A Member of OneBeacon Insurance Group
Cloud Computing
With Your Feet on the Ground
Judi Lamble, VP - Technology & International Claims
Executive Summary
Cloud computing refers to outsourcing electronic data storage, processing, security, development and hosting to web-accessed services and servers. Based on a recent survey, CIOs rank cloud computing first among their 2011 technology priorities.1 While computing in the cloud offers scalability, flexibility, and cost savings, among other advantages, it also presents unique exposures for which both providers and users must prepare.
While marketers portray the cloud as a revolution in computing, it has been gaining traction for some time: consider the services offered by Gmail, iTunes, and Twitter. Although the cloud is still immature, it is emerging as big business. The worldwide market for cloud computing services is estimated to reach nearly $150 billion by 2014.2
The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”3 The most-often cited cloud services are:
• Software as a Service (SaaS) - software applications accessible through an interface like a web browser. SaaS enables users essentially to rent software and data storage space from a provider (e.g., Google Docs);4
• Platform as a Service (PaaS) - platforms to host, test, or maintain developers’ code (e.g., Force.com);5
• Infrastructure as a Service (IaaS) - outsourced infrastructure on which users may deploy their own operating systems and applications (e.g., Amazon Web Services, Rackspace, IBM’s various IaaS cloud offerings).6
If SaaS, PaaS, and IaaS are familiar concepts, then you may also be aware of some of their offspring: Development as a Service (DaaS), Application Platform as a Service (aPaaS), Software Infrastructure as a Service (SIaaS), Cloud Enabled Application Platform (CEAP), Business as a Service (BaaS), and Gaming as a Service (GaaS).7 As the cloud market matures, its choices are mushrooming.
Similarly, multiple business models for cloud computing are emerging, such as the public cloud, private cloud, community cloud and hybrid cloud. The public cloud is available and marketed to the general public and employs a mega-scale infrastructure. Developers and non-IT business leaders, especially, are rushing to embrace the public cloud.8 The private cloud focuses on IaaS and is owned or leased by a single enterprise (diminishing the scalability benefits of cloud computing but allowing users more control). The community cloud serves, and is shared by, a defined, limited constituency of users. And the hybrid cloud is a creative blend of one or more of the previous options.9
Advantages of Cloud Computing
There are often numerous advantages to outsourcing one’s IT needs to the cloud. Moving from a PC or internal server(s) to an offsite, more accessible and probably shared server with state-of-the-art IT support offers:
• Access to cloud-based data, apps, platforms, etc. from any computing device anywhere
• Cost savings on hardware, licensing fees, upgrades, etc.
• Increased data storage capacity
• Elimination of maintenance and update disruptions
• Enhanced data security
• Flexibility to respond to changing resource demands and limitations (both electronic and human)
Perhaps most important, cloud computing offers scalability – the ability to do what you do in a bigger way.10 The cloud allows users to do more, faster, and at a more complex level – without increasing the cost.11
Cloud Computing Exposures
The concentration of data, applications and systems on mega-servers maintained by remote personnel brings to mind the early mainframes whose disadvantages led to the development of more nimble PCs. Cloud computing has advantages that PCs and internal corporate IT departments may not be able to match, but cloud providers and users must also recognize its risks.
• Loss of Service. Loss-of-service headlines pepper the media (e.g., Intuit’s QuickBooks Payroll service on 6/1/2011;12 Yahoo! Mail on 4/28/11;13 Amazon’s Elastic Compute Cloud and Elastic Block Storage on 4/21-22/11;14 Gmail in late February 2011,15 Twitter during the World Cup in 2010).16 Interestingly, the reported causes are often familiar: errors in upgrades (Amazon), bugs in updates (Gmail), and plain old heavy traffic (Twitter). The damage of service outages can extend beyond inconvenience as business interruption costs money and disrupts operations (as when Intuit’s business customers were unable to pay their employees).17 The loss of goodwill is palpable – and visible – on vendor chatboards.
• Loss of Data. To date, most data losses in the cloud have been temporary with no significant fear of permanent loss, but try telling that to affected users.18 Incidents of permanent data loss are rare, but they do occur. This past April, Amazon acknowledged to a fortunately small percentage of its customers “the impact to your business” when its hardware failed and it was unable to restore their data.19 Cloud users must consider the potentially catastrophic consequences that could follow data loss.
