Recently in Cloud Computing Category

Contract Issues to Consider if Offshore Services are in your Software as a Service (SAAS) or Cloud Agreement

Posted
By Benjamin M. Dean

Customers increasingly are taking advantage of Software as a Service (SAAS) and other cloud-based solutions available in the marketplace. There are of course many legal and commercial issues that customers should consider when evaluating contracts provided by suppliers of these solutions. This post focuses specifically on issues arising when SAAS or other cloud solutions will be provided from an offshore location. For example, data hosting, help desk/service desk, implementation, and disaster recovery services are often provided from India, the Philippines and other offshore locations in support of solutions that are delivered in North America and Europe.


  • Transfer of Customer Data Offshore. Customers should consider whether there must be restrictions on the transfer of data offshore (whether due to internal security policies, industry standards, obligations within downstream customer contracts, or applicable laws and regulations). If the data contains personally identifiable information (PII), protected health information (PHI) or similar types of data covered by data privacy laws, the data most likely should remain onshore. A customer may decide that other data may be transferred offshore, but only if additional safeguards, contract restrictions or liability provisions are added to the contract with its service provider.

  • Access to Customer Data or Systems from Offshore. This issue turns the item above on its head, a bit: even when customer data and systems remain onshore, customers should consider whether personnel from the SAAS or cloud service provider should have access to such data or systems from offshore. For example, offshore personnel who are accessing service desk records or performing break-fix services may request the ability to access a customer's onshore systems. This may or may not be acceptable in any case, or it may be acceptable only if certain agreed-upon restrictions are followed.

  • Security Concerns. Customers should ensure that they understand the physical and logical security applicable to the offshore component of the SAAS or cloud solution that they are buying, and confirm that it complies with their overall network, application and data security standards. For example, customers may want to ensure that they can (i) inspect the service provider's policies and procedures related to security and (ii) perform site audits of locations where offshore services are provided. They also may want to prohibit or restrict offshore employees from working from home.

  • Flash Drives/Printing. Customers should consider restricting the ability of offshore personnel from using computers that allow the customer's data to be downloaded. Restrictions on the ability to print, prohibitions against the use of flash drives, and prohibitions against the use of both internal and external hard drives by offshore personnel are not uncommon.

  • Permissions of Offshore Governments. Customers should consider which party (the customer or the service provider) should be responsible for obtaining any government authorizations that are necessary to provide services from offshore, whether those are onshore or offshore governments. Related to who must take responsibility for obtaining any authorization is the issue of which party is responsible to pay any associated costs.

  • Encryption. If data is being sent offshore, customers may have certain encryption standards that they want their service providers to meet or particular encryption software that they want their service providers to use. It is important to note that the use of encryption technology is restricted with respect to the transmission of data to certain countries worldwide, so customers should coordinate with legal counsel to confirm that the use of encryption technology is in compliance with applicable law.

  • Personnel Matters. Customers should inquire as to how high the turnover rate is among the offshore workforces of their potential service providers. In some cases, customers may want to ensure that (i) there are turnover restrictions or service levels in place; (ii) incentives to avoid turnover are implemented; or (iii) at a minimum, the customer receives reports as to the turnover rates so that the customer will be aware if turnover becomes an issue. Additionally, customers will want to ensure that their contract makes clear that the service provider is responsible for compliance with applicable laws and customer policies relating to personnel. This may involve not only employment screening, reference checks and hiring issues, but also compliance with any applicable immigration laws (including visa status) and employee benefits requirements.


If SAAS or other cloud solutions will involve any offshore services, customers should carefully consider these issues and ensure that they have the necessary contract terms in place in order to protect themselves from potential risks related to the offshore services. Taking this a step further, we recommend that customers have a set of pre-prepared terms that they can include in contracts that will involve offshore services (these terms can be included in a stand-alone contract schedule or incorporated into the main body of the contract). If a customer is negotiating with a large service provider that offers a standard SAAS offering or other public cloud solution, the service provider may not be open to considering the customer's standard offshore terms, but instead may have its own data security "fact sheet" or similar contract attachment. In that case, customers will want to review and attempt to supplement the service provider's data security terms to make sure they adequately address the issues described above.

