The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

The Business Case for Cloud: Critical Legal, Business & Diligence Considerations Presented by Janine Anthony Bowen, Esq., CIPP/US [email protected] (678) 823-6611 December 7, 2012

Upload: janine-anthony-bowen-esq

Post on 01-Nov-2014

DESCRIPTION

An overview of the considerations a business must think through prior to moving to cloud computing.

TRANSCRIPT

Page 1: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

The Business Case for Cloud: Critical Legal, Business & Diligence Considerations

Presented by Janine Anthony Bowen, Esq., CIPP/US

[email protected]

(678) 823-6611

December 7, 2012

Page 2: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Janine Anthony Bowen, Esq., CIPP/US

Your Presenter

• With 2 degrees in Industrial Engineering from Clemson University and almost a decade working in technology companies, Janine is an engineer-turned-lawyer who knows technology, intellectual property, and the law well.

• She specializes in helping her clients negotiate technology deals with Fortune 500 companies.

©2012 Jack Attorneys & Advisors. All Rights Reserved 2

Page 3: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

And JACK does what…

• Jack Attorneys & Advisors is the technology law boutique of choice for clients seeking an expert, pragmatic, high touch experience. We specialize in technology, privacy, cloud computing, mobile, intellectual property, and commercial contracts.

Page 4: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

What’s the Cloud, really?

http://www.fatcow.com/data-center/photos - You are allowed to copy, distribute, transmit the work and to adapt the work. Attribution is not required. You are prohibited from using this work in a stand alone manner.

Page 5: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Agenda

I. Business Considerations

II. Evaluation Considerations

III. Privacy & Security Considerations

IV. Contractual Considerations

V. Concluding Thoughts

Page 6: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Business Benefits of Cloud Computing

• Cost Avoidance/Deferral

• Improved Organizational Agility

• Focus on Core Business rather than IT

Page 7: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Cost Avoidance/Deferral – You Decide

• Gartner says… IaaS isn’t less expensive, but it increases operational agility (1)

• Computerworld says… Prepare for the real costs of cloud computing (2)

– Moving and storing data, integrating apps from multiple vendors, testing software, rent & utilities

• CIO says… CFOs and cloud computing have a love-hate relationship (3)

– Variable pricing messes up cash flow projections

– Capex vs. Opex

• Booz Allen Hamilton says… savings range from 50% to 75% (4)

• CloudU says… savings from 13% to 25% (5)

Page 8: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Cost Avoidance/Deferral – You Decide (cites)

(1) Lydia Leong, research VP at Gartner Group, http://www.formtek.com/blog/?p=2696, January 12th, 2012

(2) “Preparing for the real costs of cloud computing”, Computerworld, http://www.computerworld.com/s/article/359383/The_Real_Costs_of_Cloud_Computing

(3) “Why CFOs and Cloud Computing Have a Love-Hate Relationship”, CIO Magazine, www.cio.com/article/print/702074

(4) “The Economics of Cloud Computing”, http://www.boozallen.com/media/file/Economics-of-Cloud-Computing.pdf

(5) “Cloudonomics: The Economics of Cloud Computing”, http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Cloudonomics-The_Economics_of_Cloud_Computing.pdf

Page 9: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Total Cost of Ownership: Cost of Cloud

• Cloud providers give transparent pricing based on different usage metrics – RAM, storage, bandwidth, among others

• Pricing is frequently fixed per unit of time. Customers gain certainty over pricing and are then able to readily calculate costs based on several different usage estimates

Source: Cloudonomics: The Economics of Cloud Computing, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum

Page 10: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Total Costs of Ownership: Hidden Cost of On-Premise Technology

• The direct costs that accompany running a server: power, floor space, storage, and IT operations to manage those resources.

• The indirect costs of running a server: network and storage infrastructure and IT operations to manage the general infrastructure.

• The overhead costs of owning a server: procurement and accounting personnel, not to mention a critical resource in short supply: IT management and its attention.

Source: Cloudonomics: The Economics of Cloud Computing, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum

Page 11: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Improved Organizational Agility

• Use of Public Clouds or Virtual Private Clouds gives organizations the ability to scale up or down when necessary

• IT expense can be matched to:

– Seasonal or cyclical requirements

– Organizational growth or decline

• Mobile workforce/workplace solutions may improve organizational productivity

• Cloud environments support experimentation and the ability to fail with low penalty

Page 12: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Focus on Core Business

• Organizations can focus on building the business they know

• Organizations can leverage the best of breed in IT (and not try to be best of breed themselves)

• Potentially better disaster recovery strategies utilizing cloud-based options

Page 13: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Evaluating Cloud Options

Page 14: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Preliminaries

• The onus is on the customer to perform extensive evaluation of a cloud provider before entering into the relationship.

• The nature of the cloud relationship drives the requirements of evaluation. Considerations include:

– The criticality of the cloud implementation

– The sensitivity of the data/processes being outsourced to the cloud provider

– The scale of the implementation

Page 15: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Checklist for Cloud Readiness

• Business Drivers

– Do you have staff working remotely?

