Providing cloud services involves many stakeholders, including but not limited to cloud providers, governments, and enterprise customers, working together. As a result, these parties must also cooperate to ensure the surety (security, robustness, and resilience) of those services. However, as cloud services, business models, and contracting have evolved, it has become increasingly difficult to identify who is responsible for what. This section provides a series of templates that can serve as a starting point for these stakeholders, as well as others such as managed security service providers [3] and insurers, to begin identifying and dividing these responsibilities.
Clearly dividing responsibilities has obvious benefits for cloud providers and their enterprise customers, who can avoid confusion and disputes with one another in the event of a cloud incident. It can particularly benefit smaller customers of cloud services, who may lack the knowledge and power to shape the allocation of responsibility when negotiating contracts with their cloud providers. Larger enterprise customers may have chief technology officers and legal teams to help steer contract negotiations, but they may nevertheless face power asymmetries with cloud providers that stem from unfamiliarity with cloud computing technology or the broader cloud services landscape, which these templates could help offset.
These templates draw on our analysis of how major cloud providers currently divide such responsibilities. [4] That analysis reveals considerable variation on three issues:
Moreover, providers’ published models for dividing responsibility do not identify a clear role for governments (for example, in attribution, response to state or state-sponsored attacks, whole-of-system cyber risk management, and so on). However, in practice, cloud providers and their customers increasingly recognize that there is a need to clearly define the role of governments in supporting cloud surety, beyond cases wherein cloud incidents threaten government services or critical infrastructure.
The current state of uncertainty and tension has created a patchwork of individual efforts and unclear expectations of stakeholder roles and responsibilities, especially on issues where government participation is welcomed or necessary. Such complexities point to the need for new approaches that focus on building and sustaining trust among stakeholders. [5] With this in mind, we have developed an approach to outlining the division of roles and responsibilities among all three stakeholders (governments, cloud providers, and their customers), illustrated in the following three templates.
[1] Brad Smith, "A moment of reckoning: the need for a strong and global cybersecurity response," Microsoft, 17 December 2020, https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
[2] Through force majeure clauses, cloud providers have limited what their service level agreements (SLAs) cover with respect to threat vectors that are "out of their control" (for example, war, acts of terrorism, and natural disasters). This complicates efforts to determine how the various stakeholders should take measures to safeguard against, and address the consequences of, incidents arising from such circumstances.
[3] For a definition of this term, see this project's lexicon: https://cloud.carnegieendowment.org/about/lexicon/
[4] We conducted a review of the shared responsibility models made publicly available by IBM, Google, Microsoft, Amazon, Oracle, and Alibaba, which illustrated how several of the most prominent providers are approaching this issue.
[5] Such as the approach recently advanced by Google, which proposes that customers move from a model of central ownership and management of control processes ("confidence through organizational hierarchy") to one in which control is federated across the wider organization and observed through data ("confidence through control observability"). See Office of the CISO, "Risk Governance of Digital Transformation in the Cloud: A Guide for Chief Risk Officers, Chief Compliance Officers and Heads of Internal Audit," Google, April 2021, https://services.google.com/fh/files/misc/risk-governance-of-digital-transformation.pdf