Telecom & Tech
Whose Cloud Is It, Anyway?
Security and legal liability for offsite data
By Tracy Barbour
Although businesses are capitalizing on cloud-based solutions to enhance their operations, the interconnectedness of the cloud creates unique security risks. Therefore, companies must implement effective cloud security strategies to protect the sensitive and private data—especially health information, personally identifiable data, and payment card information—they have stored online.

[Photo: Chad Alessi, Computer Task Group]
“Unauthorized access can lead to data breaches, compromising sensitive information and damaging the integrity of the business,” says Chad Alessi, a solutions architect with New York-based Computer Task Group (CTG) who works for the company’s Alaska office remotely from Katy, Texas. “By implementing robust security measures and staying proactive in addressing vulnerabilities, businesses can safeguard their sensitive data, maintain uninterrupted operations, and uphold the trust of their customers and stakeholders.”

Paul Clark, manager of systems engineering at Arctic Information Technology (Arctic IT) in Anchorage, says a lapse in security not only can cost an organization its reputation but can even put a company out of business if it is not prepared. “A ransomware attack that encrypts an entire organization with no viable backups can potentially devastate the entire organization,” Clark says. “Another thing to keep in mind is that, as more and more organizations are compromised, cyber insurance companies are scrutinizing organizational security practices and looking for ways to either partially pay or not pay at all, if it can be determined that an organization has not done everything they can to secure their data and systems.”

Key Cloud Considerations
When developing a cloud security strategy, companies should understand the four types of cloud computing environments: public, private, hybrid, and multicloud. As described by Microsoft, public cloud environments are run by cloud service providers that host data from multiple tenants. Private cloud environments can be in a customer-owned data center or run by a public cloud service provider. (In both instances, servers are single-tenant, and organizations do not have to share space with other companies.) Hybrid clouds incorporate on-premises data centers and third-party clouds. And multicloud environments include two or more cloud services operated by different cloud service providers.
[Photo: Paul Clark, Arctic IT]
Regardless of where data resides—in a public, hybrid, or private cloud—the security principles remain virtually the same, although there are some distinctions. For example, “In a public cloud, organizations benefit from already-present security tools and reporting, low maintenance, high reliability/redundancy, consistency, scalability, and the ability to leverage security tools across the entire organizational cloud as the organization grows,” Clark says. “On the other hand, in a private cloud, typically hosted in someone’s data center, the organization or a third party must engineer in and maintain scalability, reliability, and security features, which can result in higher costs and administrative burden.”

It’s crucial for businesses to understand the kind of cloud they have and how they can use it, says Cindy Christopher, director of managed IT product and sales at Alaska Communications. “An important consideration is that some controls might not be interoperable between different types of cloud environments,” she explains. “Each public cloud provider has a set of security tools available to clients that are specific to that tool. They each have different costs associated. For example, if you export your data from one type of cloud to another, you may have to pay data transfer fees. Using multiple services often leads businesses to purchase their own tools for centralized visibility.”

[Photo: Cindy Christopher, Alaska Communications]
Many security principles apply to on-premises and cloud facilities, despite their differences. “In an on-premises environment, the organization has full control and responsibility for the security of its infrastructure, as well as the people who have access to it,” Christopher explains. “When you operate and store data in the cloud, you give up some of that control. You can pick where your data is hosted, but you cannot always choose who administers it (could be overseas). If your business or industry requires specific compliance requirements, be sure you require your cloud provider to follow your contractual flow-down requirements.”
Cloud Security Best Practices
Cloud security should always involve a multi-layered strategy, and one of the first security tasks is robust identity and access management. Multi-factor authentication (MFA), for instance, should be a priority, and conditional access policies are highly recommended. “This means that even if a user has the correct credentials, access can still be denied if the request doesn’t originate from an approved device, location, or credential method,” Clark says.

Protecting data involves encryption, and data loss prevention tools can prevent unauthorized exposure. “Firewalls and access control lists should be set up according to best practices and audited regularly for effectiveness and compliance,” Clark says. “It’s also worth considering the implementation of ‘just-in-time access’ for IT staff and critical applications. JIT allows access only when necessary and for a specific duration, creating a clear audit trail of who accessed which application or data, and when.”
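The two controls Clark describes, conditional access and just-in-time (JIT) access, can be sketched in code. The following is an added illustration written for this article, not a product of Arctic IT or any cloud vendor: a small policy evaluator that denies a request even when the password is right if the device, location, or authentication method is not approved, and a JIT manager that grants time-boxed access and records every grant and use in an audit trail. The policy values, locations, user names, and resource names are all constructed for the example.

```python
"""Added example: conditional access plus just-in-time access with an audit trail.
All policy values and sample requests are constructed; they are not a real tenant's settings."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical tenant policy. Valid credentials alone are not enough:
# the request must also come from a managed device, an approved location,
# and a phishing-resistant authentication method.
POLICY = {
    "approved_locations": {"Anchorage-HQ", "Katy-Office"},
    "approved_auth_methods": {"fido2", "authenticator-app"},
    "require_managed_device": True,
}


@dataclass
class AccessRequest:
    user: str
    credentials_valid: bool
    device_managed: bool
    location: str
    auth_method: str


def evaluate_conditional_access(req: AccessRequest, policy=POLICY):
    """Return (allowed, reason). Any single failed condition denies the request."""
    if not req.credentials_valid:
        return False, "invalid credentials"
    if policy["require_managed_device"] and not req.device_managed:
        return False, "unmanaged device"
    if req.location not in policy["approved_locations"]:
        return False, f"location {req.location!r} not approved"
    if req.auth_method not in policy["approved_auth_methods"]:
        return False, f"auth method {req.auth_method!r} not approved"
    return True, "all conditions satisfied"


@dataclass
class JitGrant:
    user: str
    resource: str
    expires_at: datetime


class JitAccessManager:
    """Grants access only for a bounded duration and logs who touched what, and when."""

    def __init__(self, max_duration=timedelta(hours=1)):
        self.max_duration = max_duration          # hard cap on any single grant
        self.grants: dict[tuple[str, str], JitGrant] = {}
        self.audit_log: list[dict] = []

    def request_access(self, user, resource, duration, justification, now):
        duration = min(duration, self.max_duration)  # never exceed the cap
        grant = JitGrant(user, resource, now + duration)
        self.grants[(user, resource)] = grant
        self.audit_log.append({
            "time": now.isoformat(), "event": "grant", "user": user,
            "resource": resource, "expires": grant.expires_at.isoformat(),
            "justification": justification,
        })
        return grant

    def check_access(self, user, resource, now):
        """True only while an unexpired grant exists; every check is logged."""
        grant = self.grants.get((user, resource))
        allowed = grant is not None and now < grant.expires_at
        self.audit_log.append({
            "time": now.isoformat(), "event": "access", "user": user,
            "resource": resource, "allowed": allowed,
        })
        if grant is not None and not allowed:
            del self.grants[(user, resource)]  # expired: remove standing access
        return allowed


if __name__ == "__main__":
    # Constructed walk-through: one good login, one from an unmanaged laptop,
    # then a 30-minute JIT window on a database checked inside and outside it.
    print(evaluate_conditional_access(AccessRequest("ops", True, True, "Anchorage-HQ", "fido2")))
    print(evaluate_conditional_access(AccessRequest("ops", True, False, "Anchorage-HQ", "fido2")))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    jit = JitAccessManager()
    jit.request_access("ops", "prod-db", timedelta(minutes=30), "ticket-123", t0)
    print(jit.check_access("ops", "prod-db", t0 + timedelta(minutes=10)))
    print(jit.check_access("ops", "prod-db", t0 + timedelta(minutes=45)))
    for entry in jit.audit_log:
        print(entry)
```

The audit log is the point of the JIT half: because access is granted per request rather than standing, each entry ties a person, a resource, a justification, and a time window together, which is exactly the trail Clark says JIT should produce.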

Christopher adds that companies should not assume everything is taken care of when it comes to cloud security. “Generally, cloud platforms provide the environment, but it’s your responsibility to ensure it’s properly managed and protected based on your business’ unique requirements,” she says.

In addition, Alessi says businesses can minimize vulnerabilities by using secure configuration practices, such as disabling unnecessary services and ports, applying security patches, and properly configuring network security groups. They should also have an incident response plan. “Compliance with industry-specific regulations and legal considerations should be ensured and ongoing security governance should be established to monitor, review, and update cloud security controls regularly,” he says.
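Two of the configuration practices Alessi lists, closing unnecessary ports and properly configuring network security groups, lend themselves to an automated check. The script below is an added example written for this article, not CTG's tooling or a cloud provider's export format: it audits a list of inbound firewall rules for management ports reachable from the internet, rules that allow every port, and ports a given workload does not need. The rule layout, the sample rules, and the per-workload port allowlist are all constructed for illustration.

```python
"""Added example: audit inbound network security group rules for risky openings.
The rule shape and sample rules are constructed, not a real cloud export."""
import ipaddress

# Ports that should never be reachable from arbitrary internet sources.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}

# Hypothetical allowlist of ports each workload role actually needs.
NEEDED_PORTS = {"web": {443}, "db": {5432}}

SAMPLE_RULES = [  # constructed sample; lower priority number is evaluated first
    {"name": "allow-https", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "0.0.0.0/0", "dest_port": "443", "priority": 100},
    {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_port": "3389", "priority": 110},
    {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "203.0.113.0/24", "dest_port": "22", "priority": 115},
    {"name": "allow-all-internal", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "10.0.0.0/8", "dest_port": "*", "priority": 120},
    {"name": "deny-all", "direction": "Inbound", "access": "Deny",
     "protocol": "*", "source": "*", "dest_port": "*", "priority": 4096},
]


def _is_any_source(src: str) -> bool:
    """True if the source matches the whole internet (wildcard or a /0 network)."""
    if src in ("*", "Internet", "0.0.0.0/0"):
        return True
    try:
        return ipaddress.ip_network(src, strict=False).prefixlen == 0
    except ValueError:
        return False


def _ports(spec: str):
    """Expand '80-82,443' into a set of ports; None means every port."""
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def audit_rule(rule, role_allowed_ports):
    """Return (severity, message) for one inbound Allow rule, or None if it is fine."""
    ports = _ports(rule["dest_port"])
    open_to_internet = _is_any_source(rule["source"])
    if ports is None:
        severity = "HIGH" if open_to_internet else "MEDIUM"
        where = "any source" if open_to_internet else rule["source"]
        return severity, f"allows every port from {where}"
    mgmt = sorted(MANAGEMENT_PORTS[p] for p in ports if p in MANAGEMENT_PORTS)
    if mgmt and open_to_internet:
        return "HIGH", f"management port(s) {', '.join(mgmt)} reachable from the internet"
    unneeded = sorted(ports - role_allowed_ports)
    if unneeded:
        return "LOW", f"ports {unneeded} are not required for this workload"
    return None


def audit_nsg(rules, role_allowed_ports):
    """Audit every inbound Allow rule in priority order; Deny rules are not findings."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        result = audit_rule(rule, role_allowed_ports)
        if result is not None:
            findings.append((rule["name"], *result))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit_nsg(SAMPLE_RULES, NEEDED_PORTS["web"]):
        print(f"[{severity}] {name}: {message}")
```

Run against the constructed rules for a "web" workload, the script flags the RDP rule open to the internet as high, the catch-all internal rule as medium, and the office-only SSH rule as low because port 22 is not on the web role's allowlist; the HTTPS rule passes. The same check, pointed at a real rule export, is the kind of regular audit Clark recommends for firewalls and access control lists.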

Due diligence when selecting a cloud service provider involves thoroughly assessing the provider’s security practices, certifications, compliance with data protection regulations, and contractual commitments. “Reviewing terms and conditions, SLAs [service-level agreements], and data processing agreements helps businesses understand the legal responsibilities and obligations shared with the provider,” Alessi says.

Leveraging Outside Expertise
Small and medium-sized companies may face resource constraints and limited in-house cybersecurity expertise. Thus, they often rely on outside service providers to implement security best practices. “These providers have dedicated teams with specialized knowledge and experience in cloud security,” Alessi says. “They can assist businesses in assessing their security needs, implementing appropriate controls, and monitoring the cloud environment for potential threats.”

While external expertise is valuable, businesses still retain responsibility for their own cloud security. “They should actively participate in security discussions, understand the shared responsibility model with their cloud service providers, and ensure that appropriate oversight and governance are in place,” Alessi says. Consequently, it’s up to the leadership to ensure the implementation of a comprehensive data protection plan—whether through their internal IT staff and security team or by enlisting the help of an external organization such as Arctic IT.

Arctic IT, a technology consulting firm that specializes in application modernization, is a Microsoft Gold Business Partner, so the company’s solutions center primarily around Microsoft’s M365 and Azure cloud computing platforms. Arctic IT also helps clients with data loss prevention, data classification, cloud readiness, cloud vulnerability and security assessments, and adherence to specific compliance requirements.

CTG also offers a comprehensive range of services. The company begins with a thorough assessment of the client’s cloud infrastructure to identify vulnerabilities and ensure compliance with best practices. Then it works to design a robust security architecture, incorporating multi-layered controls, encryption mechanisms, and secure network configurations.

“Overall, CTG’s services equip businesses with the expertise, tools, and strategies needed to enhance their cloud security posture and protect their data and applications in the cloud,” Alessi says.

The security experts at Alaska Communications help businesses with a full range of cloud services and security management solutions. The company is an authorized reseller of industry-leading cloud services, including Microsoft Azure. “Alaska Communications offers Security as a Service, giving our customers access to advanced technologies that are fully customized to meet their needs and simplify important processes that might otherwise be difficult to manage,” Christopher says.

In addition, Alaska Communications conducts third-party provider assessments to help businesses ensure their cloud solution is providing the security the provider promised. “Our experts can help you manage and secure your business applications and services with your regulatory and data sovereignty needs in mind,” Christopher says.

Shared Responsibility
Cloud security is clearly a shared liability, but who is legally responsible for protecting data in the cloud—the business or its third-party provider? There’s no one-size-fits-all answer, Christopher says. “You should refer to your contract with your service provider or cloud vendor,” she says. “Be sure you seek assistance if you do not fully understand the terms and conditions included.”

Christopher also advises, “When working with a provider, it’s important to use a matrix like the Cloud Controls Matrix and CAIQ questionnaire from the Cloud Security Alliance to understand your responsibility, the cloud service provider’s responsibility, and what’s shared.”

Alessi says businesses should have a clear understanding of their legal obligations regarding cloud security. They should also clarify data ownership and control in their contractual agreements, ensuring they know who owns the data and the extent of their control over it. International considerations come into play if data transfers occur across borders.

Typically, the business and its cloud service provider share the responsibility for security. “The business, as the data owner and user of the cloud services, bears the primary responsibility for securing their applications, data, user access, and compliance with applicable regulations,” Alessi says. “On the other hand, the cloud service provider is responsible for the security of the underlying cloud infrastructure, physical security of data centers, network architecture, and host security.”

Ultimately, the business cannot delegate all security responsibilities to the cloud service providers. “Both entities have a shared interest in ensuring the security of the cloud environment, and collaboration is key to effectively address cloud security challenges and maintain a robust security posture,” Alessi says.

Law firms like Dorsey & Whitney are well equipped to help businesses understand their cloud security liability. The multinational firm serves clients in locations across the United States, including Anchorage, as well as in Canada, Europe, and Asia.

“Clearly the service provider has an obligation to provide reasonable security,” says Dorsey partner Robert Cattanach. “This sounds like a vague term, but it involves a degree of specificity. The cloud provider should specify their security in their contract.”

[Photo: Robert Cattanach, Dorsey & Whitney LLP]
Cattanach continues, “Once data gets into the cloud, it’s the cloud provider’s responsibility. Getting it there is a joint responsibility. They [the provider] have to provide the means to get it into the cloud, and the business has to follow the protocol. The business that collects the data in the first place is responsible for the data while it is stored before it gets into the cloud.”

Businesses need to read their service-level agreement, whether it’s with a managed service provider, Amazon Web Services (AWS), or a cloud provider. “Part of the key in ensuring their security is understanding how everything works,” says Cattanach, who is based in Minnesota and represents clients in the areas of cybersecurity, data breach response, and privacy compliance. “What happens when I first get data, and what are my reasonable expectations when I transfer that data to the cloud… There are practical implications.”

The service-level agreement will clearly spell out the provider’s obligations relating to cloud security, and being familiar with the agreement can help the business be better prepared to mitigate potential cloud security issues. “That awareness will help a company understand where they are not protected with the service provider, so they can do the things that can limit their exposure,” Cattanach says.

Businesses in highly regulated industries often have greater concerns for cloud security and liability. However, major cloud providers design solutions to meet their unique requirements. For example, AWS has a special product for clients that must comply with the Health Insurance Portability and Accountability Act.

In most cases, cloud service providers are not the kind of third parties that cause problems for clients, Cattanach says. But if a cloud provider does have a security breach, the recourse for the customer will be spelled out in their agreement. If that cloud provider fails to do what it agreed to, it will be responsible to the customer for damages.

However, Cattanach emphasizes that human error is responsible for most data compromises. So the most important—and preemptive—strategy for managing cloud security and legal liability is for companies to have a culture of security awareness. He maintains, “If people are aware of data security, that’s the biggest battle of all.”