1 Your Place or Mine? In-House e-discovery Platform vs. Software as a Service Technology & Business Overview of Cloud Computing Janine Anthony Bowen, Esq. Jack Attorneys & Advisors Atlanta, GA 2014 Janine Anthony Bowen. All Rights Reserved.
2 TABLE OF CONTENTS I. Objective of Paper II. Definition of Cloud Computing A. Essential Characteristics: B. Service Models: C. Deployment Models: III. Technological Underpinnings Virtualization and Multi-tenancy A. Virtualization B. Multi-tenancy IV. A Cloud User s Viewpoint Risk-related Issues A. Maintaining Data Integrity B. Accessibility and Availability of Data/SLAs C. Disaster Recovery V. Conclusion
3 I. Objective of Paper In the cloud computing environment businesses have essentially outsourced the development, hosting, or running of applications and data to a third party; that part is not new and is no longer a challenging scenario. What continues to challenge is the combination of: (a) cloud-based service models, (b) relegation of system control to third parties, (c) use of virtualization, (d) the potential for multi-vendor integration, and (e) the increasingly borderless nature of Internet globalization. Technologically, it s complicated. But from a business perspective, cloud computing simply capitalizes on the need of a business to manage costs, stick to its core competencies and outsource the rest. The business case is easy to grasp, but the technology raises some interesting business and legal issues that are relevant for both the cloud provider and the cloud customer. II. Definition of Cloud Computing The definition below is a summary of the definition of cloud computing 1 set forth by the National Institute of Standards and Technology 2, an agency of the United States Government. Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released. This cloud model is composed of five essential characteristics, three service models, and four deployment models. A. Essential Characteristics: On-demand self-service. A consumer can provision computing capabilities, such as server time and network storage, as needed automatically. Broad network access. Capabilities are network accessible by various client platforms (e.g., mobile phones, tablets, and desktops). Resource pooling. The provider s computing capabilities are pooled to serve multiple consumers using a multi-tenant model. Resources are dynamically assigned and reassigned according to consumer demand. In most cases the customer generally has no control or knowledge over the exact location of the provided resources. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically. The consumer capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability. B. Service Models: Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider s applications running on a cloud infrastructure. The applications are accessible through a web browser (e.g., web-based ). Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumercreated or acquired applications created using programming languages and tools supported by the provider (e.g. Salesforce.com). 1 Full text of the cloud Computing definition can be found at 2 National Institute of Standards and Technology,
4 Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications (e.g. Amazon S3). C. Deployment Models: Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together to allow data and application portability (e.g., cloud bursting for load-balancing between clouds). III. Technological Underpinnings Virtualization and Multi-tenancy A. Virtualization Computer virtualization in its simplest form is where one physical server simulates being several separate servers. For example, in an enterprise setting, instead of having a single server dedicated to payroll systems, another one dedicated to sales support systems, and still a third dedicated to asset management systems; virtualization allows one server to handle all of these functions. A single server is able to simulate being all three. Each one of these simulated servers is called a virtual machine. Some benefits of virtualization are the need for less hardware and less power consumption across the virtualized enterprise. Virtualization also provides greater utilization and maximization of hardware processing power. Because of these benefits, virtualization should lower expenses associated with operating a data center. Further, because the emphasis in the virtualized environment is on maximizing usage of available resources no matter where they reside, virtualization across a single or multiple data centers makes it difficult for the cloud user or the cloud provider to know what information is housed on various machines at any given time. B. Multi-tenancy Multi-tenancy refers to the ability of a cloud provider to deliver software as-a-service solutions to multiple client organizations (or tenants) from a single, shared instance of the software. The cloud user s information is virtually, not physically, separated from other users. The major benefit of this model is cost-effectiveness for the cloud provider; however, the cloud provider must be careful with respect to the manner in which it licenses software for intended multi-tenant use. Some risks or issues with the model for the cloud user include: a) the potential for one user to be able to access data belonging to another user; and b) difficulty to back up and restore data. 3 IV. A Cloud User s Viewpoint Risk Minimization 3 German Goldszmidt and Indrajit Poddar, Develop and Deploy Multi-Tenant Web-delivered Solutions using IBM middleware: Part 1: Challenges and architectural patterns
5 As potential cloud users assess whether to utilize cloud computing there are several commercial and business considerations that may influence the decision-making. Many of the considerations presented below may manifest in the contractual arrangements between the cloud provider and cloud user. A. Maintaining Data Integrity Data integrity is ensuring that data at rest is not subject to corruption. Multi-tenancy is a core technological approach to creating efficiencies in the cloud, but the technology, if implemented or maintained improperly, can put a cloud user s data at risk of corruption, contamination, or unauthorized access. A cloud user should expect contractual provisions obligating a cloud provider to protect its data, and the user ultimately may be entitled to some sort of contract remedy if data integrity is not maintained. That being said, contract remedies are of little solace if data integrity is compromised, so cloud users should have their own plans in place in the event of a loss of integrity at the cloud provider level. B. Accessibility and Availability of Data/SLAs The service level agreement (SLA) is the cloud provider s contractually agreed-to level of performance for certain aspects of the services. The SLA, specifically as it relates to availability of services and data, should be high (i.e., better than 99.7%), with minimal scheduled downtime (scheduled downtime is outside the SLA). Regardless of the contract terms and the provider s willingness to agree to a high service level, the cloud user should get a clear understanding of the cloud provider s performance record regarding accessibility and availability of services and data. A cloud provider s long term viability will be connected to its ability to provide its customers with almost continual access to their services and data. The SLAs, along with remedies for failure to meet them (e.g., credits against fees) if any, are typically in the agreement between the cloud provider and cloud user. The cloud user may find that many cloud providers offers relatively low SLAs. That means that SLAs may provide little assurance of quality to the user, and little likelihood of SLA default by the provider. The cloud user may also find that it bears the burden of establishing the occurrence of and requesting whatever remedies are available for a default. This approach is allowable (though not desirable) because there is no law, for the most part, requiring or mandating SLAs. The service level agreement is borne out of a business need that outsourcing service providers faced long before cloud computing. The service providers customers were asking for certain contractual levels of quality. The response over time was the creation of the SLA to incent the provider to perform at high levels and to compensate the user when the service quality did not reach that level. The SLA is a contractual creation and is borne out of contract, not out of the law itself. Because of this reality, cloud providers have no legal requirement to use SLAs, create robust SLAs, or to police them. Cloud users should diligence cloud providers prior to contracting to understand both the contractual and actual service quality level. Additionally, analysis before moving to the cloud ensures that the business process to be moved can tolerate the cloud provider s SLA. C. Disaster Recovery For the cloud user that has outsourced the processing of its data to a cloud provider, a relevant question is what is the cloud provider s disaster recovery plan? What happens when the unanticipated, catastrophic event affects the data center(s) where the cloud services are being provided? It is important for both parties to have an understanding of the cloud provider s disaster recovery plan. More importantly, the cloud user must have its own disaster recovery plan (of which the cloud provider s plan is only a part) to support its business needs. V. Conclusion This paper was intended to provide a general overview of Cloud Computing and some of the commercial and risk-related issues associated with Cloud. It set forth the technical framework and some business items to consider.