Subcontracting in the Cloud

Posted
By Vipul Nishawala

The rise of cloud computing services and the privacy/security issues involved have been much discussed (see, for example, our prior blog posts here). But when customers procure cloud-based services, a critical "behind the scenes" issue is often overlooked: is the cloud provider itself relying on third party subcontractors to perform critical functions? When these subcontractors are added to the mix, things become a bit more complicated.

Cloud computing offers a wide variety of services:

  • IaaS: infrastructure as a service to replace a customer's data center or testing environment;
  • PaaS: platform as a service to replace a customer's applications development environment; and
  • SaaS: software as a service to replace a customer's need to install and operate software.
Each of these services share the key characteristics of cloud computing (resourcing pooling, rapid deployment, location independence, high scalability) that are appealing to customers. It's little wonder that Gartner forecasts that the public cloud computing market will grow 18.5% this year to $131 billion worldwide.

When customers think about obtaining cloud services, they should keep in mind that a number of these services can be layered on top of each other with different providers to create a cloud "supply chain". This makes the customer-facing service more efficient and less costly.

Take, for example, an end user customer that has procured a SaaS solution. This end user customer uses the application but doesn't control the operating system, hardware or network infrastructure on which it's running. This is the trade-off that all end user customers make when implementing a cloud solution.

But it may be the case that the SaaS provider itself doesn't control all of these delivery elements. The SaaS provider, in turn, could be the customer of an IaaS solution. Under this model, the SaaS provider is hosting its application on a third party's IaaS cloud. The SaaS provider may control some of the delivery elements (e.g., the operating system and storage applications) but it would have no control over the cloud-based infrastructure that supports the application. As with the end user customer, the SaaS provider trades off operational control for scalability and efficiency. The SaaS provider's use of an IaaS solution makes the SaaS provider's solution ultimately more "cloudy" and therefore more appealing to the end user customer.

CONTINUE READING

What's Missing from My Software as a Service (SAAS) Agreement? (Part 2)

Posted
By Benjamin M. Dean

As customers continue to embrace Software as a Service (SAAS) solutions that are hosted in the cloud, rather than traditional software solutions that are loaded onto and hosted on the customer's own environment, they should closely review the contract that will govern their relationship with their SAAS provider. Frequently, we see SAAS contracts that are missing certain basic (and key) requirements that serve to protect SAAS customers.

In Part 2 of our two-part series, we continue our list from Part 1 of the critical contract protections that SAAS customers should keep in mind, before signing any SAAS agreement. Alternatively, if a customer already has a SAAS agreement that omits any of the following terms, the customer should explore amending its current agreement to include these protections, during its next contract renegotiation.

CONTINUE READING

What's Missing from My Software as a Service (SAAS) Agreement? (Part 1)

Posted
By Benjamin M. Dean

As customers continue to embrace Software as a Service (SAAS) solutions that are hosted in the cloud, rather than traditional software solutions that are loaded onto and hosted on the customer's own environment, they should closely review the contract that will govern their relationship with their SAAS provider. Frequently, we see SAAS contracts that are missing certain basic (and key) requirements that serve to protect SAAS customers.

In the first of a two-part series, we offer the following critical contract protections that SAAS customers should keep in mind, before signing any SAAS agreement. Alternatively, if a customer already has a SAAS agreement that omits any of the following terms, the customer should explore amending its current agreement to include these protections, during its next contract renegotiation.

CONTINUE READING

Processing personal data in Europe? New Binding Corporate Rules for data processors since 1 January 2013

Posted
By Steven P. Farmer

On 1 January 2013, over 4 years after the idea was first discussed, new Binding Corporate Rules (BCRs) for data processors were launched following a meeting of European data protection authorities.

