The Complexities of Cloud Computing - The Rules are New, But is the Game
1. The Complexities of Cloud Computing: The Rules are New, But is the Game?
Janine Anthony Bowen, Esq., CIPP/US
jbowen@jack-law.com
(678) 823-6611
June 8, 2012
2. Seems like the inevitable…
Source: http://geekandpoke.typepad.com;
The Lighter Side of the Cloud by CloudTweaks –
David Fletcher. Used under Creative Commons
License
4. The Hype Then…
• “As enterprises seek to consume their IT services in the most cost-
effective way, interest is growing in drawing a broad range of services
(for example, computational power, storage and business
applications) from the "cloud," rather than from on-premises
equipment. The levels of hype around cloud computing in the IT
industry are deafening, with every vendor expounding its cloud
strategy and variations, such as private cloud computing and hybrid
approaches, compounding the hype.”
• Gartner Press Release, Gartner’s 2009 Hype Cycle Special Report Evaluates Maturity of
1,650 Technologies, August 11, 2009 http://www.gartner.com/it/page.jsp?id=1124212
5. And Now…
• According to Forbes…
“Interest in Cloud Computing Has Peaked”
• But Never Fear…it’s here to stay (for now anyway)
http://www.forbes.com/sites/reuvencohen/2012/05/24/interest-in-cloud-computing-has-peaked/
7. Cloud Computing
Plain English Definition
• From the User’s Perspective
– Data processing and storage, application development, and
software hosting over the Internet instead of on a personal
computer or over a business’ network
– Available on an ‘on demand’ basis
– Location of information stored ‘in the Cloud’ is potentially unknown
at any given point in time
– Relatively inexpensive
8. National Institute of Standards & Technology’s Definition
• Cloud computing is a model for enabling ubiquitous, convenient, on-
demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal
management effort or service provider interaction. This cloud model
promotes availability and is composed of five essential characteristics,
three service models, and four deployment models.
• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
10. Three Service Models
• SaaS (Software as a Service): The consumer uses the provider’s applications running on a cloud infrastructure (e.g. Google Apps).
• PaaS (Platform as a Service): The consumer has control over the deployed applications and possibly application hosting environment configurations (e.g. Force.com).
• IaaS (Infrastructure as a Service): The consumer is able to deploy and run arbitrary software (e.g. Amazon EC2).
13. Multi-Tenant
[Diagram: Virtual Server with Multiple Tenants. Tenant applications shown on the server: ABC Company Purchasing Application, XYZ Company Purchasing Application, Acme Company Inventory Application, Atlas Company Inventory Application, Top-Notch Company Logistics Application, Small Biz Company Payroll Application. Server layers shown: Hypervisor, Operating System. Users shown reaching the server over an Internet Connection: ABC Company User, XYZ Company User, Acme Company User, Top-Notch Company User, Small Biz Company User, Atlas Company User.]
15. How’s cloud computing different?
• Geography – Data in the cloud can be anywhere; multiple copies can be in
multiple locations
• In current state of play cloud providers assume as little liability as possible
– bulk of contract risk resides with the user
• Difficult for a user to know where liability rests, even if it were properly
assigned (e.g. Global Payments data breach earlier this year)
• The nature of the potential legal issue depends on where a user plugs into
the cloud (issues with SaaS may be different than with IaaS)
• Virtually complete loss of control by data owner (who holds it and where
is it?)
• Relatively inexpensive OPEX instead of CAPEX
16. Cloud Contracting:
Comparing Cloud to What We Knew Before
| | Cloud Computing | Traditional Software Licensing | Co-location | Hosting | ASP |
|---|---|---|---|---|---|
| Location of Service/Data | unknown | known | known | known | known |
| Owner of HW/SW | provider/provider | company/company (license) | Company/Company (license) | Provider/Company (license) | Provider/provider |
| Contract | Virtually non-negotiable | negotiated | negotiated | negotiated | negotiated |
| Contract Risk | company | shared | shared | shared | shared |
| Scalability | yes | maybe | maybe | maybe | maybe |
18. Why not just rely on the contract?
Who you are drives what you can expect
• Cloud users should clearly understand what they are getting and
getting into:
– Generally speaking, only the largest implementations get negotiated
contract terms (particularly with respect to SaaS)
– Minimum negotiation flexibility likely in most cases – risk mitigation
analysis should establish ‘business level’ comfort
• Where negotiation is possible, risk mitigation should drive negotiation
of key provisions
– The best bang for the buck is internal process risk mitigation
19. Most Significant Issue with Cloud Computing: Privacy and Security
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Fair Credit Reporting Act/FACT Act
• Federal Trade Commission Act (FTCA)
• ID Theft Red Flags
• State Privacy Security Laws (Breach Notification — 46 States and Encryption (MA and NV), use of SSN’s, etc.)
• Industry Standards (PCI)
• Litigation and enforcement cases
20. Case Study - Contract vs. What They Say
•Privacy Policy
•Terms of Use
•Security FAQ
•Pricing
22. 4 Immutable Laws of Cloud Security
• “These are things that will always be, things that will never change, and it is a state of being.”
– First is an understanding that if your data is hosted in the cloud, you no longer directly control its privacy and protection.
– When your data is burst into the cloud, you no longer directly control where the data resides or is processed.
