Should cloud contracts cover client responsibilities?

The main focus of a cloud computing contract is on vendor responsibilities, but it's appropriate to consider what the client remains responsible for

When I was a guest on CIO Talk Radio earlier this month, a question came up about which client responsibilities are appropriate to include in a cloud computing contract. It's a good question, and one that I haven't really talked about here, since most of my Computerworld columns have focused on vendor responsibilities that you should codify in the contract.

So what are some client responsibilities that are reasonably addressed in a cloud computing contract? While they vary depending on the type of cloud service and the use case, the most common examples involve client IT governance, including the following:

Client Access

When choosing a cloud provider, it's important to follow best practices in determining that the vendor's security practices align with your needs. But that's only one side of the security coin.

As with most things in IT, access to a cloud service typically requires a login ID and password. When a client enterprise acquires a cloud service, it should be the client's responsibility to determine which end users should be given access. But to thoroughly address this responsibility, the client should also define when access should be taken away from a user -- for example, upon separation from employment or upon a change in duties or responsibilities.
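One way to operationalize the client-side access decisions above is a periodic reconciliation of the service's user list against the HR roster. The following is an added example, not code from the column or from any vendor; the roster, account list, entitled roles and dates are all constructed for illustration, and a real run would pull the roster from HR and the user list from the service's administrative interface.

```python
"""Access-lifecycle reconciliation for a cloud (SaaS) service.

Flags every service account that the client should disable, using the
triggers the column names (separation from employment, change in duties)
plus two checks practitioners usually add: accounts with no matching
employee record, and accounts that have gone dormant.
All input data below is constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    separated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class ServiceAccount:
    user_id: str
    last_login: Optional[date]  # None if the account has never been used


# Roles the client has approved for this service. The set is a governance
# decision the contract can reference; these values are constructed.
ENTITLED_ROLES = {"finance-analyst", "finance-manager"}


def accounts_to_revoke(employees: Iterable[Employee],
                       accounts: Iterable[ServiceAccount],
                       today: date,
                       dormant_days: int = 90) -> Dict[str, str]:
    """Return {user_id: reason} for each account that should be disabled."""
    roster = {e.user_id: e for e in employees}
    findings: Dict[str, str] = {}
    for acct in accounts:
        emp = roster.get(acct.user_id)
        if emp is None:
            # Nobody in HR owns this login: orphaned or shared account.
            findings[acct.user_id] = "no matching employee record"
        elif emp.separated_on is not None and emp.separated_on <= today:
            findings[acct.user_id] = f"separated on {emp.separated_on.isoformat()}"
        elif emp.role not in ENTITLED_ROLES:
            # Still employed, but duties changed and the role no longer qualifies.
            findings[acct.user_id] = f"role '{emp.role}' not entitled"
        elif acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings[acct.user_id] = f"no login in {dormant_days} days"
    return findings


# Constructed sample data (dates chosen to match the column's 2012 timeframe).
EMPLOYEES = [
    Employee("alice", "finance-analyst", None),
    Employee("bob", "finance-manager", date(2012, 6, 15)),    # left the company
    Employee("carol", "marketing-coordinator", None),         # moved out of finance
    Employee("dave", "finance-analyst", None),
]
ACCOUNTS = [
    ServiceAccount("alice", date(2012, 6, 28)),
    ServiceAccount("bob", date(2012, 6, 10)),
    ServiceAccount("carol", date(2012, 6, 27)),
    ServiceAccount("dave", date(2012, 2, 1)),                 # dormant for ~150 days
    ServiceAccount("contractor9", date(2012, 6, 29)),         # not on the roster
]
AS_OF = date(2012, 6, 30)


def sample_findings() -> Dict[str, str]:
    """Run the reconciliation over the constructed data."""
    return accounts_to_revoke(EMPLOYEES, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for uid, why in sorted(sample_findings().items()):
        print(f"{uid}: {why}")
```

Running the script lists bob (separated), carol (role change), dave (dormant) and contractor9 (no HR record), while alice's account is left alone. The useful design point is that the triggers are expressed as data the client controls (roster, entitled roles, dormancy window), which is exactly what a contract clause on client access governance can point to.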

Password Security

Responsibility for the security of each individual login ID and password lies with the client's end users. The recent alleged hack of Mitt Romney's email and Dropbox passwords, in which the hacker was able to easily answer "secret" security challenges and gain access, illustrates the risks. Even though there are many commonly available best practices in password security and widely publicized examples of these hacks (Romney might have done well to remember a similar hack against Sarah Palin a few years ago), human nature tends to make it difficult to maintain focus on these efforts, so diligence is necessary.

This isn't to say that cloud vendors don't retain some responsibilities related to password security. Because the cloud is a new and evolving market, vendors focused on growth can neglect security basics. For a quick primer on what not to do, read about the recent LinkedIn breach, which provided hackers with the passwords of over 6 million LinkedIn users.

In an initial evaluation of a cloud service, you try to project the use case. You think about the business criticality of the function being moved to the cloud and the type of data that would be processed or stored by the cloud service. Ideally, though, once the cloud service is operational, it takes off with your end users who begin to think of all kinds of ways to use the service that may not have been factored into your initial evaluation.

There's a good chance that these new uses involve new categories of data that may be subject to other regulations and/or security requirements. If so, they may not align with your initial risk assessment of the cloud vendor's infrastructure and security. To protect against this, the client's IT governance processes should include end-user training regarding the appropriate use of the cloud service (purposes, data type, etc.), as well as how to formally evaluate and communicate approved changes as use cases evolve.

Shared Responsibilities

The service model (infrastructure as a service, platform as a service, software as a service) of the cloud service that you adopt will also have an impact on your responsibilities. With IaaS, for example, the client tends to have more responsibilities, because the vendor typically provides only the raw, underlying computing infrastructure.

Under the IaaS model, the client is expected to assume responsibility for selection and management of everything that runs on top of that raw infrastructure, including the operating system and associated updates and patches, applications software, and some security configuration such as firewalls. In some cases, such as with Amazon Web Services, the client may also have the ability, and associated responsibility, to select the geographic location of the vendor data center storing or processing the client's data.

As I said, these are just some of the areas that the client can appropriately take responsibility for in a cloud computing contract. Understanding which client responsibilities are appropriate to include in the contract, as well as how the client can most effectively fulfill those responsibilities, remains an important element in the effective adoption of a cloud computing service.

Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit
