The Complexities of Cloud Computing - The Rules are New, But is the Game
-
Upload
janine-anthony-bowen-esq -
Category
Documents
-
view
1.132 -
download
4
description
Transcript of The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of CloudComputing: The Rules areNew, But is the Game?
Janine Anthony Bowen, Esq., CIPP/[email protected](678) 823-6611June 8, 2012
Seems like the inevitable…
2
Source: http://geekandpoke.typepad.com;The Lighter Side of the Cloud by CloudTweaks –David Fletcher. Used under Creative CommonsLicense
The Cloud…in all its Glory!
3
The Hype Then…
• “As enterprises seek to consume their IT services in the most cost-effective way, interest is growing in drawing a broad range of services(for example, computational power, storage and businessapplications) from the "cloud," rather than from on-premisesequipment. The levels of hype around cloud computing in the ITindustry are deafening, with every vendor expounding its cloudstrategy and variations, such as private cloud computing and hybridapproaches, compounding the hype.”
• Gartner Press Release, Gartner’s 2009 Hype Cycle Special Report Evaluates Maturity of1,650 Technologies, August 11, 2009 http://www.gartner.com/it/page.jsp?id=1124212
4
And Now…
•According to Forbes…
“Interest in Cloud Computing Has Peaked”
•But Never Fear…its here to stay (for now anyway)
http://www.forbes.com/sites/reuvencohen/2012/05/24/interest-in-cloud-computing-has-peaked/
5
Agenda
6
•Overview of CloudComputing
•Contractual Considerations
•Due Diligence
•Business Considerations
•Take Aways
6
7
Cloud ComputingPlain English Definition
• From the User’s Perspective– Data processing and storage, application development, and
software hosting over the Internet instead of on a personalcomputer or over a business’ network
– Available on an ‘on demand’ basis
– Location of information stored ‘in the Cloud’ is potentially unknownat any given point in time
– Relatively inexpensive
8
National Institute ofStandards & Technology’s Definition
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computingresources (e.g., networks, servers, storage, applications, and services)that can be rapidly provisioned and released with minimalmanagement effort or service provider interaction. This cloud modelpromotes availability and is composed of five essential characteristics,three service models, and four deployment models.
• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
9
NIST Definition (cont)
• Essential Characteristics– On-demand self-service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured Service
• Deployment Models– Private Cloud
– Community Cloud
– Public Cloud
– Hybrid Cloud
Three Service Models
SaaS (Software as a Service)The consumer uses theprovider’s applications runningon a cloud infrastructure. (e.g.Google Apps)
PaaS (Platform as a Service)The consumer has control overthe deployed applications andpossibly application hostingenvironment configurations.(e.g. Force.com)
IaaS (Infrastructure as a Service)The consumer is able to deployand run arbitrary software. (e.g.Amazon EC3)
10
Virtual Server
11
Multi-Tenancy Makes Public CloudComputing Possible
12
Single-Tenant(On-Premise or Hosted)
Dedicated App Stack for Each Application
Multi-Tenant
One Single Stack for AllApplications
Slide used with permission from Salesforce.com - © 2012 Salesforce.com
Multi-Tenant
13
Virtual Server withMultiple Tenants
ABC CompanyPurchasingApplication
XYZ CompanyPurchasingApplication
AcmeCompanyInventory
Application
AtlasCompanyInventory
Application
Top-NotchCompanyLogistics
Application
Small BizCompany
PayrollApplication
HypervisorOperating System
ABC CompanyUser
XYZ CompanyUser
Acme CompanyUser
Atlas CompanyUser
Small BizCompany User
Top-NotchCompany User
Tenants
InternetConnection
Contractual Considerations
14
How’s cloud computing different?
• Geography – Data in the cloud can be anywhere; multiple copies can be inmultiple locations
• In current state of play cloud providers assume as little liability as possible– bulk of contract risk resides with the user
• Difficult for a user to know where liability rests, even if it were properlyassigned (e.g. Global Payments data breach earlier this year)
• The nature of the potential legal issue depends on where a user plugs intothe cloud (issues with SaaS may be different than with IaaS)
• Virtually complete loss of control by data owner (who holds it and whereis it?)
• Relatively inexpensive OPEX instead of CAPEX
15
16
Cloud Contracting:Comparing Cloud to What We Knew Before
CloudComputing
TraditionalSoftwareLicensing
Co-location
Hosting ASP
Location ofService/Data
unknown known known known known
Owner ofHW/SW
provider/provider
company/company(license)
Company/Company(license)
Provider/Company(license)
Provider/provider
Contract Virtuallynon-
negotiable
negotiated negotiated negotiated negotiated
Contract Risk company shared shared shared shared
Scalability yes maybe maybe maybe maybe
Understanding the Legal Risk Profile
17
Why not just rely on the contract?Who you are drives what you can expect
• Cloud users should clearly understand what they are getting andgetting into:– Generally speaking, only the largest implementations get negotiated
contract terms (particularly wrt to SaaS)
– Minimum negotiation flexibility likely in most cases – risk mitigationanalysis should establish ‘business level’ comfort
• Where negotiation is possible, risk mitigation should drive negotiationof key provisions– The best bang for the buck is internal process risk mitigation
1818
Most Significant Issue with CloudComputing: Privacy and Security
•Gramm-Leach-Bliley Act(GLBA)
•Health Insurance Portabilityand Accountability Act(HIPAA)
•Health InformationTechnology for Economic andClinical Health (HITECH)
•Fair Credit ReportingAct/FACT Act
•Federal Trade CommissionAct (FTCA)
• ID Theft Red Flags•State Privacy Security Laws
(Breach Notification — 46 Statesand Encryption (MA and NV),use of SSN’s, etc.)
