Like it or not, cloud computing has fundamentally altered the commercial relationship between organizations and information technology (IT) providers. Businesses—and even the federal government—are no longer architecting data centers, or storing data on servers in the basement or a closet. Rather, the majority of businesses today are somewhere along the path of cloud migration; some wading in cautiously with just a few software applications and others, especially new businesses, going “cloud native” from the start.
The big cloud service providers (CSPs) offer everything from basic computer essentials like processing power, storage space and networking, to a huge and relentlessly growing catalog of other services providing “cutting-edge” technologies e.g., artificial intelligence, voice control, and “serverless” computing (aka “Function-as-a-Service”). The capabilities these services offer thus enabled to automate and deploy rapid and cost-effective scaling, in sync with data flows and demands, as well as the potential security benefits, makes the risk and cost of following the “on-prem” model (short for the on-premises, traditional model of capital investment in IT infrastructure) much less palatable than the alternative of on-demand, pay-per-use services from technology giants like Amazon Web Services (AWS) or Microsoft Azure (Azure). While Azure is giving chase to AWS, achieving astounding growth by leveraging Microsoft’s historically embedded relationships with enterprise customers, AWS is the leading CSP in global market share by a margin that seems insurmountable for the foreseeable future. Accordingly, the discussion below focuses on AWS as the originator and leader in the category of enterprise CSPs.
The advent of cloud computing triggered a tidal wave of legal discourse, flooding professional channels in the form of CLEs, ethics opinions, and law review articles. Prominently, this discourse featured recommendations to obtain contractual assurances regarding cybersecurity, avoid vendor lock-in, reserve audit rights, and secure indemnification. Meanwhile, the dominant CSPs have propagated standard terms and conditions, i.e., “facts on the ground,” that have not received attention from legal pundits.
A key feature of these contracts is the allocation of responsibility for cybersecurity between provider and customer. CSPs call this the “shared responsibility model”—a position on security risk allocation that receives scant attention from counsel. A recent report on a survey of chief information security officers (CISOs), the Oracle and KPMG Cloud Threat Report 2019, indicates high levels of confusion about who is responsible for what, even stating that “[c]onfusion around the shared responsibility security model has resulted in cybersecurity incidents … [a] lack of clarity on this foundational cloud security construct has had real consequences for many enterprises, including the introduction of malware and loss of data.”
As the authors of the report states, “[p]erhaps most concerning is that those who should be most knowledgeable about the shared responsibility model are not.” Counsel should be at least as knowledgeable as CISOs, given the legal risk involved in cybersecurity, if customers and clients are to have a chance of understanding, evaluating, and addressing the integrated security and legal risks they accept by following the global migration of enterprise IT to the cloud.
Defining ‘Shared Responsibility’
According to AWS, cloud security risk allocation boils down to this mantra: the CSP is responsible for security “of” the cloud, the customer for security “in” the cloud. It sounds painfully simple, but what does it mean? One explanation AWS provides is that it assumes responsibility for the underlying infrastructure, while the customer is responsible for what they put in the cloud or connect to the cloud. If only reality were that straightforward. “Infrastructure” simply does not describe the vast AWS menu of offerings, which includes hundreds of variations of services involving AWS software, systems, applications, functionality, and more.
AWS may realize that the “in/of” mantra does not sufficiently explain its position on security risk allocation, judging from the volumes of AWS material elaborating on it. In marked contrast to the simplicity of the “in/of” rule, this commentary indicates, inter alia, that the delineation of cybersecurity responsibilities varies by service (remember, there are many, many, many AWS services). For illustrative purposes, AWS diagrams different services with depictions of the IT components involved, filling areas of responsibility for the customer and AWS in different colors. (Space constraints do not allow reproduction, but a Google image search for “AWS shared responsibility model” will provide enough examples to satisfy even the most curious.)
Alas, these information materials may not enlighten most lawyers, especially those not already familiar with enterprise cloud services. Presumably, lawyers would be more comfortable reading contracts. Perhaps the AWS Customer Service Agreement (the AWS Agreement) clarifies the boundaries? In the AWS Agreement, the CSP undertakes to “implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.” See AWS Customer Service Agreement at 3.1. Alas, there is no further definition of either “reasonable” or “appropriate.”
Moreover, the AWS Agreement is for services “as is,” expressly disclaiming all warranties and making no representations of any kind. Id. at §10. Conversely, customers undertake responsibility for all activities that occur under the customer’s account (including, e.g., proper configuration to secure, protect, and backup content). AWS is expressly “not responsible for unauthorized access,” to a customer’s account. Id. at §4. Indemnification turns out to be a one-way street, with the customer assuming the obligation to indemnify AWS. The “shared” part of the responsibility model appears to be AWOL.
Bargaining Power and Alternatives
While there are always exceptions, generally customers do not have leverage to extract custom deviations from standard terms by tough negotiating with Amazon. AWS customers who identify security risk allocation as an issue and seek to hedge against associated legal exposure can turn to an AWS-approved “partner.” These partners, traditional resellers or managed service providers who negotiate terms directly with their customers, for a variety of reasons (e.g., they really want the business), may be willing to assume more risk. The kind of situation where this occurs is illustrated by AWS government customers operating under statutory prohibitions against indemnification. Even here, Amazon does not negotiate directly with the agency to change or delete the indemnification provision. Instead, it refers the agency to a partner who may waive the indemnification provision and assume the risk.
If they are to have a clear picture of where the risks lie in cloud migration, clients need lawyers who understand the specific cloud computing services they are using or considering and the corresponding implications for potential legal liability under the “shared responsibility model.” The latter involves not only careful analysis of CSP statements elucidating which party is responsible for security of what information assets, but also how or whether the client/customer is prepared to meet their “share” of the associated security requirements in light of the client’s enterprise cybersecurity program and the relevant client information assets interacting with the specific cloud services in question. As a logical prerequisite, counsel should have a firm foundation in cloud cybersecurity more broadly, as well as the client’s IT environment. Depending on the level of risk or sensitivity assigned to the information assets moving to the cloud or impacted by such a move, a CSP’s standard terms could represent an unacceptable risk, suggesting that consideration of TPSP engagement might be appropriate.
In many ways, the problem involved with assessing and addressing fair allocation of cybersecurity responsibilities, in a new kind of commercial relationship with interactive, interconnected and interdependent IT products and services, reflects the need for lawyers to evolve if they aspire to competently serve enterprise clients. Cloud computing is quickly absorbing enterprise IT, and cybersecurity is an inherent issue in any category of IT. Moreover, legal risk is inherent to cybersecurity, especially where contractual and other sources of legal standards are defined by words like “reasonable.”
At this time, no corpus of jurisprudence directly or clearly guides our understanding of how courts are likely to allocate legal responsibility for cybersecurity under the “shared responsibility model” (or any other particular cloud computing model or contract). But these issues are not likely to escape notice and attention from lawyers and jurists much longer, because enterprise cloud computing is becoming ubiquitous. Unfortunately, it is inevitable that security incidents will trigger disputes between customers and CSPs as to where responsibility lies—and equally inevitable that not all such disputes will be amicably resolved.
Adam Cohen is a partner of Redgrave LLP and certified cloud security professional whose practice focuses on cybersecurity, data privacy, electronic discovery, and information governance. Ambre McLaughlin, counsel at the firm, focuses on transactional and litigation matters involving information technology with a particular emphasis on cloud computing initiatives at the enterprise level.