Think ahead on risk management in the cloud before it's too late!

Published: 27 Jul 2015 Average Rating: 4.3 / 5 Print
This article appeared in Contracting Excellence magazine on 27 Jul 2015 view edition

Author: Bernhard Kainrath, Senior Manager, Legal Field & Deal Management, NetApp; Dr. Dierk Schindler, Head of EMEA Legal Field Operations & Worldwide Contract Administration, Attorney at Law, NetApp

If you're thinking of investing in any cloud service, be smart and make sure you do your homework first. Two seasoned practitioners - Bernhard Kainrath and Dr. Dierk Schindler - discuss the importance of knowing the risks before making any commitments, so you can get the top benefits from a cloud service without any unpleasant surprises.

Today, most of the technical and commercial barriers for companies to move to a cloud infrastructure have been removed, and exciting new business opportunities are possible. But beware - cloud computing isn't for everyone. Decision makers very often don't know the many risks that could lie ahead or, if they do, they don't know how to handle them. This article offers potential cloud customers an insight into questions to ask if they're thinking of moving their data to the cloud - and future trends to consider that could change everything. 

Confidentiality, integrity and availability – the big cloud risks

Few can disagree - cloud computing technology offers many opportunities. It improves operational efficiency of the company, strengthening its competitiveness. It also helps improve flexibility, reduce capital costs and spend on technology infrastructure, providing adaptable “work from anywhere” environments, automation, a reduced carbon footprint and much more. 

Medium-sized companies, as well as start-ups, can now take advantage of high-performance cloud IT solutions, previously reserved only for large organizations. Upper management and chief information officers (CIOs) know that innovation and modern technology are the foundations for growth, and are aware of all the opportunities the cloud is offering to them. Therefore they have a big appetite to move their in-house services to the cloud, but they should consider obvious risks before making that decision.

Depending on one cloud service provider only may create operational and commercial risk. Increasing dependence may shift the balance in contract negotiations in favor of the supplier.  The customer may have to accept higher prices, or face a supply shortage that could quickly lead to business continuity risks.

While these risks may seem obvious, the consequences for data security and data protection are often less prominent. The so-called “vendor lock-in” can create a severe data security and data privacy problem, for example. First CIOs should consider their legal and corporate guidelines, and which systems and services are critical to the company before they outsource any of their services to the cloud. Then they might decide to have different types of cloud solutions or to keep certain data or applications “in-house.”

Know what questions to ask

Security in the cloud

The basic principles of IT security revolve around confidentiality, integrity and availability, known as the “CIA triad.” Everything that needs to be done to secure an IT infrastructure links to at least one aspect of the triad. These requirements do not change in the cloud. The advantages of the cloud may sound good but ultimately, with less direct control, customers have to rely on a high degree of trust – making it vital to address the following questions with the cloud provider:

  • How does the cloud provider protect data integrity?  Integrity is only guaranteed when it is not possible to manipulate data unnoticeably. Therefore it's not just the cloud service that needs to meet that protective goal, but also all of the various components that make up the cloud, the software and its configuration. It's important therefore to ask how patches and updates are managed.
  • How does the cloud provider manage availability?  Data loss can be a real threat to the existence of a company, especially in online infrastructures, and there are many possible causes of data loss, including disaster, a hacker attack as well as human error. Data loss can be especially problematic if there's a legal obligation to store particular data. To ensure availability of data in the event of a security breach, ask how the cloud provider defends itself against Denial of Service attacks.
  • How does the cloud provider ensure secure access to data? Cloud storage moves data to remotely-located data centers - over which customers have no control. So ask: where will our data be stored, including copies? Security breaches are very often caused by internal employees. Therefore, it's good to know exactly who will personally manage and access the equipment that holds corporate data. Weak interfaces and application programming interfaces (APIs) are also a potential risk. Potential customers should therefore ask what interfaces and APIs are used – and what the security implications are.

