The "cloud computing" trend of replacing hardware or software traditionally installed on office computers with applications delivered via the Internet is driven by aims of reducing IT complexity and cost. While today's "cloud-powered" enterprises can gain significant flexibility and agility, the migration of business-critical data into remote, worldwide data centers – the "cloud" itself – introduces profound legal and compliance issues. This is particularly true for organizations in heavily regulated sectors such as education, healthcare and industries subject to export controls.
John L. Nicholson and Wayne C. Matus, attorneys in Pillsbury's Privacy and Data Protection practice, advise clients on numerous legal issues surrounding their strategic technology decisions. In this Q&A, they explain factors organizations should consider when studying cloud computing and negotiating with service providers.
Q. It seems like every technology vendor is touting a "cloud" strategy. What is the common thread?
Nicholson: While there is a lot of discussion about what "cloud computing" really means, in essence it is one party – the customer – obtaining IT services from a provider. Some aspects of cloud computing aren't new – for example, companies have been using software provided by application service providers for years. The difference with cloud computing is the supplier's substitution of a presence in "the cloud" (i.e., the Internet) for a physical presence.
Q. Why all the excitement? What are cloud computing's biggest advantages?
Nicholson: The promise of higher accessibility, availability and efficiency is leading companies, universities, government agencies and others to consider the cloud.
Cloud computing lets employees access storage, e-mail, databases and other business applications anywhere, on-demand. This expanded, device-neutral access theoretically lets employees use information more effectively. Centralizing applications and data in a cloud provider's data centers is also seen as affording a high degree of data availability, particularly for small or mid-size companies, as large service providers can theoretically invest in high-capacity infrastructures and hosting to keep software available in the event of technical glitches or heavy traffic.
There is also an efficiency argument. Amazon's EC2 platform, for example, lets users "order" as many virtual servers as they need and pay for them by the hour. Once they are done, the virtual servers disappear and the user doesn't pay anything else. Some of Amazon's customers "turn on" their servers first thing in the morning, use them during the business day, and turn them "off" again at the end of the day.
Q. Where is cloud computing prompting the greatest concerns for enterprises?
Matus: Privacy and security are the top concerns. Traditional IT systems, of course, have their risks and vulnerabilities, but the major issue with cloud computing is that according to most providers' models, customers' sensitive data and applications exist alongside those of other entities in data centers located in various countries. This triggers a host of technology, regulatory and liability questions. Our clients are eager to use the latest technologies available, but they also ask us to help them address whether their data will be secure and recoverable in these arrangements, as well as whether cloud services could subject them to new risks, jurisdictions and adjustments to their business.
Clouds offer novel approaches, but still require thorough risk management. Of course, the cloud itself is both a simplified data repository and a single point of failure. A loss of Internet connectivity anywhere between the customer and provider's network will cause interruptions of varying severity, as we saw with recent reports of a Google services outage.
Q. What do many organizations overlook when evaluating cloud computing?
Matus: First, they don't look "under the hood." The cloud is a nice metaphor, but your data or applications are sitting on real, physical servers in a data center somewhere. You need to know where your data is hosted – especially if it could be multiple places – and you need to perform the same due diligence required for any other outsourcing.
Second, many potential customers overlook the risk of cloud "lock-in." Service providers want to get your enterprise in the cloud, but may not be as helpful when it comes to letting you take your data out of their infrastructure, in the event you decide to end the relationship. A good way to estimate the "portability" of their data is to consider the nature of what you are putting in the cloud. If you are just using the cloud for storage, you can probably migrate to another provider pretty easily. If you're using a platform like EC2 as a substitute for buying hardware and software, that may also be relatively easy.
If, however, you have selected a provider that uses a proprietary Web-based application to create and classify your data, you might be effectively "locked" in that system for all practical purposes. Most providers will not want to go through the trouble of converting your files into a transferrable format simply to help you re-compete or transition a contract.
Nicholson: "Who owns the data?" is another important question. With cloud computing, customers do not own the underlying software. Again, depending on the nature of the service provider and applications in question, we recommend clients read the fine print carefully and approach each vendor from the standpoint of maintaining ownership over not only their raw business data, but valuable data processing results – such as new analyses of sales prospects or who their most valuable customers are – which will also reside on providers' systems.
Q. Is cloud computing a better fit for some organizations than others?
Nicholson: Because cloud computing providers are fundamentally service providers, complying with applicable laws is ultimately the customer's responsibility.
We advise our clients to seek out providers who can accommodate their specific or unique requirements. For example, whether a cloud computing solution complies with the Payment Card Industry Data Security Standards is something of an open question right now – it depends on certain interpretations of the rules. So, it might not be as good a solution for those companies who have to be PCI compliant until that issue gets sorted out.
Matus: The cross-border issues inherent to cloud computing pose real hurdles for businesses holding sensitive government contracts, for example, or those subject to export controls over their products and intellectual property. You really don't want to wake up one morning and discover that by using a cloud service provider you've accidentally violated US export laws. Other organizations, such as universities, might be subject to numerous state and federal laws covering data on grades, health records or financial aid. Certain countries have very strict rules about cross-border transfers of personal information, and complying with those rules can be challenging in the virtual world of the cloud.
Nicholson: The key question is whether cloud providers' offerings can conform to these varying regulatory frameworks. Many cloud providers purposely offer what amounts to a "one size fits all" package because it is in their interest to leverage economies of scale. This makes the contract negotiation phase crucial.
Q. What should enterprises prioritize in negotiating cloud computing contracts?
Nicholson: Among other important terms, organizations should ask questions about disaster recovery, liability for security breaches, the supplier's ability to suspend the services for any reason and termination, both "when" and "why" it can happen, and what the supplier is required to do to help you transition.
Typical cloud agreements define service level agreements (SLAs) establishing providers' expected uptime and performance. We advise cloud customers to look carefully at the math behind those measurements and figure out what they actually mean in terms of end-user experience and the client's business operations. We urge customers to have cloud providers define their data recovery and business continuity postures and what they are responsible for in a natural disaster affecting data centers, for example, or other crises.
Matus: Establishing both providers' and customers' liability and exclusions is also critical. Customers are generally concerned about cloud providers' liability for things like data breaches occurring on their infrastructures, or a provider's facing a court-ordered shutdown as a result of patent infringement or other penalty. Providers, in turn, usually want customers to accept liability for placing infringing or other illegal material into their cloud platforms, or using the cloud for illegal activity, such as sending spam.
"What happens if either the customer or cloud provider goes bankrupt and terminates the service? Is there a means for customers to recover their business critical data when a provider fails? Is a provider obligated to return or maintain data in the event a customer can no longer pay for the cloud?" These are all questions that need to be considered up front, before any costly business disruptions occur due to insolvency or other hardships.
Q. What do you emphasize the most for clients on cloud computing?
Nicholson: Organizations should continually look for new technology advantages, but they need to keep their unique business requirements and regulatory factors at the forefront of decision making, ahead of pure IT trends or budget advantages. Cost, complexity and compliance are on every CIO's mind, and it helps for IT and legal stakeholders to work with advisors who can assess these areas and offer insight gained from experience with major cloud computing providers' business models, terms and conditions.
Matus: To the greatest degree possible, organizations contemplating a jump to the cloud should survey providers, prioritize their requirements and seek objective insight on lessons different industries are learning in this and other emerging technology trends.