There is a wide variety of cloud service providers and many are global suppliers. The providers on G-Cloud have been pre-screened only to check they are suitable to work with government, and not to provide any assurance on their specific services. Selection criteria should, therefore, cover the specific needs of the organisation. The organisation should conduct due diligence on shortlisted suppliers to check they meet all security requirements, relevant standards, regulations and business-specific needs.
Organisations should be clear that they remain responsible for the security of their data in the cloud. The supplier may provide a secure technical environment, but configuring the service securely, controlling who can access the data, and identifying and addressing data breaches, hacking and so on remain the responsibility of the organisation; it will not be sufficient to be a passive consumer of the service.
Questions audit committees could ask:
• Will there be clear accountability between the organisation and the cloud provider? What oversight regime will the organisation have over the cloud provider? Does the cloud provider sub-contract, and how does it manage the associated risks? Has the organisation undertaken sufficient due diligence to mitigate the risk that, in the event of a breach of the General Data Protection Regulation (GDPR), it will be held liable as data controller alongside the cloud provider as data processor?
• Have the service features being promoted been verified? Has the organisation obtained feedback from other customers on how easy the system is to configure? How easily will the new service integrate with other systems? Are some of the features listed as 'beta', meaning they could be modified or withdrawn with little or no notice?
• What are the terms of service? Is the capacity and availability guaranteed by the cloud provider sufficient for the organisation's needs? Is this backed up by the provider's track record to date? What are the business continuity arrangements? How quickly is service guaranteed to resume after an outage? Is the provider's liability cap likely to be sufficient (particularly for smaller contracts) to cover the cost of any damage the organisation suffers?
• Where is the provider's infrastructure physically situated, and in what jurisdiction(s) is the organisation's data being held and accessed? What assurances and guarantees are there on data residency and sovereignty? Are there security or sovereignty constraints imposed by a parent department or other important stakeholders? If the provider has a UK data centre, what assurances does the organisation have that it will be used for the organisation's own data, and that it covers all the services the organisation plans to use? Will this incur additional cost? Will UK-resident data be accessed from offshore locations, for example by the provider's support staff?
• Will the cloud service contract be governed by the law, and subject to the jurisdiction, of the United Kingdom? Will the cloud provider allow access to its premises and data by the organisation, its auditors (internal and external) and any relevant regulators without restriction? How does the provider support compliance with data protection legislation? Will it support requests from data subjects under GDPR, such as subject access requests?
• What security accreditation and protocols does the provider have? What information security standards do they meet? What measures are there to prevent unauthorised access, for example encryption or multi-factor user authentication? Are these part of the core offering, are they additional paid-for options, or are they left to the organisation to implement separately?
• Has the technical architecture of the system been reviewed by appropriate experts? What is the contractual liability for data losses or service unavailability? What is the provider's approach to proactive testing, and is there historical evidence of how they have responded to security issues?
• Does the organisation understand what security information (for example logs and alerts) will be fed back from the provider as part of the service? Will there be sufficient in-house resources to understand and interpret the information and alerts being fed back? Will there be the capacity and expertise to respond appropriately when the alerts indicate that action is required on the part of the organisation?
• Has the organisation considered the costs of exiting from a cloud provider to take advantage of competition in the market? Are contract exit arrangements fully documented with a legal commitment for the cloud provider to cooperate with transfer and removal of data? Are there contractual mechanisms to ensure the provider can supply the organisation's data in a reasonable electronic format for migration to another provider? Are the actual mechanics of how the data would be extracted under such a scenario sufficiently clear from the outset (particularly given the current contract lengths on G-Cloud)?