• Invasion of Privacy. Privacy exposures in the cloud most frequently arise out of hacking and litigation. Hacking is most feared. Despite cloud providers’ assurances of data security, hackers are an ingenious lot. Sony learned the hard way when an intruder accessed the data of some 70 million users of its PlayStation network.20 Ditto Comodo, a too-big-to-fail entity providing certificates of site authenticity to web browsers. Comodo was hacked in March 2011, compromising the security of numerous household-name web browsers that relied on the certificates in determining whether to allow access to sites.21
Privacy issues also arise from the voluntary production of cloud-stored information incident to litigation, whether in response to formal discovery requests or court-authorized subpoenas. A number of courts have addressed whether the Stored Communications Act (a legacy from the 1980s) prevents disclosure of cloud-based information. So far the decisions are split,22 which means cloud providers and users must be prepared for the possibility that otherwise private data, once stored in the cloud, may no longer be deemed private.
• Traditional Business Disputes. As with any “hot” new product, the cloud is populated with competitors aggressively challenging each other’s intellectual property rights,23 sales practices,24 as well as theft of trade secrets and the employees who know them.25 The cloud also promises traditional contract disputes, as vendors and their customers fight to allocate losses due to service interruption, security shortcomings and alleged poor performance.
• Compliance Issues. Cloud users, not their providers, are responsible for compliance with state and federal laws related to data privacy like HIPAA, the Gramm-Leach-Bliley Act, and the Federal Information Security Management Act.26 Likewise, compliance with e-discovery requests in litigation falls to the parties of a lawsuit, not their cloud providers. A cloud user may be subject to sanctions if it cannot disclose required electronically-stored information.27 Since there are currently no universally accepted standards for cloud computing providers to follow in storing and maintaining information (although various groups are looking to develop them),28 passing the risk of noncompliance on to providers may be impossible.
Perhaps most significant, the desire for cloud computing may create or exacerbate a disabling disconnect between IT and non-IT leaders within an organization. Generally, non-IT business leaders are eagerly endorsing the public cloud while IT leaders are taking a measured approach.29 Jumping into the cloud without the full commitment of IT may be like operating an electric saw – if you’re not careful, someone’s going to get hurt.
Managing Risk in the Cloud
To operate safely in the cloud, users and providers must employ aggressive risk management solutions. Users are learning that outsourcing IT to the cloud is not the same as transferring risk. Prudent business practices for users therefore include:
• Heightened due diligence in selecting cloud providers – with review of privacy policies, security measures, disaster recovery plans, and all aspects of the provider’s electronic infrastructure. For those new to the cloud, the NIST’s Guidelines on Security and Privacy may provide a useful starting point for that analysis.30
• Ensuring that the user’s own privacy policies, litigation holds, and other data-driven protocols take their cloud activities into account.
• Considering the value of the “extras” – like data recovery services and redundant servers – when purchasing cloud services.
• Careful evaluation of contractual transfers of risk (warranties and indemnity provisions). Typical cloud service contracts will include an indemnity provision that favors the service providers and provisions that limit damages to the cost of service, enhancing the cloud user’s need for contract negotiation.
For cloud providers, best practices will include:
• making security measures and rigorous disaster recovery/business continuity plans a centerpiece of their design.
• maintaining favorable indemnity provisions and damage limitations.
For providers and users, alike, appropriate data protection and errors or omissions insurance coverage is a must.
To learn more about how OneBeacon Technology Insurance can help you manage cloud computing and other technology risks, please contact Lloyd Takata, Vice President of OneBeacon Technology Insurance at [email protected] or (706) 474-9003.
