Is There Sun Behind Those Clouds
Published in: Technology, Business
Transcript

  • 1. Issues in Cloud Computing: Is There Sun Behind Those Clouds?
    Presented by
    Janine Anthony Bowen, Esq., CIPP
    JBOWEN@MCKENNALONG.COM
    404-527-4671
    December 1, 2009
    © 2009 J. A. Bowen. All Rights Reserved.
  • 2. Your Presenter
    Janine Anthony Bowen, Esq.
    Janine’s practice focuses on strategic commercial transactions involving technology and intellectual property. Such transactions include licensing and acquisition of technology; issues surrounding the protection and exploitation of Internet-based assets; privacy and information security; and technology export compliance. 
    McKenna Long & Aldridge LLP
    525 Attorneys and Public Policy advisors
    A national, general practice firm focused on transactional, litigation, and government/regulatory matters
    9 US-based offices, 1 international office (Brussels, Belgium)
  • 3. Agenda
    I. Cloud Computing – What Is It?
    Definition of Cloud Computing
    Essential Characteristics
    Delivery and Deployment Models
    Distinguishing Cloud from Outsourcing and ASPs
    II. The Various Cloud Contracting Models
    License Agreements vs. Services Agreements
    Click wrap Agreements vs. Standard Contracts
    The Importance of Privacy Policies and Terms and Conditions
    III. Sampling of the Legal Issues
    Data Privacy and Security
    Jurisdictional Issues
  • 4. Agenda
    IV. Commercial and Business Considerations
    Methods to Minimize Risk
    Viability of the Cloud Provider
    Impediments (or not) to Using Clouds for Mission-Critical Applications and Data
    Other Factors to Consider When Selecting a Vendor
    V. Special Topics
    The Government’s Role in Advancing (or Inhibiting) Adoption of Cloud Computing
    Litigation Issues/e-Discovery
    The Impact, if any, of Industry Standards
    VI. Take Away Messages
  • 5. Cloud Computing – What Is It?
    Cloud Computing: Adoption and Hype
    Definitions of Cloud Computing
    Essential Characteristics
    Delivery and Deployment Models
    Distinguishing Cloud from Outsourcing and ASPs
  • 6. Adoption of Cloud Computing
    “As enterprises seek to consume their IT services in the most cost-effective way, interest is growing in drawing a broad range of services (for example, computational power, storage and business applications) from the "cloud," rather than from on-premises equipment. The levels of hype around cloud computing in the IT industry are deafening, with every vendor expounding its cloud strategy and variations, such as private cloud computing and hybrid approaches, compounding the hype.”
    Gartner, August 11, 2009 Press Release
  • 7. The Hype Surrounding the Cloud
  • 8. Cloud Computing Plain English Definition
    From the User’s Perspective
    Data processing and storage, application development, and software hosting over the Internet instead of on a personal computer or over a business’ network
    Available on an ‘on demand’ basis
    Location of information stored ‘in the cloud’ is potentially unknown at any given point in time
    Relatively inexpensive
  • 9. National Institute of Standards & Technology’s Definition
    Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
  • 10. Essential Characteristics: On-Demand Self-service
    [Diagram: one Service Provider serving four Consumers]
  • 11. Essential Characteristics: Broad Network Access
    [Diagram: Service Provider reached from Office Desktop, Home Computer, Laptop, Smartphone or PDA, Tablet Computer, Netbook, Apple Mac]
  • 12. Essential Characteristics: Resource Pooling & Rapid Elasticity
    [Diagram labels: New York, Atlanta, Multiple Tenants]
  • 13. Essential Characteristics: Measured Service
  • 14. Three Service Models
    SaaS (Software as a Service)
    The consumer uses the provider’s applications running on a cloud infrastructure. (e.g. Google Apps)
    PaaS (Platform as a Service)
    The consumer has control over the deployed applications and possibly application hosting environment configurations. (e.g. Force.com)
    IaaS (Infrastructure as a Service)
    The consumer is able to deploy and run arbitrary software. (e.g. Amazon EC2)
  • 15. Service Model Relationships
    Gerard Briscoe, London School of Economics and Political Science, Alexandros Marinos, Faculty of Engineering & Physical Sciences, University of Surrey, “Digital Ecosystems in the Clouds: Towards Community Cloud Computing” March 2009
  • 16. Deployment Models: Private Cloud
    The cloud infrastructure is operated solely for an organization.
