Cloud computing – A great tool | 2015
© Allen & Overy LLP 2015
“The worldwide cloud computing market will grow at a 36% compound annual growth rate (CAGR) through 2016, reaching a market size of USD19.5bn by 2016.” Predicting Enterprise Cloud Computing Growth, Gartner, September 2013
www.allenovery.com
What is cloud computing?
Put simply, a cloud is a huge collection of hardware and software, connected via the internet. It is the infrastructure that enables a new business model. This model offers on-demand, easily scalable computing services to multiple users at flexible prices. It is quite a simple idea: instead of everyone buying their own systems that can handle a peak load (a capacity that is required only for a limited amount of time, and is thus otherwise not fully used), everyone shares these resources and systems in the cloud. There is no need to buy the systems (i.e. hardware and software) individually – you can just use them “as a service” on an as-needed basis.
Cloud is not a new phenomenon but it does represent a fundamental shift in behaviour in the ways consumers and enterprise consume IT. Cloud also underpins many of the disruptive megatrends in the TMT sector today including mobility, big data/advanced analytics and social.
“This magic circle firm has excellent global coverage, which includes both local specialists and a well-developed network of international desks. Its expertise in the technology sector encompasses a broad spectrum of areas, including data protection, cloud computing and online liability. The group’s regulatory know-how is frequently engaged for major cross-border transactions.” Chambers Global 2013 (Technology & Communications: Globalwide)
The four main types of cloud
On demand, scalable resources delivered as-a-service to multiple users (consumers and enterprise) at flexible prices.
– Public Clouds are commercially available cloud services open to all
– Community Clouds can be set up for use by a particular group or industry with similar needs
– Private Clouds are closed clouds dedicated to one or more users
– Hybrid Clouds involve a mixture of public and private services allowing users to take advantage of the cheap unit prices of public clouds while ensuring mission-critical services are more tightly ring-fenced within private services
Primary delivery methods
Everything-as-a-service (XaaS)
– Business Process-as-a-Service (BPaaS): Horizontal or vertical business processes provided on a subscription basis
– Software-as-a-Service (SaaS): Software applications hosted in the cloud and provided on a subscription basis
– Platform-as-a-Service (PaaS): Virtualised application development and run time platform
– Infrastructure-as-a-Service (IaaS): CPU, memory, storage, network etc available on an as-needed basis
Source: “Where Cloud Meets Reality”, Accenture 2012
Organisations are turning to the cloud for a number of reasons:
– Cost
– Anywhere, anytime access
– Reduced service provider interaction (a “serve yourself” model)
– Speed of provisioning
– Flexibility and elasticity
– Opportunities for better security and back-up
– Reduced pressure on internal systems
– Potentially limitless storage, combined with enhanced computing power
– A “greener” solution
Standards and regulatory environment
In a rapidly evolving market, regulation and best practices are struggling to keep up. Particular areas of uncertainty exist around:
– Security
– Privacy and data protection
– Conflict of laws
– Liability
– Copyright
– Portability and interoperability
– Integration with vertical regulation
In particular, a lack of international standards and divergent regulation across key global markets may inhibit the fundamental advantage of cloud computing: the flexible optimisation of a global data infrastructure.
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The NIST Definition of Cloud Computing, NIST Special Publication 800-145, US National Institute for Standards and Technology
Recent developments
Article 29 Working Party
In July 2012 the Article 29 Working Party (a European advisory body made up of representatives of the various EU national privacy authorities) issued an opinion on data protection aspects of cloud computing. This opinion was the first European-wide legal guidance on how to deal with the data protection challenges in cloud computing.
International Trade Administration (ITA)
In April 2013, ITA (part of the U.S. Department of Commerce) issued a paper clarifying how the U.S. – EU safe harbour framework applies to cloud computing. Prepared in part to respond to the Article 29 Working Party opinion of July 2012, the paper concludes that cloud computing is not a radically new business model and does not represent unique issues for the safe harbour. ITA says that existing safe harbour principles are comprehensive and flexible enough to deal with any issues raised by the cloud computing model.
