Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110

  1. 1. Janine Anthony Bowen, Esq., CIPP 404-527-4671 January 20, 2009 © 2010 J. A. Bowen. All Rights Reserved. Understanding, Minimizing and Mitigating Risk in Cloud Computing
  2. 2. Your Presenter <ul><li>Janine Anthony Bowen, Esq. </li></ul><ul><ul><li>Janine’s practice focuses on strategic commercial transactions involving technology and intellectual property. Such transactions include licensing and acquisition of technology, including cloud computing services; issues surrounding the protection and exploitation of Internet-based assets; privacy and information security; and technology export compliance.  </li></ul></ul><ul><li>McKenna Long & Aldridge LLP </li></ul><ul><ul><li>500 Attorneys and Public Policy advisors </li></ul></ul><ul><ul><li>A national, general practice firm focused on transactional, litigation, and government/regulatory matters </li></ul></ul><ul><ul><li>9 US-based offices, 1 international office (Brussels, Belgium) </li></ul></ul>
  3. 3. Agenda <ul><li>I. Understanding the Interaction of the Cloud </li></ul><ul><li>II. Distinguishing Cloud from Outsourcing and ASPs </li></ul><ul><li>III. The Various Cloud Contracting Models </li></ul><ul><ul><ul><li>License Agreements vs. Services Agreements </li></ul></ul></ul><ul><ul><ul><li>Online Contracts vs. Standard Contracts </li></ul></ul></ul><ul><ul><ul><li>The Importance of Privacy Policies and Terms and Conditions </li></ul></ul></ul><ul><li>IV. Commercial and Business Considerations </li></ul><ul><ul><ul><li>Methods to Minimize Risk </li></ul></ul></ul><ul><ul><ul><li>Viability of the Cloud Provider </li></ul></ul></ul><ul><ul><ul><li>Other Factors to Consider When Selecting a Vendor </li></ul></ul></ul><ul><li>V. The Impact, if any, of Industry Standards </li></ul><ul><li>VI. Take Away Messages </li></ul>
  4. 4. Three Service Models SaaS (Software as a Service) The consumer uses the provider’s applications running on a cloud infrastructure. (e.g. Google Apps) PaaS (Platform as a Service) The consumer has control over the deployed applications and possibly application hosting environment configurations. (e.g. IaaS (Infrastructure as a Service) The consumer is able to deploy and run arbitrary software. (e.g. Amazon EC3) Infrastructure As A Service Platform As A Service Software As A Service
  5. 5. Service Model Relationships Gerard Briscoe, London School of Economics and Political Science, Alexandros Marinos, Faculty of Engineering & Physical Sciences, University of Surrey, “Digital Ecosystems in the Clouds: Towards Community Cloud Computing” March 2009
  6. 6. Understanding the Differences: Cloud vs. Outsourcing vs. ASP Cloud Computing Outsourcing ASP Location of Service/Data unknown known known Owner of Technology provider company provider Contract non-negotiable highly negotiated negotiated Contract Risk company provider shared Scalability Yes No Maybe
  7. 7. Cloud Contracting Models: License vs. Service Agreement License Agreement Service Agreement Necessary in Cloud License Grant Yes. No. No. No physical transfer of SW. IP Infringement Protection Yes. No. No. No physical transfer of SW. Ownership Protection Yes. Yes. Yes. Use of cloud does not translate into ownership transfer.
  8. 8. Cloud Contracting Models: Online Contract vs. Standard Contract Online Contract Standard Contract Negotiable No. Yes, generally. Limits Placed on Provider ’ s Liability Yes. Very little or no liability to provider. Yes. Risk shared by provider and user. Risk in the Event of Problems Born by user. Born by party responsible.
