Cloud computing is widely recognized as one of the most important new strategic technology opportunities for business. Cloud computing enables a business to outsource its information technology requirements to a specialist service provider, to provide required services in a better and more efficient and cost effective manner. Cloud computing allows a business to focus on its core competence and leave the “IT stuff” to the experts. Cloud computing can provide significant benefits, but it can also present substantial business and legal risks.

BASIC DEFINITION

Cloud computing is a business/technology/service model that treats IT resources (including networks, servers, data storage and software applications) and related services (including hardware and software maintenance and technical support) as a utility or consumption-based service.

The term “cloud” is a metaphor for the Internet and an abstraction for the ill-defined underlying technologies used by a cloud service provider to provide the service.  

There are various kinds of cloud computing services, but they generally have the following characteristics:

  • Pooled resources: The cloud service infrastructure is owned/licensed and managed by the service provider (not the business), and is used by the provider to efficiently serve many businesses.  
  • Broad access: The cloud services are accessible using standard, Internet-enabled devices.  
  • Elastic/Scalable: The cloud services are flexible, and can be rapidly increased and decreased to meet the business’ changing requirements.  
  • On-demand self-service: The business can provision the c loud services as needed and without human interaction with the service provider.  
  • Measured service/fees: Fees for cloud services are based on usage, which is monitored, controlled and reported to the business using appropriate metrics.  

SERVICE AND DEPLOYMENT MODELS

Cloud computing services can be provided using various service and deployment models. The basic service models are:

  • Infrastructure as a Service (IaaS): The ser vice provider procures and manages the IT infrastructure (networks, servers, da ta storage) and the business provides the rest (operating system, software applications and related services). Examples are Amazon Elastic Compute Cloud (EC2), and IBM Smart Business Development and Test.
  • Platform as a Service (PaaS): The service provider procures and manages everything except the software applications and related services. Examples are Microsoft Azure, Google App Engine and Amazon Simple Storage Solution (S3).  
  • Software as a Service (SaaS): The service provider procures and manages everything, including the software applications and related services. Examples are Facebook, LinkedIn, Google Docs, Gmail, Microsoft Sharepoint, WebEx, Salesforce.com and Postini.  

The basic deployment models are:  

  • Public Cloud: The cloud service infrastructure is used by all businesses served by that service provider.  
  • Community Cloud: The cloud service infrastructure is used by several related businesses, who have shared requirements or other common interests.  
  • Private Cloud: The cloud service infrastructure is used by a single business.  
  • Hybrid Cloud: The cloud service infrastructure is a combination of different kinds of clouds that exchange data and applications.  

WHY IT WORKS

Cloud computing works because of new technologies (grid and cluster computing, virtualization and super-high speed Internet) and economies of scale. Cloud computing services often use geographically distributed data centres that house powerful and flexible IT platforms, which are used to maximum efficiency to process and store tremendous amounts of data for many businesses. The data centres might be owned and operated by the service provider itself or they might be owned by a third party (such as Google, Amazon, Oracle, IBM and Cisco) and used by several providers.

Cloud computing is similar to the way in which most businesses obtain electricity. Instead of having their own small power plant (which is like the traditional IT model), most businesses buy electricity from the local electric company, which operates several large power plants and distributes electricity to businesses that pay based on consumption. The businesses don’t have to buy their own power plant or hire skilled workers to maintain it. But the analogy is imperfect, because electrical utilities are regulated, and generally do not have custody of the business’s sensitive business information and data (including data collected from third parties).  

BENEFITS AND RISKS

The benefits and risks of cloud computing will depend on the particular circumstances, including the service and deployment model, the importance of the service to the business, the source and sensitivity of the data created, processed or stored using the service, the character, quality and experience of the service provider, the nature of the business, the applicable legal/regulatory rules and requirements, and the availability and practicability of alternative services.

