Common use of Cloud Security Clause in Contracts

Cloud Security.

● The following sections may not be applicable if a third party owns the cloud environment: Preferred Environment, Resource Organization, Network Configuration, Secrets Management, Infrastructure as Code.
● Preferred Environment
  ○ Is the environment one of the “big 3” (AWS, GCP, Azure)? These are generally preferred as they are considered the services that are most mature security-wise.
  ○ Note: Using multiple services for infrastructure may be necessary (some vendors may require a specific service to be used), but it increases complexity and attack surface.
● Resource Organization
  ○ Can resources be deployed to different environments (development, production, sandbox, etc.)? This is valuable to allow developers a chance to test new features in non-production environments, allowing production to maintain uptime.
● Identity Management
  ○ Who will own the accounts/environments in the cloud? Who requires access keys/hard credentials? Who requires temporary access?
  ○ How will users be audited? For example, how will you remove users that are no longer employees?
● Access Management
  ○ How will your team access the environment (single-sign-on, role-based access, programmatic access, user-based access)?
  ○ How will your team audit access controls (e.g., removing permissions from users who no longer need access to certain controls/features)?
● Logging Requirements
  ○ Note: Many cloud services will be able to facilitate comprehensive logging. Focus on who has access to those logs, where the logs should be stored, and what value can be derived from the captured logs.
  ○ Do your logs need to be centralized for auditing purposes?
  ○ Are there specific infrastructure metrics that must be captured?
  ○ How long should logs be retained (consider any legal requirements to maintain logs for a certain amount of time)?
● Data Ingress and Manipulation
  ○ What are the requirements for data at rest and in transit?
  ○ Does your data require transformation/standardization?
  ○ Are there multiple points of data ingress into the cloud environment?
● Network Configuration
  ○ Are there specific requirements for infrastructure accessibility (Virtual Private Network (VPN) connection required for remote access, isolating databases/storage solutions from the internet, etc.)?
  ○ Are there any requirements for asset distribution?
    ■ Will the environment be hosting data/content that will be public?
● Secrets Management
  ○ How will secrets be protected in your infrastructure (e.g., encryption keys, parameterization, etc.)?
  ○ Describe the process for rotation. This is valuable in the event that a secret is leaked, such as through accidental upload to public source code.
● Infrastructure as Code
  ○ If the infrastructure will be managed internally, will a robust/replicable solution like Terraform be desired, or a cloud-specific Software Development Kit (SDK)?
    ■ If managed by a third-party/managed services team, this is not applicable.
  ○ If IaC is being utilized:
    ■ How is security built into the pipeline (e.g., source code analysis tools)?
    ■ Is extra scrutiny given to security-relevant changes (e.g., Terraform being updated that provides a certain user group administrator-level permissions)?
    ■ How is drift detected (e.g., identify where alerts go when a certain user group obtains administrator-level permissions despite IaC only providing them a small subset of permissions)?
● Automated Threat Detection
  ○ Is automated or AI-powered threat or vulnerability detection a desired component of the environment?

Appears in 2 contracts

Sources: Grant Agreement, Grant Agreement