European Commission
In September 2012 the European Commission released its new strategy for “Unleashing the potential of cloud computing in Europe”, outlining actions to deliver a net gain of 2.5 million new European jobs and an annual boost of EUR160bn by 2020. Emphasis was placed on cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility; supporting EU-wide certification of vendors; development of model contract terms, including Service Level Agreements; and measures to harness the public sector’s buying power and shape the European cloud market.
European Commission / Obama Administration
In February 2013 the European Commission launched a cybersecurity strategy for the EU aimed at increasing capabilities and preparedness towards security incidents such as hacking or technical failures. Cloud computing providers are specifically targeted by the framework. Hard on the heels of the EU’s efforts to promote a culture of security risk management, President Obama’s administration introduced an Executive Order on Improving Critical Infrastructure Cybersecurity in the U.S. The U.S. and EU initiatives both focus on cybersecurity risks to critical infrastructure and have at their heart a drive to encourage greater cooperation and information sharing between relevant agencies and also with those who suffer attacks.
Sopot Memorandum
This is a working paper issued in April 2012 by the International Working Group on Data Protection in Telecommunications led by the Berlin Commissioner for Data Protection and Freedom of Information. The paper contains a number of recommendations and best practices intended to ensure that the adoption of cloud computing does not lead to a lowering of data protection standards as compared with conventional data processing. Among other things, these recommendations emphasise transparency and the need for contractual standards.
STAR certification programme
The Cloud Security Alliance (CSA) and BSI, the business standards company, in September 2013 announced the launch of the STAR Certification program, a third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Control Matrix, a specified set of criteria that measures the capability levels of the cloud service.
GCHQ guidance on security risk management
Published in May 2014, GCHQ’s guidance suggests that organisations should seek “adequate assurance” from cloud providers over claims those providers make about their compliance with information security principles. The guidance also outlines a step-by-step risk management strategy for cloud security.
Guidelines on Service Level Agreements
In June 2014, the European Commission published “Cloud Service Level Agreement Standardisation Guidelines”. These Guidelines are described as being designed “to help business users save money and get the most out of cloud computing services through SLAs”. Aimed at professional cloud users rather than consumers, the guidelines set out several overarching principles for the development of Cloud SLA standards, provide definitions of commonly used terms and suggest some targets for service levels. The working group behind the guidelines is also liaising with the International Organization for Standardization (ISO) Cloud Working Group to input the EU position and to contribute to the ISO/IEC 19086 project (which also relates to SLAs). The Guidelines are a useful first step in the process that was set out by the Commission Strategy document in 2012 to develop model terms, but they do not yet deliver all they need to.
Allen & Overy & cloud computing
We recognise the importance of cloud computing to our clients.
To respond to our clients’ needs, we set up an internal cross-border working group to focus on the legal services we provide in relation to cloud, to share best practices and make sure our lawyers have the right skills to respond to the changing IT market our clients operate in.
We believe that, for the most part, the issues encountered when implementing cloud solutions are not new, being equally relevant in many other IT transactions. We also understand that getting comfortable with new IT bases which use cloud technologies will be a requirement for companies looking to embrace other game-changing technological developments such as advanced analytics, context-based services and social-driven IT. We offer practical support to our clients to help them turn IT innovation into successful business reality.
Our representative matters in this area include advising:
Proofpoint, a NASDAQ-listed leader in cloud-based information security and governance software, on the English law aspects of its acquisition of all of the shares in Mail Distiller, a European-based provider of SaaS email security solutions.
SAP on its USD3.4bn acquisition of NYSE-listed cloud computing leader Success Factors.
Novartis on a global 7-year application development and infrastructure cloud transaction with Microsoft. We focused on developing contractual mechanisms to mitigate the risks for Novartis as much as possible in relation to security and regulatory compliance.
Amazon on strategic copyright issues across the European Union in relation to its Cloud Drive service.
Cisco Systems on aspects of its USD1.2bn purchase of San Francisco-based Meraki, a provider of cloud-managed networking equipment and services.
A multinational company in the energy sector on the implementation of a SaaS project with Microsoft.
An international information technology services company on general matters (including on the application of the U.S. Patriot Act to cloud computing services, Regulatory, HR and IT).
Agfa-Gevaert, one of the largest players in the field of imaging systems and IT solutions, on a major cloud computing outsourcing transaction with ServiceNow, a leading provider of cloud-based services that automate enterprise IT operations.
