A new dawn
The term 'cloud' can be interpreted as a reference to the cloud symbol frequently used in network diagrams to represent the Internet. The expression 'cloud computing' refers to a style of computing in which IT-related capabilities are provided 'as a service'.
The increased use of this style of computing has been facilitated by the ever increasing power of servers to hold large databases, the ability to access them more efficiently remotely because of increased network bandwidth, together with improved virtualisation techniques which allow single servers to be used concurrently for multiple users. This last expertise facilitates much higher utilisation levels than are typically achieved in traditional computing environments; this when combined with the infrastructure buying power of large-scale cloud providers, drives significant cost savings.
The literature on cloud computing has grown rapidly over the last 12 months. Typical of the attention is the special report on corporate IT contained in The Economist (25 October 2008) entitled 'Let it rise'; which starts in biblical tone as follows: 'In the beginning computers were human. Then they took the shape of metal boxes, filling entire rooms before becoming ever smaller and more widespread. Now they are evaporating altogether and becoming accessible from anywhere.' The Economist cannot be accused of understatement in assessing the significance of this new trend: '(T)he rise of the cloud is more than just another platform shift that gets geeks excited. It will undoubtedly transform the information technology industry, but it will also profoundly change the way people work and companies operate. It will allow digital technology to penetrate every nook and cranny of the economy and of society, creating some tricky political problems along the way.'
Those familiar with Gartner's Hype Cycle which captures the notion that the benefits of many technology innovations are at first much over-rated, might be expected to be very sceptical about news of this latest 'big thing' and the transformational promises attached to it. Cloud computing all seems very familiar. Might this just be a rebranding of well rehearsed offerings such as utility computing or application service provision? Closer analysis suggests that while cloud computing embraces some already known offerings, the combination of various factors means that this is indeed an idea whose time has at last arrived, even if it is not in all respects entirely new.
Public and private clouds
A detailed study undertaken at the University of Berkeley Reliable Adaptive Distributed Systems Laboratory provides a useful approach to defining cloud computing, adding a distinction between the public and private dimensions which is useful for any risk analysis of a particular project or system:
'Cloud Computing refers to both the applications delivered as services over the internet and the hardware and systems software in the datacenters that provide those services. The services themselves have long been referred to as Software as a Service (SaaS). The datacenter hardware and software is what we will call a Cloud. When a Cloud is made available in a pay-as-you-go manner to the general public, we call it a Public Cloud; the service being sold is Utility Computing. We use the term Private Cloud to refer to internal datacenters of a business or other organization, not made available to the general public. Thus Cloud Computing is the sum of SaaS and Utility Computing, but does not include Private Clouds. People can be users or providers of SaaS, or users or providers of Utility Computing.'
The focus of the Berkeley study is very much on SaaS Providers (who may themselves also be Cloud Users) and Cloud Providers on the basis that to date they have received less attention than SaaS users.
Tim O'Reilly usefully identifies different kinds of SaaS, distinguishing between the applications themselves and the platforms upon which they reside, between Software as a Service on the one hand and Platform as a Service ('PaaS') on the other. This latter variant of SaaS provides access to a software platform remotely via the Internet in a way which allows developers to create bespoke versions of a defined platform so that it is tailored to their particular needs. These needs may or may not be related to the functionality of the original application. In his analysis we can therefore distinguish between Infrastructure as a Service ('IaaS') (or utility computing), Platform as a Service ('PaaS') and Software as a Service ('SaaS').
Commercially established examples
The most widely known variant of cloud computing is the third category, SaaS. This had its origins in consumer markets, for example with social networking applications such as Facebook. In rapid fashion the same approach has been adopted for business use. Examples of such SaaS offerings include Salesforce.com, which is a CRM system for use in sales force administration, Google Apps, which includes word processing, spreadsheet, and presentation applications as well as e-calendars and e-mail, and Netsuite, which is also a CRM package but which includes accounting, ERP and e-commerce functionality. Salesforce.com also provides a PaaS offering known as Force.com, which makes its platform available via the Web to developers so that they can customise the application to meet the particular needs of their organisation, or indeed develop the platform to meet entirely new requirements. So far as IaaS is concerned, one of the most widely known examples is Amazon Web Services where the infrastructure and computing skills developed to underpin the original Amazon internet bookseller business model is now deployed to utilise those skills in a generalised non sector specific IaaS offering to the world at large.