BCRs are internal codes of conduct which companies within a group can "sign up to" regarding data privacy and security to ensure that transfers of personal data outside of Europe will meet European rules on data protection. Whilst BCRs have been an option for data controllers to ensure compliant transfers from Europe for some time, the introduction of BCRs for processors have been welcomed with open arms by both data controllers and data processors alike.

As a result of this change, processors, such as IT outsourcing providers, cloud providers and data centre providers, who implement BCRs will be able to receive data in Europe from their controller clients and then transfer that data within their group, outside of Europe, whilst complying with European privacy rules. For processors who choose BCRs to ensure compliance, this development could significantly reduce managerial time (and paper) spent negotiating often complicated, data protection safeguards for each and every data processing activity they carry out, whilst also doing away with the supervision associated with such contracts once they are up and running. At the same time, this development offers controllers' clients comfort in the sense that controllers will be able to more simply demonstrate that their processing activities comply with European laws by pointing to an approved set of BCRs.

Whilst the use of BCRs for processors is not obligatory, it is expected that they will be widely utilised, particularly because processors will be able to take advantage of the mutual recognition application procedure, applying to one lead data protection authority in Europe to approve their BCR application.

In short, if you are processing data in Europe (or controlling and processing such data), this new, "hot of the press" development may offer the opportunity for considerable cost savings for your business, reduce managerial headaches and help you position yourself as a more attractive option to potential clients in a competitive marketplace.

A Break in the Clouds - What's Trending in Cloud Computing?

Posted
By Tim Wright

I recently attended the UK Society for Computers and Law's Annual Conference where Cloud Computing was one of the 'IT Law Hot Topics' under discussion. The others, in case you are interested, were Big Data, Apps and Mobile Payments. The event was sold out which goes to show how 'hot' these topics really are!

One of the speakers was Christopher Millard, Professor of Privacy and Information Law at Queen Mary, University of London where he leads the Cloud Legal Project - a three-year Microsoft funded academic project undertaken by the Queen Mary Centre for Commercial Law Studies. Started in October 2009, its mission is to reduce uncertainty regarding legal and regulatory status of essential aspects of cloud computing by "the production and dissemination of a series of scholarly yet practical research papers to address various legal and regulatory issues that will be fundamental to the successful development of cloud computing... [which will] demonstrate thought leadership in several complex and difficult areas of law and regulation that are of vital importance to governments and businesses globally."

The Cloud Legal Project website contains a rich source of content and is recommended reading for IT law practitioners whether in house or in private practice. Topics covered include an analysis of Cloud service provider's standard legal terms; data protection issues in cloud computing; law enforcement access in a cloud environment; and the role of competition law in the cloud; as well as a report on some of the differing legal issues in cloud computing as compared with conventional outsourcing or hosting contracts.

CONTINUE READING

Revisiting Outsourcing in the Cloud

Posted
By Sean Williamson

In April, we wrote about what we were seeing in the cloud space, including the impact of cloud computing on the CIO agenda. Since then, Savvis published an independent survey of 550 CIOs and Senior IT personnel from large global enterprises concerning their IT outsourcing strategies, including those around cloud computing. We decided to take a look at how some of our personal experiences with cloud computing compared with the survey's results. Spoiler alert: we weren't far off.

CONTINUE READING

Due Diligence in a Cloud Environment

Posted
By Tania L. Williams

Want to learn more about the key areas customers should consider as part of their cloud computing due diligence exercise? Read my recent article on the topic here.

Clouds in the Forecast

Posted
By Joseph E. Nash

Not too long ago a major supplier asked us what we are seeing in the cloud space. We thought the interchange might be of interest to readers of the blog -- so here are some selected questions and our responses.

CONTINUE READING

Accounting for Cyber Security Part Four - Auditing Cloud Providers' Security

Posted
By John L. Nicholson

Because evaluating a service provider's security posture is more challenging in the cloud, in Part Three of this article we looked at ways to evaluate a cloud service provider's security prior to signing the contract and some of the issues between customers and suppliers created by the SEC Guidance. In Part Four we'll look at ways to monitor the provider's security during the term of the agreement.

