the business case for cloud: critical legal, business, & diligence considerations
DESCRIPTION
An overview of the considerations a business must think through prior to moving to cloud computing.
TRANSCRIPT
The Business Case for Cloud: Critical Legal, Business & Diligence Considerations
Presented by Janine Anthony Bowen, Esq., CIPP/[email protected]
(678) 823-6611
December 7, 2012
Janine Anthony Bowen, Esq., CIPP/US
Your Presenter
• With 2 degrees in Industrial Engineering from Clemson University and almost a decade working in technology companies, Janine is an engineer-turned-lawyer who knows technology, intellectual property, and the law well.
• She specializes in helping her clients negotiate technology deals with Fortune 500 companies.
©2012 Jack Attorneys & Advisors. All Rights Reserved 2
And JACK does what…
• Jack Attorneys & Advisors is the technology law boutique of choice for clients seeking an expert, pragmatic, high touch experience. We specialize in technology, privacy, cloud computing, mobile, intellectual property, and commercial contracts.
What’s the Cloud, really?
http://www.fatcow.com/data-center/photos - You are allowed to copy, distribute, transmit the work and to adapt the work. Attribution is not required. You are prohibited from using this work in a stand alone manner.
Agenda
I. Business Considerations
II. Evaluation Considerations
III. Privacy & Security Considerations
IV. Contractual Considerations
V. Concluding Thoughts
Business Benefits of Cloud Computing
• Cost Avoidance/Deferral
• Improved Organizational Agility
• Focus on Core Business rather than IT
Cost Avoidance/Deferral – You Decide
• Gartner says… IaaS isn’t less expensive, but it increases operational agility (1)
• Computerworld says… Prepare for the real costs of cloud computing (2)
– Moving and storing data, integrating apps from multiple vendors, testing software, rent & utilities
• CIO says… CFOs and cloud computing have a love-hate relationship (3)
– Variable pricing messes up cash flow projections
– Capex vs. Opex
• Booz Allen Hamilton says… savings range from 50% to 75% (4)
• CloudU says… savings from 13% to 25% (5)
Cost Avoidance/Deferral – You Decide (cites)
(1) Lydia Leong, research VP at Gartner Group, http://www.formtek.com/blog/?p=2696, January 12th, 2012
(2) “Preparing for the real costs of cloud computing”, Computerworld, http://www.computerworld.com/s/article/359383/The_Real_Costs_of_Cloud_Computing
(3) “Why CFOs and Cloud Computing Have a Love-Hate Relationship”, CIO Magazine, www.cio.com/article/print/702074
(4) “The Economics of Cloud Computing”, http://www.boozallen.com/media/file/Economics-of-Cloud-Computing.pdf
(5) “Cloudonomics: The Economics of Cloud Computing”, http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Cloudonomics-The_Economics_of_Cloud_Computing.pdf
Total Cost of Ownership: Cost of Cloud
• Cloud providers give transparent pricing based on different usage metrics – RAM, storage, bandwidth, among others
• Pricing is frequently fixed per unit of time. Customers gain certainty over pricing and are then able to readily calculate costs based on several different usage estimates
Source: Cloudonomics: The Economics of Cloud Computing, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum
Total Costs of Ownership: Hidden Cost of On-Premise Technology
• The direct costs that accompany running a server: power, floor space, storage, and IT operations to manage those resources.
• The indirect costs of running a server: network and storage infrastructure and IT operations to manage the general infrastructure.
• The overhead costs of owning a server: procurement and accounting personnel, not to mention a critical resource in short supply: IT management and its attention.
Source: Cloudonomics: The Economics of Cloud Computing, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum
Improved Organizational Agility
• Use of Public Clouds or Virtual Private Clouds gives organizations the ability to scale up or down when necessary
• IT expense can be matched to:
– Seasonal or cyclical requirements
– Organizational growth or decline
• Mobile workforce/workplace solutions may improve organizational productivity
• Cloud environments support experimentation and the ability to fail with low penalty
Focus on Core Business
• Organizations can focus on building the business they know
• Organizations can leverage the best of breed in IT (and not try to be best of breed themselves)
• Potentially better disaster recovery strategies utilizing cloud-based options
Evaluating Cloud Options
Preliminaries
• The onus is on the customer to perform extensive evaluation of a cloud provider before entering into the relationship.
• The nature of the cloud relationship drives the requirements of evaluation. Considerations include:
– The criticality of the cloud implementation
– The sensitivity of the data/processes being outsourced to the cloud provider
– The scale of the implementation
Checklist for Cloud Readiness
• Business Drivers
– Do you have staff working remotely?
– Do you have plans to increase your IT infrastructure needs?