  • 17. Deployment Models: Public Cloud
    The cloud infrastructure is made available to the general public
  • 18. Deployment Models: Hybrid Cloud
    [Diagram labels: Private Cloud, Public Cloud]
  • 19. Deployment Models: Community Cloud
  • 20. Integration Considerations
    The nature of the cloud deployment will determine whether there is any need to integrate existing systems with the cloud architecture
    Hybrid cloud may require
    Integration between multiple public or community cloud services
    Integration within the corporate data center
    Integration between the corporate data center and the public cloud services
  • 21. Cloud vs. Outsourcing vs. ASP
  • 22. The Various Cloud Contracting Models
    License Agreements vs. Services Agreements
    Click wrap Agreements vs. Standard Contracts
    The Importance of Privacy Policies and Terms and Conditions
  • 23. Cloud Contracting Models: License vs. Service Agreement
  • 24. Cloud Contracting Models: Click Wrap vs. Standard Contract
  • 25. Cloud Contracting Models: Terms of Use & Privacy Policy
    The Privacy Policy and Terms of Use specify the privacy protections in place as well as the terms under which the services are offered
    Mini Case Study – Google’s Terms and Privacy Policy
    User grants content license – Google can modify the content to deliver the service
    User’s use of services is ‘as is’ and ‘as available’
    No liability for user’s damages, including for deletion, corruption, or failure to store a user’s data
    Effect on a Gmail user is one consideration, but what about a Google Apps (PaaS) user?
  • 26. A Sampling of the Legal Issues
    Data Privacy and Security
    Jurisdiction Issues
  • 27. Legal Issues: Data Privacy
    Data Privacy and Security
    Data Breach
    Gramm Leach Bliley
    HIPAA/HITECH Act
    FTC Safeguards Rule
    FTC Red Flags Rule
    USA PATRIOT Act
    European Union Data Privacy Directive
  • 28. Data Breach
    Data Breach is the loss of unencrypted electronically stored personal information
    Significant financial and reputational harm to the breached company when a breach occurs
    Risk of ID theft for the individual whose data is compromised
    Data in the cloud is treated no differently than any other electronically stored information
    The company holding the data and the company putting the data in the cloud have compliance obligations
  • 29. Federal Legislation
    Gramm-Leach-Bliley Act
    Requires financial institutions to implement procedures to protect personal financial information
    HIPAA/HITECH Acts
    Requires “covered entities” to notify affected persons in the event of a breach of unencrypted health records
    USA PATRIOT gives the government access to electronically stored information upon certification
    Applies to all entities holding personal information
  • 30. Federal Trade Commission Rules
    FTC is charged with protecting consumers’ personal information
    Safeguards Rule
    Applies to financial institutions’ treatment of customer information
    Requires a written security plan
    Red Flags Rule
    Applies to institutions that hold credit accounts
    Requires a written identity theft program
    Cloud providers and cloud users putting this information into the cloud are both responsible for compliance
  • 31. EU Data Privacy Directive
    Any geography to which EU data is sent must implement controls to protect against unauthorized disclosure or access of written, oral, electronic, and Internet-based data that resides in the EU
    Not limited to EU residents – but to data in the EU
    Both the parties that own and process the data must comply
    The cloud user must understand how the cloud provider is treating internationally stored data
  • 32. Legal Issues: Jurisdiction
    Jurisdictional Issues
    Virtualization and Multi-tenancy considerations
    Confidentiality
    Government Access to Data
    Subcontracting
  • 33. Jurisdiction: A Few Definitions
    Jurisdiction
    Refers to a court’s authority to judge acts committed in a certain territory (e.g. GA courts deal with what happens only in GA, not TN).
    Virtualization
    One physical server simulates being multiple servers.
    Each simulated server is called a virtual machine.
    Multi-tenancy
    Refers to the cloud provider’s ability to deliver software-as-a-service to multiple client organizations (each a tenant) from a single, shared instance of software.
    Information is virtually separated, not physically separated.
  • 34. Jurisdiction: Virtualization & Multi-Tenancy Considerations
    Virtualization can occur across a single or multiple data centers
    Difficulty in knowing where data resides at any given time
    Multi-tenancy presents the potential for one user to access data of another
    May be difficult to back up and restore data
    Data Protection concerns
    Ability for data to be in multiple locations – once data is in a location it is subject to the laws of that location
    May create conflicts with law of, or terms of the contract
  • 35. Jurisdiction: Confidentiality & Government Access to Data
    Scenario
    The contract provides for the confidential treatment of information
    The cloud provider houses the data in multiple countries
    Are confidentiality provisions in the contract enforceable?
    Can the government of the country that the data sits in get access to the data?