CONTINUE READING

Accounting for Cyber Security Part Three - Cloud Service Providers and ISO 27001

Posted
By John L. Nicholson

In Parts One and Two of this article we discussed the new Guidance issued by the Securities and Exchange Commission (SEC) Division of Corporation Finance that provides guidance to companies with regard to whether and how a company should disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.

In particular, the Guidance suggests that companies need to evaluate cyber-related risks including:


  • prior cyber incidents and the severity and frequency of those incidents;

  • the probability of cyber incidents occurring;

  • the quantitative and qualitative magnitude of those risks, including potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and

  • the adequacy of preventative actions taken to reduce cyber-related risks in the context of the industry in which they operate and risks to that security.

The Guidance specifically states that if a company outsources functions that have material cybersecurity risks, the company should provide a description of those functions and how the company addresses those risks. The Guidance also appears to recommend that companies use secure logging, which becomes challenging when functions are outsourced to the cloud.

Since researchers recently found flaws in Amazon Web Services that they believe exist in many cloud architectures and enable attackers to gain administrative rights and to gain access to all user data, in this Part Three and in Four of this article we'll discuss how you can evaluate the security of a cloud service and the contractual terms you should consider (or try to insert) into your cloud contracts.

CONTINUE READING

Clouds : Behind the Scenes

Posted
By Douglas S. Parker

With cloud services now obtaining as much press as the fallout from Kim Kardashian's wedding, it seems safe to say that clouds are likely to be in the business forecast for the foreseeable future.

A strong answer to every IT infrastructure manager's prayers, cloud computing can provide both a scalable on-demand combination of hardware, software and services, as well as helping fulfill corporate/social mandates for becoming greener.

The people over at Carbon Disclosure Project decided to commission a study into the potential impact of cloud computing on large US businesses. Released in July 2011, the report was independently produced by Verdantix and sponsored by AT&T.

Not surprisingly, the study shows "that by 2020, large U.S. companies that use cloud computing can achieve annual energy savings of $12.3 billion and annual carbon reductions equivalent to 200 million barrels of oil - enough to power 5.7 million cars for one year."

What is surprising is the incredibly thoughtful nature of the free, 23-page report (aptly named "Cloud Computing - The IT Solution for the 21st Century"). Not only is it an easy read, but it offers:

  • Terrific insight into the characteristics, types of services and deployment models of clouds
  • A crisp explanation of the differences between dedicated IT, private clouds and public clouds
  • Analysis that is based on at least 10 name-brand, multi-national companies (e.g., Aviva, Boeing, Novartis, State Street) that have invested in cloud computing
  • The logic as to why adopting a cloud model makes sense
  • A financial analysis of the costs of the various models in response to a hypothetical (but realistic) loss of operational support for an HR application within one year
  • The green benefits of clouds, including a carbon emissions model for CO2 reductions
  • A glossary of cloudy and cloud-related terms
While not a silver bullet, for the right applications, cloud computing can offer dramatic savings of both time (think in terms of multiple weeks for new servers to be provisioned to minutes) and money (think in terms of limited or no upfront capital costs and a pay-for-what-you-use billing model).

To the Cloud! Anticipating the Legal Issues in Cloud-Based Gaming

Posted
By John L. Nicholson

Given the great interest in "the cloud" from a business perspective, as well as Microsoft's popularization of the concept with its "To the Cloud!" advertising campaign, it's no wonder that many game providers are looking to the cloud as the next viable and profitable gaming platform. The cloud movement not only provides economic incentives through various subscription and pay-to-play models, but also helps defeat piracy by locking down game code and other intellectual property from potential thieves.

Cloud game providers have a lot to gain from virtualization, but moving to a cloud-based framework raises potential legal issues that should be considered.

