There's a good chance that these new uses involve new categories of data that may be subject to other regulations and/or security requirements. If so, they may not align with your initial risk assessment of the cloud vendor's infrastructure and security. To protect against this, the client's IT governance processes should include end-user training regarding the appropriate use of the cloud service (purposes, data type, etc.), as well as how to formally evaluate and communicate approved changes as use cases evolve.
The service model (infrastructure as a service, platform as a service, software as a service) of the cloud service that you adopt will also have an impact on your responsibilities. With IaaS, for example, the client tends to have more responsibilities, because the vendor typically provides only the raw, underlying computing infrastructure.
Under the IaaS model, the client is expected to assume responsibility for selection and management of everything that runs on top of that raw infrastructure, including the operating system and associated updates and patches, applications software, and some security configuration such as firewalls. In some cases, such as with Amazon Web Services, the client may also have the ability, and associated responsibility, to select the geographic location of the vendor data center storing or processing the client's data.
As I said, these are just some of the areas that the client can appropriately take responsibility for in a cloud computing contract. Understanding which client responsibilities are appropriate to include in the contract, as well as how the client can most effectively fulfill those responsibilities, remains an important element in the effective adoption of a cloud computing service.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.