– Is your infrastructure reaching end of life?
– Are you constrained in terms of Capital Expenditure?
– Does your organization have a high level of software test/development?
– Does your organization struggle to obtain IT talent internally?
– Is 24*7 support important for your organization?
Source: Appendix in “You Want to Put my Database Where?”, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum
Checklist for Cloud Readiness
• Technical Drivers
– Is your application workload highly variable?
– Do you need automatic infrastructure scaling and provisioning?
– Do you have a need for complex IT redundancy and resiliency that you struggle to obtain internally?
– Have you faced issues around IT security?
Source: Appendix in “You Want to Put my Database Where?”, CloudU, http://www.rackspace.com/knowledge_center/cloudu/curriculum
List of Potential Cloud Provider Evaluation Criteria
• Functionality of solution
• Pricing
• Uptime
• Response time
• Quality of service
• Data Security/Privacy
• Backup and disaster recovery
• Customization capability
• Ability to personalize
• Integration with existing systems
• Data access
• Customer service/support
Adapted from “Evaluating SaaS Solutions: A Checklist for Small and Mid-sized Enterprises”, http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf
Evaluation Considerations: Disaster Recovery
• How are backup systems architected?
– Complete redundancy? Multiple redundancies? Duplicate systems? Real-time backup?
• Where are backup systems located geographically?
• Are third party backup systems utilized (partially/totally)?
• How long would a catastrophic event at a data center affect system availability?
• Concerns for physical assets based on geography
• Ultimately, whose responsibility is it anyway?
Evaluation Considerations: Transition Issues – Lock In
• All the typical software migration issues
• Plus:
– Data ownership
• Raw data
• Resultant information
– Professional services to migrate to new provider
Privacy and Security
4 Immutable Laws of Cloud Security
• “These are things that will always be, things that will never change, and it is a state of being.”
– First is an understanding that if your data is hosted in the cloud, you no longer directly control its privacy and protection.
– When your data is burst into the cloud, you no longer directly control where the data resides or is processed.
– If your security controls are not contractually committed to, then you may not have any legal standing in terms of the control over your data or your assets.
– If you don't extend your current security policies and controls in the cloud computing platform, you're more than likely going to be compromised.
– Tari Schreider, HP chief architect of HP Technology Consulting and IT Assurance Practice.
“Security and the Cloud: The Great Reconciliation”, eCommerce Times, 14 May 2012
http://www.ecommercetimes.com/story/Security-and-the-Cloud-The-Great-Reconciliation-75094.html
Issues with Cloud Computing: Privacy and Security
• Data location issues
• Location of users accessing data
• Movement and storage of data
• Use of subcontractors
• Use of multiple platforms
• Lack of transparency and control
• Data breach issues
• Data destruction issues
• Ability to impose security and privacy requirements
Regulatory Landscape: Data Privacy Compliance
• State Information Security Laws
• State Data Breach Laws
• Gramm Leach Bliley
• HIPAA/HITECH Act
• Electronic Communications Privacy Act (Gov’t Access to Data)
• USA PATRIOT Act (Gov’t Access to Data)
Contractual Requirements: Gap Analysis
Customer Needs vs. Vendor Offerings
Customer Requirement: Public Cloud
• Response to data security incidents: Standardized offering, use of sub-processors and other limits may delay discovery of breaches, and ability to provide information regarding extent of breach
• Audit rights: Typically not available, especially not for sub-processors
• Proper disposal and destruction of data: No guarantee all data will be found and erased or returned
• Change Control: Provider may make changes without notice or consent
Customer Needs vs. Vendor Offerings
Customer Requirement: Public Cloud
• Established Contract Terms: Incorporation of additional online terms, subject to change by provider
• Provider has some liability exposure for breaches and non-compliance: Extremely limited liability
• Controls on data and security standards: Standardized offering with use of cloud provider controls
Liability Considerations – Vendor Perspective
• For vendor, risk of data security breach is greatest risk
• Multi-tenancy enables single breach incident to affect thousands of customers
• Vendors must think through worst-case scenarios, and reevaluate as company grows and evolves
– Types of harm
– Damages available
– Settlement values
– Insurance coverage
Cloud is here to stay, so…
• Plan for success and plan for failure.
• Know and mitigate your business and technology risk.
• There are no silver bullets, shortcuts, or easy answers.
Q&A
Contact Me
• Janine Anthony Bowen, Esq., CIPP/[email protected]/in/jdabowen
• 678-823-6611
• Twitter - @cloudlawyer
• www.jack-law.com
• Facebook – www.facebook.com/JackAttorneys
JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology - Quite Simply, We Get It.