April 9, 2020

April 08, 2020

Subscribe to Latest Legal News and Analysis

April 07, 2020

Subscribe to Latest Legal News and Analysis

April 06, 2020

Subscribe to Latest Legal News and Analysis

Understanding the Shared Responsibility Model in Cloud Services Agreements

Not that long ago, companies were concerned about the ramifications of putting all their data in a cloud, including how they would get that data out, so only certain discrete aspects of systems and storage infrastructure were being moved to the cloud. Fast forward a few years and, for cost and other reasons, the current trend is for companies to make wholesale replacements of services and move those services to the cloud. With more software and services being offered in the cloud, it’s important to understand the responsibilities of each party and the risk allocation between them.

Shared Responsibility

Cloud services agreements generally employ a “shared responsibility model,” which is an allocation of responsibilities between the cloud provider and the customer. Issues arise when either cloud services agreements are used for multiple business units and services without a clear understanding of the responsibilities of the customer with respect to the data they’re moving to the cloud, or the customer does not understand that it has its own distinct responsibilities with respect to its data.

Risk Allocation

Customer: The customer is generally responsible for the protection of its data (i.e., access management, network security, and encryption).

Provider: The provider is generally responsible for the infrastructure of the cloud (i.e., the physical security of its cloud environment).

Providers are generally agnostic to the type of data because the cost model does not support a preference for one type of data over another in terms of security. The customer is responsible for determining whether the provider’s physical security parameters meet the customer’s needs.

What's Often Missing from the Contract?

Details regarding roles and responsibilities, as well as notifications and communications for each stage, and clear security standards are oftentimes missing from contracts. Some cloud providers publish their standards and responsibilities for compliance with certain industry regulations, security processes, and workflows (e.g., who is responsible for what aspects of incident response in the cloud?), but it’s important to know the applicable security parameters and standards, so ask if they’re not readily available.


Prior to entering into cloud services agreements and/or moving additional data to existing cloud environments, the customer should have a clear understanding of the roles and responsibilities of the parties. The customer should have its security team review the security policies, procedures, and protocols in order to understand its responsibilities, and confirm the cloud provider’s security standards and notification obligations are acceptable based on the customer’s industry, company requirements, regulations, and risk profile.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Emily Lowe, Corporate finance Attorney, Morgan Lewis
Of Counsel

Emily R. Lowe represents clients in commercial transactions, with a focus on the acquisition, use, protection, development, and commercialization of technology and biotechnology. Emily helps domestic and international companies commercialize their products through various commercial vehicles, including manufacturing and supply agreements and distribution strategies, and development and licensing agreements.

Glen Rectenwald, Morgan Lewis, Technology Attorney

Glen W. Rectenwald focuses his practice on technology, outsourcing, and commercial transactions. He regularly assists a broad range of clients with development, licensing, and distribution agreements; strategic alliances and joint ventures; manufacturing and supply agreements; complex outsourcing and strategic commercial transactions; and general commercial matters. Glen’s experience also includes mergers and acquisitions, private equity, venture capital, and general corporate matters.