Vendor lock-in

Vendor lock-in means it is not easy to transfer a product or service to a competitor - or bring it back in-house again. An example of this could be a customer wanting to transfer their email activities from cloud one email provider to another.

The best way of avoiding vendor lock-in and cross-sector dependence on only one cloud provider is interoperability. Any contract between cloud provider and cloud customer must guarantee to support data relocation at both the beginning and the end of their business relationship. It should state clearly which data format and interfaces are used, when data will be imported or exported, and what the costs are, if any. It must also stipulate deletion of data after termination.

Open cloud standards and open source are keys to achieving true interoperability. Standardization efforts in cloud computing are evolving, but unfortunately there are still many construction sites. Many new standards that are explicitly designed for the cloud are not 100% mature, and there are no standards available for specific cloud business models.

Data privacy

When intrusions lead to leaks of personal data, the damage to a company's brand, customer relationships and intellectual property can be substantial. According to Kaspersky Lab's Global IT Risks Report,1 a global survey of attitudes and opinions of IT security, 94% of companies surveyed had experienced some form of external security threat and only 46% of businesses thought their conventional security solutions provided adequate protection. These figures are alarming, and take on greater significance given that an organization will need to engage the services of a cloud provider to process personal data on its behalf which could, in some circumstances, bear no responsibility for data privacy compliance.

A common misconception is that giving up control of data passes data privacy liability on to the cloud provider. The Data Protection Directive of the European Union (EU)2 requires Data Controllers to observe a number of principles when processing personal data. Data Controllers are bodies or people who collect and manage personal data and they must comply with the EU law when handling the data. If a company selects a cloud provider for storage and processing of data, the cloud provider will usually act as the Data Processor for them. This means that the Data Controller remains responsible for how data is processed and for compliance with data protection. In this scenario, if a cloud provider stores data outside the European Union, cloud customers must ensure that the data remains protected.

One response to this risk is to implement a hybrid cloud strategy. As a first step, Data Controllers must compare the risk levels in a private and a public cloud scenario. After that assessment they should think about which personal data can be moved into the cloud and which should never move. It's also recommended to create data categories for this purpose. Another important step is to obtain consent from individuals before collecting, processing, storing or transferring personal data. This can vary from country to country if data is processed in a multinational environment.

When you choose, take your time

Finally, we recommend spending some time in selecting the right cloud provider. Today, various cloud providers specialize in distinct markets, with niche cloud providers emerging that tailor their services for those markets. Seen from this angle, it's better to choose a cloud provider whose services are designed for your specific requirements, if not this can cause an additional set of risks.

Insolvency protection

If a cloud provider files for bankruptcy protection, the only thing that matters is how quickly you can access and repatriate your data. What precautions can you take in advance to minimize the drawbacks of a cloud provider bankruptcy?

  • Due diligence: Use a well-known and financially strong provider. Examine the strengths of the chain of all participants involved in the cloud services provided (for example host and data center).
  • Ownership of data: To avoid to becoming disadvantaged by an insolvency procedure, ensure the agreement with the cloud provider stipulates that you own all data in the cloud.
  • Backup data: Require the cloud provider to provide a copy of a backup on an appropriate medium at frequent intervals. If all fails you may at least still have the most current data to work with.
  • Time: Think about how quickly you will be able to recover your data in terms of the amount of data and bandwidth available.
  • Stay in touch with the cloud market: Keep a record (list) of possible service suppliers that could help at short notice.

What are the trends in cloud computing?

In the near future ownership of data will take on greater significance. The Internet of Things has the potential to disrupt everything. According to Cisco Systems3, the number of devices connected via the Internet is expected to reach fifty billion by 2020. These smart connected things, meanwhile, are available in all areas of our life, capturing, transferring, analyzing and acting on data. Everyday items such as white goods are collecting information, wearable items are monitoring our sport activities and cars can monitor the behavior of drivers. But where does all that data end up? For example, it could be sent directly to the cloud.