  9. 9. Cloud Contracting Models: Terms of Use & Privacy Policy <ul><li>The Privacy Policy and Terms of Use specify the privacy protections in place as well as the terms under which the services are offered </li></ul><ul><li>Mini Case Study – Google’s Terms and Privacy Policy </li></ul><ul><ul><li>User grants content license – Google can modify the content to deliver the service </li></ul></ul><ul><ul><li>User’s use of services is ‘as is’ and ‘as available’ </li></ul></ul><ul><ul><li>No liability for user’s damages, including for deletion, corruption, or failure to store a user’s data </li></ul></ul><ul><ul><li>Effect on a Gmail user is one consideration, but what about a Google Apps (PaaS) user? </li></ul></ul>
  10. 10. The Law is the Law is the Law: Data Privacy <ul><ul><li>Data Breach/State Laws </li></ul></ul><ul><ul><li>Gramm Leach Bliley </li></ul></ul><ul><ul><li>HIPAA/HITECH Act </li></ul></ul><ul><ul><li>FTC Safeguards Rule </li></ul></ul><ul><ul><li>FTC Red Flags Rule </li></ul></ul><ul><ul><li>USA PATRIOT Act </li></ul></ul><ul><ul><li>European Union Data Privacy Directive </li></ul></ul><ul><ul><li>FTC Actions/Enforcement Authority </li></ul></ul>
  11. 11. The Heart of the Matter: Data Security <ul><li>Confidentiality </li></ul><ul><ul><li>Limits on who can get what kind of information </li></ul></ul><ul><li>Possession/Control </li></ul><ul><ul><li>Loss of control of the information, regardless of whether there is a breach of confidentiality </li></ul></ul><ul><li>Integrity </li></ul><ul><ul><li>Information is correct or consistent with its intended state </li></ul></ul><ul><li>Authenticity </li></ul><ul><ul><li>Correct labeling or attribution of information </li></ul></ul><ul><li>Availability </li></ul><ul><ul><li>Timely access to information </li></ul></ul><ul><li>Utility </li></ul><ul><ul><li>Usefulness of information (e.g. loss of encryption key for encrypted data eliminates its utility or usefulness) </li></ul></ul><ul><ul><li>*Parkerian Hexad proposed by Donn B. Parker (can be found on Wikipedia) </li></ul></ul>
  12. 12. Commercial & Business Considerations <ul><li>Methods to Minimize Risk </li></ul><ul><li>Viability of the Cloud Provider </li></ul><ul><li>Other Factors to Consider When Selecting a Vendor </li></ul><ul><ul><li>  </li></ul></ul>
  13. 13. Commercial & Business Considerations: Minimizing Risk <ul><li>Contractual Methods to Minimize Risk </li></ul><ul><ul><li>Data Integrity – ensuring that data at rest is not subject to corruption </li></ul></ul><ul><ul><ul><li>Look for contractual obligations or representations regarding data integrity </li></ul></ul></ul><ul><ul><ul><li>Perhaps have SOW-level detail </li></ul></ul></ul><ul><ul><li>Service Level Agreements (SLAs) – the cloud provider’s contractually agreed to level of performance </li></ul></ul><ul><ul><ul><li>What is the SLA and what happens if it is not met? Look for teeth here. </li></ul></ul></ul><ul><ul><li>Disaster Recovery requirements </li></ul></ul><ul><ul><ul><li>Learn more about the cloud provider’s DR strategy? </li></ul></ul></ul><ul><ul><ul><li>If your information is lost due to a catastrophe at the cloud provider, can you recover? </li></ul></ul></ul><ul><ul><li>Cost of contract vs. Provider contract obligations </li></ul></ul>
  14. 14. Commercial & Business Considerations: Viability of the Cloud Provider <ul><li>Viability matters. Why? A cloud user makes an investment when choosing cloud provider. For example a user: </li></ul><ul><ul><li>Integrates cloud services into existing business processes </li></ul></ul><ul><ul><li>Migrates data from its environment to a cloud environment </li></ul></ul><ul><li>Lack of standardization makes moving to a new cloud provider difficult </li></ul><ul><li>What happens to a cloud user’s data in the event of: </li></ul><ul><ul><li>Bankruptcy </li></ul></ul><ul><ul><li>M&A </li></ul></ul>
