cloud computing: managing the legal...
Post on 01-Aug-2020
1 Views
Preview:
TRANSCRIPT
Cloud Computing: Managing the Legal Risks Mitigating Liabilities When Outsourcing Virtual Storage and Applications
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
WEDNESDAY, APRIL 25, 2012
Presenting a live 90-minute webinar with interactive Q&A
Janine Anthony Bowen, Partner, Jack Attorneys & Advisors, Atlanta
Lora L. Fong, Managing Counsel, salesforce.com, inc., New York
Daniel A. Masur, Partner, Mayer Brown, Washington, D.C.
Conference Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the + sign next to “Conference Materials” in the middle of the left-
hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a
PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
Continuing Education Credits
For CLE purposes, please let us know how many people are listening at your
location by completing each of the following steps:
• In the chat box, type (1) your company name and (2) the number of
attendees at your location
• Click the SEND button beside the box
FOR LIVE EVENT ONLY
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality of
your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory and you are listening via your computer
speakers, you may listen via the phone: dial 1-866-961-8499 and enter your
PIN -when prompted. Otherwise, please send us a chat or e-mail
sound@straffordpub.com immediately so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
Cloud Computing:
Managing the Legal Risks
Primer and Risk Mitigation
Janine Anthony Bowen, Esq., CIPP jbowen@jack-law.com (678) 823-6611 April 25, 2012
6 6
Agenda
•Brief Overview of Cloud Computing
•Later…Minimizing & Mitigating Legal Risk
7
Cloud Computing Plain English Definition
• From the User’s Perspective – Data processing and storage, application development, and
software hosting over the Internet instead of on a personal computer or over a business’ network
– Available on an ‘on demand’ basis
– Location of information stored ‘in the Cloud’ is potentially unknown at any given point in time
– Relatively inexpensive
8
National Institute of Standards & Technology’s Definition
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
9
NIST Definition (cont)
• Essential Characteristics – On-demand self-service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured Service
• Deployment Models – Private Cloud
– Community Cloud
– Public Cloud
– Hybrid Cloud
Three Service Models
SaaS (Software as a Service) The consumer uses the provider’s applications running on a cloud infrastructure. (e.g. Google Apps) PaaS (Platform as a Service) The consumer has control over the deployed applications and possibly application hosting environment configurations. (e.g. Force.com) IaaS (Infrastructure as a Service) The consumer is able to deploy and run arbitrary software. (e.g. Amazon EC3)
10
The Cloud…in all its Glory!
11
12
Virtual Server
Consolidation
Human
Resources
Sales
Asset
Management
Facilities
Management
Purchasing
Multiple Separate
Physical Servers and
Software Licenses
Single Physical Server
with Multiple Software
Licenses
Real
Servers
Virtual
Server
13
Multi-tenant
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
Contracting for Cloud Computing
Services — Key Considerations
April 25, 2012 Dan Masur Mayer Brown LLP Partner 202 263 3329 dmasur@mayerbrown.com
Top Secret The Real Value of Cloud Computing!
15
Contracting for Cloud Computing Services The Road to the Cloud!
16
Breadth of Cloud-Based Offerings
“Nice to have” business tools
Routine, non-sensitive data
Limited scope of business use
Mission critical applications
Regulated or business sensitive data
Enterprise-wide use
Each end of the spectrum presents different legal and contractual challenges, options and trade-offs
17
Cloud Customers Must Make Informed Tradeoffs
• There is no standard contract “form” that will work for each situation
– Traditional outsourcing and software licensing terms may be useful, but can not be inflexibly applied to cloud computing
• More robust contractual protection may or may not be the correct answer — it depends
• Prospective cloud customers must take into account – Criticality of the software, data and services in question
– Unique issues associated with cloud computing
– Availability and pricing of various alternatives
• For “nice-to-have” business tools or routine data, a low cost solution may outweigh contractual protections
• Requiring robust contractual protections may increase the price and eliminate certain providers altogether
18
Key Issues in Cloud Computing
19
Data security is by far the largest concern as the market has yet to address enterprise security requirements – source: TPI
78%
51%
49%
49%
48%
34%
33%
29%
27%
26%
25%
25%
11%
Data security
Failing regulatory requirements
Integration risks with legacy systems
Unclear who has access to my data
Disaster recovery
Co-mingling of data
Up-time availability
Connectivity / bandwidth
Service provider viability
Unclear where data is stored
Response time
Migration to different service
Ill defined business case n=73
20
Privacy, Security and the Cloud
We are the intersection of privacy regulation dramatically increasing at the same time that cloud computing will exponentially increase.
Enterprises need to understand and prepare for entry into cloud computing – requires assessment, planning (including for regulatory requirements) and careful transformation.
Privacy Cloud
21
Issues with Cloud Computing Privacy and Security — the Elephant in the Room
• Data transfer issues (EU and similar jurisdictions)
• Data location issues
• Location of users accessing data
• Movement and storage of data
• Use of subcontractors
• Use of multiple platforms
• Lack of transparency and control
• Data breach issues
• Data destruction issues
• Ability to impose security and privacy requirements
22
Issues with Cloud Computing Privacy and Security — US
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Fair Credit Reporting Act/FACT Act
• Federal Trade Commission Act (FTCA)
• ID Theft Red Flags
• State Privacy Security Laws (Breach Notification — 46 States and Encryption (MA and NV), use of SSN’s, etc.)
• Industry Standards (PCI)
• Litigation and enforcement cases
23
Issues with Cloud Computing Privacy and Security — US
• General security of personal information laws (e.g., Arkansas, California, Indiana, Maryland, Massachusetts, Nevada, Rhode Island, Texas and Utah).
• Standard: reasonable security procedures and practices appropriate to the nature of the information.
• Massachusetts regulations far exceed most other laws and regs. – Create duty to protect and have detailed system requirements
– Require a written security program
– Requires that companies oversee service providers by selecting providers who are capable of maintaining appropriate security measures consistent with the MA regs
– Requires that service provider contracts require them to implement and maintain appropriate security measures
– Requires encryption of personal information across public networks, wireless networks and portable devices (laptops, hard drives, etc.)
24
Issues with Cloud Computing Privacy and Security — Non-US
In EEA and other jurisdictions where data protection and data transfer regulation is strict, cloud computing challenges and issues increase
25
Privacy, Security and Compliance Issues with Cloud Computing: —Non-US
• Numerous countries prohibit or restrict the transfer of personal data out of a certain area, and require additional formalities before the data may be transferred
• Examples: EU and EEA countries, Argentina, Canada, Dubai, Israel, New Zealand, Uruguay
26
Covers EU to US Data Transfers
This works well for companies who
don’t have numerous worldwide affiliates,
and in third party contract situations
Safe Harbor
Data Controller to Data Controller or Data
Controller to Data Processor
Not the best solution for
multinational companies who
transfer data around the world
Approved
Clauses
Rules that apply to all affiliated companies
regarding personal data
Best solution for multi-nationals with
many inter-company data transfers, however,
process is long and cumbersome
Binding
Corporate
Rules
When Derogations do not apply, and Consent cannot be obtained, what are the options for Data Transfer?
Issues with Cloud Computing: Privacy and Security —Non-US
27
Overview of Approved Clauses
Use ensures satisfaction of “adequate protection”
Controller to Controller, or recently updated Controller to Processor Contractual Clauses
Data controller = determines the purposes and means of processing personal data
Data processor = processes personal data on behalf of a controller
Data controller to data processor (2010) clauses have some significant differences from
the prior version
Intercompany Transfers and Third
Parties
Easiest of the data transfer options to use
Must be used “as is”
Nicely covers transfers to third parties (e.g., outsourcers)
Benefits
Must be filed with DPAs in certain countries — cumbersome
Must be used “as is”
For multi-nationals, each company must sign a set with each other company or third party
provider — very cumbersome – unless delegations of authority are properly made
Drawbacks
Issues with Cloud Computing: Privacy and Security —Non-US
28
Issues with Cloud Computing: Privacy and Security —Non-US : EU Approved Clauses
• Must be used after May 15, 2010
• Old clauses still work unless changes made regarding data or new subcontract
• Data Controller must agree in writing to sub-processors (subcontracting), and are entitled to see sub-processing contracts
• Data subjects can make claims directly against sub-processors
29
German DPA Statements on Cloud Computing
• DPA of Federal State of Schleswig-Holstein new white paper on cloud computing
• Paper is not legally binding, but indicates how German states will most likely analyze cloud computing
• Conclusion is that transfer of personal data in most cloud computing arrangements is not permitted by German data protection law – with a focus on public clouds
• Companies using cloud computing services must control whether cloud computing service providers observe the data protection laws
• Look for more developments and interpretation of the white paper
30
Other Critical Contracting Issues for Cloud Customers
Regulatory and Compliance Challenges
• Auditability
• Lack of transparency and control
• Subcontracting and flow down of provisions
• Export control issues
• Electronic discovery issues
• Record retention issues
Other Key Issues and Challenges
•Service levels
• Disaster recovery and business continuity
• Intellectual property issues
• Change management issues
• Exit rights
• Financial stability of providers/due diligence
31
Cloud Computing So now what? Can we even do this?
32
Contracting for Cloud Computing YES! • Keep your eye on
– Criticality of the software, data and services
– Unique issues associated with cloud computing
– Availability and pricing of various alternatives
• Look to traditional outsourcing contracts and software and data use agreements as a good starting point
33
Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings
Customer Need Pure Utility Cloud Solution Enterprise Cloud Solution (Leveraged Private Cloud)
Need for diligence on provider
Physical diligence/inspection not permitted, and not possible if sub-processors are used
Basic diligence information is available – certifications, audit reports, etc.
Know where your data is processed and stored
Data may be processed and stored anywhere
Location of data can be fixed in contract
Know places where your data may be transferred
Data may be transferred to or accessed from anywhere
Location of data can be fixed in contract
Rights to approve of subprocessors
Frequent use of subprocessors (scalability, flexibility, variable use)
Notice of subprocessors as necessary for compliance (EU), and approval in some cases
34
Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings
Customer Need Pure Utility Cloud Solution Enterprise Cloud Solution (Leveraged Private Cloud)
Response to data security incidents
Standardized offering, use of sub-processors and other limits may delay discovery of breaches, and ability to provide information regarding extent of breach
Notification of security incidents is offered, although extent of liability remains an item of negotiation
Audit rights
Typically not available, especially not for sub-processors
Some rights available, but may not include physical access
Proper disposal and destruction of data
No guarantee all data will be found and erased or returned
Data will be returned or destroyed
Change Control Provider may make changes without notice or consent
Notification of changes provided, but customer may have to terminate or leave cloud if changes cause issues
35
Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings
Customer Need Pure Utility Cloud Solution Enterprise Cloud Solution (Leveraged Private Cloud)
Established Contract Terms
Incorporation of additional online terms, subject to change by provider
Contract terms are established and should not materially change
Provider has some liability exposure for breaches and non-compliance
Extremely limited liability More standard (ITO like) liability, although with different caps for security and confidentiality breaches around personal data
Controls on data and security standards
Standardized offering with use of cloud provider controls
Customer must review provider standards and determine sufficiency
36
37
Minimizing and Mitigating Risks
•Agenda – Considerations in
Vendor Selection
– Contracting Models
– Impact of Industry Standards
38 38
Why not just rely on the contract? Who you are drives what you can expect
• Cloud users should clearly understand what they are getting and getting into: – Generally speaking, only the largest implementations get negotiated
contract terms (particularly wrt to SaaS)
– Minimum negotiation flexibility likely in most cases – risk mitigation analysis should establish ‘business level’ comfort
• Where negotiation is possible, risk mitigation should drive negotiation of key provisions – The best bang for the buck is internal process risk mitigation
39
But first, how’s cloud computing different?
• Geography – Data in the cloud can be anywhere; multiple copies can be in multiple locations
• In current state of play cloud providers assume as little liability as possible – bulk of contract risk resides with the user
• Difficult for a user to know where liability rests, even if it were properly assigned (e.g. Global Payments data breach earlier this year)
• The nature of the potential legal issue depends on where a user plugs into the cloud (issues with SaaS may be different than with IaaS)
• Virtually complete loss of control by data owner (who holds it and where is it?)
• Relatively inexpensive OPEX instead of CAPEX
40
Quick List of Potential Mitigation Considerations
Functionality of solution Pricing
Uptime Response time
Quality of service Data Security/Privacy
Backup and disaster recovery Integration with existing systems
Data access
Customer service/support
Insurance coverage
Adapted from “Evaluating SaaS Solutions: A Checklist for Small and Mid-sized Enterprises” http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf
41 41
Some Areas of Concern
•Service quality/SLAs/Availability
•Disaster recovery
•Provider competence
•Provider Viability
42 42
Mitigation Considerations: SLAs
• Control-oriented
– System availability – System response time – Fail-over for disaster recovery
• Operations-oriented
– Data retrieval – Data integrity – Transition assistance
• Business-oriented
– Error resolution time – Timeliness re: professional services around cloud solutions
43 43
Mitigation Considerations: Backup & Disaster Recovery
• How are backup systems architected? – Complete redundancy? Multiple redundancies? Duplicate systems? Real-
time backup?