The benefits offered by many cloud computing services are:

  • Lower Cost/Financial Risk: Cloud services usually use a pay-as-you-go/pay-as-you-grow pricing model. The business pays for the ser vices it needs when it needs them, subject to contractual usage commitments. The business is not required to make an y up-front capital investment to acquire or maintain IT infrastructure or related resources (including personnel). Costs are operating expenses rather than capital expenses, and those expenses are better aligned with returns. There is less financial risk and better cash flow, and greater return on the IT spend.
  • Elasticity/Scalability: Cloud services are usually flexible, and the business can expand or reduce them as needed for organizational changes, market demands and cyclical business models, and to respond to unexpected opportunities/challenges.  
  • Agility: Cloud services can lower IT barriers to innovation, enable the business to engage in rapid and low cost experimentation and change, and speed up time-to-market and time-to-value. The business does not have to procure an IT infrastructure and related resources for new or uncertain initiatives. Cloud services provide easy, quick and low-cost access to new technologies.  
  • Improved Service Quality and Business Productivity: Cloud services are provided by a specialist service provider, which should improve the quality of the core service as well as ancillary services (e.g. security, da ta backups, software updates and disaster/business continuity preparedness). Cloud services usually permit the business to remotely access the IT service from any location without specific hardware or software, which should save costs and enhance productivity. Cloud services allow the business to focus on its core operations, and enable its IT personnel (if any) to focus on supporting its initiatives.  

The basic characteristics of cloud computing that provide tremendous benefits can also present significant risks. Cloud computing can enable a business to outsource the procurement and management of IT services, but the business remains responsible and liable for regulatory compliance and performance of its legal obligations to investors, employees, customers and business partners. In addition, the business is often dependent and vulnerable, because the service provider usually has complete control over the quality and availability of the service and custody of the business’s sensitive business data (including third parties’ data).

Those circumstances can present potentially significant business and legal risks:  

  • Business Continuity: The business must rely on the service provider’s willingness and ability to provide the cloud service in a manner that meets the business’s needs, and to comply with the provider’ s contractual and legal obligations. If a cloud service is mission critical for business operations, deficient service may result in significant business disruption and financial loss. The business might not be able to easily or quickly implement a substitute service.  
  • Confidentiality: Cloud services often store the business’s confidential business information in geographically distributed data centres operated by the service provider or its subcontractors. The business must rely on the provider to maintain the security of the information and protect it against unauthorized access, use and disclosure. In addition, information stored in foreign da ta centres may be subject to search and seizure by foreign governments and law enforcement, and disclosure in foreign legal proceedings.
  • Regulatory/Privacy Compliance: Deficient cloud services may expose the business and its directors/officers to penalties for failure to comply with applicable laws. A significant concern for many businesses is compliance with statutory information security and privacy obligations (including laws regarding personally identifiable information, and personal health and financial information). In some circumstances, the use of a cloud service that stores data outside Canada can be a breach of applicable law. In addition, the business may require the service provider’s assistance to comply with other statutory or legal obligations, such as litigation document preservation and disclosure obligations, regulatory audits and responding to security breaches.
  • Liability/Reputation: Deficient cloud computing services may expose the business, and its directors/officers, to claims by and liabilities to its investors, employees, customers and business partners, and may tarnish its reputation.

THE PROCUREMENT CHALLENGE

Cloud computing is a form of outsourcing, but the procurement process is usually significantly different from traditional outsourcing. Outsourcing usually involves a formal procurement process and extensive negotiations over technical, business and legal issues and risk allocation. In contrast, for a variety of reasons (including the high volume, low value transactions business model typical of many cloud services), cloud service providers are often exceedingly reluctant to accept significant risk, and typically use standard form, take-it-or-leave-it, contracts that are one-sided and do not reasonably address the business’s most important business needs and legal requirements. The challenge for business is to procure cloud computing services in a way that facilitates a reasonable assessment of the potential benefits and countervailing risks, and allows the business to effectively manage those risks. In some circumstances, the potential benefits of cloud computing service will not justify the risks.