  15. 15. Viability of the Cloud Provider: Bankruptcy <ul><li>Cloud Provider files for Bankruptcy </li></ul><ul><ul><li>Data is treated as a non-intellectual asset and is subject to different rules </li></ul></ul><ul><ul><li>Privacy Policy will provide first indication of what a Provider will do with the data </li></ul></ul><ul><ul><li>Depending on the nature of the data and it’s sensitivity, a “ consumer privacy ombudsman ” may determine what happens with personally identifiable information </li></ul></ul><ul><ul><li>Contract terms can override the general rule </li></ul></ul>
  16. 16. Viability of the Cloud Provider: M&A <ul><li>Cloud provider merges with or is acquired by another company </li></ul><ul><ul><li>Cloud user will likely get no notice (unless size of transaction is news worthy or contract requires it) </li></ul></ul><ul><ul><li>Privacy policy will indicate disposition of personal information </li></ul></ul><ul><ul><li>Online agreement or terms of use may specify termination options available to user </li></ul></ul>
  17. 17. Commercial & Business Considerations: Other Factors to Consider <ul><li>Other Factors to Consider When Selecting a Vendor  </li></ul><ul><ul><li>Experience vs. Functionality </li></ul></ul><ul><ul><li>Longevity vs. Early stage players </li></ul></ul>
  18. 18. Additional Mitigation Approach: Industry Standards <ul><ul><li>Payment Card Industry Data Security Standards </li></ul></ul><ul><ul><ul><li>Though no panacea, PCI-DSS certification or compliance provides a minimal bar to which the provider ascribes </li></ul></ul></ul><ul><ul><li>ISO 27000 Series Standards </li></ul></ul><ul><ul><ul><li>An information security standard that provides best practices for those implementing an information security management system </li></ul></ul></ul><ul><ul><ul><li>ISO compliance, though not dispositive, informs of a culture of quality in an organization </li></ul></ul></ul>
  19. 19. Negotiation Strategy <ul><li>Start with a considered list of what’s important AND what’s not </li></ul><ul><ul><li>If you can recover money will that make you whole? </li></ul></ul><ul><li>Recognize the business model of the cloud provider </li></ul><ul><ul><li>Set reasonable expectations about the provider’s flexibility and reasonable expectations about your own </li></ul></ul><ul><ul><li>Assess whether the provider is really a cloud provider </li></ul></ul><ul><li>Understand there is a trade off between dollars spent and contract protections desired </li></ul>
  20. 20. Negotiation Strategy <ul><li>Limitation of Liability </li></ul><ul><ul><li>Data Breach/Privacy </li></ul></ul><ul><ul><li>Compliance with laws </li></ul></ul><ul><li>SLAs </li></ul><ul><ul><li>What’s commercial in a non-cloud environment </li></ul></ul><ul><ul><li>Determine whether you need contractual terms or business-level comfort </li></ul></ul><ul><li>Whose Problem is it? </li></ul><ul><ul><li>Determine what is your responsibility and what’s the provider’s </li></ul></ul>
  21. 21. The Take-Aways <ul><li>Be thoughtful about which parts of your business are cloud-worthy. All business processes are not suitable. </li></ul><ul><li>Have a plan to deal with mistakes that will happen in the cloud (business, technology, legal). What level of risk can you tolerate? </li></ul><ul><li>Work with your key internal and external advisors to think through your cloud strategy. A cross-functional strategy is in order. </li></ul>
  22. 22. Q&A Contact Me <ul><li>Janine Anthony Bowen, Esq. </li></ul><ul><li>[email_address] </li></ul><ul><li> </li></ul><ul><li>404-527-4671 </li></ul><ul><li>Twitter - @cloudlawyer </li></ul>© 2010 J. A. Bowen. All Rights Reserved.