• Where are backup systems located geographically?
• Are third party backup systems utilized (partially/totally)?
• How long would a catastrophic event at a data center affect system availability?
• Concerns for physical assets based on geography (exactly where is that data center located?)
• Ultimately, whose responsibility is it anyway?
44
Mitigation Considerations: Competence Issues
• Provider track record of success? • Views of commentators/bloggers • Is the pricing right for the breadth of offering? • Perceived level of sophistication of the vendor
– Knowledge of industry vertical – Mastery of technology
• If vendor is an early stage company, who is supporting it financially? (speaks to both competence and viability)
• For SaaS in particular, are there integration partners?
44
45
Mitigation Considerations: Viability of the Cloud Provider
• Viability matters. Why? A cloud user makes an investment when choosing cloud provider. For example: – Integrating cloud services into business processes
– Migrating data from its environment
• Lack of industry standardization makes moving to a new cloud provider difficult
• What happens to a cloud user’s data in the event of:
– Bankruptcy
– M&A
– Escrow
46
Cloud Contracting Preliminaries: Comparing Cloud to What We Knew Before
Cloud
Computing
Traditional
Software
Licensing
Co-
location
Hosting ASP
Location of
Service/Data
unknown known known known known
Owner of
HW/SW
provider/
provider
company/
company
(license)
Company/
Company
(license)
Provider/
Company
(license)
Provider/
provider
Contract Virtually
non-
negotiable
negotiated negotiated negotiated negotiated
Contract Risk company shared shared shared shared
Scalability yes maybe maybe maybe maybe
Understanding the Legal Risk Profile
47
Cloud Contracting Models: License vs. Service Agreement
48
49
Cloud Contracting Models: Online Agreement vs. Standard Contract
Online Agreement Standard Contract
Negotiable No. Yes, generally.
Limits Placed on
Provider’s Liability
Yes. Very little
or no liability to
provider.
Yes. Risk
shared by
provider and
user.
Risk in the Event
of Problems
Born by user. Born by party
responsible.
Who Controls
Contracting
Ultimate End
User
Contracting
Party
50
Impact of Industry Standards
• What standards applicable to cloud computing exist? – Payment Card Industry Data Security Standards
•A set of requirements for enhancement of payment account data security – ISO 27000 Series Standards
•An information security standard that provides best practices for those implementing an information security management system
– Open Cloud Manifesto
•Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration
51 51
Take Aways
• Be thoughtful about which parts of your business are cloud-worthy. All business processes are not suitable.
• Have a plan to deal with mistakes that will happen in the cloud (business, technology, legal). What level of risk can you tolerate?
• Work with your key internal and external advisors to think through your cloud strategy. A cross-functional strategy is in order.
52 52
Contact Me
•Janine Anthony Bowen, Esq., CIPP/US jbowen@jack-law.com www.visualcv.com/jdabowen www.linkedin.com/in/jdabowen
•678-823-6611
•Twitter - @cloudlawyer
•www.jack-law.com
JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology - Quite Simply, We Get It.
sfdc_ppt_corp_template_01_01_2012.ppt
Contracting in the Cloud
Lora L. Fong, Esq. Managing Counsel lfong@salesforce.com salesforce.com , inc. April 25, 2012
Copyright 2012 salesforce.com, inc
Disclaimer
My views are my own, and generally (but not always) reflect those
of salesforce.com - the leader in enterprise cloud computing
Sales Cloud™
The world’s #1 sales application.
Service Cloud™
The future of customer service.
Chatter - Collaboration Cloud
Collaboration apps and platform. Work with colleagues—real time.
Force.com - Custom Cloud 2
The leading cloud platform for custom application development
54
Agenda
– Technology model
– Key legal issues and contracting strategies
55
Technology Model
56
Ten Year Computing Cycles 10X more users with each cycle
1960’s Mainframe Computing
1990’s Desktop Cloud
Computing
2000’s Mobile Cloud
Computing
2010’s Social
Revolution
1970’s Mini Computing
1980’s Client/Server Computing
Data Management
Apps
Business Logic Apps
Process Automation
Apps
Web Apps
Mobile Apps
Social
Apps
57
2013E
2007 2008
2009 2010
2011 2012E
2006
1.8 billion mobile devices by 2014
2014E
Tablets
Smartphones
Laptops
Desktop
Social Revolution: Next Generation Devices Changing How We
Access the Web
Source: Gartner Research, Smartphone, Tablet, and PC Forecast, December 2011 58
What’s in the Cloud?
