Understanding Minimizing And Mitigating Risk In Cloud Computing

Understanding Minimizing And Mitigating Risk In Cloud Computing Presentation Transcript

  • 1. Understanding, Minimizing and Mitigating Risk in Cloud Computing
    • Janine Anthony Bowen, Esq., CIPP
    • 404-527-4671
    • December 9, 2009
    • © 2009 J. A. Bowen. All Rights Reserved.
  • 2. Your Presenter
    • Janine Anthony Bowen, Esq., CIPP
      • Janine’s practice focuses on strategic commercial transactions involving technology and intellectual property. Such transactions include licensing and acquisition of technology; issues surrounding the protection and exploitation of Internet-based assets; privacy and information security; and technology export compliance. 
    • McKenna Long & Aldridge LLP
      • 525 Attorneys and Public Policy advisors
      • A national, general practice firm focused on transactional, litigation, and government/regulatory matters
      • 9 US-based offices, 1 international office (Brussels, Belgium)
  • 3. Agenda
    • I. Understanding the Interrelationships
        • The Cloud Service Model Relationships
        • Distinguishing Cloud from Outsourcing and ASPs
    • II. Understanding the Various Cloud Contracting Models
        • License Agreements vs. Services Agreements
        • Click wrap Agreements vs. Standard Contracts
        • The Importance of Privacy Policies and Terms and Conditions
    • III. Minimizing and Mitigating Risk - Commercial and Business Considerations
        • Methods to Minimize Risk
        • Viability of the Cloud Provider
        • Other Factors to Consider When Selecting a Vendor
    • IV. The Impact, if any, of Industry Standards
    • V. Take Away Messages
  • 4. Service Model Relationships
    • Gerard Briscoe, London School of Economics and Political Science, and Alexandros Marinos, Faculty of Engineering & Physical Sciences, University of Surrey, “Digital Ecosystems in the Clouds: Towards Community Cloud Computing,” March 2009
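  • 5. Cloud vs. Outsourcing vs. ASP
    • Location of Service/Data – Cloud Computing: unknown; Outsourcing: known; ASP: known
    • Owner of Technology – Cloud Computing: provider; Outsourcing: company; ASP: provider
    • Contract – Cloud Computing: non-negotiable; Outsourcing: highly negotiated; ASP: negotiated
    • Contract Risk – Cloud Computing: company; Outsourcing: provider; ASP: shared
    • Scalability – Cloud Computing: Yes; Outsourcing: No; ASP: Maybe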
  • 6. Cloud Contracting Models: License vs. Service Agreement
    • License Grant
      • License Agreement: Yes.
      • Service Agreement: No.
      • Necessary in Cloud: No. No physical transfer of SW.
    • IP Infringement Protection
      • License Agreement: Yes.
      • Service Agreement: No.
      • Necessary in Cloud: No. No physical transfer of SW.
    • Ownership Protection for Provider?
      • License Agreement: Yes.
      • Service Agreement: Yes.
      • Necessary in Cloud: Yes. Use of cloud does not translate into ownership transfer.
  • 7. Cloud Contracting Models: Click Wrap vs. Standard Contract
    • Negotiable
      • Click Wrap: No.
      • Standard Contract: Yes, generally.
    • Limits Placed on Provider’s Liability
      • Click Wrap: Yes. Very little or no liability to provider.
      • Standard Contract: Yes. Risk shared by provider and user.
    • Risk in the Event of Problems
      • Click Wrap: Borne by user.
      • Standard Contract: Borne by party responsible.
  • 8. Cloud Contracting Models: Terms of Use & Privacy Policy
    • The Privacy Policy and Terms of Use specify the privacy protections in place as well as the terms under which the services are offered
    • Mini Case Study – Google’s Terms and Privacy Policy
      • User grants content license – Google can modify the content to deliver the service
      • User’s use of services is ‘as is’ and ‘as available’
      • No liability for user’s damages, including for deletion, corruption, or failure to store a user’s data
      • Effect on a Gmail user is one consideration, but what about a Google Apps (PaaS) user?
  • 9. Commercial & Business Considerations
    • Methods to Minimize Risk
    • Viability of the Cloud Provider
    • Other Factors to Consider When Selecting a Vendor
  • 10. Commercial & Business Considerations: Minimizing Risk
    • Methods to Minimize Risk
      • Data Integrity – ensuring that data at rest is not subject to corruption
        • Look for contractual obligations regarding data integrity
      • Service Level Agreements (SLAs) – the cloud provider’s contractually agreed to level of performance
        • What is the SLA and what happens if it is not met?
      • Disaster Recovery – ability to recover from a catastrophic event
        • Is there any way to learn more about the cloud provider’s DR strategy?
        • If your information is lost due to a catastrophe at the cloud provider, can you recover?
        • Mini Case Study: T-Mobile Sidekick
  • 11. Commercial & Business Considerations: Viability of the Cloud Provider
    • Viability matters. Why? A cloud user makes an investment when choosing a cloud provider. For example:
      • Integrating cloud services into business processes
      • Migrating data from its environment
    • Lack of standardization makes moving to a new cloud provider difficult
    • What happens to a cloud user’s data in the event of:
      • Bankruptcy
      • M&A
      • Escrow
  • 12. Viability of the Cloud Provider: Bankruptcy
    • Cloud Provider files for Bankruptcy
      • Data is treated as a non-intellectual asset and is subject to different rules
      • Privacy Policy will provide first indication of what a Provider will do with the data
      • Depending on the data’s sensitivity, a “consumer privacy ombudsman” may determine what happens with personally identifiable information
  • 13. Viability of the Cloud Provider: M&A
    • Cloud provider merges with or is acquired by another company
      • Cloud user will likely get no notice (unless size of transaction is newsworthy)
      • Privacy policy will indicate disposition of personal information
      • Click wrap or terms of use may specify termination option available to user
  • 14. Viability of the Cloud Provider: Will Escrow Help?
    • Software Escrow
      • Provision of a copy of the source code by the owner or licensor with a neutral third party for the benefit of a user.
      • Escrow is released in certain situations (e.g. bankruptcy)
    • Helpful?
      • Maybe in SaaS contexts – neither PaaS nor IaaS lends itself to escrow
      • If available to the user – does the user have the resources to implement the code?
  • 15. Commercial & Business Considerations: Other Factors to Consider
    • Other Factors to Consider When Selecting a Vendor 
      • Experience vs. Functionality
      • Longevity vs. Early stage players
  • 16. Special Topic: Industry Standards
    • What standards applicable to cloud computing exist?
      • Payment Card Industry Data Security Standards
        • A set of requirements for enhancement of payment account data security
      • ISO 27000 Series Standards
        • An information security standard that provides best practices for those implementing an information security management system
      • Open Cloud Manifesto
        • Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration
  • 17. Take Away Messages
    • Don’t be in a hurry – the clouds aren’t going anywhere.
    • Be thoughtful about which parts of your business are cloud-worthy. Not all business processes are suitable.
    • Have a plan to deal with mistakes that will happen in the cloud. What happens if your data is lost? Can you still run your business?
    • Work with your key internal and external advisors to think through your cloud strategy.
  • 18. Q&A Contact Me
    • Janine Anthony Bowen, Esq.
    • [email_address]
    • http://www.visualcv.com/jdabowen
    • 404-527-4671
    • Twitter - @cloudlawyer