Cloud Computing presentation by Lisa Abe at the Canadian IT Lawyers Association, Oct 28 2011


Upload: lisaabe

Post on 27-May-2015


DESCRIPTION

Cloud Computing: Defined, Essential Characteristics, Deployment Models, Delivery/Service Models, Negotiating the Cloud Computing Contract Terms, Key Business and Legal Risks, Ownership Issues and the Canadian Copyright Act, Security, Privacy, Practical Tips.

TRANSCRIPT

Page 1: Cloud Computing  presentation by Lisa Abe at the Canadian IT Lawyers Association Oct 28 2011

Cloud Computing

Lisa K. Abe

IT.Can October 28, 2011


Introduction

• Cloud Computing Defined
• Essential Characteristics
• Deployment Models
• Delivery/Service Models
• Negotiating the Cloud Computing Contract Terms
• Key Business and Legal Risks
• Ownership Issues and the Copyright Act
• Security
• Practical Tips


Cloud Computing Defined

• National Institute of Standards and Technology (NIST) v. 15
  • Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

• Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp. 2d 1006 (N.D. Cal. Jan. 27, 2009) – “Cloud Computing” defined as a software as a service platform for the online delivery of products and services

• “Surge computing” analogous to electricity providers, where players intra cloud (or in cloud stacks) or inter-cloud, are essentially trading processing and storage capacity. Data, software and servers are able to be moved instantaneously to available computation resources


Cloud Computing Essential Characteristics

• On-demand self-service. A consumer can unilaterally provision computing capabilities, such as applications, server time and network storage, as needed automatically without requiring human interaction with each service’s provider.


Cloud Computing Essential Characteristics

• Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).


Cloud Computing Essential Characteristics

• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.


Cloud Computing Essential Characteristics

• Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.


Cloud Computing Essential Characteristics

• Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.


Deployment Models

• Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

• Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

• Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).


Cloud Delivery/Service Models

• Software as a Service (SaaS)
  • cloud provider supplies the software
  • user can set limited configuration of the software

• Platform as a Service (PaaS)
  • cloud provider supplies the programming language and tools
  • user selects and controls applications and hosting environments

• Infrastructure as a Service (IaaS)
  • cloud provider manages and controls underlying cloud infrastructure
  • user selects and configures operating systems, storage, applications, networking components (e.g. firewalls, load balancers)

• Service aggregators bundle multiple services into a single offering, to appear as a seamless consolidated application
  • E.g. customer relationship and reservations app, e-signature/e-commerce app, credit card processing app, billing platform, etc.


Cloud Delivery/Service Models

• Hardware, servers, desktops and software can be “virtualized”

• Virtualization uses programming technologies to encapsulate applications, platforms and infrastructure, to allow it to operate independently from its original operating system and all the resources managed by it, thus not requiring full installation in the traditional sense.


Cloud Delivery/Service Models

[Figure: "Cloud Stack" diagram. Layers: Data / Content; Software Application; Platform; Computing Infrastructure (processing, storage, networks); Cloud Infrastructure. Other labels: Copyright Issues; users connecting to the CLOUD.]


Negotiating the Cloud Computing Contract Terms

• How negotiable are service provider terms?

• Key business terms: price, service levels, location, security, privacy, confidentiality, technology and encryption standards, processes, subcontractors, staff, improvements/gain sharing, term and termination

• Common Business Risks:
  • hidden fees (e.g. for backup, retrieval), service failures
  • performance/service failures, downtimes, response times, error rates
  • data encryption, cleansing and backup obligations pushed onto customer
  • loss of data, ownership, reputational risk if breach of security, breach of confidentiality, disclosure
  • responsibility for subcontractors, no background checks
  • indefinite term of contract, early termination, failure to notify of breach, freezing of accounts and no access to data upon termination or deletion (data hijacking until fees paid or dispute resolved)
  • cross-border transfers in violation of privacy or export laws
  • bankruptcy or insolvency of Cloud service provider


Negotiating the Cloud Computing Contract Terms

• Key Legal Terms: ownership and licenses, compliance with regulatory requirements, representations and warranties, limitations on liability, indemnities, governing law, amendment of contract terms

• Common Legal Risks:
  • no ownership of developed works
  • provider may not have standards, controls or notification process that meet OSFI, PIPEDA, PHIPA or other statutory or regulatory requirements of customer
  • limits on liability very low, disclaimers, short limitation periods
  • no recourse if breach, interruption/outage, errors, damages, loss, disclosure
  • exclusion of liability even if service provider had knowledge
  • no indemnities by service provider for third party claims
  • broad indemnities by customer for violation, conduct, content
  • foreign jurisdictions (laws, storage, disputes, exports), mandatory arbitration
  • terms not visible, may be cross-referenced and unilaterally amended by service provider, deemed acceptance by use, especially if dependencies on other providers


Ownership Issues

• Back ups and transfers of content – is it permitted?