LatencyThe first big issue for gaming providers considering moving to the cloud is both a practical one and a legal one - latency. Unlike digital downloads, streaming games require both down and upstream communications. Further, gaming often demands instant, real-time action, so any material latency will be noticed, especially for multi-player, FPS-type or other real-time games. Currently, some game providers have tried to satisfy gamers' demand for real-time, low-latency play by operating in data centers that are physically close to the gamer. From a technical perspective, cloud gaming may present an issue because it could involve moving the game servers much farther away from the gamer, thus having the potential to lead to increased, or even significant latency. Another technical fix may be to use "tricks" similar to those used in non-cloud gaming to compensate for latency issues.

From a legal perspective, however, the move to the cloud could bring such "tricks" into the realm of patents held by the gaming company OnLive--patents which cover "twitch gameplay" over a cloud-based system. When porting a game from client-server or mobile-based platforms to a cloud-based platform, game providers should be sure to investigate whether the conversion will expose them to potential infringement liability, including the OnLive patent portfolio. This is especially important because most game providers are not the actual game developer, so game providers should also review their agreements with the game developer to understand whether indemnification or re-development are options. Further, if the agreement is with a small game developer, the developer may not have the financial resources to indemnify the game provider, and thus the game provider should be aware of the potential risks before embarking on a cloud-based venture.

To read this publication by John Nicholson and Jenna Leavitt in its entirety, click here.

This is also posted Pillsbury's Virtual World Law Blog.

Pillsbury Hosts Cloud Security Alliance Federal Cloud Security Summit

Posted
By John L. Nicholson

On June 22, Pillsbury hosted the first annual Federal Cloud Security Summit, organized by the Washington, DC, chapter of the Cloud Security Alliance (CSA-DC). The keynote address was presented by Sonny Bhagowalia, former Deputy Associate Administrator with the GSA's Office of Citizen Services and Innovative Technologies and current CIO of the State of Hawaii, and covered the GSA's efforts and outreach to help drive Vivek Kundra's 25-Point Plan and "Cloud First" initiative.
Among other things, Mr. Bhagowalia spoke extensively about the Federal Risk and Authorization Program (FedRAMP), its goals, its accomplishments and where it is headed. FedRAMP was created to support the government's cloud computing initiative and is intended to provide a standard, cross-agency approach to providing the security assessment and authorization for agencies to use the services required under the Federal Information Security Management Act (FISMA). The idea is to facilitate the adoption of cloud computing services by federal agencies by evaluating services offered by vendors on behalf of the agencies. The evaluations are based on a unified risk management process that includes security requirements agreed upon by the federal departments and agencies. Because the services are vetted by the FedRAMP, theoretically each agency does not need to conduct its own risk management program - reducing duplication of effort, the time involved in acquiring services and costs.

A draft of FedRAMP requirements was released for comment in October 2010, and final release of the first version was expected by December 2010. Initially, the comment period was extended through January 2011 and the release delayed until the end of June, but according to this report, the requirements are now expected to be released sometime between August and October.

Despite the delays in the FedRAMP program, GSA has recently announced that it is offering cloud computing services via its Apps.gov website. Federal agencies now can order from a menu of three Infrastructure as a Service (IaaS) offerings--cloud storage, virtual machines and Web hosting--from service providers who have received GSA authorities to operate (ATOs) to offer them. Under the GSA program:

  • Each service provider is offering its own cloud services and bundled pricing;
  • Services are billed by the month; and
  • The process includes agencies getting quotes for the type of service they are looking for through the GSA eBuy system before making a purchase.
Mr. Bhagowalia's presentation was followed by two panels. The first was a Federal agency panel discussing challenges and opportunities presented by cloud computing for federal agencies, The second was an industry panel that I moderated on cloud computing in general.

The federal agency panel featured:

  • Greg Elin, Chief Data Officer, FCC
  • Bill Perlowitz, Vice President of Advanced Technology, Apptis
  • Katie Lewin, Director of Cloud Computing, U.S. General Services Administration
and was moderated by Bhavesh C. Bhagat, Co-Founder ConfidentGovernance.com and EnCrisp and one of the co-founders of the CSA-DC chapter.

