Is There Sun Behind Those Clouds



  1. Issues in Cloud Computing: Is There Sun Behind Those Clouds?
     Presented by Janine Anthony Bowen, Esq., CIPP
     JBOWEN@MCKENNALONG.COM
     404-527-4671
     December 1, 2009
     © 2009 J. A. Bowen. All Rights Reserved.
  2. Your Presenter
     Janine Anthony Bowen, Esq.
       Janine’s practice focuses on strategic commercial transactions involving technology and intellectual property. Such transactions include licensing and acquisition of technology; issues surrounding the protection and exploitation of Internet-based assets; privacy and information security; and technology export compliance.
     McKenna Long & Aldridge LLP
       525 Attorneys and Public Policy advisors
       A national, general practice firm focused on transactional, litigation, and government/regulatory matters
       9 US-based offices, 1 international office (Brussels, Belgium)
  3. Agenda
     I. Cloud Computing – What Is It?
       Definition of Cloud Computing
       Essential Characteristics
       Delivery and Deployment Models
       Distinguishing Cloud from Outsourcing and ASPs
     II. The Various Cloud Contracting Models
       License Agreements vs. Services Agreements
       Click wrap Agreements vs. Standard Contracts
       The Importance of Privacy Policies and Terms and Conditions
     III. Sampling of the Legal Issues
       Data Privacy and Security
       Jurisdictional Issues
  4. Agenda
     IV. Commercial and Business Considerations
       Methods to Minimize Risk
       Viability of the Cloud Provider
       Impediments (or not) to Using Clouds for Mission-Critical Applications and Data
       Other Factors to Consider When Selecting a Vendor
     V. Special Topics
       The Government’s Role in Advancing (or Inhibiting) Adoption of Cloud Computing
       Litigation Issues/e-Discovery
       The Impact, if any, of Industry Standards
     VI. Take Away Messages
  5. Cloud Computing – What Is It?
     Cloud Computing: Adoption and Hype
     Definitions of Cloud Computing
     Essential Characteristics
     Delivery and Deployment Models
     Distinguishing Cloud from Outsourcing and ASPs
  6. Adoption of Cloud Computing
     “As enterprises seek to consume their IT services in the most cost-effective way, interest is growing in drawing a broad range of services (for example, computational power, storage and business applications) from the "cloud," rather than from on-premises equipment. The levels of hype around cloud computing in the IT industry are deafening, with every vendor expounding its cloud strategy and variations, such as private cloud computing and hybrid approaches, compounding the hype.”
     Gartner, August 11, 2009 Press Release
  7. The Hype Surrounding the Cloud
  8. Cloud Computing Plain English Definition
     From the User’s Perspective
       Data processing and storage, application development, and software hosting over the Internet instead of on a personal computer or over a business’ network
       Available on an ‘on demand’ basis
       Location of information stored ‘in the cloud’ is potentially unknown at any given point in time
       Relatively inexpensive
  9. National Institute of Standards & Technology’s Definition
     Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
  10. Essential Characteristics: On-Demand Self-service
     [Diagram: Service Provider; Consumer; Consumer; Consumer; Consumer]
  11. Essential Characteristics: Broad Network Access
     [Diagram: Service Provider; Office Desktop; Home Computer; Laptop; Smartphone or PDA; Tablet Computer; Netbook; Apple MAC]
  12. Essential Characteristics: Resource Pooling & Rapid Elasticity
     [Diagram: New York; Atlanta; Multiple Tenants]
  13. Essential Characteristics: Measured Service
  14. Three Service Models
     SaaS (Software as a Service)
       The consumer uses the provider’s applications running on a cloud infrastructure. (e.g. Google Apps)
     PaaS (Platform as a Service)
       The consumer has control over the deployed applications and possibly application hosting environment configurations. (e.g.
     IaaS (Infrastructure as a Service)
       The consumer is able to deploy and run arbitrary software. (e.g. Amazon EC2)
     [Diagram: Software As A Service; Platform As A Service; Infrastructure As A Service]
  15. Service Model Relationships
     Gerard Briscoe, London School of Economics and Political Science, Alexandros Marinos, Faculty of Engineering & Physical Sciences, University of Surrey, “Digital Ecosystems in the Clouds: Towards Community Cloud Computing” March 2009
  16. Deployment Models: Private Cloud
     The cloud infrastructure is operated solely for an organization.
