Not that long ago, companies were concerned about the ramifications of putting all their data in a cloud, including how they would get that data out, so only certain discrete aspects of systems and storage infrastructure were being moved to the cloud. Fast forward a few years and, for cost and other reasons, the current trend is for companies to make wholesale replacements of services and move those services to the cloud. With more software and services being offered in the cloud, it’s important to understand the responsibilities of each party and the risk allocation between them.
Cloud services agreements generally employ a “shared responsibility model,” which is an allocation of responsibilities between the cloud provider and the customer. Issues arise either when cloud services agreements are used for multiple business units and services without a clear understanding of the customer’s responsibilities with respect to the data it is moving to the cloud, or when the customer does not understand that it has its own distinct responsibilities with respect to its data.
Customer: The customer is generally responsible for the protection of its data (i.e., access management, network security, and encryption).
Provider: The provider is generally responsible for the infrastructure of the cloud (i.e., the physical security of its cloud environment).
Providers are generally agnostic to the type of data because the cost model does not support a preference for one type of data over another in terms of security. The customer is responsible for determining whether the provider’s physical security parameters meet the customer’s needs.
Details regarding roles and responsibilities, as well as notifications and communications for each stage, and clear security standards are oftentimes missing from contracts. Some cloud providers publish their standards and responsibilities for compliance with certain industry regulations, security processes, and workflows (e.g., who is responsible for what aspects of incident response in the cloud?), but it’s important to know the applicable security parameters and standards, so ask if they’re not readily available.
Prior to entering into cloud services agreements and/or moving additional data to existing cloud environments, the customer should have a clear understanding of the roles and responsibilities of the parties. The customer should have its security team review the security policies, procedures, and protocols in order to understand its responsibilities, and confirm the cloud provider’s security standards and notification obligations are acceptable based on the customer’s industry, company requirements, regulations, and risk profile.
Copyright © 2024 by Morgan, Lewis & Bockius LLP. All Rights Reserved.
Copyright ©2024 National Law Forum, LLC