Page 1: Cloud Computing: Managing the Legal Risks (media.straffordpub.com/products/cloud-computing-managing..., 2012/04/25)

Cloud Computing: Managing the Legal Risks
Mitigating Liabilities When Outsourcing Virtual Storage and Applications

WEDNESDAY, APRIL 25, 2012
Presenting a live 90-minute webinar with interactive Q&A
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today's faculty features:

Janine Anthony Bowen, Partner, Jack Attorneys & Advisors, Atlanta
Lora L. Fong, Managing Counsel, salesforce.com, inc., New York
Daniel A. Masur, Partner, Mayer Brown, Washington, D.C.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Page 2

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the + sign next to "Conference Materials" in the middle of the left-hand column on your screen.
• Click on the tab labeled "Handouts" that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.

Page 3

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the SEND button beside the box

FOR LIVE EVENT ONLY

Page 4

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Page 5

Cloud Computing: Managing the Legal Risks
Primer and Risk Mitigation

Janine Anthony Bowen, Esq., CIPP
[email protected] | (678) 823-6611
April 25, 2012

Page 6

Agenda

• Brief Overview of Cloud Computing
• Later: Minimizing & Mitigating Legal Risk

Page 7

Cloud Computing: Plain English Definition

• From the user's perspective: data processing and storage, application development, and software hosting over the Internet instead of on a personal computer or over a business' network
– Available on an 'on demand' basis
– Location of information stored 'in the Cloud' is potentially unknown at any given point in time
– Relatively inexpensive

Page 8

National Institute of Standards & Technology's Definition

• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

• Source: NIST SP 800-145, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Page 9

NIST Definition (cont.)

• Essential Characteristics
– On-demand self-service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured service

• Deployment Models
– Private cloud
– Community cloud
– Public cloud
– Hybrid cloud

Page 10

Three Service Models

• SaaS (Software as a Service): The consumer uses the provider's applications running on a cloud infrastructure. (e.g. Google Apps)
• PaaS (Platform as a Service): The consumer has control over the deployed applications and possibly application hosting environment configurations. (e.g. Force.com)
• IaaS (Infrastructure as a Service): The consumer is able to deploy and run arbitrary software. (e.g. Amazon EC2)

Page 11

The Cloud... in all its Glory!

Page 12

Virtual Server Consolidation (figure)

Before: multiple separate physical servers and software licenses, one real server per function (Human Resources, Sales, Asset Management, Facilities Management, Purchasing).

After: a single physical server with multiple software licenses, each function running as a virtual server.

Page 13

Multi-tenant (figure)

Page 14

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

Contracting for Cloud Computing Services — Key Considerations

April 25, 2012
Dan Masur, Partner, Mayer Brown LLP
202 263 3329 | [email protected]

Page 15

Top Secret: The Real Value of Cloud Computing!

Page 16

Contracting for Cloud Computing Services: The Road to the Cloud!

Page 17

Breadth of Cloud-Based Offerings

At one end of the spectrum:
• "Nice to have" business tools
• Routine, non-sensitive data
• Limited scope of business use

At the other end:
• Mission critical applications
• Regulated or business sensitive data
• Enterprise-wide use

Each end of the spectrum presents different legal and contractual challenges, options and trade-offs.

Page 18

Cloud Customers Must Make Informed Tradeoffs

• There is no standard contract "form" that will work for each situation
– Traditional outsourcing and software licensing terms may be useful, but cannot be inflexibly applied to cloud computing
• More robust contractual protection may or may not be the correct answer; it depends
• Prospective cloud customers must take into account:
– Criticality of the software, data and services in question
– Unique issues associated with cloud computing
– Availability and pricing of various alternatives
• For "nice-to-have" business tools or routine data, a low-cost solution may outweigh contractual protections
• Requiring robust contractual protections may increase the price and eliminate certain providers altogether

Page 19

Key Issues in Cloud Computing

Page 20

Data security is by far the largest concern, as the market has yet to address enterprise security requirements (source: TPI; n=73)

Concern: share of respondents
• Data security: 78%
• Failing regulatory requirements: 51%
• Integration risks with legacy systems: 49%
• Unclear who has access to my data: 49%
• Disaster recovery: 48%
• Co-mingling of data: 34%
• Up-time availability: 33%
• Connectivity / bandwidth: 29%
• Service provider viability: 27%
• Unclear where data is stored: 26%
• Response time: 25%
• Migration to different service: 25%
• Ill-defined business case: 11%

Page 21

Privacy, Security and the Cloud

We are at the intersection of privacy regulation increasing dramatically at the same time that cloud computing will increase exponentially.

Enterprises need to understand and prepare for entry into cloud computing. This requires assessment, planning (including for regulatory requirements) and careful transformation.

(Figure: overlapping circles labeled "Privacy" and "Cloud".)

Page 22

Issues with Cloud Computing: Privacy and Security — the Elephant in the Room

• Data transfer issues (EU and similar jurisdictions)
• Data location issues
• Location of users accessing data
• Movement and storage of data
• Use of subcontractors
• Use of multiple platforms
• Lack of transparency and control
• Data breach issues
• Data destruction issues
• Ability to impose security and privacy requirements

Page 23

Issues with Cloud Computing: Privacy and Security — US

• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Fair Credit Reporting Act / FACT Act
• Federal Trade Commission Act (FTCA)
• Identity Theft Red Flags Rule
• State privacy and security laws (breach notification in 46 states; encryption requirements in MA and NV; restrictions on use of SSNs, etc.)
• Industry standards (PCI)
• Litigation and enforcement cases

Page 24

Issues with Cloud Computing: Privacy and Security — US

• General security of personal information laws (e.g., Arkansas, California, Indiana, Maryland, Massachusetts, Nevada, Rhode Island, Texas and Utah).
• Standard: reasonable security procedures and practices appropriate to the nature of the information.
• Massachusetts regulations far exceed most other laws and regulations:
– Create a duty to protect and have detailed system requirements
– Require a written security program
– Require that companies oversee service providers by selecting providers who are capable of maintaining appropriate security measures consistent with the MA regulations
– Require that service provider contracts require them to implement and maintain appropriate security measures
– Require encryption of personal information across public networks, wireless networks and on portable devices (laptops, hard drives, etc.)

Page 25

Issues with Cloud Computing: Privacy and Security — Non-US

In the EEA and other jurisdictions where data protection and data transfer regulation is strict, cloud computing challenges and issues increase.

Page 26

Privacy, Security and Compliance Issues with Cloud Computing: Non-US

• Numerous countries prohibit or restrict the transfer of personal data out of a certain area, and require additional formalities before the data may be transferred
• Examples: EU and EEA countries, Argentina, Canada, Dubai, Israel, New Zealand, Uruguay

Page 27

Issues with Cloud Computing: Privacy and Security — Non-US

When derogations do not apply, and consent cannot be obtained, what are the options for data transfer?

• Safe Harbor
– Covers EU to US data transfers
– Works well for companies who don't have numerous worldwide affiliates, and in third-party contract situations
(Note: the US-EU Safe Harbor framework referenced here was invalidated by the Court of Justice of the EU in October 2015; this April 2012 deck predates that decision.)

• Approved Clauses
– Data Controller to Data Controller, or Data Controller to Data Processor
– Not the best solution for multinational companies who transfer data around the world

• Binding Corporate Rules
– Rules that apply to all affiliated companies regarding personal data
– Best solution for multinationals with many inter-company data transfers; however, the process is long and cumbersome

Page 28

Issues with Cloud Computing: Privacy and Security — Non-US

Overview of Approved Clauses
• Use ensures satisfaction of "adequate protection"
• Controller to Controller, or recently updated Controller to Processor contractual clauses
• Data controller = determines the purposes and means of processing personal data
• Data processor = processes personal data on behalf of a controller
• Data controller to data processor (2010) clauses have some significant differences from the prior version
• Cover intercompany transfers and transfers to third parties

Benefits
• Easiest of the data transfer options to use
• Must be used "as is"
• Nicely covers transfers to third parties (e.g., outsourcers)

Drawbacks
• Must be filed with DPAs in certain countries (cumbersome)
• Must be used "as is"
• For multinationals, each company must sign a set with each other company or third-party provider (very cumbersome) unless delegations of authority are properly made

Page 29

Issues with Cloud Computing: Privacy and Security — Non-US: EU Approved Clauses

• Must be used after May 15, 2010
• Old clauses still work unless changes are made regarding the data or a new subcontract is entered into
• The data controller must agree in writing to sub-processors (subcontracting), and is entitled to see the sub-processing contracts
• Data subjects can make claims directly against sub-processors

Page 30

German DPA Statements on Cloud Computing

• The DPA of the Federal State of Schleswig-Holstein has issued a new white paper on cloud computing
• The paper is not legally binding, but indicates how German states will most likely analyze cloud computing
• Its conclusion is that the transfer of personal data in most cloud computing arrangements is not permitted by German data protection law, with a focus on public clouds
• Companies using cloud computing services must verify whether cloud computing service providers observe the data protection laws
• Look for more developments and interpretation of the white paper

Page 31

Other Critical Contracting Issues for Cloud Customers

Regulatory and Compliance Challenges
• Auditability
• Lack of transparency and control
• Subcontracting and flow-down of provisions
• Export control issues
• Electronic discovery issues
• Record retention issues

Other Key Issues and Challenges
• Service levels
• Disaster recovery and business continuity
• Intellectual property issues
• Change management issues
• Exit rights
• Financial stability of providers / due diligence

Page 32

Cloud Computing: So now what? Can we even do this?

Page 33

Contracting for Cloud Computing: YES!

• Keep your eye on:
– Criticality of the software, data and services
– Unique issues associated with cloud computing
– Availability and pricing of various alternatives
• Look to traditional outsourcing contracts and software and data use agreements as a good starting point

Page 34

Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings

Customer need: Need for diligence on provider
– Pure utility cloud solution: Physical diligence/inspection not permitted, and not possible if sub-processors are used
– Enterprise cloud solution (leveraged private cloud): Basic diligence information is available (certifications, audit reports, etc.)

Customer need: Know where your data is processed and stored
– Pure utility cloud solution: Data may be processed and stored anywhere
– Enterprise cloud solution (leveraged private cloud): Location of data can be fixed in contract

Customer need: Know places where your data may be transferred
– Pure utility cloud solution: Data may be transferred to or accessed from anywhere
– Enterprise cloud solution (leveraged private cloud): Location of data can be fixed in contract

Customer need: Rights to approve sub-processors
– Pure utility cloud solution: Frequent use of sub-processors (scalability, flexibility, variable use)
– Enterprise cloud solution (leveraged private cloud): Notice of sub-processors as necessary for compliance (EU), and approval in some cases

Page 35

Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings (cont.)

Customer need: Response to data security incidents
– Pure utility cloud solution: Standardized offering, use of sub-processors and other limits may delay discovery of breaches and the ability to provide information regarding the extent of a breach
– Enterprise cloud solution (leveraged private cloud): Notification of security incidents is offered, although the extent of liability remains an item of negotiation

Customer need: Audit rights
– Pure utility cloud solution: Typically not available, especially not for sub-processors
– Enterprise cloud solution (leveraged private cloud): Some rights available, but may not include physical access

Customer need: Proper disposal and destruction of data
– Pure utility cloud solution: No guarantee all data will be found and erased or returned
– Enterprise cloud solution (leveraged private cloud): Data will be returned or destroyed

Customer need: Change control
– Pure utility cloud solution: Provider may make changes without notice or consent
– Enterprise cloud solution (leveraged private cloud): Notification of changes provided, but customer may have to terminate or leave the cloud if changes cause issues

Page 36

Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings (cont.)

Customer need: Established contract terms
– Pure utility cloud solution: Incorporation of additional online terms, subject to change by provider
– Enterprise cloud solution (leveraged private cloud): Contract terms are established and should not materially change

Customer need: Provider has some liability exposure for breaches and non-compliance
– Pure utility cloud solution: Extremely limited liability
– Enterprise cloud solution (leveraged private cloud): More standard (ITO-like) liability, although with different caps for security and confidentiality breaches around personal data

Customer need: Controls on data and security standards
– Pure utility cloud solution: Standardized offering with use of cloud provider controls
– Enterprise cloud solution (leveraged private cloud): Customer must review provider standards and determine sufficiency

Page 37

Minimizing and Mitigating Risks

• Agenda
– Considerations in vendor selection
– Contracting models
– Impact of industry standards

Page 38

Why not just rely on the contract? Who you are drives what you can expect

• Cloud users should clearly understand what they are getting and getting into:
– Generally speaking, only the largest implementations get negotiated contract terms (particularly with respect to SaaS)
– Minimum negotiation flexibility is likely in most cases; risk mitigation analysis should establish 'business level' comfort
• Where negotiation is possible, risk mitigation should drive negotiation of key provisions
– The best bang for the buck is internal process risk mitigation

Page 39

But first, how is cloud computing different?

• Geography: data in the cloud can be anywhere; multiple copies can be in multiple locations
• In the current state of play, cloud providers assume as little liability as possible; the bulk of contract risk resides with the user
• Difficult for a user to know where liability rests, even if it were properly assigned (e.g. the Global Payments data breach earlier this year)
• The nature of the potential legal issue depends on where a user plugs into the cloud (issues with SaaS may be different than with IaaS)
• Virtually complete loss of control by the data owner (who holds it and where is it?)
• Relatively inexpensive OPEX instead of CAPEX

Page 40

Quick List of Potential Mitigation Considerations

• Functionality of solution
• Pricing
• Uptime
• Response time
• Quality of service
• Data security/privacy
• Backup and disaster recovery
• Integration with existing systems
• Data access
• Customer service/support
• Insurance coverage

Adapted from "Evaluating SaaS Solutions: A Checklist for Small and Mid-sized Enterprises", http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf

Page 41

Some Areas of Concern

• Service quality / SLAs / availability
• Disaster recovery
• Provider competence
• Provider viability

Page 42

Mitigation Considerations: SLAs

• Control-oriented
– System availability
– System response time
– Fail-over for disaster recovery
• Operations-oriented
– Data retrieval
– Data integrity
– Transition assistance
• Business-oriented
– Error resolution time
– Timeliness of professional services around cloud solutions

Page 43

Mitigation Considerations: Backup & Disaster Recovery

• How are backup systems architected? Complete redundancy? Multiple redundancies? Duplicate systems? Real-time backup?
• Where are backup systems located geographically?
• Are third-party backup systems utilized (partially/totally)?
• How long would a catastrophic event at a data center affect system availability?
• Concerns for physical assets based on geography (exactly where is that data center located?)
• Ultimately, whose responsibility is it anyway?

Page 44

Mitigation Considerations: Competence Issues

• Provider track record of success?
• Views of commentators/bloggers
• Is the pricing right for the breadth of offering?
• Perceived level of sophistication of the vendor
– Knowledge of industry vertical
– Mastery of technology
• If the vendor is an early-stage company, who is supporting it financially? (speaks to both competence and viability)
• For SaaS in particular, are there integration partners?

Page 45

Mitigation Considerations: Viability of the Cloud Provider

• Viability matters. Why? A cloud user makes an investment when choosing a cloud provider. For example:
– Integrating cloud services into business processes
– Migrating data from its environment
• Lack of industry standardization makes moving to a new cloud provider difficult
• What happens to a cloud user's data in the event of:
– Bankruptcy
– M&A
– Escrow

Page 46

Cloud Contracting Preliminaries: Comparing Cloud to What We Knew Before

                           Cloud Computing            Traditional Software Licensing   Co-location                  Hosting                      ASP
Location of service/data   unknown                    known                            known                        known                        known
Owner of HW/SW             provider / provider        company / company (license)      company / company (license)  provider / company (license) provider / provider
Contract                   virtually non-negotiable   negotiated                       negotiated                   negotiated                   negotiated
Contract risk              company                    shared                           shared                       shared                       shared
Scalability                yes                        maybe                            maybe                        maybe                        maybe

Page 47

Understanding the Legal Risk Profile

Page 48

Cloud Contracting Models: License vs. Service Agreement

Page 49

Cloud Contracting Models: Online Agreement vs. Standard Contract

Negotiable
– Online agreement: No.
– Standard contract: Yes, generally.

Limits placed on provider's liability
– Online agreement: Yes. Very little or no liability to provider.
– Standard contract: Yes. Risk shared by provider and user.

Risk in the event of problems
– Online agreement: Borne by user.
– Standard contract: Borne by the party responsible.

Who controls contracting
– Online agreement: Ultimate end user.
– Standard contract: Contracting party.

Page 50

Impact of Industry Standards

• What standards applicable to cloud computing exist?
– Payment Card Industry Data Security Standard (PCI DSS)
• A set of requirements for enhancement of payment account data security
– ISO/IEC 27000 series standards
• Information security standards that provide requirements and best practices for those implementing an information security management system
– Open Cloud Manifesto
• Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance the ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration



Take Aways

• Be thoughtful about which parts of your business are cloud-worthy. All business processes are not suitable.

• Have a plan to deal with mistakes that will happen in the cloud (business, technology, legal). What level of risk can you tolerate?

• Work with your key internal and external advisors to think through your cloud strategy. A cross-functional strategy is in order.



Contact Me

•Janine Anthony Bowen, Esq., CIPP/US [email protected] www.visualcv.com/jdabowen www.linkedin.com/in/jdabowen

•678-823-6611

•Twitter - @cloudlawyer

•www.jack-law.com

JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology - Quite Simply, We Get It.



Contracting in the Cloud

Lora L. Fong, Esq. Managing Counsel [email protected] salesforce.com , inc. April 25, 2012

Copyright 2012 salesforce.com, inc


Disclaimer

My views are my own, and generally (but not always) reflect those of salesforce.com - the leader in enterprise cloud computing

Sales Cloud™

The world’s #1 sales application.

Service Cloud™

The future of customer service.

Chatter - Collaboration Cloud

Collaboration apps and platform. Work with colleagues—real time.

Force.com - Custom Cloud 2

The leading cloud platform for custom application development



Agenda

– Technology model

– Key legal issues and contracting strategies



Technology Model



Ten Year Computing Cycles: 10X more users with each cycle

[Figure: one computing era per decade, with the characteristic application type shown beneath each era]
– 1960’s Mainframe Computing: Data Management Apps
– 1970’s Mini Computing: Business Logic Apps
– 1980’s Client/Server Computing: Process Automation Apps
– 1990’s Desktop Cloud Computing: Web Apps
– 2000’s Mobile Cloud Computing: Mobile Apps
– 2010’s Social Revolution: Social Apps


Social Revolution: Next Generation Devices Changing How We Access the Web

[Chart: 2006 through 2014E, by device category: Desktop, Laptops, Smartphones, Tablets; 1.8 billion mobile devices by 2014]
Source: Gartner Research, Smartphone, Tablet, and PC Forecast, December 2011


What’s in the Cloud?

Traditionally Managed On-Premise

– Servers

– OS

– Application software

– Development environment

– Upgrade/Maintenance

– Security

– Backup

– Disaster Recovery/BCP



NIST Definition of Cloud Computing (Authors: Peter Mell and Tim Grance, Version 16)
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”


NIST Definition of Cloud Computing

Five Essential Characteristics

1. On-Demand Self-Service: Consumer provisions computing capabilities without provider intervention
2. Broad Network Access: Accessible via standard mechanisms promoting use by various “client” platforms (smart phones, PDAs, tablets, laptops)
3. Resource Pooling: Provider resources are pooled using a multi-tenant model to serve multiple consumers; the customer generally has no control or knowledge of the exact location of the provided resources, though it may be able to specify location at a higher level of abstraction (e.g., country, state or datacenter)
4. Rapid Elasticity: scale up, scale down, appearing “unlimited”
5. Measured Service: resource usage is monitored, controlled and reported, giving transparency to both provider and consumer


NIST Definition – 3 Service Models

Software as a Service (SaaS)
– Provider’s applications, running on the provider’s infrastructure
– Accessible via client devices over a “thin-client” interface (e.g. web browser or web-based email)
– Consumer doesn’t manage or control the infrastructure (network, servers, OS, storage, application capabilities)
– Consumer may have configurable application settings (e.g. user permissions)

Platform as a Service (PaaS)
– Consumer-created or acquired applications
– Use of programming languages & tools supported by the cloud provider
– Consumer control over deployed applications (and possibly configuration settings for the application-hosting environment)
– Provider-managed infrastructure

Infrastructure as a Service (IaaS)
– Consumer capability to provision resources (processing, storage, networks)
– Provider controls the underlying cloud infrastructure
– Consumer able to deploy arbitrary software (OS, apps); consumer controls the OS, storage and deployed applications, possibly with limited control of select networking components (e.g. host firewalls)


NIST Definition - 4 Deployment Models

1. Private Cloud
– provisioned for exclusive use by a single organization
– owned, managed and operated by the organization, a 3rd party, or some combination
– may exist on or off premises
2. Community Cloud
– exclusive use by a specific community of multiple organizations with shared concerns
– may be owned/managed/operated by one or more of the organizations, a 3rd party, or some combination
– may exist on or off premises
3. Public Cloud
– available to the general public
– may be owned/managed/operated by a business, academic or gov’t organization
– exists on the cloud provider’s premises
4. Hybrid Cloud
– two or more distinct clouds (private, community or public) bound together by standardized or proprietary technology
– enabling data and application portability (e.g. cloud bursting for load balancing between clouds)


NIST: Features of Mature SaaS Applications (Version 15)

Scalability
– 1 to N users
Multi-Tenancy
– One code base supporting multiple logical instances
Metadata driven Configurability
– Users configure via metadata vs. application code changes


Multi-Tenancy Makes Public Cloud Computing Possible

[Figure: Single-Tenant (On-Premise or Hosted), a dedicated app stack for each application, versus Multi-Tenant, one single stack for all applications]



Metadata: How Multi-Tenant Services Deliver a Unique Experience to Every Customer

[Figure: Salesforce Apps, ISV Apps (850+) and Custom Apps (100k+) all run on a shared Metadata layer; 100,000+ salesforce.com customers; 11 Million+ customer customizations; 100+ M integration calls / day. Customizations, integrations and apps run on the latest release automatically across upgrades.]


Shifting the Burden to the Cloud

Application and Platform
– Development
– Maintenance
– Functional Enhancements
Infrastructure
– Hardware resource acquisition, management
– Economies of scale
  • (e.g. salesforce.com supports approximately 83,000 customers currently on only 1,500 Dell PCs, plus an additional 1,500 for redundancy/Disaster Recovery etc.)


Faster Rollouts and Innovation

Faster implementation of applications
Faster Vendor Innovation
Flexibility and scalability to serve companies of all sizes (1 – X users)
Code base developed, maintained, enhanced by the provider
• Upgrades tested and deployed
• Security
• Audit history tracking
• Tuning
• Backups
• Disaster Recovery


Subscription Model

Fixed # of Users / Period / Product

For customer
– Minimal up-front investment
– Flexibility
For vendor
– Financial predictability
– Cash flow
Pricing
– Provider may discount for greater commitment


Contracting in the Cloud



Subscription Model vs. Software License Model

Inside customer’s firewall
– Licensing model
– Software license seeks to avoid the first sale doctrine (which allows the purchaser to sell or give away a copy of a copyrighted work once lawfully obtained)

Outside customer’s firewall
– No copies distributed in cloud computing, therefore no software license needed
– Cloud computing is a “service” that is “provided” or “made available” to the customer (SaaS, PaaS, IaaS)


Maintenance & Support

On premises model typically requires the customer to purchase maintenance or support in addition to the software license; customer responsible for installing/managing

Multi-tenancy model typically includes
– Functional enhancements, upgrades
– Fixes, patches
– May include user support (Help desk)


NIST Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494

– Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
– Understand the public cloud computing environment offered by the cloud provider.
– Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
– Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
– Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.


Privacy & Security: Contract Checklist

Ownership & Use Limitation: Ensure the cloud provider claims no ownership rights in customer data and uses customer data only as customers instruct or to fulfill contractual or legal obligations.

Disclosure: Ensure the cloud provider discloses customer data only if required to do so by the customer or by law, and provides affected customers prior notice of any legally compelled disclosure to the extent permitted by law.

Security Management System: Ensure the cloud provider maintains a robust security management system based on an internationally accepted security framework (such as ISO 27002).

Customer Security Features: Ensure the cloud provider offers customers a selection of security features to implement in their usage of cloud computing services.

Audit: Ensure the cloud provider uses independent, third-party auditors to ensure compliance with their security management system.

Breach Notification: Ensure the cloud provider promptly notifies customers of known security breaches that affect the confidentiality or integrity of their respective customer data.

Data Location: Ensure the cloud provider makes available to customers a list of countries in which their respective customer data is hosted.


Liability Considerations

For provider, risk of data security breach outstrips all others

Multi-tenancy enables a single incident to affect thousands of customers, changing the risk calculus

For provider, critical to think through worst-case scenarios, and re-think as company grows and evolves
– Types of harm
– Damages available
– Settlement values
– Insurance coverage


Limitation of Liability

Cloud computing provider typically considers the worst-case scenario, and drafts contracts accordingly
– Capped liability based on fees paid or a fixed amount

Typical technology industry agreements exclude special, consequential or indirect damages (i.e., cost of cover, lost profits, punitive damages)


Third-Party Applications

Trend: cloud computing platforms allowing applications from multiple sources to integrate and share data

Contractual consent to sharing of data when 3rd party applications are invoked


Indemnification in the Cloud

In cloud computing,
– Customer inputs content into provider’s system
– Provider doesn’t collect or control content, but stores & processes it
– Cloud provider has control of its infrastructure and the technology it provides

Customer should indemnify cloud computing vendor for claims based on content submitted by its users,
– e.g. that storage, processing, display of content by the provider violates a law or third-party right

Cloud provider should indemnify customer for claims based on technology provider supplies
– e.g. that the SaaS applications provided violate patent or copyrights of a third party


Reliability & Availability

Service Levels
– Multi-tenancy motivates provider to deliver high availability
– If service unavailable for one, almost certainly unavailable for many or all
– Effect on business will usually impose much greater discipline on vendor than contractual remedies

Trend is toward transparency & published metrics


Data Ownership, Access & Destruction

Explicit provisions as to who owns the data

Assurances as to ability to access data
– During the contract term
– After termination
– In a format that is usable

Obligation to destroy the data
– After termination
– At any time if necessary (tricky multi-tenancy issues)


Source Code Escrow

Escrow Agreements - Common in enterprise software license agreements where the vendor ceases to support the software

Makes sense in behind-the-customer-firewall model

Doesn’t make sense in multi-tenant model
– Much more practical for customer to take its content and load it in an alternative service


Key Customer Obligations

Self-Service – key distinction in SaaS model
– administrative function is customer role
– Access to data – permissions, profiles, record or field level controls
– Password security, no sharing of passwords

Control of content
– legality of customer’s content and means by which it acquired content

Using SaaS apps/PaaS/IaaS in accordance with applicable laws
– e.g. not use to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party rights
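The deck describes three mechanics without showing them: one code base serving many logical tenants with behaviour held in metadata (the multi-tenancy and metadata slides), per-tenant export in a usable format and per-tenant destruction where "tricky multi-tenancy issues" arise (Data Ownership, Access & Destruction), and the customer-administered permissions, profiles and record or field level controls (Key Customer Obligations). The following is an added example, written for this page and not code from the webinar or from salesforce.com: a toy data-access layer for a shared table. The tenants ("acme", "globex"), profiles, records and the class and function names are all hypothetical.

```python
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class RequestContext:
    """Who is asking. Every call is scoped by tenant first, then by profile."""
    tenant_id: str
    user: str
    profile: str


class TenantStore:
    """One code base and one physical table serving many logical tenants.

    Isolation is enforced here, in the data-access layer, not by callers.
    Which profile may read which fields is per-tenant metadata, so a tenant
    administrator (the self-service role) changes it without a code change.
    """

    def __init__(self) -> None:
        self._rows: List[dict] = []  # shared table; every row carries a _tenant key
        # tenant_id -> profile name -> fields that profile may read
        self._profiles: Dict[str, Dict[str, FrozenSet[str]]] = {}

    # ---- metadata: customer self-service administration ----
    def set_profile(self, tenant_id: str, profile: str, readable: Iterable[str]) -> None:
        self._profiles.setdefault(tenant_id, {})[profile] = frozenset(readable)

    def _readable_fields(self, ctx: RequestContext) -> FrozenSet[str]:
        # Profiles are resolved under the caller's own tenant only, so a profile
        # name defined by another tenant can never be borrowed.
        try:
            return self._profiles[ctx.tenant_id][ctx.profile]
        except KeyError:
            raise PermissionError(
                f"no profile {ctx.profile!r} for tenant {ctx.tenant_id!r}") from None

    # ---- data: record-level and field-level controls ----
    def insert(self, ctx: RequestContext, record: dict) -> None:
        self._readable_fields(ctx)  # caller must exist in its tenant's metadata
        row = dict(record)
        row["_tenant"] = ctx.tenant_id  # stamped from the context, never from the input
        self._rows.append(row)

    def query(self, ctx: RequestContext) -> List[dict]:
        allowed = self._readable_fields(ctx)
        return [
            {k: v for k, v in row.items() if k in allowed}  # field-level filter
            for row in self._rows
            if row["_tenant"] == ctx.tenant_id  # record-level tenant scoping
        ]

    def export_tenant(self, ctx: RequestContext) -> str:
        """Usable-format export (JSON) of what the caller's profile may read."""
        return json.dumps(self.query(ctx), sort_keys=True)

    def purge_tenant(self, ctx: RequestContext) -> int:
        """Destroy one tenant's rows and metadata; other tenants are untouched.

        A real service would restrict this to an administrative profile; here
        the only check is that the caller exists in that tenant's metadata.
        """
        self._readable_fields(ctx)
        kept = [r for r in self._rows if r["_tenant"] != ctx.tenant_id]
        removed = len(self._rows) - len(kept)
        self._rows = kept
        self._profiles.pop(ctx.tenant_id, None)
        return removed


def demo() -> dict:
    """Constructed sample data: hypothetical tenants 'acme' and 'globex'."""
    store = TenantStore()
    store.set_profile("acme", "admin", {"name", "email", "ssn"})
    store.set_profile("acme", "sales", {"name", "email"})  # sales never sees ssn
    store.set_profile("globex", "admin", {"name", "email", "ssn"})

    acme_admin = RequestContext("acme", "alice", "admin")
    acme_sales = RequestContext("acme", "bob", "sales")
    globex_admin = RequestContext("globex", "carol", "admin")

    store.insert(acme_admin, {"name": "Ann", "email": "ann@acme.example", "ssn": "000-00-0001"})
    store.insert(globex_admin, {"name": "Gus", "email": "gus@globex.example", "ssn": "000-00-0002"})

    result = {
        "sales_view": store.query(acme_sales),      # field-level: ssn withheld
        "globex_view": store.query(globex_admin),   # record-level: only globex rows
        "acme_export": json.loads(store.export_tenant(acme_admin)),
    }
    try:  # a globex user cannot use a profile that exists only in acme's metadata
        store.query(RequestContext("globex", "mallory", "sales"))
        result["cross_tenant_profile"] = "allowed"
    except PermissionError:
        result["cross_tenant_profile"] = "denied"
    result["purged"] = store.purge_tenant(acme_admin)
    result["globex_after_purge"] = store.query(globex_admin)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noticing is that the tenant key is stamped from the authenticated request context and the profile is looked up under that same tenant, so neither the record being inserted nor the profile name supplied by a caller can move data across the tenant boundary; the purge shows why destruction in a shared table is a filter on that key rather than dropping a table, which is the "tricky multi-tenancy issue" the slide alludes to.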