A few years back, companies were worried about the
ramifications of placing all their pertinent data in the cloud, such as how
they would get the data back out, which is why only some discrete parts of
storage infrastructure and systems were moved to the cloud. Several years later,
for cost as well as other reasons, the trend is for companies to shift
to wholesale replacement of services, moving them to the
cloud with the help of a reliable cloud provider. As more services and software
are now provided in the cloud, it is essential to know the responsibilities of
every party and how risk is allocated between them.
The Shared Responsibility
In general, today’s cloud service agreements use a
shared responsibility model: the allocation of responsibilities
between the customer and the cloud provider. Problems arise when either
the cloud service agreements have been used for several business services and
units with no clear understanding of the customer’s responsibilities for
the specific data they move to the cloud, or a customer doesn’t
understand that it has its own unique responsibilities in relation to the
data.
The Risk Allocation
In general, the provider is responsible for the
cloud’s infrastructure, or the physical security of the cloud environment. The
customer, on the other hand, is basically responsible for data protection, such
as encryption, network security, and access management.
Most providers are usually agnostic to the kind of data,
since the cost model doesn’t support preferring one kind of data
over another as far as security is concerned. The customer is the one responsible
for determining whether the provider’s physical security parameters meet the
customer’s needs.
What is Usually Missing in the Contract?
The details of responsibilities and roles, the
communications and notifications for every stage, and clear
standards of security are usually missing from the contracts. It is common for a
cloud provider to publish its responsibilities and standards for compliance
with specific industry regulations, workflows, and security processes. However,
it is a must to know the applicable standards and parameters of security, so ask
if these are not readily available.
The Takeaway
Before entering into a cloud service agreement with any
cloud provider or moving additional data to an existing cloud environment, a
customer must first have a clear understanding of the responsibilities and
roles of both parties. The customer must make sure that its own security team
first reviews the security procedures, protocols, and policies to better
understand the responsibilities, and confirms that the security standards of the
cloud provider and the notification obligations are acceptable
according to the customer’s company requirements, risk profile, regulations,
and industry.
Make sure you talk with your chosen cloud provider regarding
all the contents of your service agreements to ensure that you will be getting
exactly what you need and what you pay for.
For more information please follow us here telkomtelstra.co.id/en/insights/blogs/238-key-to-a-flexible-private-cloud-platform.html