New business models
The business models used in the sale of these applications differ from traditional approaches. Traditionally software is licensed and commercial users sign license and support agreements. Where the software needs to be modified to meet the needs of the user there will also be a services or development agreement to cover the required development or modification activity. The cost model usually provides for the payment of licence, development and integration fees up front (or as stage payments in the case of development costs) with support fees following on an annual basis. The cloud computing model tends to move these arrangements towards a subscription basis, with the payment stream based on use by way of micro payments or periodic per user payments, and with no up-front payments required. These new payment models are attractive to users from a cash flow perspective.
Unsurprisingly, vendors' sales efforts to date have been characterised by the use of standard terms rather than negotiated contracts. Where the applications are business critical, there is an obvious need for business users to analyse the standard form contracts in detail to see whether they provide appropriate contractual warranties and remedies. Users need to be satisfied not just with the functionality of the application but also with the way in which performance of the system can be managed in the event of any defects, and in particular in the event of any outages which cause the system to be unavailable for use. As might be anticipated in circumstances where software is being made available on a vanilla basis for use in a wide variety of circumstances and for relatively modest cost, the typical standard form agreements contain relatively low levels of protection and limited if any service levels. As well as performance issues, the inherently international nature of the cloud computing market means that data protection compliance and the choice of appropriate law and jurisdiction also require careful consideration.
The team at Berkeley has considered the potential problems with cloud based computing models and identified what they term the Top 10 0bstacles to Cloud Computing. At the same time, for each obstacle they identify an opportunity which if successfully pursued and implemented might overcome it. The ten, and their associated opportunities, are shown in the Table below.
Source: University of Berkeley Reliable Adaptive Distributed Systems Laboratory
The ten obstacles identified in the Table broadly conflate into issues with availability, data, and performance. It is not surprising that the cloud computing model has quickly led commentators to recognise and identify some of the data protection, privacy and security issues associated with cloud computing as referred to in obstacles 2 and 3 in the Table.
Perhaps of greater surprise is the way in which the speed of adoption of cloud computing has led to quickly organised and co-ordinated action to address some of these obstacles, in particular those associated with security. In April this year, the Cloud Security Alliance, which is incorporated as a not-for-profit organisation and which had its first meeting only in December 2008, issued its initial report entitled: 'Security Guidance for Critical Areas of Focus in Cloud Computing'. This is the output of a 'grassroots effort to facilitate the mission to create and apply best practices to secure cloud computing'. The intention of the report is 'to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers'. The Alliance rejects the notion that users can ignore what's inside the black box of any cloud offering, urging security practitioners to 'look under the hood of [your] cloud providers and [to] do so using the broadest precepts of [your] profession in order to properly assure that the service engagements meet and exceed the security requirements of [your] organisation.'
The report is divided into 15 domains with the intention of focussing on areas of concern that are either unique to cloud computing or are significantly affected by the model. The first report is tabled as a work in progress with a clear expectation that through widespread collaborative activity and feedback the guidance contained within it will be developed upon and improved.
The way forward
There seems little doubt that cloud computing is entering the mainstream. It will not be confined to social networking for consumers, nor to business use in small and medium sized enterprise. Google is already reporting success with major corporate users. The international automotive component supplier Valeo with a presence in some 27 countries was recently reported in Computer Weekly (13 May 2009) to be the first company to sign a contract to use Google Apps globally. The continuing focus on cost reduction and an increasing emphasis on collaborative working are typical of the drivers for this kind of market development.
How best to manage legal risk
Contracts function as risk management tools. In the cloud environment we have a spectrum from standard terms and conditions, accepted by 'click through' as part of the process of first accessing and using a cloud service, through to fully negotiated contracts marked by a process not unlike that of a fully fledged outsourcing negotiation.
First of all there is a need to 'look under the hood' and understand the nature of the technical and business model in play. Then armed with this understanding, it becomes a question of 'horses for courses'. Even in business environments, low levels of contractual protection might not matter for some uses of cloud computing, particularly where the user keeps independent copies or back ups of all materials used in the cloud computing environment for separate access where needed, and where the use is not business critical. However where use of these applications is central to the user's business model, and involves significant investments of time and money, or where there are particular risk factors such as the transmission of personal data, there may well be a need to engage the vendor in a more traditional form of negotiation before the transition to a cloud computing model is made.