10 Steps to Cloud Security: Step 10 — Understand the security requirements of the exit process

(Originally published by author in May. 2018 in Peerlyst.com)

As we come towards the end of this series, let us touch upon the security aspect of exit process. Why do we need to have a well-defined exit process as a part of the contract with the cloud service provider.

But, to begin with, let us list down our 10 steps to cloud security as defined by Cloud Standards Customer Council.

1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud service agreement
10. Understand the security requirements of the exit process

Today, we are going to discuss step 10 which is to understand the security requirements of the exit process.

Let us first understand the exit process. Exit process defines procedures which includes responsibilities of the cloud service provider and customers in case, the relationship terminate prematurely or otherwise. The exit process /clause should be part of every cloud service agreement.

What could be the reasons for which you will need a well-documented exit process? Why would relationship end between CSP and cloud customer? there could be several reasons

1. Provider is not able to meet SLA. There is lot of downtime or there is a major data breach due to provider’s negligence.
2. Provider has gone out of business (vendor lock-out)

There could be many more reasons and a clearly defined process can help in secure and speedy transfer of customer data and applications.

Another reason for having an exit process is to tackle the issue of portability. The cloud service providers, like AWS, azure or GCP, have been providing services, few of them, could be based on proprietary technologies. It may be difficult to move to different cloud service provider because of these proprietary technologies.

The customer exit process should be part of the contract annex and should ensure minimal disruption for the customer and should ensure smooth transfer.

Now, let us understand what should be there in the exit process or what customer should evaluate when reviewing the cloud service provider exit policy.

1. The exit process should ensure smooth transmission of consumer data to achieve business continuity,
2. It should make sure that the customer data is completely removed from the provider’s environment once the process is complete.
3. Responsibilities of the CSP and charges if any should be part of the exit process.
4. Providers should be responsible for removing customer data from their environment or should give assistance to the customer for erasure of data.
5. The format of data transmitted from provider to customer, during exit, should in standard format and mentioned in the exit process.
6. All the data and information of the customer should be retained for a specific period (after exit) so that customer can find new provider.
7. Customer should ensure to get business continuity protection through cloud service agreement.
8. Customer should receive written confirmation from the provider that all data has been removed from the provider’s IT environment. The written confirmation should also confirm that provider will not use customer data for any reason in future.

We have seen, above, that exit process is a very important element in cloud service agreement. It is often neglected but it should be there for protection of your data and avoid issue of portability.

By this, we complete this series of 10 steps to cloud security. If we follow these 10 steps, we can, not only, have a sound cloud security but better governance and data protection and would be able to meet our business objectives.