Minimize risks by focusing on how your service provider manages confidentiality, integrity, and availability across the three major periods of a cloud service relationship: pre-contract, contracting and operating, and termination. Top security risks that arise across these periods are from:

1. Poor policies and practices. Most cloud security failures result from the actions of persons not following stated policies around confidentiality, integrity, and availability of your data. This comes from either lack of a stated policy or lack of practices designed to ensure conformance to policy. How well your cloud service provider defines, enforces, tests, and improves its policies and practices is your responsibility to determine, monitor, and act upon.
2. Poor confidentiality and integrity controls. Confidentiality means only authorized access to data. Integrity means only authorized changes to data. You must understand how your cloud service provider controls both, and you must routinely monitor these areas.
3. Poor availability controls. Availability is the ability to provide service or perform agreed functions when required. Most service outages are unplanned and can include cyber attacks, hardware or network failures, configuration issues, and natural disasters. How your provider handles unplanned outages is critical to your success and is your responsibility to understand.

Focus security efforts on the primary risks (poor policies and practices and poor confidentiality, integrity, and availability controls) and related causes (principal-agency problem and loss of technical expertise) for each of the three major periods of a cloud service relationship (pre-contract, contracting and operating, and termination.) Do not overlook the traditional consumer-side organizational security and privacy requirements. Identity management, security audits, encryption, physical security, and assessment and authorization are always required.

Phase 1: Pre-contract

• Identify your confidentiality and integrity requirements. Understand the laws and regulations you operate under, and be sure to consider data location, electronic discovery, etc. These form the basis for selecting a cloud service provider as well as cloud service and delivery models. Include requirements for terminating the agreement as well.
• Evaluate the cloud service provider’s track record for meeting availability promises while maintaining confidentiality and integrity controls over your data. Topics include planned and unplanned outages as well as backup and restoration. Remember to include return of physical and digital assets as well as erasing copies at termination.
• Analyze interests of the proposed cloud service provider in the context of your own interests,
  e.g., the principal-agent problem. Also consider how you'll maintain technical competence over time.

Phase 2: Contracting for and operating a public cloud service

• Engage your legal team to review the service agreement, and include them during all negotiations.
• Be sure all confidentiality, integrity, and availability requirements are in the service agreement or contract, and require that the provider specifically recognize and endorse them. Be sure to include all actions required upon contract termination.
• Continually assess the performance of the cloud provider and the quality of the services provisioned to ensure all contract obligations are being met. Manage and mitigate risk.

Phase 3: Terminating the contract with a public cloud provider

• Bring any contractual requirements relating to the end of the contract to the attention of your service provider. Remember, you should establish these requirements in Phase 1.
• Revoke all access rights or privileges granted to the cloud service provider. Collect all access tokens, badges, etc.
• Confirm the cloud service provider returns all physical and/or digital property held under the terms of the service agreement. Ensure the property is correct and complete. Verify that the cloud service provider properly erases all data and information held.