– If your security controls are not contractually committed to, then you may not have any legal standing in terms of the control over your data or your assets.
– If you don't extend your current security policies and controls in the cloud computing platform, you're more than likely going to be compromised.
– Tari Schreider, HP chief architect of HP Technology Consulting and IT Assurance Practice.
“Security and the Cloud: The Great Reconciliation”, eCommerce Times, 14 May 2012
http://www.ecommercetimes.com/story/Security-and-the-Cloud-The-Great-Reconciliation-75094.html
23. Quick List of Potential Diligence Considerations
• Functionality of solution
• Pricing
• Uptime
• Response time
• Quality of service
• Data Security/Privacy
• Backup and disaster recovery
• Integration with existing systems
• Data access
• Customer service/support
• Insurance coverage
Adapted from “Evaluating SaaS Solutions: A Checklist for Small and Mid-sized Enterprises”
http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf
24. Some Areas of Concern
•Service quality/SLAs/Availability
•Disaster recovery
•Provider competence
•Provider Viability
25. Diligence Considerations:
SLAs
• Control-oriented
– System availability
– System response time
– Fail-over for disaster recovery
• Operations-oriented
– Data retrieval
– Data integrity
– Transition assistance
• Business-oriented
– Error resolution time
– Timeliness re: professional services around cloud solutions
26. Diligence Considerations:
Backup & Disaster Recovery
• How are backup systems architected?
– Complete redundancy? Multiple redundancies? Duplicate systems? Real-
time backup?
• Where are backup systems located geographically?
• Are third party backup systems utilized (partially/totally)?
• How long would a catastrophic event at a data center affect system
availability?
• Concerns for physical assets based on geography (exactly where is
that data center located?)
• Ultimately, whose responsibility is it anyway?
27. Diligence Considerations:
Competence Issues
• Provider track record of success?
• Views of commentators/bloggers
• Is the pricing right for the breadth of offering?
• Perceived level of sophistication of the vendor
– Knowledge of industry vertical
– Mastery of technology
• If vendor is an early stage company, who is supporting it financially?
(speaks to both competence and viability)
• For SaaS in particular, are there integration partners?
28. Diligence Considerations:
Viability of the Cloud Provider
• Viability matters. Why? A cloud user makes an investment when
choosing cloud provider. For example:
– Integrating cloud services into business processes
– Migrating data from its environment
• Lack of industry standardization makes moving to a new cloud
provider difficult
• What happens to a cloud user’s data in the event of:
– Bankruptcy
– M&A
– Escrow
30. Benefits of Cloud Computing
•Cost Avoidance/Deferral
•Improved Organizational Agility
•Focus on Core Business rather than IT
31. Cost Avoidance/Deferral – You Decide
• Gartner says…IaaS isn’t less expensive, but it increases operational
agility (1)
• Computerworld says…Prepare for the real costs of cloud computing
(2)
– Moving and storing data, integrating apps from multiple vendors,
testing software, rent & utilities
• CIO says…CFOs and cloud computing have a love-hate relationship (3)
– Variable pricing messes up cash flow projections
– Capex vs. Opex
• Booz Allen Hamilton says…savings range from 50% to 75% (4)
• CloudU says…savings from 13% to 25% (5)
32. Cost Avoidance/Deferral – You Decide
(cites)
• (1) Lydia Leong, research VP at Gartner Group
– http://www.formtek.com/blog/?p=2696, January 12th, 2012
• (2) “Preparing for the real costs of cloud computing” Computerworld
– http://www.computerworld.com/s/article/359383/The_Real_Costs_of_Cloud_Computing
• (3) “Why CFOS and Cloud Computing Have a Love-Hate Relationship” CIO
Magazine
– www.cio.com/article/print/702074
• (4) “The Economics of Cloud Computing”
http://www.boozallen.com/media/file/Economics-of-Cloud-Computing.pdf
• (5) “Cloudonomics: The Economics of Cloud Computing”
– http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Cloudonomics-The_Economics_of_Cloud_Computing.pdf
33. Improved Organizational Agility
•Use of Public Clouds or Virtual Private Clouds give
organizations the ability to scale up or down when
necessary
•IT expense can be matched to:
– Seasonal or cyclical requirements
– Organizational growth or decline
•Mobile workforce/workplace solutions may improve
organizational productivity
•Cloud environments support experimentation and ability
to fail with low penalty
34. Focus on Core Business
•Organizations can focus on building the business they
know
•Organizations can leverage the best of breed in IT (and not
try to be best of breed themselves)
•Potentially better disaster recovery strategies utilizing
cloud-based options
36. Take Aways
• Be thoughtful about which parts
of your business are cloud-worthy.
All business processes are not
suitable.
• Have a plan to deal with mistakes
that will happen in the cloud
(business, technology, legal).
What level of risk can you
tolerate?
• Work with your key internal and
external advisors to think through
your cloud strategy. A cross-
functional strategy is in order.
37. Q&A
Contact Me
•Janine Anthony Bowen, Esq., CIPP/US
jbowen@jack-law.com
www.visualcv.com/jdabowen
www.linkedin.com/in/jdabowen
•678-823-6611
•Twitter - @cloudlawyer
•www.jack-law.com
JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology - Quite Simply, We Get It.