Data Security and Control in the Cloud: Third-Party Providers and the Shared Responsibility Model
Although it appears relatively seamless (and perhaps beneficial) to the end user, the shift to the cloud brings a seismic change in terms of ownership of the technology components and ultimate control of the data.
From a legal perspective, though, the cloud introduces a unique shared responsibility model that many businesses are only now coming to appreciate—specifically, although the cloud provider may house the data and provide functionality for access and data security, the legal obligations remain the responsibility of the business procuring these services.
In fact, for the two most important security controls—access and data—responsibility rests wholly with the business procuring the service.
Comparison with Traditional Models
In the shared responsibility model, the customer company does not have full dominion over its software, hardware, and threat landscape. It connects to resources within the cloud model, and its data is stored on someone else’s servers. A business’s most sensitive data may be transferred to and stored by thousands of different cloud providers. Each provider has unique processes and functionality, and they are typically designed for mass use rather than bespoke to a specific customer’s needs.
There are a variety of types of cloud computing services, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). For simplicity, this article refers to all cloud computing models as “the cloud”; however, appropriate controls may depend on the model and type of technology. This means that, in order to assess, implement, and manage appropriate controls, a business must conduct an individualized assessment of each cloud provider. In effect, the shared responsibility model is a decentralized model that requires customization for each cloud service used by the business.
This shared responsibility model is a fundamentally different approach from the traditional on-premises environment, which allows for more centralized control over people, processes, and technology. When computing was “on-prem,” everything from desktop machines to server farms was hosted, managed, and controlled by the IT group employed by the business. That centralized infrastructure could support standardized approaches to data and access controls that could be pushed out across the entire infrastructure. Legal and risk management teams could approve, and rely on, a standardized, principles-based approach to access and data controls.
At the same time, data profiles are increasing, not only in size, but also in risk. The risk comes from all fronts: business-critical and confidential data; business operational data; personal information; and, in some cases, regulated information. These changes, coupled with a rapidly developing legal landscape, have ushered in the reality of the shared responsibility model.
Too few businesses adequately address the risk under this shared responsibility model, leading to data misuse, destruction, and theft—and exposing the business to the risk of regulatory, operational, and reputational harm.
Legal Framework and Responsibility
Virtually all modern privacy and security regulatory frameworks—and the sometimes hazy legal concept of “reasonable security”—require the business to understand the data it holds and assure appropriate security around that data.
Specific obligations to ensure the security of a business’s data arise, depending on the sector and jurisdictions, from statutes including New York Department of Financial Services Part 500 (N.Y. Comp. Codes R. & Regs. tit. 23, pt. 500); the New York SHIELD Act (N.Y. Gen. Bus. Law §899-bb); the Health Insurance Portability and Accountability Act Security Rule (45 C.F.R. §164.306); the Gramm-Leach-Bliley Act Safeguards Rule (16 C.F.R. pt. 314); and the Massachusetts Standards for the Protection of Personal Information (201 Mass. Code Regs. §17.00). Although these statutes decline to specify the security measures that must be implemented in a covered business’s security infrastructure, each statute requires an assessment of the sensitivity of the data held by the business and the scope of the business’s operations.
Compliant security programs under these regimes have physical, technical, and administrative safeguards in place that are sufficient to protect against anticipated threats to the business’s data. In the shared responsibility model, this obligation requires businesses covered by these laws to think critically about their use of cloud services to store their data, and to conduct thorough diligence regarding the safeguards in place at their chosen cloud service providers.
Take, for example, the employee data commonly found in HR departments. Most businesses hold all the common identifiers for employees—name, address, date of birth, Social Security Number, former addresses and workplaces, driver’s license numbers, passports, family or relationship data, and the administration of benefits like healthcare and life insurance. These data points may or may not be protected by comprehensive data privacy legislation, but any incident involving those types of data is going to be covered by every data breach notification law—many of which include the requirement to have some sort of “reasonable security.”
Too many businesses have fallen into the pitfall of thinking that the cloud provider takes responsibility for securing the data and complying with the legal obligations outlined above. It is true that in the cloud environment the provider bears some responsibility for security, but that responsibility covers the security of the physical infrastructure, network security, and (in the case of SaaS) software security. In all models, the cloud provider’s security responsibility stops at access and data. This raises the question of why a cloud provider cannot adequately protect a business’s data, and what the business must do to address the gaps.
First, the legal obligations reside with the business that collected the data from the person who ultimately owns it, made the required legal disclosures, and chose the cloud provider (processor) to host and display that data. The provider may create a user-friendly display that encouraged the business to subscribe to the software, but the provider has no insight into the data and, in any event, is often required by statute to act at the customer business’s direction.
Second, the cloud provider cannot know which data is most sensitive to the business or which employees should be accessing any given dataset. Only the business that selected the provider and transferred the data to the provider can evaluate its own data risk and employee, contractor, or partner base, and then assign access rights to the data. Controlling access, like controlling data collection, reduces risk.
Practical Considerations
Tasked with responsibility for understanding the risk each data collection imposes and providing reasonable security for the data, how does a business find a comfort level when that data is wholly outside of its environment and instead controlled in a cloud environment? A business can implement several key controls to manage risk in a shared responsibility model:
Contractual terms. Although a business cannot contract away its legal responsibilities, a business can work to achieve the maximum protections available. When a business engages a cloud provider to help store, manage, and display its data, legal and procurement teams should carefully read and understand the terms of use, whether incorporated into the contract directly or by reference.
Commonly, the terms of use will contain boilerplate “reasonable security” obligations that the cloud provider must adhere to; will absolve the provider of any liability for the customer’s data, including unauthorized access or alterations to the data; and will be silent or disclaim breach obligations that are not statutorily mandated.
Where possible, the customer business should negotiate appropriate liability provisions and provide specified terms for implemented security measures and the allocation of costs and responsibilities in the event of a breach.
Data categorization and identification. Not all data risk is created equal. Understanding the business’s data and data risk profile, categorizing data risk, and establishing standards for each type of data risk that can be applied when evaluating cloud services can make managing the plethora of cloud providers less daunting. For example, personal data carries the broadest and most stringent legal requirements. Business confidential or material nonpublic information (MNPI) may carry fewer legal requirements but carry high monetary, operational, or reputational risk. Other types of data may be low (or no) risk, requiring less legal scrutiny prior to contracting or implementation.
Identity management. Strong identity management is crucial to ensuring appropriate data security. This includes assigning unique identifiers to each user, prohibiting reuse of identities, tracking user access by unique identifier, and deploying strict controls for approving access. It is surprising how often businesses do not implement strong identity management protocols.
Access controls. Risks around data misuse and theft arise from two sources: cybercriminals outside the business and cybercriminals inside (or recently departed from) the business. This comes down to access controls—who has access, what level of access they have, and what security and controls have been enabled. Solid password controls, access permissions and restrictions, auditable trails, and enabling or requiring features like multifactor authentication (MFA) for access can all aid in preventing data misuse and theft.
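The identity management and access control points above can be turned into checks a business runs against the user inventory and access logs its cloud providers export. The following script is an added example, not code from the article or from any provider; the tenant data it runs on is constructed inline, and the field names (`id`, `mfa`, `roles`, `allowed_roles`) are assumptions about what such an export might contain. It flags reused identifiers (which make an audit trail ambiguous), active accounts without MFA, access events that cannot be attributed to a known unique identifier, and access to a dataset by a user whose roles do not permit it, with the dataset’s risk category carried along so that findings on personal data stand out.

```python
"""Audit of identity and access controls over a constructed cloud-tenant export.

Added example for illustration; the data below is constructed and the field
names are assumptions, not a real provider's export format.
"""
from collections import Counter

# Constructed user inventory for a hypothetical SaaS tenant.
# Note the identifier u-1003 appears twice: a deactivated account and a new
# one that was given the same identifier, which the article's guidance forbids.
USERS = [
    {"id": "u-1001", "name": "Alice", "active": True,  "mfa": True,  "roles": {"hr-admin"}},
    {"id": "u-1002", "name": "Bob",   "active": True,  "mfa": False, "roles": {"hr-viewer"}},
    {"id": "u-1003", "name": "Carol", "active": False, "mfa": True,  "roles": {"hr-admin"}},
    {"id": "u-1003", "name": "Dave",  "active": True,  "mfa": True,  "roles": {"finance"}},
]

# Constructed data categorization: each dataset carries a risk category and
# the roles permitted to access it (the "standards for each type of data risk").
DATASETS = {
    "employee_ssn":   {"category": "personal", "allowed_roles": {"hr-admin"}},
    "cafeteria_menu": {"category": "low",      "allowed_roles": {"hr-admin", "hr-viewer", "finance"}},
}

# Constructed access events as a provider's audit log might report them.
ACCESS_LOG = [
    {"user": "u-1001", "dataset": "employee_ssn"},
    {"user": "u-1002", "dataset": "employee_ssn"},    # viewer role reading SSNs
    {"user": "u-1003", "dataset": "employee_ssn"},    # which u-1003?
    {"user": "",       "dataset": "cafeteria_menu"},  # no identifier recorded
    {"user": "u-1001", "dataset": "cafeteria_menu"},
]


def audit_identities(users):
    """Return findings for reused identifiers and active accounts without MFA."""
    findings = []
    counts = Counter(u["id"] for u in users)
    for uid, n in sorted(counts.items()):
        if n > 1:
            findings.append(f"identifier {uid} is assigned to {n} accounts (reused identity)")
    for u in users:
        if u["active"] and not u["mfa"]:
            findings.append(f"{u['id']} is active without MFA")
    return findings


def audit_access(users, datasets, log):
    """Return findings for unattributable, ambiguous, or unpermitted access events."""
    counts = Counter(u["id"] for u in users)
    # Only an identifier held by exactly one account can attribute an event.
    roles_by_id = {u["id"]: u["roles"] for u in users if counts[u["id"]] == 1}
    findings = []
    for ev in log:
        uid, ds = ev["user"], ev["dataset"]
        category = datasets[ds]["category"]
        if uid not in counts:
            findings.append(f"event on {ds} cannot be attributed to a known identifier ({uid!r})")
        elif counts[uid] > 1:
            findings.append(f"event on {ds} by {uid} is ambiguous: identifier shared by {counts[uid]} accounts")
        elif not (roles_by_id[uid] & datasets[ds]["allowed_roles"]):
            findings.append(f"{uid} accessed {ds} ({category} data) without a permitted role")
    return findings


if __name__ == "__main__":
    for finding in audit_identities(USERS) + audit_access(USERS, DATASETS, ACCESS_LOG):
        print("FINDING:", finding)
```

Run as a script, the example reports two identity findings (the reused `u-1003` identifier and `u-1002` without MFA) and three access findings (a viewer reading personal data, an event that cannot be pinned to one account because its identifier was reused, and an event with no identifier at all). The design point is that the last two findings are only detectable because unique identifiers are enforced first; without that, the access log cannot serve as an auditable trail.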
Lifecycle management. One of the benefits of cloud technology is that it can and does change rapidly to accommodate business needs. One of the downsides of cloud technology is that it can and does change rapidly without regard for the impact on the customers’ legal obligations. It is important to assign IT personnel to monitor changes to cloud technology and assess the impact those changes may have, not only on operations, but also on access and data security controls.
Understanding and protecting data from unlawful access, misuse, and theft is the fundamental responsibility of the organization that seeks and collects the data in the first place. While it may be cost-effective, efficient, and supremely convenient to engage a cloud provider to manage critical and sensitive data, it remains incumbent on the business to manage and secure that data according to its risk profile.
Catherine Castaldo is a counsel with Reed Smith’s tech & data practice, and Therese Craparo is a partner with the tech & data and records & e-discovery practices. Christine R. Gartland is an associate with the tech & data group. All are based in New York.
From: New York Law Journal