Who’s responsible for business risks in the cloud?

As businesses shift ever more data, applications and processes away from their premises, the issue of who’s responsible for what in the cloud is becoming increasingly complex 


The days of carefree cloud usage are over. As service providers’ offerings have evolved, so has the level of complexity. Given the expanding smorgasbord of services offering ever more functionality, keeping a handle on all things cloud is no easy task for business users. More cloud means more obligations, from cybersecurity to regulatory compliance. 

It’s why hyperscalers and other providers have had to wade in. Microsoft and Amazon Web Services have developed shared-responsibility models, while Google has adopted what it calls a shared-fate model. It’s also why many providers have started offering managed services to help clients account for all their various cloud activities.


The idea behind the former type of model is straightforward enough: if a business runs servers on its premises, it’s fully liable for complying with data protection laws and other regulations. If it moves material on to the cloud, such duties increasingly become shared between it and its service provider. Under the shared-fate model, the provider and the customer work together towards an outcome greater than shared profits, building on mutual trust and effort, so that both parties benefit.

Sander Nieuwenhuis is a governance, risk and compliance advisory lead at Nordcloud, a consultancy specialising in cloud computing. He observes that, “because of these models, it needs to be clearly defined who is actually accountable for, say, cybersecurity. Businesses must understand the consequences of the choices they make about these services at a technical level. In the case of security, we usually apply formal frameworks laying out who’s responsible for what. This works well for classic cloud services.”

Nieuwenhuis believes that shared models will oblige businesses to scan for knowledge and accountability gaps and, where any are pinpointed, fill these promptly. 

“Shared responsibility as a concept is well known by our customers working with public clouds, yet the actual impact of that shared responsibility is often not recognised,” he stresses.

How much is a fair share of responsibility?

Good governance models are one thing, but understanding cause and effect when it comes to business decisions about the cloud is another. For instance, it’s easy to start a new cloud application, which is likely to require lots of processing power. But this may have a huge environmental impact that may not have been considered. There can be a disconnect.


Matt Watts, chief technology evangelist at data management specialist NetApp, notes that vendors have started providing “tools to show the true emissions arising from companies’ cloud workloads. Now that these are maturing, it means that both parties can play their part in dealing with cloud growth and climate change. No longer can anyone assume that this is somehow someone else’s issue.” 

Starting a new generative AI application in the cloud also has consequences for a business, presenting tricky questions about data processing, transparency, bias and intellectual property rights. But the overriding message is clear: customers of cloud services cannot outsource all obligations to a third-party provider. They must accept an increasingly predetermined degree of accountability.

“When businesses hold more power because of their use of generative AI, say, it seems reasonable that they should also accept more responsibility,” argues Elle Todd, a partner specialising in data protection regulation at law firm Reed Smith.

Certain factors are raising the expectation of accountability

Another layer of complexity results from the fact that cloud service providers are delivering ever more applications – it’s rarely about data storage alone. Measurement is important here. If you can’t measure it, you can’t manage it, and that in turn makes the assignment of liability harder. But there are data-led tools available, including accountability matrices and dashboards, that can help in this effort.

“Cloud providers have an increasing responsibility as they expand their services,” says Shane Maher, MD at Intelliworx, a specialist in cloud and managed IT services. “They need to ensure the security, reliability and scalability of their infrastructure to meet the demands of businesses.” 

But he adds that their clients “also must step up and be more responsible. They need to understand and then mitigate the risks associated with using cloud services, including cybersecurity, carbon emissions and AI usage. Businesses cannot rely solely on providers for all aspects of responsibility. It has to be a collective effort.”

Education is also key. Using cloud services responsibly is perhaps not quite there as an enterprise-wide skill, but awareness of the issues is increasing. Cloud obligations are being enshrined in law across the EU with the adoption of the European Cloud Initiative and the Digital Operational Resilience Act, both of which have implications for the UK. Regulation will certainly make organisations focus more closely on their obligations in this area.

Can cloud customers benefit from taking more responsibility?

If businesses do get their checklist of obligations in order, they will be in a better position to deploy state-of-the-art services as a point of competitive differentiation. When accountabilities are crystal clear, far more can be achieved, notes Perry Krug, head of developer experience at Couchbase, a cloud database platform developer. 

“With a greater understanding of cloud models and a commitment to the fine print, enterprises can then look to use new types of architecture, such as super-clouds,” he says. “These combine three computing models – infrastructure-as-a-service, platform-as-a-service and software-as-a-service – into one solution.” 

Some people believe that the cloud is much like any other utility, such as water, electricity or the road network: the provider maintains the infrastructure to ensure reliability of service, but consumers are responsible for how they use it. But, in the case of cloud services, the difference is that the infrastructure providers are also the same organisations selling the products that largely determine how consumers will use that infrastructure. When it comes to the cloud, questions of liability may be slightly more nuanced than they first appear, even if shared models succeed in providing some clarity.