Cloud Computing, SaaS and Outsourcing

Transcription

1 Cloud Computing, SaaS and Outsourcing Michelle Perez, AGC Privacy, IPG Bonnie Yeomans, VP, AGC & Privacy Officer, CA Technologies PLI TechLaw Institute 2017: The Digital

2 Agenda Introduction to the Cloud What exactly is cloud computing? SaaS Characteristics Comparisons to traditional outsourcing Benefits and Risks of SaaS Gating Questions for SaaS Contracting SaaS Contracts What s negotiable? Key Standards

3 Introduction to the Cloud Parallels to the creation of early 20th century electrical utilities (Nicholas Carr) Efficiencies of moving data processing from behind customers firewalls to a shared set of computing resources Major implications and disruption for both consumers and providers of data processing Promises and Trade-offs of the Cloud

4 Types of Cloud Offerings least to most comprehensive Infrastructure as a Service (IaaS) Vendor handles processing, storage and networking. Customer responsible for OS and Application Layer, e.g. AWS, Microsoft Azure, Google Cloud Platform as a Service (PaaS) Vendor handles IAAS plus the OS. Customer responsible for Application Layer, e.g. Amazon E2, Salesforce App Cloud Software as a Service (SaaS) SaaS combines IaaS and PaaS plus the Application Layer, with no Customer responsibilities at any layer. Examples include Salesforce, Dropbox, Workday, Gmail

5 Cloud Deployment Public Cloud -- Resources, such as applications and storage, available to the general public (outside customer s firewall) over the Internet Private Cloud -- Generally behind a Customer s firewall, having attributes of both on-premises software and taking advantage of some of the advantages of a cloud offering Hybrid Cloud -- Cloud offerings located both inside and outside a Customer s firewall

6 SaaS Characteristics Delivered as a Subscription Service SaaS is truly a service offering, not software On Demand/Self Service Self-provisioning and scaling usage and fees Broad Network Access Available over a network and accessed by use of heterogeneous client platforms Resource Pooling Provider s computing resources are pooled to serve multiple customers using a multi-tenant model with dynamic provisioning

7 SaaS Characteristics Rapid Elasticity Capabilities can be rapidly scaled up and down Measured Service Metering tracks use and helps optimize services Common Service all users typically using the same instance of the software

8 Comparison to Traditional Outsourcing Services provided by actual third party resources rather than a pre-packaged offering Ability to customize to accommodate customer needs and specifications Customer control over data processor either through contract or ability to direct activity Long Term relationship with exit plans and change of control provisions vs. walk away Often Dedicated Infrastructure, sometimes built by customer inhouse and then moved out vs. shared multi-tenant environment

9 SaaS Advantages/Opportunities Cost reduced for customer due to savings on human capital, physical space, electricity and support. Cost shifts to vendor/provider. Opex rather than Capex Security is considered more robust in part because customer environments are often complex and hard to fully control, but vendor dependent Maintenance applications do not need to be installed on each user's computer and vendor can apply updates and upgrades universally and at scale Reliability well-designed cloud computing suitable for business continuity and disaster recovery

10 SaaS Advantages/Opportunities Access is much faster. Software is essentially already installed and running Device and location independence improves, enabling users to access systems using a web browser regardless of their location or what device they are using Big Data Analytics collection of anonymized meta data and metering can improve service and lead to important insights into customer base

11 SaaS Disadvantages/Risks Uniformity of Offering limited flexibility to configure Security need to make sure vendor has appropriate controls if data is sensitive Cost Over Time may be higher Data Localization country by country or customer by customer Control of Data to ensure data is accurate, breach notice, deletion of data all should be addressed in contract

12 Gating Questions for SaaS Contracting Importance of SaaS Customer and Vendor understanding each other Form Agreements The Nature of Service and Sensitivity of Data Matter Customer-form Security Addendum vs. Vendor Security Policy

13 SaaS Contracts What s negotiable? Security Service Organization Controls (SOC) Certifications Security, Availability, Processing Integrity, confidentiality of privacy controls covered by SOC 2 Access to certification but not actual SOC 2 report Outside auditor review Audit rights Encryption in transit vs at rest

14 SaaS Contracts What s negotiable? Data Protection and Use Understand Business Continuity and Disaster Recovery capabilities Recovery Point Objective for data loss Portability of data after exit Data destruction Vendor data use Limitation of Liability and Indemnities LOL typically a multiple of trailing revenues for SaaS 3 rd party infringement indemnity standard Special Indemnities rarer

15 SaaS Contracts What s negotiable? Service Levels Uptime requirements for the service Potential credit or termination remedies Heavily dependent on the nature of the SaaS and its mission criticality Subcontractors Vendor passing on obligations to subcontractors Subcontractor consent right?

16 SaaS Contracts What s negotiable? Privacy Often governed by statutes and regulations Breach notification provisions understanding where data stored and processed compliance with regulatory regimes EU Privacy Shield and General Data Protection Regulation (GDPR coming May 2018)

17 Key Standards SSAE-16 SOC 1, 2, 3 NIST Cybersecurity Framework ISO By Industry Vertical: FedRAMP US Federal Government Payment Card Industry (PCI) HIPAA/HITECH, HITRUST Health Care GLBA -- Banking