. Existing contract template clauses need to be reviewed and modified to be cloud service specific, where applicable. In addition, new cloud-specific clauses should be considered in order to protect the organization’s interests. Service contracts usually include privacy agreements specific to the services being provided, and these are often a customized attachment to the main contract. Most cloud contracts also include a User Acceptance Policy (UAP) as an attachment to the contract. UAPs detail the permitted (or the unacceptable) uses of the service (Bradshaw, Millard & Walden, 2011, p. 192).

.2 Service Level Agreements (SLA)

Some researchers refer to the SLA as the contract, while others refer to it as a sub-agreement to the main contract. For the purposes of this paper, the SLA will be the service level agreement and it will be considered a sub-agreement to the main contract. As per Alhamed, Dhillon and Chang (2010), the SLA describes the services in a form that can be measured and reported on, and is the provider’s guarantee to deliver the services by the method and within the timelines promised. SLAs should also include the steps and remedies if any service level guarantee violations occur.

Noble Foster (2013) advised that there are many types of cloud SLAs in use and that only some have common elements, measures or language among them. Based on the research and analysis, a recommended contract terms checklist or framework will be presented, intended to capture:

• Key standard contract terms/clauses that need to be customized/modified to reflect cloud services,
• New clauses that should be considered, and
• SLA metrics for SaaS contracts.

In addition, management themes important for successful contracting with cloud service providers, pre and post contract execution, will be presented.


3.0 LITERATURE REVIEW

The literature review will begin with the background of cloud computing and the current state of Canadian and US government cloud computing contracting. The review then examines three (3) areas: the rewards and risks associated with cloud computing, risk mitigation strategies from IT, Legal and Purchasing perspectives, and the key contract terms and SLA metrics to be considered when negotiating contracts with cloud providers. The scope of the review focuses on Software as a Service (SaaS) cloud computing.

3.1 Background of Cloud Computing

3.1.1 History

Cloud computing evolved from the implementation of mainframe computers in 1950, followed by the use of PCs in 1960, private network services in 1990, IT outsourcing and virtualization in 2000, to the concept of shared/utility computing and ‘as a service’ models in 2010. The following visual model shows the evolution of cloud computing:

Figure 2. History and Evolution of Cloud Computing

In 1997 academics started using the term ‘cloud’, and in 2006 the term entered the public domain when used by Google’s CEO (K.B. Green & B.P. Green, 2014, p. 31). Cloud services initially started with small to medium size organizations using public cloud services, and their use has evolved to include larger organizations over the last few years (Bradshaw, Millard & Walden, 2014). Tufts and Weiss (2014) advised that cloud computing is becoming more common for government and public sector entities (p. 9).


3.1.2 Estimated value and growth

Forbes (2014) advised that cloud computing is worth more than $13 billion a year and that the “total cloud infrastructure services market grew at a pace exceeding 45% and that the leading cloud infrastructure providers’ growth by the 2nd quarter of 2014 was as follows: Microsoft 164%, IBM 86%, Amazon Web Services 49%, Google 47%, and Salesforce 38%” (para. 9). Woods, J. (2010), as cited by Green and Green (2014), predicted a 44% growth in public cloud uptake between 2014 and 2019 and presented a table describing the future of cloud computing (p. 31):

Figure 3. The Future of Cloud Computing, Statistics and Forecast

Gartner (2014) identified strategic planning assumptions for 2015 to 2017, some of which included:

“By 2015, 50% of all new application independent software vendors will be pure SaaS providers, 90% of private cloud deployments will be for infrastructure as a service, and 50% of large global enterprises will rely on external cloud computing services for at least one of their top 10 revenue-generating processes.

By 2016, all large global enterprises will use some level of public cloud service, and most SaaS contracts will include price escalation limitations and the ability to terminate contracts.

By 2017, over 50% of large SaaS application providers will offer matching business process services and an integrated platform as a service, and 5% of all IT job turnover will be fallout from poor risk decisions about the use of public,

By 2020, the most common use of cloud services will be a hybrid model combining on-premises and external cloud services” (para. 3).

3.1.3 Current state of government cloud contracting in Canada and the US

Canadian Government: The Government of Canada recently issued a Request for Information (RFI) requesting that cloud providers respond to questions regarding strategies for adopting cloud solutions. The RFI closed January 30, 2015 and responses are currently being reviewed. RFI responses will be used to formulate a cloud computing strategy for Canada, including the resulting contract terms and conditions for cloud computing solutions (Sheppard, 2015). The RFI’s Annex C, Proposed Contract Clauses, Terms and Conditions, invited respondents to review the proposed terms and provide comments and/or suggestions on the clauses (Government of Canada, buyandsell.gc.ca). Canada’s cloud computing strategy will be led by a steering committee made up of Chief Information Officers and legal, communications and procurement experts.

US Government: The National Institute of Standards and Technology (NIST), an agency of the US government, recently published a cloud computing technology roadmap (NIST SP500-294, 2014). The NIST provides a technology leadership role to “support accelerated US government adoption, as well as leverage the strengths and resources of government, industry, academia, and standards organization stakeholders to support cloud computing technology innovation” (p. ix).

There are many different cloud working groups and standards organizations. Aleem and Sprott (2013) advised that the Cloud Security Alliance (CSA), European Network and Information Security Alliance (ENISA) and the NIST are among the top cloud standards bodies.

The next section of the literature review looks at the rewards and risks of ‘cloud’ computing.

3.2 Cloud Computing Rewards

The main rewards of moving IT environments to cloud based services include lower costs, scalability (flexible capacity), and efficiency (Shaw 2011; NIST, 2011; Kalyvas, Overly & Karlyn, 2013). Organizations can reduce costs because in a cloud environment there is a reduction in capital expenditures: organizations do not have to purchase hardware or infrastructure to set up the IT system, and they do not have to pay for software upgrades or maintenance fees. Less equipment means less physical space and fewer personnel to operate the equipment. This means lower costs related to purchasing, installing and maintaining the software and hardware, and fewer staff are needed to support the systems (Bradshaw, Millard & Walden, 2011; Kalyvas, Overly & Karlyn, 2013).


A cloud service provider’s goal is to have a large pool of customers to create economies of scale, allowing it to pass lower costs on to its customers (AWS, 2015). Gartner (2010) advised that organizations could save money by “leveraging a provider’s elastically scalable, varied priced environment.” This pay-as-you-go model gives customers improved resource utilization (Bean, 2009) and lets them focus on their own core competencies (Freedman & Gervais, 2011). Scalability allows customers to increase or decrease the IT resources of hardware, software and platforms on an as-needed basis; this is the resource flexibility offered by cloud computing solutions. In addition to these rewards, Nanath & Pillai (2013) and McKendrick (2011), as cited by Venters and Whitley (2012), mentioned cloud services’ contribution to green IT. Bradshaw, Millard and Walden (2011) discussed the power efficiency of the cloud model of one large data center compared to many single users and computers, alluding to potential greening and energy savings (p. 189). Cloud computing can be considered reliable and affordable technology within most businesses’ reach (Aljabre, 2012). A cost-benefit analysis done by Nanath and Pillai (2013) concluded that it is profitable for small to medium size organizations to move to the cloud, yet not for larger organizations. Aljabre (2012) also reported that small businesses could ‘reap the most benefits’ based on using Amazon’s cloud computing services. However, Green and Green (2014) stated that many large organizations, including government entities, have started using cloud services as well. They predicted a 44% growth in public cloud models from 2014 to 2019. Wyld (2009), as cited by Tufts and Weiss (2014), advised that governments are investigating and starting to implement ‘cloud services’. Forrester (2014), a leading global research firm, reported that business agility was the ‘top driver for SaaS usage’ in its 2014 Q1 survey (p. 2, para. 4).

SaaS solutions give organizations automatic access to software upgrades, which enables IT departments to be more proactive than under previous on-premise service models. Cloud services deliver up-to-date products and services to internal and external clients more quickly. This business agility adds business value to IT’s services and to the organization as a whole. Zielinski (2009) reported that cloud computing frees up internal resources’ time, allowing them to spend time on strategic rather than tactical issues. In mid-2014, Forbes (2014) reported that IBM had become the leader in private and hybrid infrastructure services. In addition, Forbes (2014) advised that early adopters of cloud services (pacesetters) use cloud services to connect with customers in social ways, creating customer interaction and feedback that enables organizations to innovate their products and services more rapidly. This concept of new service opportunities and markets aligns with the idea of giving organizations time to focus on core competencies.


Further to the idea of connecting with customers in social ways, the Cloud Standards Customer Council (2015) recently published a paper on social business and the social capabilities of the cloud. “Social business is the convergence of social collaborative capabilities and enterprise business processes” (p. 5, para. 3). Organizations might consider extending the benefits of the cloud to their social business in the cloud. This would allow end users to interact with each other as well as with their customers for improved business outcomes.

3.3 Cloud Computing Risks

Business and Legal Risks

Aleem & Sprott (2013) identified the top three (3) areas of risk as: security and privacy, lack of control of service availability (performance) and governance. In a cloud model, data is placed in the hands of third parties, which raises security, privacy, regulatory and compliance issues and creates risk management issues (Belinsky, 2012). Noble Foster (2013) advised that the critical areas of risk are data security, privacy and confidentiality. Organizations basically give up control over their company’s information (K.B. Green & B.P. Green, 2014). In addition to these risks, Freedman & Gervais (2011) identified confidentiality (regulatory), reputation and liability (legal) risks. The following risks have been categorized under headings based on the top 3 concerns identified by Aleem and Sprott (2013) and a 4th category of ‘other’:

3.3.1 Security and Privacy

Security, Data and Privacy Risks: Organizations lose ‘control’ over their information (data, applications and processing), and data, security and privacy breaches can occur (Krutz, Vines & Brunette, 2010; KPMG, 2014). KPMG’s report (2014) confirmed that the ‘cloud’ increases security risks, so controls need to be in place and aligned to this “changing environment” (p. 7, para. 4).

Data may be stored on a server along with another organization’s data, creating an increased risk of ‘unauthorized disclosure’ (Kalyvas, Overly & Karlyn, 2012, p. 1, para. 4). As per a recent blog by Sarukkai (February, 2015), as cited on the Cloud Security Alliance’s website, a recent high-profile security and privacy breach happened at Anthem Inc., a US health insurer. There was a “breach of a database with 80 million customer records” (para. 1). The blog also mentioned previous similar privacy breaches at Target and Home Depot, where 70 million and 56 million customer records were stolen, respectively. Security breaches can happen either through provider errors or be initiated by the actions of 3rd parties known as ‘hackers’. As per Noble Foster (2013), a 2012 survey of US IT professionals revealed that the “frequency, severity and costs with hacking” (p. 5, para. 1) incidents are on the rise. A recent survey revealed that 62% of corporate directors list ‘cyber security’ (data privacy and protection) as a top concern (K.B. Green & B.P. Green, p. 29).


Ouedraogo and Mouratidis (2013) reported that a cloud environment presents more opportunities for cybercrime. They proposed an approach to help organizations make a better-informed choice of provider; this model will be explained in the risk mitigation section of this paper. Kalyvas, Overly and Karlyn (2013) described risks from the view of both availability and security failures. In 2011, cloud service availability and security failures occurred with the providers Amazon and Microsoft. In April 2011, some of Amazon’s services were down for several days and some of their customers’ data was permanently lost (para. 4). In September 2011, some of Microsoft’s cloud-based software services were down for several hours. These examples of lost data and customer downtime created security risk and productivity losses for organizations (para. 5). Kalyvas, Overly and Karlyn (2013) advised that nearly half of companies surveyed in 2013 identified some form of data security issue. Another security/privacy issue that organizations need to consider is the security of the provider’s physical location where the data is being stored (Tufts and Weiss, 2013, p. 7). Zissis and Lekkas (2010, p. 587) provided a visual of the different categories of threats that could occur in a SaaS cloud environment. They noted ‘malicious insiders’, but ‘outside hacker attacks’ could also be added to their model.

Figure 4. Categorization of Threats. Security threats to SaaS environments.

Tong, Nguyen and Jaatun (2012) identified cloud risks with respect to:

• Resource location - the provider’s physical location and the local laws and legislation that apply in that country,

• Multi-tenancy - challenges relating to preventing unauthorized access by users to each other’s information as they use the same ‘physical’ servers,

• Authentication and trust of acquired information - potential issues with data being changed without an organization’s permission,

• System monitoring and logs - logs may contain private/confidential information, creating a need to monitor who accesses the logs, and

• Cloud standards - there are a large number of standards bodies and working groups with different interests. “Will there be one dedicated standards organization in the future?” (p. 50).

Privacy/Regulation compliance: Cloud services may include storing an organization’s sensitive data, which creates unique security issues. A provider’s servers might be physically located in various locations/countries, and data hosted in the cloud is subject to foreign laws. As per Gilbert (2010), the flow of data and the locations of the provider’s (or 3rd parties’) servers are unique to cloud computing. Providers sometimes use 3rd parties to host the data, and this creates less control over the data and the overall performance of the services. Depending on the type of data being stored, organizations may only want to contract with providers whose servers are located in their jurisdiction(s).

Privacy legislation involves the location of the customer as well as the service provider’s physical location where the data is being stored; therefore, there may be overlapping access and/or privacy regulations. Depending on the jurisdiction and type of information, the data center and the information itself must be physically located in Canada in order to be in compliance. In addition, customers choose from one of three infrastructure/operating models: private, public or hybrid. Public cloud models are the most cost effective; however, they offer lower security and control over data, so they may not be a suitable choice for public agencies and their customers’ personal data (Blinsky, 2013; Aleem & Sprott, 2013). Customers and cloud service providers must be in compliance with all privacy legislation that is applicable to the customer’s data being considered for storage on the cloud (Krutz, Vines & Brunette, 2010). For the purposes of this research, regulatory compliance will be in relation to British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA). In BC, public bodies that store personal information must comply with FIPPA. As per the Office of the Information & Privacy Commissioner (OIPC, June 2012), “Public bodies must protect personal information by making reasonable security arrangement against such risks as unauthorized access, collection, use, disclosure or disposal” (p. 5). In addition, FIPPA states that personal information can only be stored in and accessed from within Canada. Cloud service providers in BC must comply with FIPPA.


3.3.2 Lack of Control and Service Availability

Access and Performance Issues

Organizations become fully dependent on their cloud service provider. Green and Green (2014) stated that if there is an outside hacker attack, the system could run very slowly, and it may take longer to get it running again with a 3rd party provider than with in-house IT employees. In-house systems and employees have more knowledge, control and communication of systems, system access and availability. If a provider (or 3rd party) hires new employees, the employees need to be trained and made aware of the privacy policies relating to the organization’s data. Controls need to be in place to verify that employees are trained and agree to comply with all policies and procedures. SLAs provide a form of control to ensure the services are provided as the provider has promised. A study of 5 major cloud providers’ SLAs done by Baset (2012) concluded that the lack of standards among providers makes it difficult to compare offerings and is very confusing for organizations. The study also revealed that the SLAs are written such that the burden of proof for any violation of service guarantee levels rests with the customer (p. 65). SLAs are needed to report and track control issues, service availability and performance levels (Rose, 2011). SLA measures can be considered performance auditing (Rose, 2011). For example, customers should expect an availability uptime of 99%, and this needs to be tracked and measured. In addition to availability, uptime and downtime also need to be measured for reliability and performance. SLAs should also include penalties for missed targets due to issues with uptime, security breaches, and not meeting promised scalability targets. Noble Foster’s (2013) survey of IT professionals rated SLAs as one of their top ten contract concerns; 18% of those surveyed agreed with this view.
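Because the burden of proof for an SLA violation rests with the customer, the customer needs its own availability record rather than the provider’s figures. The following Python script is an added example (not code from the paper or from any provider) that computes availability from a customer-kept probe log and contrasts the customer’s raw measurement with a provider-style calculation that excludes maintenance windows and short outages; the 99% target is the paper’s example, while the one-minute probe log, the maintenance window, the 5-minute exclusion and the credit schedule are constructed assumptions.

```python
"""
Customer-side SLA availability tracker (added example, not from the paper).
Constructed assumptions: the customer probes the SaaS endpoint once a minute
and keeps the log; the contract promises 99% availability; the provider's own
SLA arithmetic excludes announced maintenance windows and any outage shorter
than 5 minutes; service credits are 10% below 99% and 25% below 95%.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PROBE_INTERVAL = timedelta(minutes=1)
AVAILABILITY_TARGET = 99.0                   # percent, the paper's example target
PROVIDER_MIN_OUTAGE = timedelta(minutes=5)   # assumed provider-side exclusion
# Assumed announced maintenance window on the constructed sample day.
MAINTENANCE_WINDOWS = [(datetime(2015, 3, 1, 2, 0), datetime(2015, 3, 1, 3, 0))]


@dataclass
class Outage:
    start: datetime     # first failed probe
    end: datetime       # first probe that succeeded again (exclusive)

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def build_sample_log() -> str:
    """Construct one day of minute-by-minute probe lines (sample data, not real)."""
    day = datetime(2015, 3, 1)
    down_ranges = [(130, 160),   # 02:10-02:40, inside the announced maintenance window
                   (600, 603),   # 10:00-10:03, a three-minute blip
                   (900, 904)]   # 15:00-15:04, a four-minute incident
    lines = []
    for minute in range(1440):
        stamp = day + minute * PROBE_INTERVAL
        status = "down" if any(a <= minute < b for a, b in down_ranges) else "up"
        lines.append(f"{stamp.isoformat(timespec='minutes')} {status}")
    return "\n".join(lines)


def parse_probe_log(text: str) -> list:
    """Parse '<ISO timestamp> up|down' lines into sorted (datetime, ok) samples."""
    samples = []
    for line in text.strip().splitlines():
        stamp, status = line.split()
        if status not in ("up", "down"):
            raise ValueError(f"unexpected probe status in line: {line!r}")
        samples.append((datetime.fromisoformat(stamp), status == "up"))
    return sorted(samples)


def find_outages(samples: list) -> list:
    """Collapse runs of consecutive failed probes into Outage records."""
    outages, start = [], None
    for stamp, ok in samples:
        if not ok and start is None:
            start = stamp
        elif ok and start is not None:
            outages.append(Outage(start, stamp))
            start = None
    if start is not None:                      # log ended while still down
        outages.append(Outage(start, samples[-1][0] + PROBE_INTERVAL))
    return outages


def availability_percent(samples: list, outages: list) -> float:
    """Availability over the logged period, counting only the given outages."""
    period = len(samples) * PROBE_INTERVAL
    down = sum((o.duration for o in outages), timedelta())
    return 100.0 * (1 - down / period)


def customer_view(samples: list) -> float:
    """Customer's raw measurement: every failed probe counts as downtime."""
    return availability_percent(samples, find_outages(samples))


def provider_view(samples: list, windows=MAINTENANCE_WINDOWS) -> float:
    """Provider-style arithmetic: outages inside maintenance or shorter than
    PROVIDER_MIN_OUTAGE are dropped before availability is computed."""
    def in_maintenance(o):
        return any(ws <= o.start and o.end <= we for ws, we in windows)
    counted = [o for o in find_outages(samples)
               if o.duration >= PROVIDER_MIN_OUTAGE and not in_maintenance(o)]
    return availability_percent(samples, counted)


def service_credit_percent(avail: float) -> int:
    """Constructed credit schedule (not from the paper): 0, 10 or 25 percent."""
    if avail < 95.0:
        return 25
    if avail < AVAILABILITY_TARGET:
        return 10
    return 0


if __name__ == "__main__":
    samples = parse_probe_log(build_sample_log())
    for o in find_outages(samples):
        print(f"outage {o.start:%H:%M}-{o.end:%H:%M} ({o.duration})")
    for label, value in (("customer", customer_view(samples)),
                         ("provider", provider_view(samples))):
        print(f"{label}: {value:.3f}% available, credit {service_credit_percent(value)}%")
```

On the constructed day the customer’s log shows 37 minutes of downtime (about 97.4%, below the 99% target), while the provider’s exclusions leave 100%, which is exactly the gap a customer-kept record is needed to argue.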
3.3.3 Governance

Strong governance is needed in order to identify, assess and mitigate risks related to cloud computing. Paquett, Jaegar and Wilson (2010) and KPMG (2014) reported the need for access governance, controls, security audits and management sponsorship of cloud-related training programs. Organizations need to ensure controls and processes are in place prior to contracting with a cloud provider (Bean, 2009). As per Paquett et al. (2010), “a key determinant in the success of cloud computing” is the ability to manage the risks (Introduction, para. 2).


3.3.4 Other Risks

.1 Business Continuity/Reputation Risks

Organizations open themselves up to new reputation risks when moving to a cloud environment. If there is a disruption in the service, downtime or a service failure, this could result in financial loss to the customer and its customers. If a provider goes bankrupt, it is difficult for customers to change providers quickly (K.B. Green & B.P. Green, 2014). The cloud service provider may expose the customer to claims/liabilities and may “tarnish the customer’s reputation” (Freedman & Gervais, 2011, Liability/reputation, para. 1).

.2 Legal Challenges

There have been few cloud-related legal challenges to date and almost no case law; therefore, legal counsel and internal auditors need to be aware of any potential issues related to security breaches, intellectual property, trade secrets and release of data to 3rd parties (Bean, 2009). Cloud services involve data being transformed by a 3rd party. One party may receive the initial data and another party adds a tool and updates the data. If the contract does not clearly state who owns the data and at what point in time, this could create confusion and generate more lawsuits in a cloud environment (Gilbert, 2010). A survey done by Bradshaw, Millard and Walden (2011) highlighted the need to carefully review all contract terms and conditions, even clauses that might appear to be standard. Many providers include disclaimers for any liability or warranty and for any issues related to the services actually performing as promised. For example, many providers’ SLAs “exclude the majority of causes of cloud service outage” and the only remedy is a credit for future services (p. 221, para. 5). Depending on the type of cloud services, some cloud providers may offer all, or portions of, their contract in the form of an online agreement, sometimes referred to as a ‘click wrap’ agreement. Hon, Millard and Walden (2012) referred to this as the ‘click-through trap’.

Click wrap cloud agreements require customers to accept all terms ‘as is’ with no opportunity to negotiate any of the terms. Cloud providers’ contracts are structured to protect the provider, and customers do not have much bargaining power (Noble Foster, 2013). Many providers will not modify any of their terms (Kalyvas, Overly & Karlyn, 2013; Gilbert, 2010). However, organizations should attempt to negotiate contract terms in all types of cloud agreements in order to balance the risks.

.3 Cost as a Risk

A blog by Gupta (2011) identified the top five (5) cloud concerns as vendor assessment (adequate security controls), data protection (format and accessibility), reputation (background check), data sensitivity (sensitive data protection) and cost. Four of the five concerns are included in the evaluation of risks identified in other papers; however, cost as a risk was not identified in all of the articles. The majority of articles identified cost savings and only some authors


raised the issue of ‘security costs’ offsetting any perceived savings of going to a cloud environment. Security breaches can be considered hidden costs that can be hard to estimate. Noble Foster (2013) advised that any savings might “quickly evaporate with a single hacking incident, a cloud providers unexpected interruption of service or sudden lack of accessibility to data due to power outage or natural disaster” (p. 17, para. 3). Data breaches can be very costly to organizations. A study conducted in 2009 disclosed that 45 organizations experienced breaches with “an average cost of $6.7 million, ranging from $750,000 to almost $31 million…with data breaches costing an average of $204 per compromised record.” (Kalyvas, Overly & Karlyn, p. 19, para. 3.)

Summary of Risks

There are challenges for both organizations and providers with issues related to security and privacy, such as unauthorized access, loss of privacy, data replication and regulatory violation, including the provider’s physical location. Organizations also have to deal with risks related to loss of control (governance), availability (access), performance and potential business continuity and reputation risks, as well as legal risks (liability and intellectual property issues). Cost has also been identified as a risk.

3.4 Summary of Main Rewards and Risks

A high level summary of the main rewards and risks is as follows:

Rewards                                                        Risks
Efficiency                                                     Security – security, data & privacy
Scalability (flexible capacity)                                Regulatory & Privacy Compliance (incl. physical location)
Lower upfront costs (affordable technology)                    Cost (service availability issues and security breach related costs)
Green IT                                                       Governance – lack of governance, controls (audits)
Business Agility                                               Lack of Control/Service Availability – access & performance
Focus – Core Competencies (more time for innovation)           Business Continuity/Reputation
Social Business – collaboration among end users & customers    Provider’s lack of ownership for liability issues and intellectual property issues

Table 1. Rewards & Risks for Cloud Computing

The main benefits/rewards of cost reduction and service flexibility are driving organizations toward cloud solutions (Kalyvas, Overly & Karlyn, 2013). Tufts and Weiss (2013) reported that cloud computing offers government entities cost-effective ways to deliver IT solutions; however, in order to realize the benefits “it is


particularly important to concentrate on the establishment, negotiation and management of high-quality cloud computing contracts” (p. 8, para. 3).

3.5 Risk Mitigation from IT, Legal and Purchasing Perspectives

Before looking at ways to mitigate risks, organizations need to ensure they understand the main risks and at what stage they might be mitigated. Cloud computing environments present new data security issues to customers. The approaches that enable customers to achieve scalability, flexibility and lower costs (the rewards) are the same approaches that can increase risks to organizations. Organizations need to review the types of risk that may occur, particularly from an e-security failure perspective. As per Slack (2010), “any advance in processes or technology creates risk. No real advance comes without threats or danger” (p. 577). This applies particularly to e-business. From a risk management perspective, organizations need to include contingency and business continuity planning, with safeguards set in place for internal and external systems (English, 2012). Research suggests that risks can be mitigated during various stages, from selection of the cloud service provider to the contract award, as follows:

3.5.1 Due Diligence

a) Due Diligence – Cloud Investigation Stage (IT): Kalyvas, Overly and Karlyn (2013) proposed that organizations evaluate the risks associated with cloud computing by looking at:

a) “The criticality of the business process being supported by the cloud solution, and

b) The sensitivity of the data that will be stored on the cloud” (p. 19, para. 5).

When an organization is contemplating a cloud solution, it should evaluate the overall exposure and risk to the organization. Kalyvas, Overly and Karlyn (2013, p. 11) developed a ‘Cloud Computing Risk’ assessment graph that can be used to plot a) the criticality of the business process and b) data sensitivity to see the ‘overall risk profile’ (low, medium or high risk) of implementing a cloud solution. The following graph is a helpful tool for organizations to determine and view the risk level before a cloud services solution decision is made:


Figure 5. Cloud Computing Risk Assessment Approach

Gartner (2010) suggested there are five (5) initial phases IT should follow when an organization is considering cloud computing. These phases or steps are:

• Build a business case - ensure the ‘key initiative’ is linked directly to business objectives and gain senior leader support,

• Develop a strategy that aligns with the organization’s overall strategy,

• Assess readiness by developing a total cost of ownership framework and policies/procedures to assess and manage risks and governance,

• Pilot a mini project and incorporate results/lessons learned, and

• Gain approval by updating the business case with the results of the pilot and presenting it to senior management for buy-in.

In addition, IT needs to ensure contingency and business continuity plans are in place prior to moving to a cloud environment.

b) Due Diligence – Vendor Selection Stage (Purchasing, Legal and IT): Risks associated with cloud services could be mitigated during the procurement and vendor selection process. The KPMG (2014), Freedman and Gervais (2011) and Kalyvas, Overly and Karlyn (2013) articles mentioned due diligence. Based on their observations and procurement best practices, prior to selecting a cloud provider organizations must assess total cost of ownership and confirm the potential cloud service provider’s experience/background, including:

• Number of years in business,

• References,

• Financial viability (including any 3rd party sub-contractors they depend on),

• Provider’s physical site (inspection), and

• Feedback from other organizations, user groups and industry forums.

As part of their proposal to provide cloud services, potential providers should provide a sample of their SLA and log files (type of data recorded), reports and information regarding their auditing practices, and their authentication and authorization processes (Krutz, Vines & Brunette, 2010). In addition, organizations should ask potential provider(s)/vendors:

• Is the cloud provider’s data center/operation available for physical inspection?

• Has the vendor had any security breaches? Potential checking can be done via an internet search (Blinsky, 2013),

• Does the vendor have a governance process with their providers?

• Does the vendor have a standard, phased implementation plan/model?

• Is the provider willing to negotiate?

Green and Green (2014) mentioned potential concerns with a small provider being sold to a larger organization. Organizations need to consider how this might affect the services and protection of data. Annual audit and financial checks may be a proactive approach to address this concern. IT needs to become familiar with, and understand, all industry-specific terms and standards that relate to third party cloud service audits, such as ISO 27001 and SAS 70 (K.B. Green & B.P. Green, 2014), and SSAE 16 (Goudreault, 2014). This includes independent certifications to ensure providers meet all of the industry standards (Hon, Millard and Walden, p. 112). IT and Purchasing employees involved in any existing or anticipated cloud initiatives should be aware of cloud IT terms and the potential providers’ full range of services offered, as well as clearly understand their own organization’s cloud SaaS strategies. To ensure they are making an informed choice of cloud providers, IT’s risk assessment could follow CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing (v. 3.0, 2011) and/or Ouedraogo and Mouratidis’ (2013) C.A.R.E. (Complete-Auditable-Reportable) approach to determine and select a trusted cloud service provider. CSA’s website has many resources for risk mitigation, such as ensuring providers meet CSA’s Cloud CERT – Security and Knowledge program requirements and checking whether they are listed in CSA’s STAR – Trust and Assurances registry. IT needs to perform a risk analysis of the data security risks prior to moving confidential data to the ‘cloud’ (Sangroya, Kumar, Dhok, & Varma, 2010). Organizations should perform a Privacy Impact Assessment (PIA) as well as use a Plan, Do Act Control (PDAC) model to ensure rewards outweigh the risks (Aleem & Sprott, 2013, Migration on the cloud, para. 1).
In addition, IT could perform pre-contract security penetration testing to check for “security issues such as integrity and robustness of the providers security policy and information technology systems, and how the users’ data are separated from other users data” (Hon, Millard & Walden, 2012, p. 113, para. 3).

3.5.2 Business, Legal and Regulatory Risk Mitigation Stage

As per KPMG’s Top 10 Internal Audit Considerations for Technology Companies report (2014), “the greatest opportunity to mitigate or remediate risks lies with proactive involvement of the IT team” (p. 9, para. 2). Purchasing best practices need to take this one step further and ensure the proactive involvement of Purchasing and Legal as well. Cloud service providers must comply with FIPPA, and depending on the jurisdiction and type of information, the data center and the information itself must be physically located in Canada (OIPC, 2012). Customers need to have controls in place to ensure regulatory and policy compliance is enforced. The cloud provider should provide potential customers with a copy of its security policies and an explanation of how it will meet the organization’s privacy and confidentiality policies and regulations. Bean (2010) and KPMG (2014) provide suggestions from internal auditors’ perspectives. They believe internal auditors need to develop their knowledge base on cloud computing and that more stringent security measures should be applied to cloud services than are applied to internal IT services. Aleem and Sprott (2013) confirm that IT audits should be part of an overall cloud strategy. Green and Green (2014) discussed the critical risks and the need for strong encryption; they write from a business, rather than technical, perspective. Krutz, Vines and Brunette’s book, Cloud Security: A Comprehensive Guide to Secure Cloud Computing (2010), offers a good starting point for organizations considering going to a cloud environment. Chapter 8: Useful Next Steps and Approaches contains a list of questions to ensure due diligence by customers, and also includes a reference tool for cloud providers.
A new book by Samani, Reavis and Honan (2015), CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security, is a great resource for IT managers on how to integrate security planning into cloud initiatives and how to deal with the implications of privacy in different geographic regions. The book’s introduction advised that it “is intended to present the research within the multitude of CSA working groups, as well as incorporate the research and findings across other relevant sources. It should be used as a reference for CSA research and also a broader cloud security reference guide” (p. 17-20). The Law Society of BC published a Cloud computing checklist for lawyers considering moving their firm’s data to the cloud (Blinsky, 2013). The checklist is a great risk assessment tool; it offers a series of questions that cover a range of issues that organizations should consider before engaging with a cloud service provider.


Tufts and Weiss (2013) identified legal and regulatory challenges and the need to negotiate cloud contracts. They developed a contract assessment framework and negotiation strategies aimed at government agencies considering moving IT services to the ‘cloud’. The framework will be presented at the end of Section 3.6 of this paper.

3.5.3 Risk Mitigation Categories

Starting with the top three (3) risk categories outlined by Aleem and Sprott (2013), and the 4th category of other, research suggests the following contract terms and/or areas be considered in order to mitigate the risks associated with contracting with cloud service providers:

.1 Security and Privacy

• Strong data encryption (source code),

• Compliance with privacy regulation(s),

• Security monitoring and security audits,

• Data breach notification & plan for security/privacy breaches, and

• Back up of data.

.2 Lack of Control of Service Availability (SLAs)

Ensure inclusion of a cloud service specific SLA to control, monitor and measure performance and availability of services.

.3 Governance

Ensure there is organizational governance in place as well as program and project governance, including controls, decision-making processes and accountability.

.4 Other

a) Standard contract clauses to be customized for cloud services include:

• Services (definition for cloud services),

• Pricing Protection,

• Dispute Resolution,

• Liability/Indemnification,

• Insurance (see new clause for cyber insurance),

• Intellectual Property Rights,

• Disaster Recovery/Business Continuity plans,

• De-commissioning services – transitioning to another provider, and

• Termination clause (exit obligations/penalties).

b) New cloud specific contract clauses that should be considered include:

• Benchmarking/Vendor Performance Management (KPI/Scorecard),

• Cyber Insurance,

• Governance,

• Exclusivity,

• Implementation, and

• Training.

3.6 Key Contract Terms and SLA Metrics to Mitigate Risks

Overview

As identified in the previous section, there are many business and legal (regulatory) risks associated with moving to a cloud environment; therefore organizations need to ensure their contracts with cloud providers deal with the above risks from IT, Legal and Purchasing perspectives. Current SLAs are service provider focused and need to be more ‘customer centric’ (Stamou, Morin, Gateau et al., 2012).

This section begins with a review of security and privacy issues, SLAs and governance concerns, followed by a review of standard contract clauses that should be customized for cloud services, as well as potential new cloud specific clauses that should be negotiated into agreements to mitigate risks. Some research articles highlighted the clauses/provisions that require close attention and negotiation, while other articles presented sample clauses the authors proposed customers consider adding to their cloud agreements. This section also includes the Cloud Computing Contract Assessment Framework provided by Tufts and Weiss (2013). Based upon the literature review, additional key contract terms and SLA metrics are incorporated into an updated framework, which is presented in Section 5, Recommendations & Conclusion. Section 3.6 is followed by a literature review of negotiation strategies for cloud contracts in Section 3.7 and ends with a review of themes important for successful contracting in Section 3.8.

Starting with the four categories identified in the previous section, the research suggests the following considerations, along with applicable measures and language, be added to contract clauses in order to mitigate the risks of contracting with cloud service providers.

3.6.1 Security and Privacy

Several authors (Bean, 2009; Freedman & Gervais, 2011; Gilbert, 2010; K.B. Green & B.P. Green, 2014; Krutz, Vines & Brunette, 2010; Hon, Millard & Walden, 2012) recommend similar measures to deal with security and privacy issues in cloud contracts, as follows:

• Data Security- Ensure there is strong data encryption and contract language confirms the source code is provided,

• Compliance with Privacy regulation(s) – Ensure compliance with privacy legislation by ensuring data segregation (add as an attachment to the contract),


• Security monitoring, security audits and audit rights - Establish process for monitoring/auditing, e.g. how is it done, by whom and how often (by customer, provider or by a 3rd party?)

• Data breach notification – Outline the method and timelines for breach notification,

• Plan for security/privacy breaches – Outline steps to take when breach occurs, and

• Back up data – Include details of how and when regular backups will occur.

Bradshaw, Millard and Walden (2011) analyzed and compared providers' standard contract terms and conditions that were made available on the providers' websites. The research provided a summary of the main terms customers should keep in mind when reviewing contract terms and conditions. In addition to the data security, privacy and protection issues noted above, they also identified data integrity and preservation issues, as well as resolution of disputes (and the location for those disputes) and warranty, service and acceptance of liability issues. Many providers want the contract to be enforceable in their own jurisdiction and try to exclude any warranty, service and acceptance of liability (p. 220).

Noble Foster (2013) identified the key contract problem areas as data security, privacy and confidentiality. He then reviewed these clauses in four (4) leading cloud providers' contracts and suggested how to modify the clauses to mitigate risks to organizations, so that the contract terms are not solely for the provider's benefit (p. 8).

Kalyvas, Overly and Karlyn (2013, p. 20) proposed organizations include specific contract clauses/provisions for data ownership, data security, redundancy and conversion as follows:

• Data Ownership & Rights – Provision ensuring the standard data ownership clause clearly states “that the customer owns all data stored by the provider for the customer and that the provider is obligated to keep all of the customer's information confidential except for performance of the services” (p. 3, para. 4),

• Data Security Provision related to general security, access and maintenance of customer’s information, ensuring a secure environment and security controls, and security audits at customers request,

• Data Redundancy Provision related to backing up of customer’s data, including frequency and related reporting requirements, and

• Data Conversion Provision related to delivery of data at the start of the services and the return, and destruction of data at the end of the contract term.

Sample clauses for data security, redundancy and conversion proposed by Kalyvas, Overly and Karlyn (2013) are attached as Appendix A. Cloud specific clauses are constantly evolving; however, these sample clauses are a good starting point for organizations to consider incorporating into cloud contracts.


3.6.2 Lack of Control of Service Availability (SLAs)

Aleem and Sprott (2013) identified the SLA as “one of the most important areas to consider when evaluating a cloud provider” (p. 14). The SLA must include key metrics that will measure and monitor the services. Key metrics should include availability (scalability), performance (reliability), security, compliance and data retention, and the target levels must be SMART (Rose, 2011). Shaw (2011) advises that SLA metrics need to be relevant to performance and not to the technology itself. Almathami (2012) suggests that metrics could also include trust, violation ratio and elasticity. SLAs should also include a metric for customization, to allow for changes in numbers such as the number of concurrent users (Alhamad, Dillon and Chang, 2010). Alhamad, Dillon and Chang (2010, p. 4) suggested five common SLA metrics, as follows:

Metric (parameter) | Description
Reliability (performance) | Ability to keep operating in most cases
Usability | Easy built-in user interface
Scalability | Flexibility for number of users (individual or large organizations)
Availability (uptime/downtime) | Uptime of software users in specific time
Customizability | Flexible to use with different types of users

Table 2.1 SLA Metrics

Tong, Nguyen and Jaatun (2012) advised the main SLA metrics are availability and performance (reliability). They also suggested that SLAs could measure security performance levels by using confidentiality and integrity as metrics. These metrics could measure the level of trust an organization has in the provider's ability to keep the data secure. They could be included in SLAs or, alternatively, incorporated into a vendor management performance scorecard:

Metric (parameter) | Description
Performance | Reliability from a performance perspective
Trust | Trust in vendor, from a vendor management perspective (the cloud vendor and 3rd party provider), revealed from the audit report (post)

Table 2.2 Additional SLA Metrics

The types of data that could measure the security of the customer's data include access control, audit verification, and incident management and response. Bernsmed et al., as cited by Tong, Nguyen and Jaatun (2012), offered a visual of this concept, which is attached as Appendix B.

SLA metrics need to be meaningful, measured and reported on. Internal clients, IT, Purchasing and Legal need to ensure metrics (and their underlying measures, p. 7) are well defined and understood so that reliable service measures can be part of the contract deliverables. Salem (2012) suggested SLAs need to include service guarantee metrics, the time period, scale and service guarantee exclusions, as well as a service credit if the guarantee is not met, and how and who is responsible to measure and report any service violations. Salem's (2012) article concluded with recommendations to cloud providers on how they might improve their SLAs in future. SLAs that share the risks more evenly may help providers differentiate their service offerings from those providers unwilling to make any changes to their contracts.

Hon, Millard and Walden (2012) advised that service credits may not be an adequate deterrent and that providers might offer a money back guarantee. Service guarantees could include nonfinancial remedies such as, for each service failure, documenting how the provider will prevent recurrences (root cause analysis), assurances that the support team is adequate for the service, and contract language that the provider cannot bid on other opportunities if SLA metrics are not met (Shaw, 2011, p. 38).

NIST (2015) advised that an SLA provides a measurement of the business level objectives or performance level (p. 8). NIST has a Cloud Computing Service Metrics Description document (2015) currently being drafted by a working group. The audience for the service metrics document is government agencies, auditors, cloud customers and providers. The document provides a cloud service metric (CSM) model that defines the elements needed to describe the metric itself, such as availability and performance, the parameter and the metric rule. IT managers can use their expertise to lead the decision on the standard metrics and relevant measurement (unit of measure and scale) to be used in the SLA.
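The SLA elements Salem (2012) lists (the guarantee metric, the measurement period, the exclusions, the service credit, and who measures and reports) can be made concrete with a small availability calculation. The following is an added worked example written for this page; it is not from the paper or from any of the cited authors. It assumes a hypothetical monthly availability target of 99.9%, a hypothetical tiered credit schedule, and the common exclusion that announced maintenance windows count neither as downtime nor as scheduled time; the incident and maintenance data is constructed.

```python
"""SLA availability measurement with exclusions and a service-credit schedule.

Added worked example; it is not from the paper or from any cited author.
The 99.9% target, the credit tiers and the rule that announced maintenance
windows are excluded from scheduled time are all hypothetical, and the
incident data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Window:
    """A half-open time interval [start, end)."""
    start: datetime
    end: datetime

    def length(self) -> timedelta:
        return self.end - self.start

    def overlap(self, other: "Window") -> timedelta:
        """Length of the intersection with another window; zero if they do not meet."""
        latest_start = max(self.start, other.start)
        earliest_end = min(self.end, other.end)
        return max(earliest_end - latest_start, timedelta(0))


# Hypothetical credit schedule (availability floor %, credit as % of monthly fee),
# listed from the target downwards; the first floor that is met applies.
CREDIT_TIERS = [
    (99.9, 0.0),
    (99.0, 10.0),
    (95.0, 25.0),
    (0.0, 50.0),
]


def unexcused_downtime(incidents, maintenance) -> timedelta:
    """Outage time that counts against the provider: each incident minus any part
    that falls inside an announced maintenance window (windows assumed non-overlapping)."""
    total = timedelta(0)
    for inc in incidents:
        excused = sum((inc.overlap(m) for m in maintenance), timedelta(0))
        total += inc.length() - excused
    return total


def availability_percent(period: Window, incidents, maintenance) -> float:
    """Availability over the measurement period, with maintenance removed from
    both the numerator and the denominator so it neither helps nor hurts."""
    scheduled = period.length() - sum((m.length() for m in maintenance), timedelta(0))
    up = scheduled - unexcused_downtime(incidents, maintenance)
    return 100.0 * (up / scheduled)


def service_credit_percent(availability: float) -> float:
    """Map a measured availability onto the credit schedule."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def evaluate(period, incidents, maintenance) -> dict:
    """Produce the figures a customer-side SLA report would carry."""
    availability = availability_percent(period, incidents, maintenance)
    return {
        "unexcused_downtime_minutes": unexcused_downtime(incidents, maintenance) / timedelta(minutes=1),
        "availability_percent": round(availability, 4),
        "service_credit_percent": service_credit_percent(availability),
    }


# Constructed data: one calendar month (April 2015), one announced maintenance
# window, and two outages, one of which partly overlaps the maintenance window.
SAMPLE_PERIOD = Window(datetime(2015, 4, 1), datetime(2015, 5, 1))
SAMPLE_MAINTENANCE = [Window(datetime(2015, 4, 5, 2, 0), datetime(2015, 4, 5, 4, 0))]
SAMPLE_INCIDENTS = [
    Window(datetime(2015, 4, 5, 3, 30), datetime(2015, 4, 5, 4, 30)),   # 60 min, 30 excused
    Window(datetime(2015, 4, 10, 9, 0), datetime(2015, 4, 10, 9, 45)),  # 45 min, none excused
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_PERIOD, SAMPLE_INCIDENTS, SAMPLE_MAINTENANCE))
```

For the constructed April 2015 data this reports 75 minutes of unexcused downtime, 99.8259% availability and a 10% credit. The point for the contract is that every input to that result (what counts as an outage, which exclusions apply, over what period, and who records the incidents) has to be defined in the SLA; otherwise the provider and the customer will compute different numbers from the same incidents.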
Zielinski (2009) suggested organizations also establish a service level agreement with their internal IT team to clarify the roles and responsibilities of IT help desks. Laying out clear responsibilities between the cloud provider and internal IT will let end users know who to turn to if they require technical assistance. Instead of an SLA, a contract project charter with a specific section detailing technical assistance could be made available to internal staff as a help guide.


3.6.3 Governance

KPMG (2014) stressed the importance of aligning controls to the new cloud environment by establishing clear roles and responsibilities between the cloud provider and the organization, as well as access governance program and process documents. Paquet et al. (2010) recommended IT specific governance, including oversight from a risk management perspective and decision making processes and accountability through a roles and responsibilities document. This could be accomplished by inclusion of a project charter as part of the contract. In addition, Goudreault (2014) recommended a formal SaaS strategy be part of governance. IT's roles with respect to cloud services could also be outlined in an internal SLA for the organization's employees (Zielinski, 2009).

3.6.4 a) Standard Form Contract Clauses to Customize for the ‘Cloud’

Standard form service contract clauses need to be customized to cover the increased risks, to protect an organization's needs and to meet any specific legal requirements as it moves to a cloud services model (Goudreault, 2014). Tufts and Weiss (2013) discussed the importance of negotiating and managing ‘high-quality’ cloud computing contracts. They reported that organizations sometimes sign master service agreements (MSA) or standard contract documents “without properly reviewing, negotiating, and modifying the terms and conditions” of the provider's contract to meet the best interests of the organization (p. 8, para. 2). In addition to the above security & privacy, SLA and governance concerns and contract terms/clauses, several authors (Bean, 2009; Freedman & Gervais, 2011; Gilbert, 2010; Goudreault, 2014; Hon, Millard & Walden, 2012; KPMG, 2014; Zielinski, 2009) confirm the following standard clauses should also be negotiated and customized for cloud services:

• Services- the description of the cloud services needs to be specific, yet broad enough, to cover a potential issue (in case the provider states it was out of contract scope). If the services require a phased pilot approach this could be added to the services description section (Kalyvas, Overly and Karlyn, 2013),

• Pricing/Fees – price flexibility if the number of users increases or decreases, as well as pricing protection upon the renewal term (e.g. not to exceed CPI) (Zielinski, 2009; Kalyvas, Overly & Karlyn, 2013),

• Dispute Resolution – develop a process for dispute resolution and state where this would take place (Goudreault, 2014, Gilbert, 2010),

• Liability/Indemnification – Zielinski (2009) suggested an indemnification clause that would fully protect the organization for any breaches, while Freedman & Gervais (2011) suggested a risk allocation approach, and Hon, Millard and Walden's (2012) study found that many providers cap liability,


• Intellectual Property Rights – important to include where property may become a work product therefore needs definition (Bean, 2009; Hon, Millard & Walden, 2012; Kalyvas, Overly & Karlyn, 2013),

• Disaster Recovery/Business Continuity plans – develop the plan and detail what it includes, e.g. complete restoration? How long? (Bean, 2009; Freedman & Gervais, 2011). Hon, Millard and Walden (2012) advised some organizations recognized the need to have their own data backup strategy,

• De-commissioning services – method to transition to another provider, and removal and proof of removal of data (Kalyvas, Overly & Karlyn, 2013),

• Warranties – review warranty offer related to specific services provided (Hon, Millard & Walden, 2012; Kalyvas, Overly & Karlyn, 2013), and

• Termination – Ensure no ‘vendor lock-in’ clauses exist and include a transition plan and/or exit obligations for either party (Goudreault, 2014; Hon, Millard and Walden, 2012).

3.6.4 b) New ‘Cloud’ Specific Clauses to Negotiate into Contracts

Organizations should negotiate new cloud specific clauses into agreements, such as:

• Benchmarking – use of a scorecard/KPIs to assess providers overall performance (Forrester, 2014; Goudreault, 2014),

• Cyber Insurance – specific insurance policy to cover for privacy and/or security breaches (Scott, 2014; Noble Foster, 2013; Kalyvas, Overly & Karlyn, 2013),

• Exclusivity – review providers clause to ensure no lock in (Kalyvas, Overly & Karlyn, 2013),

• Implementation - phased pilot project approach- this could be its own clause or be a sub-clause to Services (Kalyvas, Overly and Karlyn, 2013; Krutz, Vines & Brunette, 2010),

• Training – sub-clause to Services (Kalyvas, Overly & Karlyn, 2013).

3.6.5 Cloud Computing Contract Assessment Framework

Tufts and Weiss (2013) developed a ‘Cloud Computing Contract Assessment Framework’ with 12 key contract issues/areas and used this framework to assess five (5) public sector cloud contracts (p. 9 & 10). Tufts and Weiss's framework created a ‘baseline’ that other organizations could apply when assessing cloud contracts. The framework is as follows:


Major Issues for Cloud Contracts | Description of Specific Elements

1. Pricing
• Pricing Caps (limit on pricing increase over time)
• Pricing Changes Notice (requirement to give notice prior to pricing changes)
• Pricing Changes Time Frame Limitation (limitation on how many pricing changes can occur within set time frame)
• Demand Pricing (requirement to match lower pricing offered to other similar entities when quantities, services, etc., are comparable)
• Costs for Special Services/Additional Quantities/Etc. (costs related to items not specifically included in the original contract scope)

2. Infrastructure Security/Right to Audit and Inspect
• Financial Audit/Review
• Performance Audit
• Infrastructure/Data/Security Assurances (broadly stated)
• Security Monitoring Practices (Logical and Physical)
• Data Segregation Practices
• Operations Management Requirements
• Employee Approval Processes for Sensitive Data
• Third-Party Audit and Inspection of Physical and Logical Security
• Review of Company Audit Logs, Event Logs, Testing Results Related to Physical and Logical Security (including specifications and topology diagrams)
• Forensic Access

3. Data Assurances
• Data Ownership: data custody, intellectual property, exclusion of data mining or selling, data processing ownership
• Access to Data: consent to access, government access and retrieval at sole discretion, process for access/retrieval
• Disposition of Data Upon Request: destruction authority, audit process
• Disposition of Data Upon Termination: data provision process, obligation to transfer, common data format, destruction authority, audit process
• Data Breaches: notification process, vendor obligations, government obligations, indemnification, remediation/penalties
• Data Storage Location: physical data storage requirements, data segregation requirements
• Litigation Holds: metadata/imaging, legal cooperation clause, data preservation/media preservation, cost allocation, redaction process, data provision process
• Public Records Requests (FOIA Requests): data provision process,

4. Governing Law, Jurisdiction, and Forum Selection
• Specified as North Carolina Pursuant to NC G.S. 22B-3

5. Service Level Agreements (SLAs)
• Definitions
• Parameters/Performance Requirements
• Monitoring and Auditing for SLA Compliance
• Technical Support
• Acceptable Use
• SLA Violation or Non-Performance Penalties Notice
• Specification of Remediation and Penalties for Non-Compliance

6. Outsourced Services
• Requirement to Inform Customer of Outsourced Functions
• No Assignment of Contract without Express Written Permission
• Approval of Subcontractors

7. Functionality
• Description of Functionality
• Notice of Substantive Changes
• Customer Right to Replace Product or Terminate Due to Substantive Changes

8. Disaster Recovery/Business Continuity
• Minimum Requirements
• Notification Process
• Inspection and Audit (covered under Technical Audit/Inspection)
• Penalties (covered under SLAs)

9. Mergers and Acquisitions
• Notice of Pending M&A
• Assignment Rights
• Contract Binding Upon M&A
• Continuity of Service

10. Compliance with Laws, Regulations, and Other Standards
• Specifications of Applicable Governing Laws
• Specifications of Applicable Regulatory Requirements
• Direct Liability
• Indirect Liability
• Limitations of Liability
• Warranties
• Indemnification

11. Terms and Conditions Modification
• Notice of Modification

12. Contract Renewal and Termination
• Renewal Options
• Obligation to Transfer
• Contract Release Without Show Cause
• Suspension of Services
• Non-Appropriation Clause
• Advance Notice of Contract/Service Termination by Vendor
• Escrow Language

Table 3. Cloud Computing Contract Assessment Framework (reproduced from Tufts and Weiss, 2013, Table 1)


The above Cloud Computing Contract Assessment Framework provided by Tufts and Weiss (2013) was used as a starting point and, based on the research conducted, it was updated with recommended additional key contract terms/clauses; the updated framework is presented in Section 5, Recommendations & Conclusion.

3.7 Negotiation

3.7.1 Top 6 Terms to Negotiate

A qualitative research study by Hon, Millard and Walden (2012) identified the top six (6) most negotiated terms: the provider's standard cloud contract terms that were not in the customer's best interest. These terms were:

1. “exclusion or limitation of liability and remedies, particularly regarding data integrity and disaster recovery;
2. service levels, including availability;
3. security and privacy;
4. lock-in and exit, including term, termination rights, and return of data on exit;
5. providers' ability to change service features unilaterally; and
6. intellectual property rights” (p. 83).

3.7.2 Tips to Successful Negotiation

Tufts and Weiss (2013) summarized their study with a lessons learned and best practices guideline for negotiating cloud contracts. A summary of the lessons learned included:

• “IT and Legal professions must work together to create a technically and legally sound contract
• All contracts, including cloud contracts, are negotiations
• All contracts involve some form of risk calculation” (p. 31).

They also recommended six ‘Best Practices in Negotiating Cloud Computing Contracts’ (p. 32) and of these six, the common approaches that apply to most organizations include the need to:

• Identify the contract term must-haves, the game changers, and have a backup plan of a second choice vendor if the provider won't meet the organization's terms,

• Take a team approach toward negotiation, include IT, Legal and Purchasing, and

• Always take time to carefully review, negotiate and modify the contract terms and conditions to meet the organization's needs.

Purchasing best practices include planning a negotiation strategy with internal clients and IT (Goudreault, 2014; Deloitte, 2013). Forrester (2014) suggested “negotiation planning should balance price, flexibility and risk mitigation” (p. 1, para. 1).

Negotiations have been initiated mainly by larger organizations (government or financial institutions), due to their internal procedures, support from legal counsel and their purchasing power (Hon, Millard & Walden, 2012). Increased competition in the marketplace may push providers to become more interested in negotiating, and to work with organizations proactively to share the risks, with the ultimate goal of securing contracts/business. As per Bradshaw, Millard and Walden (2011), “As the cloud marketplace expands and matures terms will evolve and diversify to more closely reflect customers' concerns and local legal framework under which customers operate” (p. 223).

3.8 Themes (Management Models) for Successful Contracting

This section highlights important themes related to successful cloud computing contracting, including governance and SaaS strategy, project management techniques and tools, purchasing best practices and vendor performance management. In addition, knowledge, trust, human capital and communication are key to successful contracting.

3.8.1 Governance and SaaS Strategy

As part of governance, organizations need to have an overall SaaS strategy. Forrester (2014) advised that most organizations have “a limited strategy for how they can gain business benefits from SaaS” (p. 3, para. 2). Some organizations have silos, divisions that would like to use SaaS, while an overall long term SaaS strategy has not yet been developed. IT needs to develop an overall cloud strategy with a vision that aligns with core business objectives (Deloitte, 2013). In order to stay on top of cloud trends, the SaaS strategy should be updated as required. According to the OPMT-505 Study Guide (Athabasca University, 2012, Section 7: Improvement, 7-10 Balanced Scorecard), “the Balanced Scorecard is a technique for aligning organizational strategy, operations strategy, and stakeholders.” The overall strategy is then translated into objectives and measures (KPIs) for each area of an organization.
A specific scorecard with relevant KPIs could be a part of a cloud services contract, as further described in 3.8.4 Vendor Performance Management of this section.

3.8.2 Project Management

.1 Operations Improvement

As organizations move from in house systems to cloud services, cloud computing initiatives should be set up as a project incorporating:

• Process mapping of the current and proposed future state,
• SMART objectives: specific, measurable, achievable, relevant and timely,
• Risk management and readiness assessment tools,
• Change management for training of staff/changes of job, and
• Continuous improvement models, such as PDCA (Plan, Do, Check, Act) (English, 2012).


.2 Project Planning

The project must be aligned to corporate objectives, have senior management support, and overall governance must be in place. Governance will provide the structure, the means of reaching the project's objectives, and determine how to monitor performance of the project (Muller, 2009). Projects themselves need to be governed and, as per Muller (2009), the focus is on:

• “Ensuring effectiveness by doing the ‘right projects’ and • Ensuring efficiency by doing ‘projects right” (p. 45, para. 2).

Moving IT systems to a cloud environment is a strategic initiative that affects many areas of the organization, so cloud projects need to be done right. As per Slack (2010), the project planning steps should include:

1. Identify activities in the project and gather data,
2. Estimate time and resources,
3. Identify relationships (e.g. Purchasing, Legal and Information Systems) and dependencies between activities. For cloud computing, it is imperative that internal or external legal counsel review any legal issues/implications of contract clauses,
4. Identify any scheduling conflicts/issues, and
5. Adjust the schedule as necessary.

Cloud services might include significant implementation services, including a pilot project in a test environment. This would allow for contingency and business continuity planning and could be covered in a specific implementation contract clause (Kalyvas, Overly & Karlyn, 2013; Krutz, Vines & Brunette, 2010).

.3 Continuous Improvement

Aleem and Sprott (2013) suggested Deming's PDCA improvement cycle, ‘Plan, Do, Check and Act’, could be used for the initial risk assessment and during the contract term to ensure there is continuous improvement in the process (p. 18). Forrester (2015) stressed the importance of including continuous improvement (CI) in the actual cloud services contract and recommended linking CI with the pricing and performance reporting (KPIs), for example a price reduction for improved efficiency in the next renewal term. This would “transfer more responsibilities to vendors and increase service delivery accountability” (p. 2). This is discussed further under 3.8.4 Vendor Performance Management. A visual of a Continuous Improvement model is as follows:


Figure 6. Continuous Improvement

.4 Benefits Realization

Benefits realization is an essential subcomponent of project and portfolio management. As per Simon (2013), “Benefit realization entails establishing a process and guidelines to measure actual financial and non-financial benefits of a program or project” (p. 1). A formal benefits realization process can help manage change and will confirm the value of the project to the organization at project completion and during sustainment. “To help move from an IT focus to a business focus, organizations need to improve their communication and relationships (social capital). IT needs to build effective relationships with all business units in order to truly understand the business needs and the best measures to realize benefits during and post project” (English, 2014).

3.8.3 Purchasing Best Practices

.1 Best Practices

Purchasing's role is to perform due diligence at all stages of contracting, including provider selection, negotiation of contract and SLA terms and costs, implementation of services, the contract term (contract & vendor management) and contract end (termination, including transition of services). Purchasing needs to lead ongoing contract & vendor management.

.2 Benchmarking Survey

Contract terms and SLA metrics could be shared among both private and public procurement and IT groups. The organization's Purchasing department could survey other like entities to see if they currently use, or are exploring using, cloud services and if yes, share contract clauses and lessons learned. Questions that could be posed include:

• Do you currently use or are you planning to use cloud services?
• If yes, do you have a cloud contract and/or clauses to share?
• Did you perform a benefits analysis and if yes, can you share your methodology?


The survey results and a summary of contract terms/clauses could be summarized and shared with respondents and internal IT and Legal, and be part of a due diligence approach.

.3 Tactical to Strategic Approach

Procurement, as a profession, has evolved from tactical to more strategic approaches. As per the BC government's IM/IT Enablers Strategy (2012), procurement methods have moved from “stated requirements and fixed price contract to an iterative process to leverage expertise in the private sector and co-develop solutions” (p. 2). Strategic relationships with IT vendors can develop better services and increased innovation. Purchasing needs to include strategic approaches in its procurement processes, including tender specifications, evaluation, vendor selection and contract negotiation. As per Forrester (2015), “organizations sourcing priorities are moving from cost to innovation” (p. 1, para. 3). With less focus on cost savings, organizations can spend more time on “stronger business and customer alignment” (p. 1, para. 4). They summarized the findings with a view that there will be a shift in sourcing strategy.

Purchasing best practices include staying abreast of current contract developments and any new clauses or modifications to existing cloud contract clauses. This includes trends from government and industry regarding policies and regulations with respect to data security and privacy issues, as well as new cloud service offerings. In addition, Purchasing needs to perform ongoing contract & vendor performance management. Gilbert (2010) spoke to the provider's responsibility to treat data with a duty of care. This duty of care also extends to the organization at the pre-contract, negotiation and contract monitoring stages.

3.8.4 Vendor Performance Management

SLAs may not address an organization's business needs, as they focus on the actual service measure and penalties, post service, rather than on improving the services. Therefore, a separate scorecard with measures (KPIs) could focus more on the relationship aspect of the contract (Forrester, 2015). Kalyvas, Overly and Karlyn (2013) referred to this as “post-execution – ongoing provider assessment” (p. 27, para. 3), while Forrester (2014) and Goudreault (2014) referred to this as ‘benchmarking’. This provider benchmarking could be added as a clause to the contract or as a scorecard (KPIs) included as part of the contract. DeSilva (2013) confirmed that SLAs focus on performance criteria from a technical, tactical perspective and that a “smaller number of metrics…that reflect the business objectives”, with assigned weights and scores, could be incorporated into a balanced scorecard to track a provider's performance. DeSilva (2013) also advised that scorecards can be used as a governance tool or as an incentive, which could be tied into a compensation model (e.g. a bonus for meeting or exceeding one of the goals/objectives).

Figure 7. Balanced Scorecard

3.8.5 Communication, Knowledge and Trust

Other important elements for successful contracting include communication, training, knowledge and trust. Employees must be kept apprised of new initiatives, IT employees and internal clients (end users) must have the capabilities (knowledge) to provide cloud services, and organizations must match supply and demand. Cloud initiatives affect many different areas of an organization; therefore, effective communication is important in creating a positive organizational culture. Deloitte (2013) recommended ongoing change management, training and communication for buy-in and continuous improvement as key to the success of cloud services. The organization and provider need to have the expertise and knowledge related to the specific cloud services, understand the contract documents and relevant terms, and there needs to be a level of trust in the relationship between the organization and the provider. In contracting relationships, trust is gained when both parties believe each other will behave as expected and deliver the services as required. Zissis and Lekkas (2010) viewed trust from an IT technical perspective and the need to deal with trust (and a trust certificate) at every layer in the system requiring a security guarantee. They proposed using a ‘trusted third party’ approach and cryptography “to ensure the confidentiality, integrity and authenticity of data and communication” (p. 585) to address security concerns. Alhamad, Dillon and Chang (2010) suggested that successful negotiation could increase the trust level of the provider-customer relationship.

Garrison, Kim and Wakefield (2012, p. 66) viewed trust from a vendor management perspective and their research concluded that successful cloud deployment can be achieved with a “user (customer) - vendor partnership” approach. Rather than solely looking at the vendor’s capabilities, organizations need to look at their own technical capabilities, management resources (training and experience) and their ability to build trust with the cloud provider. These 3 areas contribute to successful cloud partnerships.

Figure 8. Model of cloud deployment success, relational (vendor/customer) trust.

3.9 Literature Review Summary

As per Section 2.2, the goal of this applied project was to:

• Identify key risks of moving to a cloud environment for Software as a Service (SaaS),

• Summarize the key contract terms/clauses and SLA metrics that might mitigate those risks,

• Develop a proposed checklist or framework of key contract terms/clauses and SLA metrics for use by organizations, and

• Highlight any other themes important for successful contracting.

The literature review identified the main risks and the key contract clauses and SLA metrics to mitigate them, revealed a cloud contract framework with key cloud contract terms/clauses, confirmed the importance of negotiation in cloud contracts, and highlighted themes important for successful contracting.

4.0 ANALYSIS

The following analysis provides an overview, and the limitations, of the types of resources, industry standards organizations and websites used for this paper, as well as the current status of government cloud contracting in Canada.

4.1 Resources

4.1.1 Journal Articles/Academic Research Papers

The majority of the sources found are from an IT or legal perspective. For example, many of the journal articles are from legal counsel and IT managers/professionals (IT technology groups/associations). Some of the research articles are from consulting firms (KPMG, Deloitte) or research advisory firms such as Forrester and Gartner. None of the articles are strictly from a Purchasing perspective; however, Purchasing works closely with Legal. Purchasing is more involved at the due diligence stages of vendor selection, contract negotiation, and the contract management and performance management stages. Some research articles appear to be sponsored by IT companies such as IBM (Baset, 2012; Tufts & Weiss, 2013), Microsoft or Oracle, and/or some articles reviewed cloud contracts offered by the big five (5) cloud companies: IBM, Microsoft, Amazon, Google and Salesforce. Provider-sponsored articles might minimize or play down the risks associated with cloud computing.

Tufts and Weiss’s (2013) contract assessment framework and negotiation strategies were a great starting point for the development of an updated recommended checklist of terms/clauses organizations should consider when moving to the ‘cloud’.

4.1.2 Books

The research included a high level review of a few books. The books were mainly from an IT cloud security perspective; however, they also revealed useful due diligence steps, as well as questions that are helpful for organizations considering entering into a cloud environment.

A new book by Samani, Reavis and Honan (2015), CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security, is a great resource for IT managers on how to integrate security planning into cloud initiatives and how to deal with the implications of privacy in different geographic regions. The book’s authors have an impressive wealth of knowledge and experience. Samani is currently VP and Chief Technology Officer at McAfee and is Cloud Security Alliance CIO; Honan is a recognized information security expert in Europe and Ireland, has provided advice to the European Commission and is an expert in ISO standards (wrote ISO 27001); and Reavis is a writer, speaker, technologist and business strategist and is co-founder and CEO of the Cloud Security Alliance.

4.1.3 IT Industry Standards

The Cloud Standards Customer Council (CSCC), the Cloud Security Alliance (CSA) and the National Institute of Standards and Technology (NIST) were among the most cited standards bodies and therefore appear to be the main standards customers/organizations use. There are many cloud computing standards bodies and currently there is no ‘one dedicated’ cloud standard. It remains to be seen if this will be addressed in the future (Hon, Millard and Walden, 2012; Tong, Nguyen, Jaatun, 2012). The CSCC’s website advises that they are an end user advocacy group (http://www.cloud-council.org/about-us.htm) and their board of directors is made up of a mix of providers and organizations. However, review of some of their documents, in particular Public Cloud Service Agreements: What to Expect and What to Negotiate, reveals contract clause recommendations that are somewhat provider focused (Appendix A - D; p. 25 to 29). Notwithstanding this potential conflict, the documents the CSCC provides are very helpful for both organizations and cloud providers in understanding cloud services, the related risks and areas to consider for negotiation in cloud service agreements. The CSA’s website advises that they are a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”. The Cloud Security Alliance is led by industry practitioners, corporations and associations. NIST is an agency of the U.S. Department of Commerce that works with industry to develop and apply technology, measurements, and standards. NIST’s goals are to promote economic growth, science and information, and environmental stewardship in the US. Their economic growth sub-goals include innovation, entrepreneurship, market development, commercialization, trade promotion and compliance.
4.1.4 Magazine articles and blogs

Google word searches revealed online blogs and magazine articles with recent coverage of the status of cloud computing, industry spend and cloud trends, which is useful information, particularly since cloud computing is changing at such a fast pace. However, it is difficult to confirm the accuracy of this type of information.

4.2 Current State of Government Cloud Contracting in Canada

The US federal government started a cloud strategy in 2011 and NIST (2014) recently published a US government cloud strategy direction document that lays out a clear cloud strategy. As per Wiseman (2014), “the government of Canada has yet to follow other countries in a national strategy for cloud computing” (para. 7). The Canadian Government is currently working on a cloud strategy and cloud contract terms and conditions (Sheppard, 2015). Canada has been slow to develop a cloud computing direction and cloud computing contract documents and is lagging behind the US. This may hinder uptake by public organizations that are anxious to incorporate cloud services. It can also hold back progress on cloud regulations and standards. The Canadian Government’s goal is to have a strategy in place by this summer, which remains to be seen.

4.3 Overview of Resources

The Athabasca Library, ABI/Inform and Business Source sites, and Google Scholar searches revealed the majority of the journal articles and academic literature reviewed. Research also included articles from consulting and research advisory firms, magazines, blogs, books, as well as company and industry standards websites. There currently are many industry standards but no single standard, and it remains to be seen if one main standard will emerge. The majority of the sources found were from an IT or legal perspective and there was minimal literature specifically related to contracting for cloud services. Research revealed there are many risks associated with cloud computing and that some of the risks might be alleviated through contract negotiation and by incorporating cloud specific clauses into the contract and SLA between the cloud service provider and the organization. The following section provides recommendations to organizations considering moving to ‘cloud’ services.

5. RECOMMENDATIONS AND CONCLUSION

5.1 Recommendations

5.1.1 Overview

There are many risks associated with cloud computing; however, as summarized in section 3.4 of the literature review, organizations feel the rewards of lower cost and service flexibility outweigh the risks of moving to a cloud environment. As per section 3.6, some of the risks might be alleviated through contract negotiation and by incorporating ‘cloud’ specific clauses into the contract and SLA between the cloud service provider and the customer/organization. Currently, there are no comprehensive cloud contract templates or SLA standard agreement templates that are customer focused; customers rely on the service provider’s agreements. Therefore, a framework of cloud specific terms/clauses is presented for use by both public and private organizations. The final recommendations are a result of the findings from the literature review and from personal experience and observations. The following cloud computing risk mitigation contracting strategies will be presented in this section:

• IT and Purchasing should perform due diligence to mitigate the risks at the pre-contract stage,

• Cloud specific contract terms/clauses and SLA metrics need to be incorporated into cloud contracts to mitigate risks and a recommended framework of key contract terms/clauses and SLA metrics will be presented,

• Purchasing, Legal and IT need to negotiate the key contract terms/clauses, and

• There are themes, management models that are important for successful contracting.

Recommended cloud computing risk mitigation contracting strategies include:

5.1.2 Due Diligence

As described in Section 3.5, Purchasing, Legal and IT must perform pre-contractual due diligence. IT needs to perform cloud risk and readiness assessments, and Purchasing needs to perform a thorough vendor selection process and work with Legal to ensure local privacy and regulatory requirements are met. IT, Purchasing and Legal must then work collaboratively to review all business, legal and regulatory risks.

5.1.3 Recommended Framework of Cloud Specific Contract Clauses

As identified in Section 3.6 of this literature review, organizations’ standard service contract clauses currently do not cover cloud service risks. Organizations need to develop contract templates, or add risk-mitigating clauses to existing templates. There is also a need to develop SLA metrics to monitor and measure the cloud service provider’s performance in order to ensure successful contracting partnerships (Rose, 2011; Freedman & Gervais, 2011; and Goudreault, 2014). The Cloud Computing Contract Assessment Framework provided by Tufts and Weiss (2013) was used as a starting point and, based on the research conducted, it has been updated with the following recommended framework. The recommended new contract elements (bolded and noted in red in the original framework) are listed under ‘Recommended New Elements’ for each issue.

Recommended Cloud Computing Contract Assessment Framework

Major Issues for Cloud Contracts / Description of Specific Elements

1. Pricing
• Pricing Caps (limit on pricing increase over time)
• Pricing Changes Notice (requirement to give notice prior to pricing changes)
• Pricing Changes Time Frame Limitation (limitation on how many pricing changes can occur within a set time frame)
• Demand Pricing (requirement to match lower pricing offered to other similar entities when quantities, services, etc., are comparable)
• Costs for Special Services/Additional Quantities/Etc. (costs related to items not specifically included in the original contract scope)
Recommended New Elements:
• Price Flexibility up or down (number & type of users)
• Pricing Cap limited to Consumer Price Index (CPI)

2. Infrastructure Security / Right to Audit and Inspect
• Financial Audit/Review – Annual status or as required
• Performance Audit & Security Audit
• Infrastructure/Data/Security Assurances (broadly stated)
• Security Monitoring Practices (Logical and Physical)
• Data Segregation Practices – with specific Encryption language
• Operations Management Requirements (provider’s governance)
• Employee Approval Processes for Sensitive Data
• Third-Party Audit and Inspection of Physical and Logical Security
• Review of Company Audit Logs, Event Logs, Testing Results Related to Physical and Logical Security (including specifications and topology diagrams) – reporting of same, as required
• Forensic Access

3. Data Assurances
• Data Ownership: data custody, intellectual property rights, exclusion of data mining or selling, data processing ownership
• Access to Data: consent to access, organization’s access and retrieval at sole discretion, process for access/retrieval
• Disposition of Data Upon Request: destruction authority & process, audit process
• Disposition of Data Upon Termination: data provision process, obligation to transfer, common data format, data conversion, destruction authority, audit process
• Data Breaches: notification process (method & timelines), vendor obligations (steps if breach occurs), organization’s obligations, indemnification, remediation/penalties
• Data Storage Location: physical data storage requirements, data segregation requirements
• Litigation Holds: metadata/imaging, legal cooperation clause, data preservation/media preservation, cost allocation, redaction process, data provision process
• Public Records Requests (FOIA Requests): data provision process – jurisdiction specific, e.g. BC’s is FIPPA
Recommended New Elements:
• Data Security Provision – general safety, security, access and maintenance of organization’s information
• Data Redundancy – data back up plan (frequency & reporting)
• Data Compliance with organization/jurisdiction privacy regulations/laws

4. Governing Law, Jurisdiction, and Forum Selection
• Specified as North Carolina Pursuant to NC G.S. 22B-3
Recommended New Element:
• Update to local law/jurisdiction – e.g. Province of BC

5. Service Level Agreements (SLAs)
• Definitions
• Parameters/Performance Requirements (service guarantees)
• Monitoring and Auditing for SLA Compliance
• Technical Support (availability of support)
• Maintenance window (shut down time)
• Acceptable Use
• SLA Violation or Non-Performance Penalties Notice
• Specification of Remediation and Penalties for Non-Compliance (Service credits)
Recommended New Elements:
• Cloud service specific SLA metrics, parameters and measures, e.g. Reliability (performance), Availability, etc.
• Non-financial remedy for service failure, such as an investigation and a process to prevent re-occurrences
• Customization (flexibility to add up/down different types and number of users)

6. Outsourced Services
• Requirement to Inform Customer of Outsourced Functions
• No Assignment of Contract without Express Written Permission
• Pre-Approval of Subcontractors and/or 3rd party providers

7. Functionality
• Description of Functionality
• Notice of Substantive Changes
• Customer Right to Replace Product or Terminate Due to Substantive Changes
Recommended New Elements:
• Dispute Resolution process and location for disputes (Commercial Arbitration Act)
• Exclusivity

8. Disaster Recovery / Business Continuity
• Minimum Requirements
• Notification Process
• Inspection and Audit (covered under Technical Audit/Inspection)
• Penalties (covered under SLAs)
Recommended New Element:
• Data back up plan – provider’s and organization’s

9. Mergers and Acquisitions
• Notice of Pending M&A
• Assignment Rights
• Contract Binding Upon M&A
• Continuity of Service

10. Compliance with Laws, Regulations, and Other Standards
• Specifications of Applicable Governing Laws
• Specifications of Applicable Regulatory Requirements
• Direct Liability
• Indirect Liability
• Limitations of Liability
• Warranties
• Indemnification to fully protect for any breaches
Recommended New Element:
• Cyber Insurance – consider the option of specific Cyber insurance

11. Terms and Conditions Modification
• Notice of Modification of any and all terms and conditions

12. Contract Renewal and Termination
• Renewal Options – ensure no Lock-In clause
• Obligation to Transfer
• Contract Release Without Show Cause
• Suspension of Services
• Non-Appropriation Clause
• Advance Notice of Contract/Service Termination by Vendor
• Escrow Language
Recommended New Elements:
• De-commissioning
• Severability
• Transition Plan/Process (exit obligations)

13. Services
Recommended New Elements:
• Definition: detailed description of the services, milestones and what is in scope
• Definition of all contract terms
• Implementation Plan or Pilot, if applicable
• License grants & restrictions
• Training Plan and follow up as required (state method & timeline)
• Governance – organization’s governance (e.g. project charter) and request a copy of the provider’s data governance process
• Data Conversion Plan – delivery of data at onset of services
• Vendor Performance Management Plan (KPIs)
• Warranty Commitment (may be in SLA)

Table 4. Recommended Cloud Computing Contract Assessment Framework

5.1.4 Recommended SLA Metrics

Research identified the top 3 SLA metrics as performance, scalability and availability, as follows:

Metric (parameter): Description
• Reliability (performance): Ability to keep operating in most cases
• Scalability: Flexibility for number of users (individual or large organizations)
• Availability (uptime/downtime): Uptime of the software for users in a specific time period

Table 5. Top 3 Recommended SLA Metrics

The SLA metric, parameter and metric rule should be customized for the specific cloud service being contracted. NIST’s Cloud Computing Service Metrics Description document (2015) is currently being drafted and will be a great resource for organizations.

5.1.5 Negotiation

Purchasing best practices include planning a negotiation strategy with internal clients and IT (Goudreault, 2014; Deloitte, 2013). Tufts and Weiss (2013) identified an approach to successful negotiations, starting with the need for organizations to identify the contract term ‘must haves’ and to have a back up plan of a second choice vendor, in case the provider won’t meet the organization’s needs. As competition in the marketplace increases, cloud providers are becoming more willing to negotiate contract terms with organizations (Bradshaw, Millard & Walden, 2011).

5.1.6 Themes for Successful Contracting

Organizations need to take advantage of management models that will lead to successful contracting, including: governance and SaaS strategies, project management techniques and tools (continuous improvement), and purchasing best practices, including ongoing contract and vendor performance management. In addition, knowledge, trust, human capital and communication are key to successful contracting. These apply to all contracts, not just cloud computing, and are necessary for successful provider selection, contract negotiation and contract execution for ongoing service delivery to meet the business needs of the organization. Section 3.8 provided details on the various themes mentioned.

5.2 Conclusion

5.2.1 Relevance & goal of this applied project

The goal of this applied project was to:

a) Identify key risks of moving to a cloud environment for Software as a Service (SaaS),

b) Summarize the key contract terms/clauses and SLA metrics that might mitigate those risks,

c) Develop a proposed checklist or framework of key contract terms/clauses and SLA metrics for use by organizations and;

d) Highlight any other themes important for successful contracting.

The research confirmed there are many risks associated with cloud computing, particularly with respect to data security and privacy risks and regulatory and privacy compliance. This paper analyzed the critical risks associated with cloud computing and identified and presented a framework of key contract terms and SLA metrics organizations need to negotiate into cloud contracts to mitigate these risks. The framework of key clauses provides organizations with a checklist of cloud specific clauses to include in the contract in order to protect their best interests from a business and legal contracting perspective.

The majority of current agreements are provider focused; therefore, negotiations are essential for cloud computing contracts (Tufts & Weiss, 2013). As organizations look for opportunities to move to cloud services in order to realize the benefits, they need to ensure providers are willing to negotiate contract terms and accept some of the risks. Increased competition and the purchasing power of large organizations seem to be driving negotiations for contract terms that are a win-win for both parties. The marketplace is maturing and contract terms will eventually more closely reflect organizations’ concerns (Bradshaw, Millard and Walden, 2011). As discussed by Hon, Millard and Walden (2012), “contract terms for cloud computing services are evolving, driven by users' attempts to negotiate providers' standard terms to make them more suitable for their requirements” (p. 1, para. 1).

The paper also highlighted themes important for successful negotiation of cloud computing contracts, including: governance, SaaS strategy, project management (operations improvement, project planning, continuous improvement, benefits realization), purchasing best practices, and vendor performance management. In addition, knowledge, trust, human capital and communication are key to successful contracting. These themes apply to all contracts, not only cloud services, and are necessary for successful provider selection, contract negotiation and contract implementation for ongoing service delivery to meet the business needs of the organization.

5.2.2 Main recommendations

The main recommendations to mitigate risks from a contracting perspective include:

1. IT and Purchasing should perform due diligence to mitigate the risks at the pre-contract stage,

2. There are key cloud specific contract terms and SLA metrics that organizations should incorporate into cloud contracts. A recommended framework of key cloud specific contract terms/clauses and SLA metrics was presented in Section 5.1,

3. Purchasing, Legal and IT need to negotiate the key contract terms and clauses. As the market evolves providers are willing to accept more of the risks and are starting to work with organizations (customers) to negotiate mutually acceptable contract terms and;

4. There are important themes (management models) that are key to successful contracting with cloud providers.

5.2.3 Ideas for future consideration

There are several ideas organizations can explore, or need to stay on top of, in order to improve successful ‘cloud’ contracting in the future. For example, industry sectors could increase their buying power by forming buying groups. Purchasing and IT professionals could form a cloud contract working group (public and private sector) to share cloud contract knowledge, sample clauses, issues and current risk mitigation ideas and to develop and maintain an updated contract framework. In addition, cloud industry regulators could try to push vendors toward addressing contract clause issues (Noble Foster, 2013, p. 18). Lastly, governments need to become more involved and push legislation to deal with customers’ privacy concerns.

5.2.4 Current and future state of cloud computing

Wiseman (2014) advised that there are not many examples of cloud services adoption, provincially and municipally, in Canada (para. 6). The Canadian government is currently reviewing responses to an RFI with the goal of developing a cloud strategy by this summer and therefore will soon follow other countries with a national strategy for cloud computing. Mechling (2014) of Gartner Research, as cited by Wiseman (2014), stated that “cloud computing is revolutionizing the world” and that, in order to realize the benefits, governments need to move to the cloud and collaborate on their requirements to improve their buying power. Cloud computing technology is enabling a significant shift in an organization’s technology business model (Aleem & Sprott, 2012; Samani, Honan & Reavis, 2015). Cloud service offerings and the industry continue to evolve at a fast pace and, as per Aleem and Sprott (2013), “Cloud services are expected to drive IT industry growth for the next 25 years” (p. 21). Gartner (2014) reported that by 2015 50% of all new independent software vendors will be SaaS providers and that by 2016 many organizations will be using some form of ‘cloud’ services. Therefore, organizations need to stay on top of market trends, the type of model in which services are being offered, any new ‘cloud’ market entrants and the evolution of cloud standards, regulations, legislation and cloud specific contract documents.

5.2.5 Limitations

Few of the articles researched spoke to ‘cloud’ specific procurement strategies, and they did not reveal any recommended cloud contract templates. The majority of articles were from an IT and Legal perspective. The suggested cloud contract terms and/or clauses were from legal firms’ perspective, with the exception of the framework presented by Tufts and Weiss (2013). These authors are academics with the University of Carolina and presented their recommendations from a business view versus a strictly legal perspective.

5.2.6 Further research

Current research has limited scope from a Purchasing contracting perspective. Ongoing analysis and research of cloud contract issues (lessons learned) is needed, as well as a current common framework and/or checklist of contract terms/clauses and SLA metrics that is maintained and made available to organizations as a shared resource. Purchasing and IT managers of public and private organizations, provincially and nationally, could meet to share any cloud contract templates they develop, to discuss ‘cloud’ contract issues and to discuss performance issues with specific providers. Continued communication and collaboration among Purchasing, Legal and IT professionals is imperative, particularly on breach and privacy issues.

Further research might reveal a similar framework of key cloud specific contract clauses and SLA metrics that could be developed for IaaS and PaaS cloud service models. In addition, organizations need to stay on top of recent developments with respect to privacy legislation and/or regulations within their jurisdiction and ensure cloud providers comply.


6.0 REFERENCES

Aleem, A., & Sprott, C. R. (2013). Let me in the cloud: Analysis of the benefit and risk assessment of cloud platform. Journal of Financial Crime, 20(1), 6-24. Retrieved from http://0-search.proquest.com.aupac.lib.athabascau.ca/docview/1242242133?accountid=8408

Alhamad, M., Dillon, T., & Chang, E. (2010). Conceptual SLA framework for cloud computing. Digital Ecosystems and Business Intelligence Institute (DEBII). Retrieved from http://dx.doi.org/10.1109/DEST.2010.5610586

Aljabre, A. (2012). Cloud computing for increased business value. International Journal of Business and Social Science, 3(1). Retrieved from http://search.proquest.com/docview/913056373?accountid=8408

Almathami, M. (2012). SLA-based risk analysis in cloud computing environments (Thesis, Rochester Institute of Technology). Retrieved from https://scholar.google.ca

Amazon Web Services. (2015). What is cloud computing? Retrieved from http://aws.amazon.com/what-is-cloud-computing/

BC Government. (2015). Freedom of Information and Protection of Privacy Act of BC. Queen’s Printer. Retrieved from http://www.cio.gov.bc.ca/cio/priv_leg/foippa/foippa_guide.page

BC Government. (2012). IM/IT Enablers Strategy V1.5. Retrieved from http://www.cio.gov.bc.ca/local/cio/about/documents/it_strategy.pdf

Baset, S. A. (2012). Cloud SLAs: present and future. ACM SIGOPS Operating Systems Review, 46(2), 57-66. Retrieved from https://scholar.google.ca

Bean, L. (2009). Cloud computing: what internal auditors need to know. Internal Auditing, 24(5), 34-38. Retrieved from ABI/Inform database (ProQuest document ID 214387723): http://proquest.umi.com/pqdweb

Betcher, T. J. (2010). Cloud computing: Key IT-related risks and mitigation strategies for consideration by IT security practitioners (Doctoral dissertation, University of Oregon). Retrieved from https://scholar.google.ca

Blinsky, D. (2013). Practice resource: Cloud computing checklist. The Law Society of British Columbia. Retrieved from www.lawsociety.bc.ca

Bradshaw, S., Millard, C., & Walden, I. (2011). Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services. International Journal of Law & Information Technology, 19(3), 187-223. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=iih&AN=64112914&site=eds-live

Carcary, M., Doherty, E., & Conway, G. (2013). The adoption of cloud computing by Irish SMEs: an exploratory study. Electronic Journal of Information Systems Evaluation, 16(4), 258-269. Retrieved from http://0-search.proquest.com.aupac.lib.athabascau.ca/docview/1521023374?accountid=8408

Cloud Security Alliance. (2011). Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. Retrieved from https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

Cloud Security Alliance. (2015). Anthem’s breach and the ubiquity of compromised credentials [Blog post]. Retrieved from https://blog.cloudsecurityalliance.org/2015/02/09/not-alone-92-companies-share-anthems-vulnerability/

Cloud Security Alliance. (2015). Top security questions to ask your cloud providers [Blog post]. Retrieved from https://blog.cloudsecurityalliance.org/2014/02/06/top-security-questions-to-ask-your-cloud-provider/

Cloud Standards Customer Council. (2015). Website. Retrieved from http://www.cloud-council.org/about-us.htm

Cloud Standards Customer Council. (2015). Website. Retrieved from http://cloud-standards.org/wiki/index.php?title=Main_Page

Deloitte. (2013). IT SaaS readiness assessment. WorkSafeBC. Retrieved from WorkSafeBC’s intranet purchasing site.

De Silva, S. (2013). A beginner’s guide to balanced scorecards. Supply Management, 18(9), 38-40. Retrieved from http://0-search.proquest.com.aupac.lib.athabascau.ca/docview/1472003141?accountid=8408

English, K. (2012). Operations process improvement proposal: electronic contracting and signature authorization. Operations Management, OPMT-505. St. Albert: Athabasca University, Faculty of Business.

English, K. (2014). Project management: benefits realization individual assignment. EPMG-681. St. Albert: Athabasca University, Faculty of Business.

Forrester Research Inc. (2014). TechRadar: Software-as-a-service, Q1 2014. Retrieved from WorkSafeBC’s intranet purchasing site.

Forrester Research Inc. (2015). Be aware of these sourcing trends for managed services and cloud. Retrieved from WorkSafeBC’s intranet purchasing site.

Freedman, B. J., & Gervais, B. L. (2011). Procuring cloud computing services in Canada. Managing Intellectual Property. Retrieved from ABI/Inform database (ProQuest document ID 897000122): http://proquest.umi.com/pqdweb

Gartner. (2010, February). Cloud computing, key initiative. Retrieved from https://www.gartner.com/doc/1263918/cloud-computing-key-initiative-overview

Gartner. (2014, April). Cloud computing innovation key initiative overview. Retrieved from https://www.gartner.com/doc/2718918/cloud-computing-innovation-key-initiative

Gartner. (2014, October). Gartner identifies the top 10 strategic technology trends. Retrieved from http://www.gartner.co/newsroom/id/2867917

Gilbert, F. (2010). Cloud service contracts may be fluffy: selected legal issues to consider before taking off. Journal of Internet Law, 14(6), 1-30. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=bth&AN=55528463&site=eds-live

Goudreault, C. (2014). WorkSafeBC’s SaaS procurement guidelines. Retrieved from WorkSafeBC’s intranet purchasing site.

Government of Canada. Procurement tender notice for RFI (EN578-151297(B)). buyandsell.gc.ca website. Retrieved from https://buyandsell.gc.ca/procurement-data/tender-notice/PW-EEM-033-28243

Green, K. B., & Green, B. P. (2014). Reining in the risks of cloud computing. Internal Auditing, 29(5), 29-35. Retrieved from ABI/Inform database (ProQuest document ID 1626831802): http://0-search.proquest.com.aupac.lib.athabascau.ca/docview/1626831802?accountid=8408

Gupta, U. (2011). Cloud computing: 5 topics for the boss: Data protection, cost are two key items. Retrieved from http://www.inforisktoday.com/cloud-computing-5-topics-for-boss-a-3554

Hon, W. K., Millard, C., & Walden, I. (2012). Negotiating cloud contracts: looking at clouds from both sides now (May 9, 2012). 16 Stanford Technology Law Review 81 (2012); Queen Mary School of Law Legal Studies Research Paper No. 117/2012. Retrieved from SSRN: http://dx.doi.org/10.2139/ssrn.2055199

Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: A practical framework for managing cloud computing risk, part I. Intellectual Property & Technology Law Journal, 25(3), 7-18. Retrieved from http://search.proquest.com/docview/1322734722?accountid=8408

Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: A practical framework for managing cloud computing risk, part II. Intellectual Property & Technology Law Journal, 25(4), 19-27. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&AuthType=url,ip,uid&db=iih&AN=86273408&site=ehost-live

KPMG. Top 10 internal audit considerations for technology companies. Retrieved from http://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/RiskNewsletter/Documents/Top10InternalAudit.pdf

Krutz, R. L., Vines, R. D., & Brunette, G. (2010). Cloud security: a comprehensive guide to secure cloud computing. Useful next steps and approaches. NJ, USA: John Wiley & Sons. Retrieved from ProQuest ebrary database (ISBN 9780470921449): http://proquest.umi.com/pqdweb

Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud computing: The business perspective. Decision Support Systems, 51(1), 176-189. Retrieved from https://scholar.google.ca

McKendrick, J. (2014). IBM and Microsoft surge ahead of Amazon in cloud revenues, analysts estimate. Forbes. Retrieved from http://www.forbes.com/sites/joemckendrick/2014/07/28/ibm-microsoft-surge-ahead-of-amazon-in-cloud-revenues-analysts-estimate/

Mell, P., & Grance, T. (2011). The NIST definition of cloud computing. Special Publication 800-145. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Muller, R. (2009). Project governance. Fundamentals of Project Management. Surrey, England: Gower Publishing Ltd.

NIST. Cloud computing synopsis and definitions. National Institute of Standards and Technology, US Department of Commerce, SP 800-146. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf

NIST. (2015). Cloud computing service metrics description. National Institute of Standards and Technology, US Department of Commerce, SP 500-307. Retrieved from http://www.nist.gov/itl/cloud/upload/RATAX-CloudServiceMetricsDescription-DRAFT-20141111.pdf

NIST. (2014). US government cloud computing technology roadmap, volume 1. National Institute of Standards and Technology, US Department of Commerce, SP 500-293. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-293.pdf

Nanath, K., & Pillai, R. (2013). A model for cost-benefit analysis of cloud computing. Journal of International Technology and Information Management, 22(3), 95-II. Retrieved from ABI/Inform database (ProQuest document ID 1522799222): http://proquest.umi.com/pqdweb

Noble Foster, T. (2013). Navigating through the fog of cloud computing contracts. ExpressO. Retrieved from http://0-works.bepress.com.aupac.lib.athabascau.ca/tnoble_foster/1

Office of the Information & Privacy Commissioner for BC. (2012). Cloud computing guideline for public bodies. Retrieved from https://www.oipc.bc.ca/search.aspx?SearchTerm=cloud

Ouedraogo, & Mouratidis. (2013). Selecting a cloud service provider in the age of cybercrime. Retrieved from http://0-eds.b.ebscohost.com.aupac.lib.athabascau.ca/ehost/pdfviewer/pdfviewer?sid=2ef5746a-9816-49b3-9edc-de8b5fc0a186%40sessionmgr115&vid=1&hid=117

Paquette, S., Jaeger, P. T., & Wilson, S. C. (2010). Identifying the security risks associated with governmental use of cloud computing. Government Information Quarterly, 27(3), 245-253. Retrieved from http://0-dx.doi.org.aupac.lib.athabascau.ca/10.1016/j.giq.2010.01.002

Rose, F. (2011). SLAs: promises, promises. Information Week, (1304), 20-21. Retrieved from ABI/Inform database (ProQuest document ID 878516004): http://proquest.umi.com/pqdweb

Samani, R., Honan, B., & Reavis, R. (2015). CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security. Science Direct, Syngress, an imprint of Elsevier, 225 Wyman Street, Waltham, MA 02451, USA. Retrieved from doi:10.1016/B978-0-12-420125-5.09001-4

Sangroya, A., Kumar, Dhok, J., & Varma, V. (2010). Toward analyzing data security risks in cloud computing environments. Information Systems, Technology and Management, Volume 54 (ISBN 978-3-642-12034-3). Retrieved from https://scholar.google.ca

Scott, R. J. (2014). Contract corner. Licensing Journal, 34(2), 21. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=bth&AN=94445027&site=eds-live

Shaw, J. (2011). 4 steps to cloud quality. InformationWeek, (1311), 36, 38, 40, 42. Retrieved from ABI/Inform database (ProQuest document ID 898969349): http://proquest.umi.com/pqdweb

Sheppard, D. (2015). Observations on the Canadian government cloud RFI. IT World. Retrieved from http://www.itworldcanada.com/blog/the-canadian-government-cloud-rfi-some-observations/102235

Simon, T. (2003). What is benefit realization? The Public Manager, 32(4), 59-60. Business Insights: Essentials. Retrieved from http://0-bi.galegroup.com.aupac.lib.athabascau.ca/essentials/article/GALE%7CA119744207/60a5895fae2166b7070f555f401fee83?u=atha49011

Slack, N., Chambers, S., & Johnson, R. (2010). Operations management. Essex, England: Pearson Education Limited.

Stamou, A., Morin, J. H., Gateau, B., & Aubert, J. (2012). Service level agreements as a service: towards security risks aware SLA management. Retrieved from https://scholar.google.ca

Tong, C., Nguyen, S. T., & Jaatun, M. G. (2012). Beyond lightning: a survey on security challenges in cloud computing. Computers & Electrical Engineering, 39(1), 47-54. Retrieved from doi:10.1016/j.compeleceng.2012.04.015

Tufts, S. H., & Weiss, M. L. (2014). Cloudy with a chance of success: Contracting for the cloud in government. Center for The Business of Government. Retrieved from http://0-search.ebscohost.com.aupac.lib.athabascau.ca/login.aspx?direct=true&db=edsssb&AN=edsssb.bkg00062755&site=eds-live

Tutorialspoint website. Cloud Computing Overview page. Retrieved from http://www.tutorialspoint.com/cloud_computing/cloud_computing_overview.htm

Venters, W., & Whitley, E. A. (2012). A critical review of cloud computing: Researching desires and realities. Journal of Information Technology, 27(3), 179-197. Retrieved from http://0-dx.doi.org.aupac.lib.athabascau.ca/10.1057/jit.2012.17

Wiseman, R. (2014, October). Canadian Government Executive. Retrieved from https://cgexecblog.wordpress.com/tag/cloud-computing/

Zielinski, D. (2009). Be clear on cloud computing contracts. HRMagazine, 54(11), 63-65. Retrieved from ABI/Inform database (ProQuest document ID 205042081): http://proquest.umi.com/pqdweb


APPENDIX A - SAMPLE CLAUSES

DATA SECURITY, REDUNDANCY & DATA CONVERSION CLAUSES

As per Kalyvas, Overly and Karlyn (2013), the following sample clauses are recommended for managing cloud risk in the areas of data security, data redundancy and data conversion (p. 20-22).

“Sample Data Security provision:

a. In General. Provider will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Customer Information (1) that are at least equal to industry standards for such types of locations, (2) that are in accordance with reasonable Customer security requirements, and (3) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access of Customer Information and all other data owned by Customer and accessible by Provider under this Agreement.

b. Storage of Customer Information. All Customer Information must be stored in a physically and logically secure environment that protects it from unauthorized access, modification, theft, misuse, and destruction. In addition to the general standards set forth above, Provider will maintain an adequate level of physical security controls over its facility. Further, Provider will maintain an adequate level of data security controls. See Exhibit A for detailed information on Provider’s security policies protections.

c. Security Audits. During the Term, Customer or its third party designee may, but is not obligated to, perform audits of the Provider environment, including unannounced penetration and security tests, as it relates to the receipt, maintenance, use, or retention of Customer Information. Any of Customer’s regulators shall have the same right upon request. Provider agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes.

Sample Data Redundancy provision:

Provider will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time).


Sample Data Conversion provision:

At Customer’s request, Provider will provide a copy of Customer Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in the form in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider’s or its agents’ or subcontractors’ possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer’s request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.”
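A contract clause such as the Data Redundancy provision above is only useful to the customer if it can be verified. The script below is an added example (not code from this paper or from Kalyvas, Overly and Karlyn) that checks a provider's backup catalogue against the clause's concrete requirements: a nightly database backup for each of the last 14 days, transaction log backups no more than 30 minutes apart, and an off-site copy of both the database and the default path. The catalogue format, the site names and the audit time are constructed assumptions for the example.

```python
"""Check a provider's backup catalogue against the Data Redundancy provision
quoted in Appendix A. Catalogue format, site names and audit time are
constructed assumptions for this example, not any real provider's export."""
from datetime import datetime, timedelta

LOG_INTERVAL = timedelta(minutes=30)   # (i)(B): log backups every 30 minutes
NIGHTLY_RETENTION = 14                 # (iii): last 14 nightly database backups kept
PRIMARY_SITE = "dc-primary"            # constructed name of the primary data center
AS_OF = datetime(2015, 4, 15, 8, 0)    # constructed audit time


def sample_catalogue():
    """Constructed catalogue of (timestamp, kind, site) rows with three
    deliberate shortfalls: a missing nightly backup, a 60-minute log gap,
    and no off-site copy of the default path."""
    rows = []
    for n in range(1, NIGHTLY_RETENTION + 1):
        night = AS_OF.replace(hour=2, minute=0) - timedelta(days=n)
        if n != 5:                                     # night 5 is missing
            rows.append((night, "db_full", PRIMARY_SITE))
        rows.append((night, "db_full", "dc-offsite"))  # (ii) off-site DB replica
    logs = [AS_OF - timedelta(hours=24) + k * timedelta(minutes=30) for k in range(49)]
    skipped = datetime(2015, 4, 15, 3, 30)             # one log backup never ran
    rows += [(ts, "db_log", PRIMARY_SITE) for ts in logs if ts != skipped]
    rows.append((AS_OF - timedelta(days=1), "default_path_full", PRIMARY_SITE))
    return rows


def check_redundancy(rows, as_of=AS_OF):
    """Return a list of findings; an empty list means the catalogue meets the clause."""
    findings = []
    # (i)(A) and (iii): a nightly database backup exists for each of the last 14 days.
    expected = {(as_of - timedelta(days=n)).date() for n in range(1, NIGHTLY_RETENTION + 1)}
    nights = {ts.date() for ts, kind, site in rows if kind == "db_full" and site == PRIMARY_SITE}
    for day in sorted(expected - nights):
        findings.append(f"(i)(A)/(iii) no nightly database backup for {day}")
    # (i)(B): consecutive log backups in the last 24 hours are at most 30 minutes apart.
    logs = sorted(ts for ts, kind, _ in rows if kind == "db_log" and ts >= as_of - timedelta(hours=24))
    for earlier, later in zip(logs, logs[1:]):
        if later - earlier > LOG_INTERVAL:
            minutes = int((later - earlier).total_seconds() // 60)
            findings.append(f"(i)(B) {minutes}-minute gap between log backups ending {later:%Y-%m-%d %H:%M}")
    # (ii): database and default path each have a copy somewhere other than the primary data center.
    for kind in ("db_full", "default_path_full"):
        if not any(k == kind and site != PRIMARY_SITE for _, k, site in rows):
            findings.append(f"(ii) no off-site replica of {kind}")
    return findings


if __name__ == "__main__":
    for finding in check_redundancy(sample_catalogue()):
        print(finding)
```

Each finding names the sub-clause it relates to, so the output can be attached directly to an SLA review or a notice to the provider.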


APPENDIX B

FRAMEWORK FOR SECURITY MECHANISMS FOR CLOUD SLAs

Bernsmed et al. (2011), as cited by Tong, Nguyen and Jaatun (2012), presented a framework for security mechanisms in service level agreements in cloud computing at an international conference on cloud computing and services in 2011.
