Tuesday 27 February 2018

Cloud Provider – What Does the Shared Responsibility Model Mean in Cloud Service Agreements?


A few years back, companies were worried about the ramifications of placing all their pertinent data in the cloud, such as how they would get the data out, which is why only some discrete aspects of storage infrastructure and systems were moved to the cloud. Several years later, for cost as well as other reasons, the trend is for companies to replace services wholesale and move them to the cloud with the help of a reliable cloud provider. As more services and software are now provided in the cloud, it is a must to know the responsibilities of every party and the allocation of risk between them.

The Shared Responsibility
In general, today’s cloud service agreements make use of a shared responsibility model. This is the allocation of responsibilities between the customer and the cloud provider. Problems arise when the cloud service agreements have been used for several business services and units with no clear understanding of the customer’s responsibilities for the specific data being moved to the cloud, or when a customer doesn’t understand that it has its own unique responsibilities in relation to the data.

The Risk Allocation
In general, the provider has the responsibility for the cloud’s infrastructure, or the physical security of the cloud environment. On the other hand, the customer is basically responsible for data protection such as encryption, network security, and access management.

Most providers are usually agnostic to the kind of data, since the cost model doesn’t support a preference for one kind of data over another as far as security is concerned. The customer is the one responsible for determining whether the provider’s physical security parameters meet the customer’s needs.

What is Usually Missing in the Contract?
The details regarding responsibilities and roles, the communications and notifications for every stage, and clear standards of security are usually missing from the contracts. It is common for a cloud provider to publish their responsibilities and standards for compliance with specific industry regulations, workflows, and security processes. However, it is a must to know the applicable standards and parameters of security, even if these are not readily available.

The Takeaway
Before entering into a cloud service agreement with any cloud provider, or moving additional data to an existing cloud environment, a customer must first have a clear understanding of the responsibilities and roles of both parties. The customer must make sure that its own security team first reviews the security procedures, protocols, and policies to better understand the responsibilities and to confirm that the security standards of the cloud provider and the notification obligations are acceptable according to the customer’s company requirements, risk profile, regulations, and industry.

Make sure you talk with your chosen cloud provider regarding all the contents of your service agreements to ensure that you will be getting exactly what you need and what you pay for.

For more information please follow us here telkomtelstra.co.id/en/insights/blogs/238-key-to-a-flexible-private-cloud-platform.html



