Although there is no official definition, cloud computing is generally understood to mean the use of the Internet, or the “cloud,” to access information technology (IT) assets and services such as software, data storage, or specialized business platforms and programs, from a third-party service provider. The Internet cloud contains the provided services, which, similar to utilities like electricity or water, are accessed on an as-needed basis. Generally, cloud computing users are charged for their use of the services on a subscription- or use-based pricing model. This update provides an overview of the benefits and risks of using cloud computing services.
- Cloud Computing Benefits
Low Barriers to Entry
One of the biggest benefits provided by cloud computing is the relatively low barrier to entry. IT assets often require large upfront capital expenditures, such as the purchase of hardware, software, and network capabilities, as well as the accompanying services. Instead of incurring the upfront capital expenditures on IT assets, a cloud computing user needs only to pay the sign-up and use costs for the cloud computing services.
Low Maintenance Costs
Another benefit of utilizing cloud computing is the convenience and cost savings of not having to maintain or update the software, data, or other cloud computing technology or service. A user does not bear the costs of hiring and employing an IT staff to service cloud technology. The user is better able to control maintenance costs because the user pays only for the amount of service it commits to consume.
Cloud computing provides the additional benefit of flexibility to the user. Because cloud computing is a need-based service, it allows the user to increase or, subject to usage commitments that may be applicable, decrease capacity requirements as necessary and only pay for the amount of services it consumes.
Additionally, because cloud computing services are accessed via the Internet, the user is able to access a cloud computing-provided service anywhere on any machine that can access the Internet. This increased accessibility is useful for a user who travels or for users who telecommute. Also, because the user’s machine only needs to be able to access the Internet, a user does not need to have a fully functional computer; a smaller, less expensive netbook, or possibly a smartphone with Internet capability, may be sufficient to use the cloud computing services.
- Potential Cloud Computing Issues
While cloud computing provides many benefits to users, any person considering a cloud computing solution should consider the potential issues that may arise when using cloud computing services.
Cloud computing raises several access-related issues that potential users must consider. A cloud computing user relies on the Internet for accessing technology; any service interruption would prevent the user from accessing the provided services. In addition to Internet availability, the user is also subject to the availability and proper operation of the provider’s technology. Availability standards, and the remedies for failure to meet such standards, should be discussed with the provider.
A user typically does not control whether and when the technology is updated. The user should consider the prospect that future upgrades may be incompatible with the user’s technology environment, which may require hardware or software upgrades and may also require retraining of the user’s personnel, possibly at times or during seasons of peak activity in the user’s business.
A user must determine the ability it will have to access the data that it transfers to or stores in the cloud. The user should inquire about the provider’s policies and procedures related to a user’s access of data, both during the term of the agreement and following the termination of the agreement, as well as the compatibility of the provider’s data format with other applications with which the user may expect to access or process the data it retrieves from the cloud.
A user should also consider the impact of the following on its business: a provider’s bankruptcy, termination or expiration of the cloud computing agreement, or a dispute with the provider. The parties should agree on dispute resolution procedures and end-of-agreement procedures so that the technology or data transfer runs smoothly and the user’s business operations can proceed without interruption.
Privacy, Confidentiality, and Security
A cloud computing user must thoroughly review the provider’s policies and procedures regarding confidential information and data security if cloud computing technology or services will be used to store, submit, process, or otherwise transfer confidential or personally identifiable information. Data security procedures and capabilities should be commensurate with the sensitivity of the data being protected, and must support obligations the user has undertaken to third parties and obligations the user has under applicable laws. The parties should reach agreement on standards and safeguards that will be applicable to confidential information, as well as remedies for unauthorized disclosure or use of confidential information or breach of data security.
A user must also inquire where the provider proposes to store any personally identifiable information that may be processed or stored using cloud technology. This information is important because different jurisdictions have different privacy laws. For example, personal information that is stored in the European Union (EU) is subject to an EU Directive that imposes significant obligations on collectors of personal data.
Rules and regulations of the U.S. Federal Trade Commission may also apply to personal information transferred, stored, or processed via cloud computing. Many companies publish policies about the type of personal information they collect, how such information is used, and to whom such information is disclosed, as well as the security procedures in place to protect such information. The companies must then abide by their policies. An agreement for cloud computing services should be clear about the types of information collected and how the information is stored, as well as the minimum data protection standards. A user should also consider whether it requires data protection audit rights.
A user should consider whether other regulatory requirements may apply to its use of cloud computing technology or services. For example, regulatory compliance issues arise in connection with applications and services that are used to prepare public companies’ financial data (Sarbanes-Oxley compliance) and applications and services that store, process, or transmit personal information (e.g., Health Information Portability and Accountability Act of 1996 compliance concerning confidentiality of patient records and Gramm-Leach-Bliley Act compliance concerning confidentiality of personal financial information). A cloud computing agreement should address and allocate each party’s responsibilities for complying with applicable regulations, as well as remedies, such as indemnities, for failure to meet these obligations.
Because cloud computing offers many benefits to its users, it is a rapidly growing tool in business IT infrastructure. To create the best business relationship between parties to a cloud computing agreement, each party should carefully consider not only its own business requirements but the business requirements of the other party, and the parties should structure an arrangement that comes as close as possible to meeting their respective needs.