Evolving Technology Issues: Cloud Computing
Michael Bennett
October 16, 2011
© 2011 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP
Cloud Computing (Agenda)
- Does compliance with applicable laws fall to the user or to the service supplier?
- What to consider before entering an agreement
- Which laws, regulations and standards are challenging for cloud computing
- Assessing the cloud provider's compliance situation
- Mitigating cloud provider shortcomings
- Questions
Definition: NIST Definition
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Essential Characteristics:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
Source: http://csrc.nist.gov/publications/drafts/800-145/draft-sp-800-145_cloud-definition.pdf
It's Easy: Vendor T&Cs
Vendor Terms of Service (typical headings):
- Types of Accounts
- Consent to Access Your Files
- Files and Folders
- Your Public Folder
- Your Shared Folder
- Your Responsibilities
- Privacy
- Account Security
- Your Use of the Services
- Vendor Property and Feedback
- General Prohibitions, e.g. content that is: false or misleading; defamatory; (…) privacy; obscene, pornographic, or offensive; (v) promotes bigotry, racism, hatred or harm against any individual or group; (vi) infringes another's rights, including any intellectual property rights; or (vii) violates, or encourages any conduct that would violate, any applicable law or regulation or would give rise to civil liability
- Access, tamper with, or use non-public areas
- Attempt to probe, scan …
- Attempt to access or search the Site, Content, Files or Services with any engine, software, tool, agent, device or mechanism other than the software and/or search agents provided by Vendor or other generally available third-party web browsers (such as Microsoft Internet Explorer or Mozilla Firefox), including but not limited to browser automation tools
- Send unsolicited email
- Forge any TCP/IP packet header
- Attempt to decipher, decompile, disassemble or reverse engineer
- Interfere with, or attempt to interfere with, the access of any user
- Impersonate or misrepresent your affiliation with any person or entity
- Digital Millennium Copyright Act Compliance
- Respecting Copyright When Using Your Shared and Public Folders
- Links
Definition: Service Models
- IaaS: facility management, hardware
- PaaS: development platform
- SaaS: ASP
- Mixed
Overlap with outsourcing: facility management, hardware, operating environment, applications
Definition: Deployment Model
- Private Cloud
- Community Cloud (e.g. ABA wikis)
- Public Cloud (e.g. Google, Amazon)
- Hybrid (frequently mixed)
Important to understand who you are dealing with, and who the providers are dealing with.
Responsibility for Compliance?
Does compliance with applicable laws fall to the user or to the service supplier?
You can outsource performance; you cannot outsource responsibility.
What to consider when your data crosses borders
- Privacy / security law
- Existing policies
- ITAR
- Sarbanes-Oxley
- Safe Harbor
Challenging Laws / Regulations / Standards
- Privacy standards: whose policies apply? Vendor practices vs. customer practices
- Gramm-Leach-Bliley
- HIPAA
- Bank regulations
- Sarbanes-Oxley
- SLAs
- PCI
Assessing the cloud provider's compliance situation
- Pre-assessment (the "honeymoon")
- Evaluate leverage
- Evaluate data
- Evaluate mission criticality
- Evaluate type of cloud
- Plan for non-contractual remedies
- Plan exit strategy
Mitigating cloud provider shortcomings
- Back-to-back obligations
- Insurance
- Non-contractual remedies
- Contractual remedies
- Be aware of boilerplate limitations: remedies, choice of law, contractual statutes of limitation
Red Flags
- Criticality of service
- Sensitivity of data
- Reputation of provider
- SAS 70 audits
- Boilerplate terms
- User experience
- SLAs
- Lack of specific information
Key Clauses (overview)
- SLA
- Changes to service
- IP and data ownership
- Limitations of liability
- Privacy and security
- Litigation
- Termination
Key Clauses: SLAs
- Availability / uptime
- Break-fix response time
- Level of effort: "Vendor will fix within 2 hours" vs. "Vendor will use commercially reasonable efforts to fix within 2 hours"
Key Clauses: SLAs (Uptime Measurement)
- Measured monthly: 99% monthly = 7 hours of downtime; 99% yearly = 87 hours of downtime
- Permitted downtime: Sunday 2:00 a.m. regular maintenance window
- Is emergency maintenance part of permitted downtime?
- How good is the reporting?
Key Clauses: SLAs (How Measured, Exclusions)
- Force majeure
- Reasonable disaster plan
- Third-party acts
- Customer acts, equipment, software
Key Clauses: SLAs (Remedies)
- Credits
- Incentive: stick and carrot
- Exclusive remedy?
- Must request
- Escalation triggers: fail to meet in 2 consecutive months; fail to meet in any 4 months in a rolling 12-month period
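The uptime measurement, exclusion and remedy-trigger points above are easy to state and easy to get wrong when you try to check a vendor's monthly report against them. The following Python evaluator is an added example, not part of the presentation or any vendor's SLA tooling. It assumes: uptime is measured per calendar month against the month's hours minus permitted maintenance windows; the permitted window is every Sunday from 2:00 a.m. for an assumed 2 hours (the slide gives only the start time); outages caused by force majeure, third parties or the customer are excluded; emergency maintenance is excluded only when a flag says the contract treats it as permitted downtime. The October 2011 outage list is constructed sample data.

```python
"""SLA availability evaluator (added example; assumptions noted in comments)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

MAINT_WINDOW_HOURS = 2      # assumed length of the Sunday 2:00 a.m. window (slide gives start only)
EXCLUDED_CAUSES = {"force_majeure", "third_party", "customer"}   # exclusions listed on the slide


@dataclass
class Outage:
    start: datetime
    end: datetime
    cause: str = "vendor"   # vendor | force_majeure | third_party | customer | emergency_maintenance


def month_bounds(year: int, month: int):
    """[start, end) of the calendar month."""
    start = datetime(year, month, 1)
    return start, start + timedelta(days=calendar.monthrange(year, month)[1])


def permitted_windows(year: int, month: int):
    """Yield each Sunday 02:00 maintenance window falling in the month."""
    start, end = month_bounds(year, month)
    day = start
    while day < end:
        if day.weekday() == 6:                      # Sunday
            w0 = day.replace(hour=2)
            yield w0, w0 + timedelta(hours=MAINT_WINDOW_HOURS)
        day += timedelta(days=1)


def overlap(a0, a1, b0, b1) -> timedelta:
    """Length of the intersection of [a0, a1) and [b0, b1); zero if disjoint."""
    lo, hi = max(a0, b0), min(a1, b1)
    return max(timedelta(0), hi - lo)


def chargeable_downtime(outages, year, month, emergency_is_permitted=False) -> timedelta:
    """Downtime that counts against the SLA after exclusions and permitted windows."""
    start, end = month_bounds(year, month)
    windows = list(permitted_windows(year, month))
    total = timedelta(0)
    for o in outages:
        if o.cause in EXCLUDED_CAUSES:
            continue
        if o.cause == "emergency_maintenance" and emergency_is_permitted:
            continue
        s, e = max(o.start, start), min(o.end, end)  # clip the outage to the month
        if e <= s:
            continue
        d = e - s
        for w0, w1 in windows:                       # drop any part inside a permitted window
            d -= overlap(s, e, w0, w1)
        total += d
    return total


def monthly_availability(outages, year, month, **kw) -> float:
    """Fraction of the measurable month (month minus permitted windows) the service was up."""
    start, end = month_bounds(year, month)
    permitted = sum((w1 - w0 for w0, w1 in permitted_windows(year, month)), timedelta(0))
    measurable = (end - start) - permitted
    return 1 - chargeable_downtime(outages, year, month, **kw) / measurable


def credit_triggered(monthly_results, target=0.99) -> bool:
    """Escalation triggers from the slide: a miss in 2 consecutive months,
    or 4 misses within any rolling 12-month period (results oldest first)."""
    misses = [a < target for a in monthly_results]
    two_in_a_row = any(misses[i] and misses[i + 1] for i in range(len(misses) - 1))
    four_in_twelve = any(sum(misses[i:i + 12]) >= 4 for i in range(len(misses)))
    return two_in_a_row or four_in_twelve


# Constructed sample outages for October 2011 (five Sundays, so 10 permitted hours)
OUTAGES = [
    Outage(datetime(2011, 10, 5, 10), datetime(2011, 10, 5, 18)),                            # 8 h vendor fault
    Outage(datetime(2011, 10, 9, 1), datetime(2011, 10, 9, 4)),                              # 3 h, 2 h inside Sunday window
    Outage(datetime(2011, 10, 12, 9), datetime(2011, 10, 12, 12), "customer"),               # excluded
    Outage(datetime(2011, 10, 20, 22), datetime(2011, 10, 21, 0), "emergency_maintenance"),  # 2 h
]

if __name__ == "__main__":
    for flag in (False, True):
        a = monthly_availability(OUTAGES, 2011, 10, emergency_is_permitted=flag)
        print(f"emergency permitted={flag}: availability {a:.4%}, meets 99%? {a >= 0.99}")
```

The point the numbers make: the same 11 hours of vendor-caused outage either breaches or comes close to the 99% target depending purely on whether emergency maintenance and the Sunday window are carved out, which is why the slide asks how uptime is measured and whether the reporting is good enough to check it.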
Key Clauses: SLAs (Practical Considerations)
- Vendor reputation
- Multi-tenancy
- Transparency
Key Clauses: Changes to Service
- Improvement or reduction?
- Sufficient notice?
- Right to terminate?
- Requirement to buy new equipment/software to remain compatible?
- How notified? Email; notice posted online in the service description; in writing (unusual)
- Fee increases: how much notice?
Key Clauses: IP and Data Ownership
- Customer owns: customer data, customer-provided software
- Notice when data is accessed or given to law enforcement
- Vendor owns: vendor software, tools
- Use of aggregated data: how aggregated is it? How is the data used?
- A service, not really a license: subscription
Key Clauses: Limitation of Liability
- Cap
- Extensive disclaimers; frequently disclaim even direct damages
- Low cap: 1 month's fees up to 12 months' fees
- Insurance as a proxy
Key Clauses: Privacy and Security
- Whose policies apply? Both? Do they mesh?
- Who has your data?
- SAS 70: watch out for a check-box approach; understand the criteria against which the provider was tested
Key Clauses: Litigation
- Litigation hold, subpoena
- Can an effective litigation hold be implemented?
- Whose cost? Pre-negotiate rates
- Notice of subpoena
- NSA
Key Clauses: Termination
- Vendor suspension/termination: payment dispute; DDoS attack, viruses; high volume; illegal activity
- Client termination: for convenience (not usual, or only for a termination fee)
- Absolute right to recover data
- Conversion tools, data maps?
- Termination assistance?
Questions?
Michael P. Bennett
Edwards Wildman Palmer LLP
225 West Wacker Drive, Chicago, IL 60606-1229
Tel: (312) 201-2679
Fax: (312) 416-4597
Email: mbennett@edwardswildman.com
Web: http://www.edwardswildman.com