The Keys to the Cloud: The Essentials of Cloud Contracting
Bert Kaminski, Assistant General Counsel, Oracle North America
Ken Adler, Partner, Loeb & Loeb LLP
Akiba Stern
© 2014 LOEB & LOEB LLP
■ CLOUD TECHNOLOGY EXPLAINED
■ KEY ISSUES IN THE CLOUD
PART I: CLOUD TECHNOLOGY EXPLAINED
PART II: KEY ISSUES IN THE CLOUD
NIST Definition: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider
Characteristics
■ On-demand self-service
■ Broad network access
■ Resource pooling
■ Rapid elasticity
Software-as-a-Service (SaaS)
■ Access standard software over the internet
■ Not a customized solution, with the software used by many
■ No “version control”; new versions implemented to all users
■ Software configuration limits set by the supplier
Platform-as-a-Service (PaaS)
■ Customer ability to access/build applications on supplier-defined architecture
■ Ability to deploy and access custom software solution over the internet
■ Supplier-established programming capability limits
Infrastructure-as-a-Service (IaaS)
■ Ability to move applications and operating system software to a cloud platform
■ Supplier-established infrastructure configuration
Private Cloud
■ Provisioned for exclusive use by a single organization comprising multiple end users
■ Owned/operated by the organization or a third party supplier
■ Can be located on or off premises
Public Cloud
■ Provisioned for use by the general public, not a specific organization
■ Owned/operated by a third party supplier
■ Located at the service provider or third party locations
Hybrid Cloud
■ A combination of 2 or more cloud infrastructures
PART II: KEY ISSUES IN CLOUD CONTRACTS
Enterprise Risk v. Commodity Transaction
The “enterprise” customer historically:
■ Negotiated the transaction to address its own risk profile
■ Used the transaction to maintain a competitive advantage
■ Maintained “control” over the services
The cloud computing supplier:
■ Standardizes its own risk profile/contract terms
■ Standardizes the services across its customer base
■ Need to distinguish cloud from Application Service Provider and IT Outsourcing Services
Need to address key issues and risks:
■ Entering into the transaction
■ Ongoing services
Terms and Conditions
How are cloud contracts structured?
■ Service Agreements
■ Vendor paper is based on commodity offering
■ Clickwraps
■ Linked terms
■ Pass-through terms
Service Levels
■ What service levels apply to the Cloud?
– Availability
– Scalability
– Response time
– Problem escalation/resolution
Interoperability and Ongoing Compatibility
■ Version control
■ Backward and ongoing compatibility
– Data formats
– Interfaces
Testing
■ Ensuring the service works in accordance with specifications
■ Testing the “back end” to ensure the system is properly implemented and integrates with other systems
■ Ongoing testing of updates/regulatory changes
Cross-Cloud Concerns
Understanding the Interaction Between Clouds
■ Cloud architecture and topography
– Private, public, hybrid, dedicated
■ General integration issues across clouds
■ Consistent standards
Law and Regulatory Compliance
■ Compliance with law
– Which laws/regulations apply?
– Impact of regulatory “guidance” and commentary
– International concerns
– Cloud services may be provided from multiple, unknown jurisdictions
– “Follow the sun” support services
Law and Regulatory Compliance
■ Particular Concerns of a regulated entity
– Definition of “laws”
– Regulatory consents/approvals
– Governmental authority audits
– Mandatory regulatory “flow downs”
Privacy Issues
■ Compliance with law
– U.S., EU, others?
– Industry-specific
– HIPAA, Gramm-Leach-Bliley
– Where is the data transmitted and stored?
– Distinction between the “controller” and “processor” not as clear in cloud services
■ Restrictions on use by the service provider and third parties?
Data Security Issues
■ Data security requirements
– Encryption
– Physical and electronic security, including storage
– Private cloud (dedicated) or public cloud
– Cross-cloud concerns
■ Back-up and redundancy
– Where located?
– Provider or third party contractor?
■ Location of processing and storage of data
– Where located? General geography or street address
■ Flow downs to subcontractors
Data Retention Issues
■ Document retention requirements
– Vendor may have limited or no policy
■ Regulatory compliance
– Solution not designed for regulated use
– WORM drive
■ Data destruction requirements
– Certification
– Destruction of data/wiping of drives
Data Ownership and Use
■ Ownership of:
– Data input by the customer or its customers
– Data processed and stored in the cloud
– Derivative data
■ Customer right to use supplier data
eDiscovery and Data Preservation
■ Full cooperation with the company and its electronic discovery provider
■ Access to all data, in acceptable file formats
– Ability to run keyword searches
■ Responding to Third-Party Requests (Subpoena)
Audit Rights and Audit Obligations
■ Books and Records
■ Required Provider Audit
– SSAE 16 (replaced SAS70) SOC 1 Report
■ Data Security
– Locations/Data Centers
Liability Issues
■ Limitation on Liability
■ Disclaimer of Consequential Damages
■ Limited or no exceptions to provider liability
– Indemnification obligations
– Confidentiality breaches
– Data security failures (including breach notification costs)
– Gross Negligence/Willful Misconduct
Subcontractors and Suppliers
■ Client’s Approval Rights
■ Audit and Oversight
■ Flow-down Contract Provisions
Disentanglement
■ Required Termination Assistance
– Continued provision of services
– Return of data
– Assistance to customer or its new supplier
– Right to use supplier materials/data
Tactical Review Pre-Contract
■ Understand the technology to be implemented and access methods, as well as data movement, processing and storage
– Map the data-flows, data storage and technology infrastructure across geographies
■ Determine whether the solution complies with:
– Legal and regulatory requirements for privacy and data security
– Privacy policies
■ Who should participate?
– Legal
– Business Stakeholders
– IT
– Compliance
– Sourcing
■ What is the required output of the tactical review?