• Industry Standards (PCI)•Litigation and enforcement cases
19
Case Study - Contract vs. What They Say
•Privacy Policy•Terms of Use•Security FAQ•Pricing
20
Due Diligence
21
4 Immutable Laws of Cloud Security
• “These are things that will always be, things that will never change,and it is a state of being.”
– First is an understanding that if your data is hosted in the cloud, you nolonger directly control its privacy and protection.
– when your data is burst into the cloud, you no longer directly control wherethe data resides or is processed.
– if your security controls are not contractually committed to, then you maynot have any legal standing in terms of the control over your data or yourassets.
– if you don't extend your current security policies and controls in the cloudcomputing platform, you're more than likely going to be compromised
– Tari Schreider, HP chief architect of HP Technology Consulting and ITAssurance Practice.
“Security and the Cloud: The Great Reconciliation”, eCommerce Times, 14 May 2012http://www.ecommercetimes.com/story/Security-and-the-Cloud-The-Great-
Reconciliation-75094.html
22
Quick List of Potential DiligenceConsiderations
Functionality of solution Pricing
Uptime Response time
Quality of service Data Security/Privacy
Backup and disaster recovery Integration with existing systems
Data access Customer service/support
Insurance coverage
23
Adapted from “Evaluating SaaS Solutions: A Checklist for Small and Mid-sized Enterprises”http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf
Some Areas of Concern
24
•Servicequality/SLAs/Availability
•Disaster recovery
•Provider competence
•Provider Viability
24
Diligence Considerations:SLAs
• Control-oriented– System availability– System response time– Fail-over for disaster recovery
• Operations-oriented– Data retrieval– Data integrity– Transition assistance
• Business-oriented– Error resolution time– Timeliness re: professional services around cloud solutions
2525
Diligence Considerations:Backup & Disaster Recovery
• How are backup systems architected?– Complete redundancy? Multiple redundancies? Duplicate systems? Real-
time backup?
• Where are backup systems located geographically?
• Are third party backup systems utilized (partially/totally)?
• How long would a catastrophic event at a data center affect systemavailability?
• Concerns for physical assets based on geography (exactly where isthat data center located?)
• Ultimately, whose responsibility is it anyway?
2626
Diligence Considerations:Competence Issues
• Provider track record of success?• Views of commentators/bloggers• Is the pricing right for the breadth of offering?• Perceived level of sophistication of the vendor
– Knowledge of industry vertical– Mastery of technology
• If vendor is an early stage company, who is supporting it financially?(speaks to both competence and viability)
• For SaaS in particular, are there integration partners?
2727
28
Diligence Considerations:Viability of the Cloud Provider
• Viability matters. Why? A cloud user makes an investment whenchoosing cloud provider. For example:– Integrating cloud services into business processes– Migrating data from its environment
• Lack of industry standardization makes moving to a new cloudprovider difficult
• What happens to a cloud user’s data in the event of:– Bankruptcy– M&A– Escrow
Business Considerations
29
Benefits of Cloud Computing
•Cost Avoidance/Deferral
•Improved OrganizationalAgility
•Focus on Core Businessrather than IT
30
Cost Avoidance/Deferral – You Decide
• Gartner says…IaaS isn’t less expensive, but it increases operationalagility (1)
• Computerworld says…Prepare for the real costs of cloud computing(2)– Moving and storing data, integrating apps from multiple vendors,
testing software, rent & utilities
• CIO says…CFOs and cloud computing have a love-hate relationship (3)– Variable pricing messes up cash flow projections– Capex vs. Opex
• Booz Allen Hamilton says…savings range from 50% to 75% (4)• CloudU says…savings from 13% to 25% (5)
31
Cost Avoidance/Deferral – You Decide(cites)
• (1) Lydia Leong, research VP at Gartner Group– http://www.formtek.com/blog/?p=2696, January 12th, 2012
• (2) “Preparing for the real costs of cloud computing” Computerworldhttp://www.computerworld.com/s/article/359383/The_Real_Costs_of_Cloud_Computing
• (3) “Why CFOS and Cloud Computing Have a Love-Hate Relationship” CIOMagazine
– www.cio.com/article/print/702074
• (4) “The Economics of Cloud Computing”http://www.boozallen.com/media/file/Economics-of-Cloud-Computing.pdf
• (5) “Cloudonomics: The Economics of Cloud Computing”http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Cloudonomics-
The_Economics_of_Cloud_Computing.pdf
Improved Organizational Agility
•Use of Public Clouds or Virtual Private Clouds giveorganizations the ability to scale up or down whennecessary
•IT expense can be matched to:– Seasonal or cyclical requirements– Organizational growth or decline
•Mobile workforce/workplace solutions may improveorganizational productivity
•Cloud environments support experimentation and abilityto fail with low penalty
33
Focus on Core Business
•Organizations can focus on building the business theyknow
•Organizations can leverage the best of breed in IT (and nottry to be best of breed themselves)
•Potentially better disaster recovery strategies utilizingcloud-based options
34
Insurance Considerations
•Cyber Risk•Privacy•E&O•Data Asset Protection•CGL
35
Take Aways
36
• Be thoughtful about which partsof your business are cloud-worthy.All business processes are notsuitable.
• Have a plan to deal with mistakesthat will happen in the cloud(business, technology, legal).What level of risk can youtolerate?
• Work with your key internal andexternal advisors to think throughyour cloud strategy. A cross-functional strategy is in order.
36
Q&AContact Me
•Janine Anthony Bowen, Esq., CIPP/[email protected]/jdabowenwww.linkedin.com/in/jdabowen
•678-823-6611
•Twitter - @cloudlawyer
•www.jack-law.com
3737JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology - Quite Simply, We Get It.