The main theme of the first panel was that the goal of FedRAMP is not perfect security, which is impossible, but, rather, "to put the risk back into security management." The panel noted that organizations that want the benefits of cloud-based services must accept the fact that some risk is inevitable in moving to the cloud and must have a system to manage that risk. According to Greg Elin, Chief Data Officer for the FCC, "This is not about pretending we can stop it from happening." Katie Lewin, Director of Cloud Computing for GSA estimated that about a quarter of the government's $80 billion annual IT budget could be shifted to the cloud, with the least critical and sensitive applications going first. Early candidates would include public facing websites and internal email services. The panel noted that the shortage of qualified government technical workers with expertise in cloud computing increases the risk associated with moving to the cloud.

CONTINUE READING

Don't Let the Cloud Fog Your Thinking

Posted
By D. Craig Wolff

Cloud-based services give new meaning to the IT holy grail of "cheaper, better, faster" in the right circumstances. You might not even have to settle for just two. But it is important not to let the Cloud fog your thinking when it comes to configuring mission-critical IT-enabled services: adequate failover capabilities, and service levels that will support the operational imperatives of the business, are as important as ever.
It is typical, if not the norm, for Cloud service providers to offer only a single contractual service level - Availability - and then to define it in a way that wouldn't pass the sniff test in a traditional IT services contract. For example, it is not unusual for a Cloud service's Availability standard to be exceedingly low by customary data center standards - 98% or even 97% (versus 99.999% or even 99.9999%) - and then to make an already weak standard even weaker by contractual devices such as:


  • Excluding downtime during the provider's weekly maintenance window -which may span 2 days or more during the weekend, with no limit on how long the service can be taken down during that period,

  • Excluding so-called "brief" outages - any outage of a few (e.g., 5-15) minutes or less in duration, and

  • Providing that performance against the standard is measured over a quarter (or an entire year in some cases) instead of a month


A 98% Availability standard measured over a quarter would permit the service to be unavailable for more than 43 hours during a 3-month span, not counting planned maintenance downtime or excluded short-duration outages. Few substantial businesses would knowingly agree to such a low service commitment, but customers of Cloud services do it routinely. The same 98% Availability standard, if expressed as an annual Availability standard, would permit the service to be unavailable for a staggering 172 hours over the course of a year (not counting planned maintenance downtime or excluded short-duration outages) without violating the service level.
Service Level Agreements (SLAs) for Cloud services often contain other customer-unfriendly terms as well, such as:

  • Committing only to use commercially reasonable efforts to meet the service levels rather than making a firm commitment to either meet them or give the customer a service credit.

  • Offering a very low service credit in relation to the time period over which compliance with the service level is measured - e.g., providing a credit equal to 1/10th of the customer's monthly bill for the month in which an annual availability standard was violated. This would give the customer a service credit equal to approximately 3 days' of the Cloud provider's annual charges if the provider fails to meet the annual availability standard. To be meaningful, the service credit should represent a significant percentage of the provider's charges for the affected service for the entire time period over which compliance with the service level is to be measured, whether it be a month, a quarter or an entire year.

  • Cloud provider SLAs typically provide that the service credit is the customer's sole and exclusive remedy for any unavailability or non-performance of the Cloud service or other failure by the provider - meaning you can forget about claiming actual damages.

  • To receive a service credit, the customer must request it in writing and provide documentation of each service outage or disruption contributing to the service level violation within a fairly short period (e.g., 30 days) of the last reported incident in the service level claim. Although it is conceivable that some customers might take on the burden of documenting and requesting a service credit for one or a couple of long-duration outages that cause a violation of a service level, it's hard to imagine most customers taking on this burden to request a low-value service credit.

The recent well-publicized disruption in Amazon's EC2 service is certainly no reason for companies to back away from the extraordinary opportunities offered by Cloud solutions, but it should serve as a wake-up call to enterprises on the importance of configuring their Cloud services in a way that eliminates single points of failure and to demanding operationally meaningful service level commitments, including a meaningful service availability standard and a commitment to respond to and resolve service problems in a timely manner, coupled with meaningful service levels and service credits if the provider fails to meet the service levels.