1 “Gartner Executive Programs Worldwide Survey of More Than 2,000 CIOs Identifies Cloud Computing as Top Technology Priority for CIOs in 2011,” January 2011, gartner.com/it/page.jsp?id=1526414
2 Id.
3 nist.gov/itl/cloud/upload/cloud-def-v15.pdf
4 pcmag.com/encyclopedia_term/0,2542,t=SaaS&i=56112,00.asp
5 iamondemand.com/post/5392248191/the-paas-market-overview-definitions-
6 blogs.forrester.com/frank_gillett/11-03-24-informal_buyers_of_iaas_cloud_computing_are_driving_the_market_not_formal_it_buyers_vendor_strateg
7 iamondemand.com/post/5392248191/the-paas-market-overview-definitions-; ingurus.com/cloud-tsunami-saas-paas-iaas-private-public-and-hybrid-clouds-theres-one-for-everyone
8 Forrester Research, Inc., “Ignoring Cloud Risks: A Growing Gap Between I&O And The Business,” 3/24/11, at 1 (forrester.com).
9 ingurus.com/cloud-tsunami-saas-paas-iaas-private-public-and-hybrid-clouds-theres-one-for-everyone; technology.ezinemark.com/differentiating-public-private-and-hybrid-cloud-computing-environments-31cc22eae8b.html
10 royans.net/arch/what-is-scalability
11 cloudtweaks.com/2011/06/cloud-computing-survey-finds-scalability-and-cost-savings-driving-cloud-adoption
12 zdnet.com/blog/btl/intuits-quickbooks-payroll-suffers-outage-users-miffed/49830
13 asia.cnet.com/crave/users-cry-foul-over-yahoo-email-service-disruption-62208438.htm
14 “Amazon’s Trouble Raises Cloud Computing Doubts,” New York Times, April 23, 2011.
15 crn.com/slide-shows/cloud/229402443/amazons-not-alone-10-notable-cloud-outages-in-the-last-year.htm;jsessionid=Tfm+mj1jQEr92rkJXRHJzw**.ecappj03?pgno=4
16 datacenterknowledge.com/archives/2010/06/16/twitter-struggles-with-world-cup-traffic/
17 zdnet.com/blog/btl/intuits-quickbooks-payroll-suffers-outage-users-miffed/49830
18 windowsteamblog.com/windows_live/b/windowslive/archive/2011/01/03/hotmail-email-access-issue-now-resolved.aspx
19 businessinsider.com/amazon-lost-data-2011-4
20 computerworld.com/s/article/9216191/Sony_warns_users_of_data_loss_from_PlayStation_network_hack
21 “An Attack Sheds Light on Internet Security Holes,” The New York Times, April 7, 2011.
22 See Crispin v. Christian Audigier, Inc., C.D. Cal. 2010 (holding the Stored Communications Act protects information on social media sites from production in litigation) and contrary cases cited therein. See also, Robison, W.J., “Free at What Cost?: Cloud Computing Privacy Under the Stored Communications Act,” Georgetown Law Journal, April 2010.
23 See, e.g., Microsoft v. Salesforce.com, No. 2:10-CV-00825 (W.D. Wash) (2010 patent dispute over programs to facilitate cloud computing); Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp.2d 1006 (N.D. Cal. 2009) (trademark dispute between cloud competitors).
24 See Google, Inc. v. U.S., 95 Fed.Cl. 661 (2011) (preliminary injunction awarded based on allegation that Dept. of Interior unfairly restricted competition in the bidding process for an online e-mail contract awarded to Microsoft).
25 See, e.g., IBM v. Johnson, 2009 WL 2356430 (S.D.N.Y. 2009) (noncompete dispute to prevent disclosure of cloud computing trade secrets known by former employee who went to competitor).
26 Patrick Cunningham, “Three Cloud Computing Risks to Consider,” Information Security Magazine, June 2009, at 7.
27 W. Michael Ryan & Christopher Loeffler at Kelley Drye & Warren LLP, “Insights into Cloud Computing,” Intellectual Property & Technology Law Journal, November 2010.
28 See, e.g., opendatacenteralliance.org/publications (on 6/14/11, IT leaders from over 250 global firms jointly identified as the Open Data Center Alliance released the Open Data Center Usage Models, industry standards for use in procuring cloud computing services); snia.org/cloud (posting 4/4/11 press release in which the Storage Network Industry Association catalogs the movement toward universal acceptance of its Cloud Data Management Interface).
29 Forrester Research, Inc., “Ignoring Cloud Risks: A Growing Gap Between I&O And The Business,” 3/24/11, at 2 (forrester.com).