The Keys to the Cloud: The Essentials of Cloud Contracting

Transcription

1 The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb & Loeb LLP 2014 LOEB & LOEB LLP

2 CLOUD TECHNOLOGY EXPLAINED KEY ISSUES IN THE CLOUD BEST PRACTICES TO MITIGATE RISK LOEB & LOEB LLP

3 LOEB & LOEB LLP Why is cloud different and how are cloud computing agreements different from other technology services agreements?

4 PART I: CLOUD TECHNOLOGY EXPLAINED PART II: KEY ISSUES IN THE CLOUD PART III: BEST PRACTICES TO MITIGATE RISK LOEB & LOEB LLP

5 LOEB & LOEB LLP NIST Definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

6 Characteristics On demand self-service Broad network access Resource pooling Rapid elasticity Measured service LOEB & LOEB LLP

7 Software-as-a-Service (SaaS) Access standard software over the internet Not a customized solution, with the software used by many No version control; new versions implemented to all users Software configuration limits set by the supplier Platform-as-a-Service (PaaS) Customer ability to access/build applications on supplier defined architecture Ability to deploy and access custom software solution over the internet Supplier established programming capability limits Infrastructure-as-a-Service (IaaS) Ability to move applications and operating system software to a cloud platform Supplier established infrastructure configuration Supplier established availability and scalability limitations LOEB & LOEB LLP

8 Private Cloud Provisioned for exclusive use by a single organization comprising multiple end users Owned/operated by the organization or a third party supplier Can be located on or off premises Public Cloud Provisioned for use by the general public, not specific organization Owned/operated by a third party supplier Located at the service provider or third party locations Hybrid Cloud A combination or 2 or more cloud infrastructures Underlying cloud infrastructures remain intact LOEB & LOEB LLP

9 PART I: CLOUD TECHNOLOGY EXPLAINED PART II: KEY ISSUES IN CLOUD CONTRACTS PART III: BEST PRACTICES TO MITIGATE RISK LOEB & LOEB LLP

10 Enterprise Risk v. Commodity Transaction The enterprise customer historically: Negotiated the transaction to address its own risk profile Used the transaction to maintain a competitive advantage Maintained control over the services The cloud computing supplier: Standardizes its own risk profile/contract terms Standardizes the services across its customer base Need to distinguish cloud from Application Service Provider and IT Outsourcing Services All business and legal issues are implicated LOEB & LOEB LLP

11 Need to address key issues and risks: Entering into the transaction Ongoing services Exit strategies LOEB & LOEB LLP

12 Terms and Conditions How are cloud contacts structured? Service Agreements Vendor paper is based on commodity offering Clickwraps Linked terms Pass through terms Terms that can be updated/changed LOEB & LOEB LLP

13 Service Levels What service levels apply to the Cloud? Availability Scalability Response time Problem escalation/resolution Limited SLAs, limited remedies and non-uniformity LOEB & LOEB LLP

14 Version control Interoperability and Ongoing Compatibility Backward and ongoing compatibility Data formats Interfaces Third party software LOEB & LOEB LLP

15 Testing Ensuring the service works in accordance with specifications Testing the back end to ensure the system is properly implemented and integrates with other systems Ongoing testing of updates/regulatory changes Access to a test environment LOEB & LOEB LLP

16 Cross-Cloud Concerns Understanding the Interaction Between Clouds Cloud architecture and topography Private, public, hybrid, dedicated General integration issues across clouds Consistent standards Data security and backup, privacy, single sign-on LOEB & LOEB LLP

17 Law and Regulatory Compliance Compliance with law Which laws/regulations apply? Impact of regulatory guidance and commentary International concerns Cloud services may be provided from multiple, unknown jurisdictions Follow the sun support services Changes in laws/regulations LOEB & LOEB LLP

18 Law and Regulatory Compliance Particular Concerns of a regulated entity Definition of laws Regulatory consents/approvals Governmental authority audits Mandatory regulatory flow downs Interaction with related documents (e.g., BAA) LOEB & LOEB LLP

19 Privacy Issues Compliance with law U.S., EU, others? Industry-specific HIPAA, Gramm-Leach-Bliley Where is the data transmitted and stored? Distinction between the controller and processor not as clear in cloud services Restrictions on use by the service provider and third parties? Solution consistent with privacy policies? LOEB & LOEB LLP

20 Data Security Issues Data security requirements Encryption Physical and electronic security, including storage Private cloud (dedicated) or public cloud Cross-cloud concerns Back-up and redundancy Where located? Provider or third party contractor? Location of, processing and storage of data Where located? General geography or street address Flow downs to subcontractors Handling security incidents LOEB & LOEB LLP

21 Data Retention Issues Document retention requirements Vendor may have limited or no policy Regulatory compliance Solution not designed for regulated use WORM drive Data destruction requirements Certification Destruction of data/wiping of drives Concerns in a multi-tenant solution LOEB & LOEB LLP

22 Data Ownership and Use Ownership of: Data input by the customer or its customers Data processed and stored in the cloud Derivative data Customer right to use supplier data Supplier right to use aggregated data LOEB & LOEB LLP

23 ediscovery and Data Preservation Full cooperation to the company and its electronic discovery provider Access to all data, in acceptable file formats Ability to run keyword searches Responding to Third-Party Requests (Subpoena) Prompt notification of request LOEB & LOEB LLP

24 Audit Rights and Audit Obligations Books and Records Required Provider Audit SSAE 16 (replaced SAS70) SOC 1 Report Data Security Locations/Data Centers Flow Down to Subcontractors LOEB & LOEB LLP

25 Liability Issues Limitation on Liability Disclaimer of Consequential Damages Limited or no exceptions to provider liability Indemnification obligations Confidentiality breaches Data security failures (including breach notification costs) Gross Negligence/Willful Misconduct Flow Down to Subcontractors LOEB & LOEB LLP

26 Subcontractors and Suppliers Client s Approval Rights Audit and Oversight Flow-down Contract Provisions Responsibility for Liabilities LOEB & LOEB LLP

27 Required Termination Assistance Disentanglement Continued provision of services Return of data Assistance to customer or its new supplier Right to use supplier materials/data Other materials/information necessary for business continuity (i.e., not COTS) LOEB & LOEB LLP

28 PART I: CLOUD TECHNOLOGY EXPLAINED PART II: KEY ISSUES IN CLOUD CONTRACTS PART III: BEST PRACTICES TO MITIGATE RISK LOEB & LOEB LLP

29 Tactical Review Pre-Contract Understand the technology to be implemented and access methods, as well as data movement, processing and storage Map the data-flows, data storage and technology infrastructure across geographies Map the interaction and integration points with third-party services/systems/software/clouds/data feeds LOEB & LOEB LLP

30 LOEB & LOEB LLP

31 Tactical Review Pre-Contract Determine whether the solution complies with: Legal and regulatory requirements for privacy and data security Privacy policies Information security policies LOEB & LOEB LLP

32 Tactical Review Pre-Contract Who should participate? Legal Business Stakeholders IT Compliance Sourcing What is the required output of the tactical review? Strategies to implement a formal review process? LOEB & LOEB LLP