There is no doubt that all of the current developments in the Internet of Things can make our lives easier, but we need to be aware that data is hugely valuable. Who owns this data? Does the owner of a smart washing machine own the data about how they use it?


The biggest risk of all is that no one knows what is up ahead. Potential cloud customers should consider that cloud computing is not for everyone and weigh what level of risk they would be taking take if they decide to move data into the cloud. If organizations do finally decide in favor of the cloud, they should be as well-prepared as possible, in every way.

Clearly one of the biggest lessons you don't want to learn the hard way is that using cloud services requires a clear contractual understanding.

  • Before starting contract negotiations, as a first step both contractual parties need to be clear and candid on how the provided cloud service will look, and identify possible risks.
  • As a second step, to minimize such risks and ensure a fair distribution of risks between the parties you need a comprehensive contractual agreement that regulates clearly and understandably the rights and obligations of the parties. This will avoid mock battles and the risk of negotiating against each other.


  1. The Kaspersky Lab Global IT Risk Report – a survey of attitudes and opinions on IT security (April 2013 to May 2014), titled Ready or Not – Balancing Future Opportunities with Future Risks.
  2. The Data Protection Directive regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. 
  3. See Cisco blog.


Bernhard Kainrath – Sr. Manager Legal Field & Deal Management, Northern EMEA

Currently, Bernhard Kainrath is member of the EMEA Legal Management Team at NetApp and leads a team of legal professionals and pre-sales project managers to support NetApp's "Big Deals" business in the Northern EMEA Area (Nordics, UK & Ireland, Benelux). His team works closely together with the sales teams and leads, negotiates and operationalizes complex deals. He gained many years of management experience at BMC Software and Hitachi Data Systems, amongst others. In addition to his international management responsibilities, he has been lecturing and authoring in his field since the beginning of his professional career.

Dr. Dierk Schindler, Member of the Board of NetApp Deutschland GmbH, Head of EMEA Legal Field Operations & WW Contract Administration, Attorney at Law

Dr. Schindler has studied Law at Augsburg University, where he also completed his doctorate thesis in European Law. In 2012, Dr. Schindler became Head of Legal Field Operations in EMEA and a member of the senior staff of NetApp's new General Counsel, Matthew Fawcett. In 2014 he assumed additionally the responsibility to lead the worldwide Contract Management & Services Team for the Global Legal Department. Dr. Schindler regularly presents at both, business and peer groups as well as at various universities in- and outside Germany. He also serves as a sworn member of the Board of Examiners of the Chamber of Commerce.









Related Discussions

Please sign in or register to post on this forum

Occidental Petroleum Corporation
2019-02-12 17:17:02

Cloud Contracting

I am interested in perspectives on various issues and contracting approaches for the use of cloud services, particularly from niche providers who may, in-turn, actuall...
Replies: 2
2017-04-25 05:18:00

Infrastructure Security Audit Report

Can anyone help me with Service Provider's Infrastructure Security Audit Report?
Replies: 1

Occidental Petroleum Corporation
2016-04-13 11:39:59

X-as-a-Service" Contract templates and terms

I am in the process of reviewing materials and any existing templates to prepare an a "X-as-a-Service" template for use by my organization. This would inclu...
Replies: 2
2016-01-21 14:10:34

Contracts Management Value - Changing the Corporate Culture

I am a new Contracts Manager at a global information services company. This is a new position to the company, so I am effectively starting from scratch. I am running...
Replies: 15

Seplat Petroleum Development Company Plc
2019-08-10 20:51:14

Digital Contracts

Please does any one have experience of having contracts prepared electronically and executed electronically? The parties do not receive any hard copies after execution...
Replies: 2

sussex university
2019-08-02 11:41:07

Establishing Contract Management within a Digital Team: consolidation, asset management, systems

Does anyone have experience of establishing a contract management framework in a digital team? I am mulling over which risks/areas to prioritise first (Asset Managemen...
Replies: 2