Shaping a Cloud Services Contract
Give and Take in Defining Security Terms of an Agreement
Three years ago, most providers offered all but their very largest customers take-it-or-leave-it terms for cloud computing services. "In the beginning, they might not have been so eager to discuss those responsibilities [to secure data] but now it seems to be more of a standard practice," Starkey says in an interview with Information Security Media Group. "There's a lot more give and take."
That give and take means customers don't always get everything they want. Initially, Delaware didn't want any of its data to be co-located with other customers' data on cloud providers' servers. Co-location reduces providers' costs to operate the servers, and those savings are passed on to their customers. Now, Starkey says, Delaware only insists that backup data stored by the provider not be co-located. "When there's other data comingled on that, it becomes difficult [to restore systems]," she says.
To ensure providers comply with the terms of a cloud services contract, Delaware relies on third-party auditors.
Starkey says she would like to bring such auditing services in-house, but that would be too costly. "[Having] the right extra staff and the right resources to have a full-blown audit program is the ideal way to enforce the terms and conditions," she says. "But the economic situation has not allowed for that, yet."
In the interview, Starkey discusses:
- Delaware's Cloud First program, patterned after a federal government initiative, in which all data is analyzed to determine whether it's appropriate to be stored on the cloud.
- The state's insistence that cloud providers comply with Delaware's breach notification law and cover costs associated with a breach and its recovery.
- How she envisions Delaware will employ secure cloud computing over the next three years.
Less than 15 percent of Delaware's state government data are stored on the cloud, Starkey said in an e-mail sent after the interview.
Starkey has been Delaware's state CSO for nine years. She previously served as the chief technology officer of the Department of Technology and Information and chief information officer of the Department of Public Safety. Starkey earned two computer science degrees, a master of science from Rochester Institute of Technology and a bachelor of science from James Madison University.