  17. Deployment Models: Public Cloud
     The cloud infrastructure is made available to the general public
  18. Deployment Models: Hybrid Cloud
     [Diagram: Private Cloud; Public Cloud]
  19. Deployment Models: Community Cloud
  20. Integration Considerations
     The nature of the cloud deployment will determine whether there is any need to integrate existing systems with the cloud architecture
     Hybrid cloud may require
       Integration between multiple public or community cloud services
       Integration within the corporate data center
       Integration between the corporate data center and the public cloud services
  21. Cloud vs. Outsourcing vs. ASP
  22. The Various Cloud Contracting Models
     License Agreements vs. Services Agreements
     Click wrap Agreements vs. Standard Contracts
     The Importance of Privacy Policies and Terms and Conditions
  23. Cloud Contracting Models: License vs. Service Agreement
  24. Cloud Contracting Models: Click Wrap vs. Standard Contract
  25. Cloud Contracting Models: Terms of Use & Privacy Policy
     The Privacy Policy and Terms of Use specify the privacy protections in place as well as the terms under which the services are offered
     Mini Case Study – Google’s Terms and Privacy Policy
       User grants content license – Google can modify the content to deliver the service
       User’s use of services is ‘as is’ and ‘as available’
       No liability for user’s damages, including for deletion, corruption, or failure to store a user’s data
       Effect on a Gmail user is one consideration, but what about a Google Apps (PaaS) user?
  26. A Sampling of the Legal Issues
     Data Privacy and Security
     Jurisdiction Issues
  27. Legal Issues: Data Privacy
     Data Privacy and Security
       Data Breach
       Gramm Leach Bliley
       HIPAA/HITECH Act
       FTC Safeguards Rule
       FTC Red Flags Rule
       USA PATRIOT Act
       European Union Data Privacy Directive
  28. Data Breach
     Data Breach is the loss of unencrypted electronically stored personal information
     Significant financial and reputational harm to the breached company when a breach occurs
     Risk of ID theft for the individual whose data is compromised
     Data in the cloud is treated no differently than any other electronically stored information
     The company holding the data and the company putting the data in the cloud have compliance obligations
  29. Federal Legislation
     Gramm-Leach-Bliley Act
       Requires financial institutions to implement procedures to protect personal financial information
     HIPAA/HITECH Acts
       Requires “covered entities” to notify affected persons in the event of a breach of unencrypted health records
     USA PATRIOT gives the government access to electronically stored information upon certification
       Applies to all entities holding personal information
  30. Federal Trade Commission Rules
     FTC is charged with protecting consumers’ personal information
     Safeguards Rule
       Applies to financial institutions’ treatment of customer information
       Requires a written security plan
     Red Flags Rule
       Applies to institutions that hold credit accounts
       Requires a written identity theft program
     Cloud providers and cloud users putting this information into the cloud are both responsible for compliance
  31. EU Data Privacy Directive
     Any geography to which EU data is sent must implement controls to protect against unauthorized disclosure or access of written, oral, electronic, and Internet-based data that resides in the EU
     Not limited to EU residents – but to data in the EU
     Both the parties that own and process the data must comply
     The cloud user must understand how the cloud provider is treating internationally stored data
  32. Legal Issues: Jurisdiction
     Jurisdictional Issues
       Virtualization and Multi-tenancy considerations
       Confidentiality
       Government Access to Data
       Subcontracting
  33. Jurisdiction: A Few Definitions
     Jurisdiction
       Refers to a court’s authority to judge acts committed in a certain territory (e.g. GA courts deal with what happens only in GA, not TN).
     Virtualization
       One physical server simulates being multiple servers.
       Each simulated server is called a virtual machine.
     Multi-tenancy
       Refers to the cloud provider’s ability to deliver software-as-a-service to multiple client organizations (each a tenant) from a single, shared instance of software.
       Information is virtually separated, not physically separated.
  34. Jurisdiction: Virtualization & Multi-Tenancy Considerations
     Virtualization can occur across a single or multiple data centers
       Difficulty in knowing where data resides at any given time
     Multi-tenancy presents the potential for one user to access data of another
     May be difficult to back up and restore data
     Data Protection concerns
       Ability for data to be in multiple locations – once data is in a location it is subject to the laws of that location
       May create conflicts with law of, or terms of the contract
  35. Jurisdiction: Confidentiality & Government Access to Data
     Scenario
       The contract provides for the confidential treatment of information
       The cloud provider houses the data in multiple countries
     Are confidentiality provisions in the contract enforceable?
     Can the government of the country that the data sits in get access to the data?
