CSA CCM IPY-04
Data Portability Contractual Obligations

When it comes to switching cloud providers or terminating a contract, it's essential to have a clear understanding of how you'll get your data back. The Data Portability Contractual Obligations control ensures that your agreement with the cloud provider specifies exactly how you'll access your data if you decide to part ways. This includes details like the format of the data, how long the provider will store it, what specific data will be returned, and when it will ultimately be deleted.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here. The Cloud Controls Matrix provides a comprehensive set of security controls that are specifically designed for cloud computing environments. It's a great resource for anyone looking to ensure their cloud setup is secure and compliant.

Who should care?

This control is particularly relevant for:

  • CIOs and CTOs planning a cloud migration who need to ensure data portability
  • Compliance officers who must meet data retention and deletion requirements
  • Legal teams responsible for drafting and reviewing cloud service contracts
  • IT managers considering switching cloud providers who need to migrate data

What is the risk?

Without clear contractual obligations around data portability, you could face several risks:

  • Vendor lock-in: If you can't easily get your data out, you're stuck with your current provider
  • Data loss: If the provider doesn't return all your data, you could lose critical information
  • Compliance violations: If data isn't deleted as required, you could face regulatory fines
  • Operational disruption: If you can't migrate data smoothly, it could interrupt your business

While having portability provisions doesn't completely eliminate these risks, it significantly reduces their likelihood and potential impact.

What's the care factor?

For most organizations, data portability should be a high priority. Your data is one of your most valuable assets, and losing access to it could be catastrophic. Even if you're not planning to switch providers, having the ability to do so gives you leverage in negotiations and ensures you're not entirely at the mercy of your vendor.

However, the specifics of your industry and regulatory environment will influence just how much you need to care. If you're in a heavily regulated sector like healthcare or finance, data portability is absolutely critical. If you're a smaller business with less sensitive data, it may be slightly less urgent, but still important.

When is it relevant?

Data portability provisions are most relevant when:

  • Signing a new cloud service contract
  • Renewing an existing contract
  • Planning a migration to a new cloud provider
  • Responding to changes in regulatory requirements around data retention and deletion

They're less relevant for organizations that primarily use cloud for non-critical workloads or have very little data stored in the cloud.

What are the trade-offs?

Including data portability provisions in your contract may involve some trade-offs:

  • Higher costs: Providers may charge more for services that include robust portability guarantees
  • Reduced flexibility: Strict portability requirements could limit your ability to use proprietary services or features
  • Complexity: Managing data across multiple formats and locations can be complex and time-consuming

However, for most organizations, the benefits of ensuring data portability will outweigh these potential drawbacks.

How to make it happen?

To implement data portability contractual obligations, follow these steps:

  1. Identify your key data assets and where they reside in the cloud
  2. Determine your specific portability requirements, including:
    • Required data formats
    • Retention periods
    • Deletion policies
  3. Work with your legal team to draft contract language that specifies:
    • The CSC's (cloud service customer's) right to access data upon contract termination
    • The format(s) in which data will be provided
    • How long the CSP (cloud service provider) will retain the data
    • The scope of data to be returned
    • When and how the CSP will delete the data
  4. Negotiate these provisions with your CSP and ensure they're included in the final contract
  5. Implement processes to regularly test your ability to retrieve data from the CSP
  6. Monitor the CSP's compliance with portability obligations and address any issues promptly

What are some gotchas?

When implementing data portability provisions, watch out for:

  • Non-standard contract clauses under which the CSC waives its portability rights
  • CSPs that resist including specific portability language in contracts
  • Requests for data in formats the CSP doesn't support
  • Discrepancies between the CSP's stated deletion policies and actual practices

To access your data, you'll likely need administrative permissions on the relevant cloud resources. The exact permissions required will depend on the specific services you're using, but often include read permissions such as s3:GetObject for retrieving objects from S3 buckets.

What are the alternatives?

While contractual provisions are the best way to ensure data portability, there are some alternatives:

  • Use open data formats and avoid proprietary services to reduce dependence on a specific CSP
  • Implement a multi-cloud strategy to diversify your data storage
  • Use third-party data management tools that can move data between cloud platforms

However, these options are not a substitute for strong contractual language.

Explore further

For more information on data portability and cloud contracts, check out:

This control aligns with the CIS Control 13 "Data Protection" which emphasizes the importance of protecting data at rest and in transit. Specific sub-controls like 13.3 "Monitor and Detect Unauthorized Data Exfiltration" and 13.6 "Encrypt Data at Rest" are particularly relevant.
