Post on 31-Dec-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Overview · Regulatory –US CLOUD ACT • SA companies concerned about access by foreign governments • Patriot Act already has far reaching implications • The Clarifying Lawful

Overview

• what is cloud computing?

• types of cloud computing services

• benefits of cloud computing

• key risks associated with cloud computing

• technical, financial, contractual, regulatory and other

• the long arm of the US lawman (the CLOUD Act)

• data privacy and cloud computing

• developing a cloud strategy

Page 2

What is cloud computing?

• “cloud” refers to networks but primarily to the internet.

• traditionally, when drawing network diagrams, networks were cumbersome to depict, so engineers represented them as clouds; in time the cloud shape was adopted as a symbol for all networks, including the internet.

Page 3

What is cloud computing?

Page 4

What is cloud computing?

• there is no universal definition for cloud computing

• refers to the provision of computing services over a network, typically over the internet

• at its most basic it refers to users being able to access software, data and/or IT services through the internet on supplier servers rather than having and maintaining their own IT infrastructure for this purpose

• everyday examples include Gmail, iCloud, YouTube and Dropbox

Page 5

Types of cloud computing services

• SaaS – Software as a Service

• IaaS – Infrastructure as a Service

• PaaS – Platform as a Service

• Cloud computing is offered through:

• public clouds

• private clouds

• hybrid clouds

Page 6

Benefits of cloud computing (in theory)

• potential cost savings / reduced IT spend

• scalability / elasticity: cloud users pay for capacity which they use, which can be adjusted due to fluctuations in resource demand

• allows data to be portable and instantly accessible from anywhere

• collaboration efficiency / workforce mobility

• business continuity / improved support and maintenance

• almost zero upfront infrastructure investment – no capex required?

Page 7

Risks and challenges to embracing the cloud

• storm clouds?

Page 8

Risks and challenges to embracing the cloud cont…

• Technical, including:

• lack of customisation

• network dependency

• lack of compatibility with existing systems

• business continuity e.g. on insolvency of cloud providers

• lack of stability

• insufficient protection against malicious and unwanted software

• loss of control

• cybersecurity

• Contractual

• not always negotiable

• poor service levels

• onerous vendor contractual provisions

• supplier lock-in

• liability clauses not favourable

Page 9

Risks and challenges to embracing the cloud cont…

Financial

• network costs

• non-scalable models

• bundled or “tied” purchases

• professional services costs

• data migration costs

• licensing models not always favourable – per user, per named user, volume-based

• switching costs

Page 10

Risks and challenges to embracing the cloud cont…

Other Risks

• supplier lock-in (non-contractual)

• lack of transparency

• sharing of infrastructure / mixing of data

• post termination transfers and risks

• IP issues when migrating

• lack of experience / knowledge

• lack of audit rights / weak audit rights

Regulatory

• access to data by foreign authorities (e.g. the CLOUD Act)

• regulatory hurdles and constraints (e.g. The SARB Directive and Guidance Note)

• data protection

Page 11

Regulatory – US CLOUD ACT

• SA companies concerned about access by foreign governments

• Patriot Act already has far reaching implications

• The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018

• Through the CLOUD Act, U.S. law enforcement officials at any level, from local police to federal agents, can force tech and other companies to turn over user data regardless of where the company stores the data.

• The CLOUD Act also gives the US executive branch the ability to enter into “executive agreements” with foreign nations, which could allow each nation to get its hands on user data stored in the other country, no matter the hosting nation’s privacy laws.

• Some larger cloud companies can appear to be trustworthy providers if they have data centres located in South Africa. But location means nothing if these companies are American-owned.

Page 12

Your cloud strategy

Page 13

Your cloud strategy

First, take one step back

• reminder: IT Governance is a Board imperative

• your data is NOT a commodity

Ingredients of a dangerous cocktail

• ignoring IT Governance

• the “I Accept” Button

• the Corporate Credit Card

• supplier Terms and Conditions not vetted / no risk analysis conducted

• a “cowboy” IT guy

Page 14

Your cloud strategy cont…

• know your supplier

• deal with data risks

• ensure that you receive a quality service

• understand the total costs of the transaction

• cyber insurance

• contracting process

• understanding set up and migration risks

Page 15

Your cloud strategy cont…

know your supplier

• cut through the sales talk

• due diligence

• subcontractors

• client testimonials

• site inspections

• proof of concept

• review terms and conditions

• other mechanisms

• policies and procedures

Page 16

Your cloud strategy cont…

data – the new oil!

• migration and migration costs

• location

• data export restrictions / data sovereignty

• handling personal information

• integrity

• security (including testing)

• backups and retention

• accessibility – authentication

• dealing with requests – regulatory, customer and PAIA

• regulatory compliance (including POPI)

• transfers upon termination (including metadata)

• policies and procedures – including sensitive databases, cybersecurity / off-site hosting, remote access, password policies, data retention policies, BYOD, data request procedures, security compromises policy

• POPI – Operator Agreement / GDPR – Data Processor Agreement

Page 17

Your cloud strategy cont…

ensuring quality

• service levels –

• you get what you pay for!

• availability

• call logging?

• support?

• reporting?

• redundancy

• DR and BCP

• audit rights

• contractual mechanisms such as warranties

Page 18

Your cloud strategy cont…

• financials –

• understand set up costs

• importance of negotiation

• minimum volume commitments?

• billing accuracy

• billing terms

• total cost – pay-as-you-go versus committed costs

• indirect costs

• cloud / cyber insurance

• other issues to be addressed

• audit rights – regulated industries such as banks

• open source software

• IPR (including third party software restrictions)

• liability provisions and exclusion clauses

• termination provisions

• termination / expiration assistance…transition services

Page 19

Your cloud strategy

Contracting process

• importance of a strong contract

• vendor or customer’s paper?

• importance of backing up with your own policies and procedures

• monitoring, governance and enforcement

• reporting

• having your own risk matrix – essential!

Page 20

ENSafrica’s Cloud Risk Matrix

• developed on a compare, comply and explain basis – i.e. gap analysis

• factors in risk assessment on all risks identified

• factors in your company's specific policies

• used as a basis for crafting own agreement or determining mark ups to supplier agreement

• documents your key risks

Page 21

Concluding remarks

“(T)he rise of the cloud is more than just another platform shift that gets geeks excited. It will undoubtedly transform the information technology industry, but it will profoundly change the way people work and companies operate. It will allow digital technology to penetrate every nook and cranny of the economy and of society, creating some tricky political problems along the way.” – The Economist

• loads of benefit in entering the cloud but not without risk

• a well-developed cloud strategy and risk management practice is essential

• importance of contracts, policies and procedures – i.e. the risk matrix

• training and awareness is critical before embracing the cloud