Microsoft on the data protection aspects of their Office 365 cloud computing offering and on the Belgian and international regulatory restrictions applicable to cloud computing in the financial sector.
Novartis on a SaaS agreement with Box.Net for cloud-based storage services.
T-Systems on a contract to provide global data centre and SAP infrastructure services to healthcare, lifestyle and lighting giant Philips Electronics. The transaction involved the adoption of a SAP SaaS model, using a private cloud.
A global IT consultancy on the implementation of a SaaS platform for a multinational company in the manufacturing sector.
Caisse des dépôts et consignation, the French sovereign fund, on its investment in the French cloud computing joint venture Numergy with Bull and SFR.
Luxcloud on contractual and IT issues on cloud computing.
SFR on its acquisition of shares in G Cluster Global, a cloud-based video gaming service.
Systemat on its complete suite of cloud computing contract templates for use with its customers.
Allen Systems Group on the takeover of visionapp AG, a German SaaS and cloud platform provider.
Novartis on the drafting of a SaaS template.
Randstad on the legal aspects of cloud computing and email solutions.
A global manufacturer of specialty chemicals on the data protection aspects of migration of HR data from more than 20 jurisdictions to a centralised platform managed by a U.S. based cloud provider.
ServiceNow, a SaaS provider of IT Service management software, on the acquisition of Mirror 42, a Dutch developer of performance management software.
Stichting Centraal Informatie Systeem (CIS), a Dutch Foundation which manages and stores the insurance data of consumers, insurance companies and intermediaries in a central database, on the renegotiation of a SaaS contract with Solera, a U.S. technology supplier.
SFG Australia on its cloud computing outsourced services contract.
A major internet shopping platform on the review of terms and conditions on cloud services, notably from a data protection law perspective.
Key contacts
Belgium
Filip Van Elsen, Partner – Antwerp, Tel +32 3 287 73 [email protected]
Luxembourg
Catherine Di Lorenzo, Senior Associate – Luxembourg, Tel +352 444 455 [email protected]
Gary Cywie, IP/IT Counsel – Luxembourg, Tel +352 44 44 5 5203 [email protected]
Netherlands
Herald Jongen, Partner – Amsterdam, Tel +31 20 674 [email protected]
UK
Charlotte Mullarkey, Senior PSL – London, Tel +44 20 3088 [email protected]
Jane Finlayson-Brown, Partner – London, Tel +44 20 3088 [email protected]
Neville Cordell, Partner – London, Tel +44 20 3088 [email protected]
Nigel Parker, Partner – London, Tel +44 20 3088 [email protected]
Rose Hall, Business Development – London, Tel +44 20 3088 [email protected]
France
Ahmed Baladi, Partner – Paris, Tel +33 1 40 06 53 [email protected]
Greater China
Will McAuliffe, Partner – Hong Kong, Tel +852 2974 [email protected]
Australia
Connell O’Neill, Senior Associate – Sydney, Tel +612 9373 [email protected]
U.S.
Peter Harwich, Partner – New York, Tel +1 212 610 [email protected]
FOR MORE INFORMATION, PLEASE CONTACT:
London
Allen & Overy LLP, One Bishops Square, London E1 6AD, United Kingdom
Tel +44 20 3088 0000, Fax +44 20 3088 0088
Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP’s affiliated undertakings.
GLOBAL PRESENCE
Allen & Overy is an international legal practice with approximately 5,000 people, including some 527 partners, working in 45 offices worldwide. Allen & Overy LLP or an affiliated undertaking has an office in each of:
Abu Dhabi; Amsterdam; Antwerp; Bangkok; Barcelona; Beijing; Belfast; Bratislava; Brussels; Bucharest (associated office); Budapest; Casablanca; Doha; Dubai; Düsseldorf; Frankfurt; Hamburg; Hanoi; Ho Chi Minh City; Hong Kong; Istanbul; Jakarta (associated office); Johannesburg; London; Luxembourg; Madrid; Milan; Moscow; Munich; New York; Paris; Perth; Prague; Riyadh (associated office); Rome; São Paulo; Seoul; Shanghai; Singapore; Sydney; Tokyo; Toronto; Warsaw; Washington, D.C.; Yangon
© Allen & Overy LLP 2015 | CS1210_CDD-4171_ADD-55229