Barbara Melby, left, and Katherine O'Keefe, right, of Morgan Lewis & Bockius.

Cloud services have shifted from emerging to mainstream, with companies in even the most risk-adverse industries exploring and adopting cloud-based solutions. There are many variations of cloud offerings, but they generally can be categorized into three types of solutions: IaaS (Infrastructure as a service), PaaS (platform as a service) and SaaS (software as a service). Companies are seeking to leverage the potential scalability, flexibility, efficiency and cost-savings benefits of these offerings at an expediential pace. Analysts are predicting that in a little over five years, the global market for cloud services will hit the $1 trillion mark, see Global Cloud Computing Market Forecast 2019-2024, Mkt. Research Media (Jan. 8, 2018).

While companies are implementing cloud services across development, testing, production and disaster recovery environments, they typically are doing so with caution and significant diligence due to the perceived increase in cybersecurity and privacy risks. In a recent survey, over 80 percent of organizations polled expressed concerns about security, “Research Highlights the Importance of Cloud-Specific Security Capabilities,” Barracuda Networks, Inc. (Mar. 22, 2018). Hosting services (which cloud services are in their most basic form) by their nature pose risk with respect to the security of data and require heightened diligence, including review of identity, credential and access management, data breach response and remediation, security tools and management and vulnerability testing and oversight. Through thorough diligence, proactive steps and good governance, cloud solutions potentially can provide security that is as good as, if not better than, what a company can provide itself. Many companies are developing internal diligence models to evaluate cloud solutions, enabling more efficient adoption if certain standards and requirements are met. Companies are also reorganizing their internal IT departments to acknowledge the growing role of cloud services by adding cloud-specific resources, in the form of new cloud-specific roles, training and certifications.

Diligence steps companies should consider taking and questions companies should consider asking include:

• Defining the types and classification of data and technology being hosted, processed and stored. Are there enhanced standards for certain types of data, such as personal information, health information, financial information or credit card information (PCI)?
• How is data segregated? Are there dedicated environments or is there logical segregation?
• Reviewing the provider's security, privacy and acceptable use policies to identify and remediate any gaps between the company's requirements and the provider's offering.
• Reviewing physical security requirements.
• Reviewing personnel screening requirements.
• How are applications and data accessed and what access controls are in place and administered?
• How is data stored, backed up and deleted? Are there secure deletion mechanisms in place?
• Documenting how security incidents are handled—from detection, reporting, and management to remediation.
• Reviewing the location of the hosting environment—primary, testing, development and backup—and who and from where the systems can be remotely accessed.
• Reviewing applicable laws and compliance requirements and how changes are handled.
• Reviewing the list of potential subcontractors/subprocessors, if any, being used by the provider.
• Accessing the security reviews and audits conducted by or for the provider and the certifications maintained by the provider, including ISO 27000 Series compliance and SOC reports. The ISO 27000 Series is considered one of the best practices on information security management, risk and controls, with ISO 27017, in particular, relating to cloud-specific information security controls.
• Outlining data access and use rights, including access and use of data in aggregated forms, if any.
• Evaluating and documenting ongoing oversight, monitoring, penetration and testing responsibilities, including intrusion detection systems.
• Assessing company's review and audit rights.

When discussing security for cloud solutions, many providers are framing security as a “shared” responsibility, with both parties having critical roles. One analyst forecasted that through 2022, at least 95 percent of cloud security failures will be caused by the customer, see Kasey Panetta, Is the Cloud Secure?, Gartner, Inc. (Mar. 27, 2018). The company's role varies depending upon who has responsibility for certain control functions, but often focuses on identity and credential management, interface security, vulnerability management for company provided or managed systems and user security (including the security of the devices accessing the cloud environment).

A company should have its security teams review the security policies, procedures and protocols of the provider to understand the division of responsibilities and confirm that the provider's security standards and notification obligations are acceptable based on the company's industry, the company's requirements, applicable regulations and risk profile.  Considerations that may be missing from, or need to be enhanced in, the provider's models that are important even when responsibilities are shared, include:

• Defined security processes and workflows.
• Clear roles and responsibilities, as well as notifications and communications for each stage and steps taken within internal incident response teams.
• Change control and management.

As cloud services become more commonplace, companies are adapting internally, by developing their own in-house cloud-centric departments and management models. As part of this adaptation, companies are:

• Reviewing internal governance structures and management teams to ensure that they are appropriately tailored to cloud services.
• Creating new roles relating to cloud management, security and architecture.
• Restructuring architecture teams to include personnel skilled in adapting, developing and implementing applications and interfaces for use in cloud environments.
• Assessing whether internal controls need to be reworked to address changing roles in cloud environments.
• Routinely reviewing and monitoring cloud vulnerabilities, with a remediation path if vulnerabilities are found.
• Performing or having a third party perform regular security compliance audits, and engaging internal and external audit for the review of the provider's security and audit reports.
• Implementing training of IT and security personnel with respect to cloud-based technologies.

In addition to evaluating and implementing best practices for identifying, engaging and managing providers, companies also are relooking at their internal policies to determine whether they need to be updated to address cloud-driven issues. While there are a slew of policies that should be reviewed with a cloud-centric lens, examples of policies include: access management, change management, architecture standards, patch management, log management, encryption, data backup, data retention and business continuity.

At this stage of the lifecycle of cloud solutions, best practices are emerging and being established. Companies are implementing these practices across their enterprise with respect to diligence, internal controls, and oversight and management of providers. Companies and providers are incentivized to proactively identify and mitigate the security risks to acceptable levels in a thoughtful, structured manner, facilitating continued industry growth and adoption.

Barbara M. Melby, a partner at Morgan Lewis & Bockius, is a leader of the firm's technology, outsourcing and commercial transactions practice, where she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions.

Katherine O'Keefe is an associate with the firm. She handles critical commercial transactions.