Cloud Security and Contractual Responsibility

By Dewight Kramer, information security consultant, UC Davis.  This last year it has been my pleasure to work closely with the university’s procurement department in an advising capacity to review the contracts, and especially the Data Security and Privacy appendix, with IT services. The negotiations with these small cloud service vendors (usually including the CEO, CISO, and legal team) often uncover disagreement on what security measures the vendor is responsible for. I have regularly heard statements like “But you don’t understand, we don’t hold your data, AWS, Salesforce, or Azure does. Therefore, we can’t take responsibility for the university data.” After hours and maybe days of back and forth, we achieve a mutual understanding of their level of responsibility for securing university data.

Why do so many cloud vendors think they do not have security and privacy obligations related to the data the university would be sharing with them? Let’s come back to that question in a moment, but first let’s look at two of the most common rebuttals to the claim that a cloud provider using other cloud providers does not have security and privacy responsibilities.

First, it is true that many cloud service providers (I will call them CSP1) rely on other cloud service providers (CSP2) to deliver their service; but the university’s contract is with CSP1. CSP2 is a third party and is not contractually bound to directly inform the university of an information or data breach. Instead it is the responsibility of CSP1 to ensure it is informed by the third party about a breach and that it, in turn, informs the university.

Second, the cloud service providers that are more mature and operate on an enterprise level, like AWS and Azure, clearly state that they are only responsible for a subset of things related to the security and privacy of information stored in their cloud. For a clear example of this matrix of responsibility please review Azure PCI DSS 3.1 Responsibility Matrix 2016, or the Security Controls Matrix that AWS publishes for NIST 800-53, and 171. It is notable how many of the required controls are the customer’s responsibility. In the case of a cloud service provider (CSP1) using a CSP2 such as AWS, AZURE, SalesForce, etc., as infrastructure or as a platform, much of the security depends on how CSP1 sets up, configures, and manages CSP2. Moreover, CSP2 does not have any control over CSP1’s custom application or service. Thus, CSP1 has a major role and responsibility to protect its customers’ data.

So why do all these cloud service providers initially feel they do not have security and privacy obligations related to the university’s data? I think it is because these smaller cloud service vendors started in what Gartner has coined mode 2 of the bimodal IT environment, and are now transitioning to mode 1. That is, they were on the agile side of the IT environment, developing a proof-of-concept to deal with a new problem or with an old problem in a new way. That’s great, but mode 2 often neglects, by design, the need for security, privacy, interoperability, and a host of other concerns that are required for a mode 1 service, that is, an enterprise solution.

Gartner identifies this transition as one of the key challenges for solutions or companies in mode 2: “Mode-2-created solutions require significant re-engineering to scale up or out, delaying full realization of the new business benefits.” (Gartner, February 17, 2016. “Maturing Bimodal: Five Best Practices to Ease Transitions Between Mode 2 and Mode 1,” by Janelle B. Hill, Bruce Robertson, and David A. Willis.) So these are normal growing pains as a service moves from being agile to enterprise based.

According to the 2015 Q4 Cloud Adoption and Risk Report by the cloud information security company, Skyhigh, Across over 16,000 cloud services in use today, only 8.1% meet the strict data security and privacy requirements of enterprises… I believe it is beneficial to the university to understand the difference between mode 2 and mode 1 so it may engage the cloud service vendors appropriately and effectively. By doing so, the university both will increase the maturity of the cloud services and improve the overall posture of how we handle data.

Photo credit: © Flynt |

Comment (1)

  1. Michael Ochoa

    As of 10/18/16, the California State Department of Technology has nearly completed a system wide master agreement with UCOP which adopts the UCOP Data Security and Breach Policy as discussed here.

    For details, please contact Michael Ochoa, 916-431-4274,, (Southern California) or Cruz Nieto, 916-431-4055,, (Northern California).


Leave a Comment

Your email address will not be published.