In the cloud: sharing is caring
Suppliers getting savvy about legal requirements
Published 21:42, 24 May 11
At Accenture we are refreshing our Cloud Security & Data Privacy point of view. It’s been 2 years since we advocated ‘more caution,’ ‘less action’ in public cloud computing.
Today, we are more optimistic and more realistic about the road ahead.
As a co-author of both points of view, here are some observations of what has changed the sentiment:
- We've moved away from a lot of the red-herring topics that can distract from the more significant issues
- Cloud providers have done a good job plowing the field and helping organizations get a good "feeling" about security and privacy
- Cloud providers are now willing to change standard contracting positions and are acknowledging that data owners remain responsible for the acts and omissions of their service providers
- We are seeing a move away from a take or leave approach to security and compliance on the part of cloud provider offerings
One of those steps is to realise that you must learn to share responsibility and risk. Clarifying the roles of the data owner, cloud provider (and system integrator, if applicable) in delivering legally compliant solutions is crucial.
From a legal perspective, there is no clear division of labour between the cloud provider, an application manager (or system integrator), and the data owner. The law only cares that certain things get done and makes the data owner responsible for causing them to be done—it does not care who actually does them.
Unfortunately, many data owners and cloud providers have misperceptions of their responsibilities that hinder the evolution of a secure and compliant cloud solution. That division of labour varies by the cloud service model. Some requirements will be in the span of the cloud providers’ control, others in the tenant’s control.
For example, perhaps there is business continuity or disaster recovery capability that does not ship “standard”, but can be designed-in as a separate data centre or a dedicated backup tape solution. The irony is that plenty of security and compliance capabilities exist today, but cloud providers have not considered how to use these capabilities to meet customer needs.
Cloud providers now acknowledge their role in supporting their clients’ legal compliance and the savvy ones are agreeing to "signing" the contracts that allow their clients to meet their obligations.
Stay tuned for the refreshed point of view. You can contact me, or visit Accenture.com
Posted by Walid Negm, Director Cloud and Cyber Security Offerings, Accenture