Traditionally Managed On-Premise
– Servers
– OS
– Application software
– Development environment
– Upgrade/Maintenance
– Security
– Backup
– Disaster Recovery/BCP
59
NIST Definition of Cloud Computing Authors: Peter Mell and Tim Grance, Version 16
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared
pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with
minimal management effort or service provider
interaction. This cloud model is composed of five
essential characteristics, three service models, and
four deployment models.
60
NIST Definition of Cloud Computing
Five Essential Characteristics
1. On-Demand Self-Service: Consumer provisions computing
capabilities without provider intervention
2. Broad Network Access: Accessible via standard mechanisms
promoting use by various “client” platforms (smart phones, pdas,
tablets, laptops)\
3. Resource Pooling: Provider resources pooled using multi-tenant
model to serve multiple consumers; customer has no control or
knowledge over exact location of provided resources
4. Rapid Elasticity: scale up, scale down, appearing “unlimited”
5. Measured Service: control and optimize resources with metrics on
resources, transparent to provider & consumer
61
NIST Definition – 3 Service Models
Software as a Service (SaaS)
– Provider’s applications, infrastructure
– Accessible via client devices over “thin-client” interface” (e.g. web browser or web-based
email)
– Consumer doesn’t manage or control infrastructure (network, servers, OS, storage,
application capabilities)
– Consumer may have configurable application settings (e.g. user permissions)
Platform as a Service (PaaS)
– Consumer created or acquired applications
– Use of programming languages & tools supported by cloud provider
– Consumer control over deployed applications
– Provider managed infrastructure
Infrastructure as a Service (IaaS)
– Consumer capability to provision resources (processing, storage, networks)
– Provider controls underlying cloud infrastructure
– Consumer able to deploy arbitrary software (OS, Apps)
62
NIST Definition - 4 Deployment Models
1. Private Cloud
– provisioned for exclusive use by single organization,
– owned/managed operated by the organization or 3rd party
– May exist on or off premises
2. Community Cloud
– Exclusive use by specific community of multiple organizations with shared concerns
– May be owned/managed/operated by one or more of the organizations
– May exist on or off premises
3. Public Cloud
– Available to general public
– May be owned/managed/operated by business, academic or gov’t organization
– exists on cloud provider’s premises
4. Hybrid Cloud
– Two or more distinct clouds bound together by technology
– enabling data and application portability
63
NIST: Features of Mature SaaS Applications
Version 15
Scalability
– 1 to N users
Multi-Tenancy
– One code base supporting multiple logical instances
Metadata driven Configurability
– Users configure via metadata vs. application code changes
64
Multi-Tenancy Makes Public Cloud Computing
Possible
Single-Tenant
(On-Premise or Hosted)
Dedicated App Stack for Each
Application
Multi-Tenant
One Single Stack for All
Applications
65
66
Metadata: How Multi-Tenant Services Deliver a
Unique Experience to Every Customer
Salesforce
Apps ISV Apps
850+
Custom Apps 100k+
upgrades
Customizations, Integrations and apps run on the latest release automatically
Metadata
100,000+ salesforce.com customers
11 Million +
Customer
Customizations
100+ M
Integration Calls / Day
Shifting the Burden to the Cloud
Application and Platform
– Development
– Maintenance
– Functional Enhancements
Infrastructure
– Hardware resource acquisition, management
– Economies of scale
• (e.g. salesforce.com supports approximately 83,000 customers
currently on only 1,500 Dell PCs, plus an additional 1,500 for
redundancy/Disaster Recovery etc.).
67
Faster Rollouts and Innovation
Faster implementation of applications
Faster Vendor Innovation
Flexibility and scalability to serve companies of all sizes
(1 – X users)
Code base developed, maintained, enhanced by the
provider
• Upgrades tested and deployed
• Security
• Audit history tracking
• Tuning
• Backups
• Disaster Recovery
68
Subscription Model
Fixed # of Users / Period / Product
For customer
– Minimal up-front investment
– Flexibility
For vendor
– Financial predictability
– Cash flow
Pricing
– Provider may discount for greater commitment
69
Subscription
Contracting in the Cloud
70
Subscription Model vs. Software License Model
Inside customer’s firewall
– Licensing model
– Software license seeks to avoid first sale doctrine
(allows purchaser to sell or give away a copy of a copyrighted work
once lawfully obtained)
Outside customer’s firewall
– No copies distributed in cloud computing, therefore no software
license needed
– Cloud computing is a “service” that is “provided” or “made
available” to customer (SaaS, PaaS, IaaS)
71
Maintenance & Support
On premises model typically requires customer to
purchase maintenance or support in addition to software
license; customer responsible for installing/managing
Multi-tenancy model typically includes
– Functional enhancements, upgrades
– Fixes, patches
– May include user support (Help desk)
72
NIST Guidelines on Security and Privacy in Public
Cloud Computing
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494
Carefully plan the security and privacy aspects of cloud computing
solutions before engaging them.
