Understanding the Shared Responsibility Model in Cloud Services Agreements
Not that long ago, companies were concerned about the ramifications of putting all their data in a cloud, including how they would get that data out, so only certain discrete aspects of systems and storage infrastructure were being moved to the cloud. Fast forward a few years and, for cost and other reasons, the current trend is for companies to make wholesale replacements of services and move those services to the cloud. With more software and services being offered in the cloud, it’s important to understand the responsibilities of each party and the risk allocation between them.
Cloud services agreements generally employ a “shared responsibility model,” which is an allocation of responsibilities between the cloud provider and the customer. Issues arise when either cloud services agreements are used for multiple business units and services without a clear understanding of the responsibilities of the customer with respect to the data they’re moving to the cloud, or the customer does not understand that it has its own distinct responsibilities with respect to its data.
Customer: The customer is generally responsible for the protection of its data (i.e., access management, network security, and encryption).
Provider: The provider is generally responsible for the infrastructure of the cloud (i.e., the physical security of its cloud environment).
Providers are generally agnostic to the type of data because the cost model does not support a preference for one type of data over another in terms of security. The customer is responsible for determining whether the provider’s physical security parameters meet the customer’s needs.
What's Often Missing from the Contract?
Details regarding roles and responsibilities, as well as notifications and communications for each stage, and clear security standards are oftentimes missing from contracts. Some cloud providers publish their standards and responsibilities for compliance with certain industry regulations, security processes, and workflows (e.g., who is responsible for what aspects of incident response in the cloud?), but it’s important to know the applicable security parameters and standards, so ask if they’re not readily available.
Prior to entering into cloud services agreements and/or moving additional data to existing cloud environments, the customer should have a clear understanding of the roles and responsibilities of the parties. The customer should have its security team review the security policies, procedures, and protocols in order to understand its responsibilities, and confirm the cloud provider’s security standards and notification obligations are acceptable based on the customer’s industry, company requirements, regulations, and risk profile.