A few weeks ago I was talking to a really smart technical leader in the IT industry. It was not too long after the Amazon Cloud Outage that impacted a number of businesses for up to two days. Of all the things he said that day, the only one I remember is his comment that when negotiating a contract with a Cloud Service Provider, you should follow the concept of MAD. I asked him what he meant, and he said, “You know, Mutually Assured Destruction.” I decided I needed to be somewhere else.
The basic concept of MAD is that each side assures the other that if it is attacked it will immediately retaliate with equal or greater force. The requirements are that each side believes that the other side has enough force to completely destroy them, and that they will unquestionably retaliate at the first sign of an attack.
The first reference to the concept of MAD was by the English author Wilkie Collins. At the time of the Franco-Prussian War in 1870, he wrote, “I begin to believe in only one civilising influence—the discovery one of these days of a destructive agent so terrible that War shall mean annihilation and men’s fears will force them to keep the peace.”
The Soviet Union detonated its first nuclear weapon in 1949, and by 1950 both nations had the aircraft and stockpiles of bombs to deliver nuclear weapons into the interior of the other. In 1954, John Foster Dulles, President Eisenhower’s Secretary of State, declared that the new US policy was deterrence in the form of massive retaliatory power. The message to the Soviets: if you attack Europe, even with just conventional weapons, the United States will retaliate against the Soviet Union with its nuclear arsenal.
By 1959, both countries had built the last step: second-strike capability. With the advent of nuclear-powered ballistic missile submarines and MIRV (multiple independently targetable re-entry vehicle) missiles, each side could survive a first strike with enough weapons left to completely destroy the other.
The main premise of a situation where MAD might be appropriate: the other side really wants you dead. Literally.
Don’t use MAD as the approach to your Cloud Service Provider (CSP) contracts. Most organizations that have or should move to the Cloud have two characteristics in common:
- IT is a critical part of running their business.
- IT is not a core competency of the company.
Finding the right CSP based on your requirements, especially in the areas of security, performance and availability, can address both of these factors. You can move your IT to someone who understands the importance of IT to your business, and someone whose core competency is IT. In addition, you will likely save a lot of money and gain significant IT agility when you do so, and you can concentrate on your core business. You should pick the CSP in the same way you make any other critical IT decisions. Create an RFP (request for proposal) based on your analysis and send it to a handful of CSPs that have demonstrated capability in the Cloud space the application will require, and do due diligence on the company and the response.
The result of selecting a CSP and negotiating with them is a contract. In some cases, you may not be able to make any changes to the CSP’s standard contract. I strongly suggest that you not use that CSP for anything that is really critical and has any special security, performance or availability requirements. Your contract should include all of the requirements you provided to the CSP and their responses to those requirements. It should also include definitions of any audit access, their security policy, and other security related actions on their part.
One aspect often ignored when negotiating with a CSP is notification. How and when will your CSP notify you of a security breach? Breaches will happen, just like they will happen in your own shop. You need to deal with them quickly, and your CSP needs to tell you as soon as they suspect one may have occurred.
I have worked with a lot of very good contract lawyers over the years. Every once in a while I run into one, on either side, who believes that contracts specify what one party can do and what they cannot do, and focuses on the penalties when one party fails to comply. While not quite MAD, it is certainly a confrontational approach to a contract. This kind of contract often rewards the wrong conduct by one or both parties. For example, if there are penalties when there is a security breach, then there is no incentive for a CSP to notify you when one happens. Maybe you won’t notice. When I find such a lawyer while working on a CSP contract, I find another lawyer or another CSP.
I have seen some contracts where the CSP promises nothing, so the customer has no protection. I have also seen contracts where the customer has required that there never be a security breach, and if there is, the customer has the right to immediately move off that CSP with no financial penalty. However, that is not what the customer wants – they want the security breach fixed and to keep conducting their business. Dealing with a breach when you no longer have access to the facility where the breach occurred is very difficult, and now the company has the additional distraction of quickly moving to another CSP.
No company will knowingly sign a contract that could spell the ruin of the company. Unlike international relationships, neither party must sign with the other. If a contract doesn’t provide measurable value to both sides, you are better off not signing it and finding another partner.
There will be problems. The contract should be designed to maximize the probability that everyone will work to find and implement solutions, not try to hide them. This includes providing immediate notice when there is the possibility of a security breach.
The last word:
One could argue that MAD worked in the Cold War – after all, nobody launched those ICBMs. Considering some of the people on both sides of that war, the concept probably was key to avoiding a really bad outcome for everybody.
Your CSP contract should try a different cooperative approach.
Keep your sense of humor.