Post on 08-Jul-2020
9/16/2013 3
The U.S. National Institute of Standards and Technology (NIST) defines cloud
computing as: “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
What is Cloud computing?
(Diagram: Platform as a Service – Windows Azure; Application as a Service)
Cloud Computing vs. Bespoke IT Outsourcing Arrangement

Business Model
Cloud Computing:
• Scale – Large and diverse customer base with smaller revenue streams per transaction
• Operating control is critical due to cost pressures
Bespoke IT Outsourcing Arrangement:
• Size of the Deal – Large multi-million or multi-billion dollar and multi-year deals
• Individualized deal allows the flexibility to transfer costs back to individual customers

Operating Model
Cloud Computing:
• Economies of scale require consistency in processes and operations
• Shared “multi-tenant” platform serves potentially millions of customers
• Less flexibility to develop customized features or operating requirements
Bespoke IT Outsourcing Arrangement:
• Bespoke nature of the deal allows outsourcers to customize each arrangement
• Platform built to accommodate individual customer needs, with the customer directing the arrangement
• Features and operations can be developed to address individual customer needs

Costs
Cloud Computing:
• Shared platform and operations allow the operating costs to be distributed across a large base of customers, leading to lower costs due to economies of scale
Bespoke IT Outsourcing Arrangement:
• Higher costs due to bespoke nature of the deal
• Customer directly finances the cost of the outsourcing arrangement
Cloud computing may offer a less flexible contracting process.
Most Cloud vendors offer standard contractual terms because of the scale, multi-tenant design, and turnkey nature of Cloud.
In-house counsel should be careful when a Cloud vendor is too quick to agree to change their standard terms.
Service level agreements
Examination rights
Limitation of liability
Certifications (ISO 27001, SSAE 16, etc.)
Data location – Cloud data center infrastructure
EU data transfer requirements
Safe Harbor
EU Model Clauses
Applicable law and jurisdictions
Who owns the data? What is the vendor business model?
Data use limited to providing Cloud services to the customer
Detailed security and privacy commitments
Data portability
Sophisticated Cloud vendors perform rigorous analysis to ensure compliance with generally applicable laws:
EU Law (and Model Clauses)
HIPAA
FERPA
Breach notification
The customer is ultimately responsible for compliance with laws and regulations.
Cloud vendors should help customers understand how to comply with major regulations, even if they don’t apply directly to the Cloud vendor.
Jeffrey D. Bridges, esq.
Associate Director, Information Governance
Boehringer Ingelheim Pharmaceuticals, Inc.
Introduction
Learning Points:
Ways to protect intellectual data
Holding service providers accountable
Strategies in choosing a secure cloud service provider
Managing content stored with a cloud provider
Thought
“No security system is a match for a careless employee.”
-- Stieg Larsson, The Girl Who Played With Fire
(2nd of The Girl with the Dragon Tattoo series)
How Our World Appears:
Data breach costs $194 per person breached.
- 2011 Ponemon Cost of Data Breach Study
Breach costs in health care records custody continue to grow.
Law firms are increasingly targeted to get at client information.
As much as 47% of business data is stored on the Cloud.
Let’s Start The Discussion
Some questions to get folks talking:
How many have content on the cloud?
Vendor hosted apps?
Third party review?
How many assess risk in environment?
How do you assess risk?
What’s the harm in storing content offsite?
Breach of non-public personal information
Breach of corporate “Confidential” or “Proprietary” content.
Mining for business intelligence and competitive advantage.
Who Should You Assess?
What environment needs assessment?
Is vendor storing your information?
Is vendor storing information on your behalf?
Is vendor accessing or receiving your information?
Is vendor soliciting information on your behalf?
What is the nature of the information being gathered?
Personal Information
Confidential or Proprietary
Other Internal Use
What Do You Assess?
What are some questions?
Any security certifications? (SAS 70)
Password requirement
Access Controls
Pen Tests
Content logically separated
What is the physical environment of the server?
Server location
Assess Legal and RIM
Who owns content
EU Safe Harbor certified
Records Management Policy
Metadata retained
Audit trails
Apply Retention
Preserve content
Contract Considerations
Notice of Breach – within 48-72 hours of discovery
Liability for Breach
Notice if vendor is outsourcing content or work – new assessment
Ownership of content
Treatment of content at end of relationship
Other Considerations
Verify financial capabilities of vendor
Security/Integrity issue – may not be overwhelming, but….
What happens if provider goes bankrupt?
Does vendor have liquidity to remain current with technology threats?
Other Considerations
Who owns vendor?
Folders logically separated from competitors?
What is underlying service/records created?
PHI? PII?
Call Center?
Marketing content creation?
On-site inspection? Evaluate workstations
Is your content visible to competitors’ workers?
“Trust, but verify.” -- Ronald Reagan