– Do you have plans to increase your IT infrastructure needs?

– Is your infrastructure reaching end of life?

– Are you constrained in terms of Capital Expenditure?

– Does your organization have a high level of software test/development?

– Does your organization struggle to obtain IT talent internally?

– Is 24*7 support important for your organization?

Source: Appendix in “You Want to Put my Database Where?”, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum

Page 16: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Checklist for Cloud Readiness

• Technical Drivers

– Is your application workload highly variable?

– Do you need automatic infrastructure scaling and provisioning?

– Do you have a need for complex IT redundancy and resiliency that you struggle to obtain internally?

– Have you faced issues around IT security?

Source: Appendix in “You Want to Put my Database Where?”, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum

Page 17: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

List of Potential Cloud Provider Evaluation Criteria

• Functionality of solution

• Pricing

• Uptime

• Response time

• Quality of service

• Data Security/Privacy

• Backup and disaster recovery

• Customization capability

• Ability to personalize

• Integration with existing systems

• Data access

• Customer service/support

Adapted from “Evaluating SaaS Solutions: A Checklist for Small and Mid-sized Enterprises”, http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf

Page 18: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Evaluation Considerations: Disaster Recovery

• How are backup systems architected?

– Complete redundancy? Multiple redundancies? Duplicate systems? Real-time backup?

• Where are backup systems located geographically?

• Are third party backup systems utilized (partially/totally)?

• How long would a catastrophic event at a data center affect system availability?

• Concerns for physical assets based on geography

• Ultimately, whose responsibility is it anyway?

Page 19: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Evaluation Considerations: Transition Issues – Lock In

• All the typical software migration issues

• Plus:

– Data ownership

  • Raw data

  • Resultant information

– Professional services to migrate to new provider

Page 20: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Privacy and Security

Page 21: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

4 Immutable Laws of Cloud Security

• “These are things that will always be, things that will never change, and it is a state of being.”

– First is an understanding that if your data is hosted in the cloud, you no longer directly control its privacy and protection.

– when your data is burst into the cloud, you no longer directly control where the data resides or is processed.

– if your security controls are not contractually committed to, then you may not have any legal standing in terms of the control over your data or your assets.

– if you don't extend your current security policies and controls in the cloud computing platform, you're more than likely going to be compromised

– Tari Schreider, HP chief architect of HP Technology Consulting and IT Assurance Practice.

“Security and the Cloud: The Great Reconciliation”, eCommerce Times, 14 May 2012, http://www.ecommercetimes.com/story/Security-and-the-Cloud-The-Great-Reconciliation-75094.html

Page 22: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Issues with Cloud Computing: Privacy and Security

• Data location issues

• Location of users accessing data

• Movement and storage of data

• Use of subcontractors

• Use of multiple platforms

• Lack of transparency and control

• Data breach issues

• Data destruction issues

• Ability to impose security and privacy requirements

Page 23: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Regulatory Landscape: Data Privacy Compliance

• State Information Security Laws

• State Data Breach Laws

• Gramm Leach Bliley

• HIPAA/HITECH Act

• Electronic Communications Privacy Act (Gov’t Access to Data)

• USA PATRIOT Act (Gov’t Access to Data)

Page 24: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Contractual Requirements: Gap Analysis

Page 25: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Customer Needs vs. Vendor Offerings

| Customer Requirement | Public Cloud |
| --- | --- |
| Response to data security incidents | Standardized offering, use of sub-processors and other limits may delay discovery of breaches, and ability to provide information regarding extent of breach |
| Audit rights | Typically not available, especially not for sub-processors |
| Proper disposal and destruction of data | No guarantee all data will be found and erased or returned |
| Change Control | Provider may make changes without notice or consent |

Page 26: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Customer Needs vs. Vendor Offerings

| Customer Requirement | Public Cloud |
| --- | --- |
| Established Contract Terms | Incorporation of additional online terms, subject to change by provider |
| Provider has some liability exposure for breaches and non-compliance | Extremely limited liability |
| Controls on data and security standards | Standardized offering with use of cloud provider controls |

Page 27: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Liability Considerations – Vendor Perspective

• For vendor, risk of data security breach is greatest risk

• Multi-tenancy enables single breach incident to affect thousands of customers

• Vendors must think through worst-case scenarios, and reevaluate as company grows and evolves

– Types of harm

– Damages available

– Settlement values

– Insurance coverage

Page 28: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Cloud is here to stay, so…

• Plan for success and plan for failure.

• Know and mitigate your business and technology risk.

• There are no silver bullets, shortcuts, or easy answers.

Page 29: The Business Case for Cloud: Critical Legal, Business, & Diligence Considerations

Q&A

Contact Me

• Janine Anthony Bowen, Esq., CIPP/[email protected]/in/jdabowen

• 678-823-6611

• Twitter - @cloudlawyer

• www.jack-law.com

• Facebook – www.facebook.com/JackAttorneys

JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology - Quite Simply, We Get It.