• More complex where content goes beyond data files, or single exclusive user supplied material, e.g. music, ebooks, videos, images, software applications stored on the cloud and accessed by or transferred to various devices or shared among users


Copyright Act, R.S.C. 1985, c. C-42

• Does copyright exist in the cloud?

• To date, no Canadian cases have dealt with the issue of “virtualization” or “cloud computing”

• Copyright exists in literary (includes software and databases), dramatic and artistic works, including compilations

• Raw data going into the cloud is not subject to copyright – therefore must be protected by contract – terms dealing with what service provider can and cannot do with data, e.g. non-disclosure obligations

• Databases and compilations likely have copyright, but recommend coverage in contract

• Who owns processed output from the cloud or work product created? It depends – was it original creation? Does it meet fixation requirement?

• In Canada, no “work for hire rule”. Payment for copyright work does not imply ownership, only a license.

• Licensing – Scope of rights of use? Restrictions? Parties?


Who owns the Cloud?

• Who owns the cloud?
  • Google cloud made up of 500,000 systems, 1 million CPUs and 1500 gigabits per second of bandwidth
  • Amazon cloud has 160,000 systems, 320,000 CPUs and 400 Gbps of bandwidth

• Who owns data, software applications or other works forming part of or created in the cloud? Depends on copyright law and cloud service agreements

• Further complicated by differing copyright laws in other jurisdictions

• Where is the cloud and which laws apply to the infrastructure, the platform, the software, the service, the data?

• Governing law set forth in the contract and interpretation under local copyright laws


Why is ownership important to You?

• The cloud is constantly evolving, changing shape, structure, content

• It's temporal, dynamically provisioned, cannot be pinned down

• Software and servers become virtualized and dynamically provisioned around the cloud, so that they may be operated without dependency on a particular operating system or platform

• Likewise, content and data are moved around to where processing or storage is more cost effective, efficient or available

• The creation of virtual servers or applications could be making a “copy” and require license rights – could also affect pricing calculations

• Thorough review of agreement terms is necessary to mitigate risk of asset loss


Security

• Service commitment to best practices with respect to industry information security (IS) governance.

• having in place written IS policy documents, dealing with handling of Confidential Information

• Administrative, technical and physical safeguards:
  • To ensure the safety and confidentiality of Confidential Information
  • Business continuity and disaster recovery plans
  • Protection against unanticipated threats or hazards to the security or integrity of Confidential Information
  • Protection against unauthorized access to or use of Confidential Information
  • Only provide Confidential Information to those with prudent access levels
  • Properly dispose of Confidential Information


Security

• Provide notice and information regarding any failure of security measures, any security breaches or any security incidents related to Confidential Information that may materially affect others

• Plan, provide and execute audits of physical, logical and information security controls commensurate with the Services and provide written reports of audit results.

• Ensure electronic data maintained at a level of cryptographic integrity and strength greater than or equal to that of the originally supplied electronic data.

• Officer’s certificate confirming compliance.

• Approval, controls and indemnities for subcontractors.


Practical Tips

• Legal counsel, business and IT procurement team should discuss key terms and plan steps to mitigate risk, including:

• Due diligence of cloud provider, processes, systems and controls - audits, certifications, testing.

• Insist on transparency. Identify the parties, type of cloud, service provider processes, data flow, locations/jurisdictions, security, business resumption planning.

• Select configurations and controls.

• Specify ownership of data, components, software, technology.

• Obtain assignments of rights or licenses, if applicable

• Understand the scope of licenses needed.

• Analyze contracts and if can’t negotiate necessary changes, implement internal process to control what gets onto Cloud.


Practical Tips

• Also, work through payment term calculations to ensure they accurately reflect the deal and make sense.

• Consider what happens if one of the parties sells its business - requirement for purchaser’s acknowledgment of existing contract?

• Consider what happens if Cloud provider goes bankrupt. Understand the process and take action to claim your data or have sufficient backups.

• Expressly state whether or not rights and obligations under the contract are transferable or sublicensable and which rights survive termination or require transition.

• Think ahead – contractual requirements should be part of any RFP process.


Lisa K. Abe 416 868 3358


This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.

Fasken Martineau DuMoulin LLP is a limited liability partnership under the laws of Ontario and includes law corporations.