  • 36. Jurisdiction: Subcontracting & Brokering of Capacity
    Scenario
    Cloud provider subcontracts with a third party to handle some of the processing (e.g. disaster recovery storage)
    Cloud provider utilizes excess capacity of other providers in periods of peak demand (e.g. for seasonal surges in demand)
    All of this is invisible to the cloud user
    Something breaks – whose risk and problem is it?
  • 37. Commercial & Business Considerations
    Methods to Minimize Risk
    Viability of the Cloud Provider
    Impediments (or not) to Using Clouds for Mission-Critical Applications and Data
    Other Factors to Consider When Selecting a Vendor
     
  • 38. Commercial & Business Considerations: Minimizing Risk
    Methods to Minimize Risk
    Data Integrity – ensuring that data at rest is not subject to corruption
    Look for contractual obligations regarding data integrity
    Service Level Agreements (SLAs) – the cloud provider’s contractually agreed to level of performance
    What is the SLA and what happens if it is not met?
    Disaster Recovery – ability to recover from a catastrophic event
    Is there any way to learn more about the cloud provider’s DR strategy?
    If your information is lost due to a catastrophe at the cloud provider, can you recover?
    Mini Case Study: T-Mobile, Gmail
  • 39. Commercial & Business Considerations: Viability of the Cloud Provider
    Viability matters. Why? A cloud user makes an investment when choosing a cloud provider. For example:
    Integrating cloud services into business processes
    Migrating data from its environment
    Lack of standardization makes moving to a new cloud provider difficult
    What happens to a cloud user’s data in the event of:
    Bankruptcy
    M&A
    Escrow
  • 40. Viability of the Cloud Provider: Bankruptcy
    Cloud Provider files for Bankruptcy
    Data is treated as a non-intellectual asset and is subject to different rules
    Privacy Policy will provide first indication of what a Provider will do with the data
    Depending on the data’s sensitivity a “consumer privacy ombudsman” may determine what happens with personally identifiable information
  • 41. Viability of the Cloud Provider: M&A
    Cloud provider merges with or is acquired by another company
    Cloud user will likely get no notice (unless size of transaction is newsworthy)
    Privacy policy will indicate disposition of personal information
    Click wrap or terms of use may specify termination option available to user
  • 42. Viability of the Cloud Provider: Will Escrow Help?
    Software Escrow
    Provision of a copy of the source code by the owner or licensor with a neutral third party for the benefit of a user.
    Escrow is released in certain situations (e.g. bankruptcy)
    Helpful?
    Maybe in SaaS contexts – neither PaaS nor IaaS lends itself to escrow
    If available to the user – does the user have the resources to implement the code?
  • 43. Commercial & Business Considerations: Potential Impediments to Adoption
    Potential Impediments to Using Clouds for Mission-Critical Applications and Data
    Contracting Models
    Data Security/Privacy
    Government Access
  • 44. Commercial & Business Considerations: Other Factors to Consider
    Other Factors to Consider When Selecting a Vendor 
    Experience vs. Functionality
    Longevity vs. Early stage players
  • 45. Special Topics
    The Government’s Role in Advancing (or Inhibiting) Adoption of Cloud Computing
    Litigation Issues/e-Discovery
    The Impact, if any, of Industry Standards
  • 46. Special Topics: Government’s Role
    Government acknowledges the potential value of the cloud
    Federal CIO is advocating the federal government’s use of cloud technologies
    NIST is actively working in the space
  • 47. Special Topics: e-Discovery
    E-Discovery is the production of electronically stored information in the course of litigation
    Cloud user will have the responsibility to produce information housed with a cloud provider
    Depending on the magnitude of the discovery, a separate agreement with the provider may be required
    Cross border e-Discovery may be particularly challenging
  • 48. Special Topics: Industry Standards
    What standards applicable to cloud computing exist?
    Payment Card Industry Data Security Standards
    A set of requirements for enhancement of payment account data security
    ISO 27000 Series Standards
    An information security standard that provides best practices for those implementing an information security management system
    Open Cloud Manifesto
    Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration
  • 49. Take Away Messages
    Don’t be in a hurry – the clouds aren’t going anywhere.
    Be thoughtful about which parts of your business are cloud-worthy. All business processes are not suitable.
    Have a plan to deal with mistakes that will happen in the cloud. What happens if your data is lost, can you still run your business?
    Work with your key internal and external advisors to think through your cloud strategy.
  • 50. Q&A
    Contact Me
    Janine Anthony Bowen, Esq.
    jbowen@mckennalong.com
    http://www.visualcv.com/jdabowen
    404-527-4671
    Twitter - @cloudlawyer
    Blog - http://cloudlawyer.wordpress.com/