  36. Jurisdiction: Subcontracting & Brokering of Capacity
     Scenario
       Cloud provider subcontracts with a third party to handle some of the processing (e.g. disaster recovery storage)
       Cloud provider utilizes excess capacity of other providers in periods of peak demand (e.g. for seasonal surges in demand)
       All of this is invisible to the cloud user
     Something breaks – whose risk and problem is it?
  37. Commercial & Business Considerations
     Methods to Minimize Risk
     Viability of the Cloud Provider
     Impediments (or not) to Using Clouds for Mission-Critical Applications and Data
     Other Factors to Consider When Selecting a Vendor
  38. Commercial & Business Considerations: Minimizing Risk
     Methods to Minimize Risk
       Data Integrity – ensuring that data at rest is not subject to corruption
         Look for contractual obligations regarding data integrity
       Service Level Agreements (SLAs) – the cloud provider’s contractually agreed to level of performance
         What is the SLA and what happens if it is not met?
       Disaster Recovery – ability to recover from a catastrophic event
         Is there any way to learn more about the cloud provider’s DR strategy?
         If your information is lost due to a catastrophe at the cloud provider, can you recover?
         Mini Case Study: T-Mobile, Gmail
  39. Commercial & Business Considerations: Viability of the Cloud Provider
     Viability matters. Why? A cloud user makes an investment when choosing a cloud provider. For example:
       Integrating cloud services into business processes
       Migrating data from its environment
     Lack of standardization makes moving to a new cloud provider difficult
     What happens to a cloud user’s data in the event of:
       Bankruptcy
       M&A
       Escrow
  40. Viability of the Cloud Provider: Bankruptcy
     Cloud Provider files for Bankruptcy
       Data is treated as a non-intellectual asset and is subject to different rules
       Privacy Policy will provide first indication of what a Provider will do with the data
       Depending on the data’s sensitivity a “consumer privacy ombudsman” may determine what happens with personally identifiable information
  41. Viability of the Cloud Provider: M&A
     Cloud provider merges with or is acquired by another company
       Cloud user will likely get no notice (unless size of transaction is newsworthy)
       Privacy policy will indicate disposition of personal information
       Click wrap or terms of use may specify termination option available to user
  42. Viability of the Cloud Provider: Will Escrow Help?
     Software Escrow
       Provision of a copy of the source code by the owner or licensor with a neutral third party for the benefit of a user.
       Escrow is released in certain situations (e.g. bankruptcy)
     Helpful?
       Maybe in SaaS contexts – neither PaaS nor IaaS lends itself to escrow
       If available to the user – does the user have the resources to implement the code?
  43. Commercial & Business Considerations: Potential Impediments to Adoption
     Potential Impediments to Using Clouds for Mission-Critical Applications and Data
       Contracting Models
       Data Security/Privacy
       Government Access
  44. Commercial & Business Considerations: Other Factors to Consider
     Other Factors to Consider When Selecting a Vendor
       Experience vs. Functionality
       Longevity vs. Early stage players
  45. Special Topics
     The Government’s Role in Advancing (or Inhibiting) Adoption of Cloud Computing
     Litigation Issues/e-Discovery
     The Impact, if any, of Industry Standards
  46. Special Topics: Government’s Role
     Government acknowledges the potential value of the cloud
     Federal CIO is advocating the federal government’s use of cloud technologies
     NIST is actively working in the space
  47. Special Topics: e-Discovery
     E-Discovery is the production of electronically stored information in the course of litigation
     Cloud user will have the responsibility to produce information housed with a cloud provider
     Depending on the magnitude of the discovery, a separate agreement with the provider may be required
     Cross border e-Discovery may be particularly challenging
  48. Special Topics: Industry Standards
     What standards applicable to cloud computing exist?
     Payment Card Industry Data Security Standards
       A set of requirements for enhancement of payment account data security
     ISO 27000 Series Standards
       An information security standard that provides best practices for those implementing an information security management system
     Open Cloud Manifesto
       Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration
  49. Take Away Messages
     Don’t be in a hurry – the clouds aren’t going anywhere.
     Be thoughtful about which parts of your business are cloud-worthy. All business processes are not suitable.
     Have a plan to deal with mistakes that will happen in the cloud. What happens if your data is lost, can you still run your business?
     Work with your key internal and external advisors to think through your cloud strategy.
  50. Q&A
     Contact Me
     Janine Anthony Bowen, Esq.
     404-527-4671
     Twitter - @cloudlawyer
     Blog -
     © 2009 J. A. Bowen. All Rights Reserved.