Understand the public cloud computing environment offered by the
cloud provider.
Ensure that a cloud computing solution satisfies organizational
security and privacy requirements.
Ensure that the client-side computing environment meets
organizational security and privacy requirements for cloud
computing.
Maintain accountability over the privacy and security of data and
applications implemented and deployed in public cloud computing
environments.
73
Privacy & Security: Contract Checklist
Ownership & Use Limitation: Ensure the cloud provider claims no ownership rights in customer data and
uses customer data only as customers instruct or to fulfill contractual or legal obligations.
Disclosure. Ensure the cloud provider discloses customer data only if required to do so by the customer
or by law, and provide affected customers prior notice of any legally compelled disclosure to the extent
permitted by law.
Security Management System: Ensure the cloud provider maintains a robust security management
system based on an internationally accepted security framework (such as ISO 27002).
Customer Security Features: Ensure the cloud provider offers customers a selection of security features
to implement in their usage of cloud computing services.
Audit: Ensure the cloud provider uses independent, third-party auditors to ensure compliance with their
security management system.
Breach Notification: Ensure the cloud provider promptly notifies customers of known security breaches
that affect the confidentiality or integrity of their respective customer data.
Data Location: Ensure the cloud provider makes available to customers a list of
countries in which their respective customer data is hosted.
74
Liability Considerations
For provider, risk of data security breach outstrips all
others
Multi-tenancy enables single incident to affect
thousands of customers, changing risk calculus
For provider, critical to think through worst-case
scenarios, and re-think as company grows and evolves
– Types of harm
– Damages available
– Settlement values
– Insurance coverage
75
Limitation of Liability
Cloud computing provider typically considers worst-case
scenario, and draft contracts accordingly
– Capped liability base on fees paid or fixed amount
Typical technology industry agreements exclude
special, consequential or indirect damages
(i.e., cost of cover, lost profits, punitive damages)
76
Third-Party Applications
Trend: cloud computing platforms allowing applications
from multiple sources to integrate and share data
Contractual consent to sharing of data when 3rd party
applications are invoked
77
Indemnification in the Cloud
In cloud computing,
Customer inputs content into provider’s system
Provider doesn’t collect or control content, but stores & processes it
Cloud provider has control of its infrastructure and the technology it
provides
Customer should indemnify cloud computing vendor for claims based on content
submitted by its users,
– e.g. that storage, processing, display of content by the provider violates a law or third-party
right
Cloud provider should indemnify customer for claims based on technology
provider supplies
– e.g. that the SaaS applications provided violate patent or copyrights of a third party
78
Reliability & Availability
Service Levels
– Multi-tenancy motivates provider to deliver high availability
– If service unavailable for one, almost certainly unavailable for
many or all
– Effect on business will usually impose much greater discipline
on vendor than contractual remedies
Trend is toward transparency & published metrics
79
Data Ownership, Access & Destruction
Explicit provisions as to who owns the data
Assurances as to ability to access data
– During the contract term
– After termination
– In a format that is usable
Obligation to destroy the data
– After termination
– At any time if necessary (tricky multi-tenancy issues)
80
Source Code Escrow
Escrow Agreements - Common in enterprise software
license agreement where vendor ceases to support
software
Makes sense in behind-the-customer-firewall model
Doesn’t make sense in multi-tenant model
– Much more practical for customer to take its content and load it
in alternative service
81
Key Customer Obligations
Self-Service – key distinction in SaaS model
– administrative function is customer role
– Access to data – permissions, profiles, record or field level controls
– Password security, no sharing of passwords
Control of content
– legality of customer’s content and means by which it acquired content
Using SaaS apps/PaaS/IaaS in accordance with applicable
laws
– e.g. not use to store or transmit infringing, libelous, or otherwise
unlawful or tortious material, or to store or transmit material in
violation of third-party rights
82
top related