Cloud Computing, SaaS and Outsourcing
Michelle Perez, AGC Privacy, IPG
Bonnie Yeomans, VP, AGC & Privacy Officer, CA Technologies
PLI TechLaw Institute 2017: The Digital
Agenda
- Introduction to the Cloud
  - What exactly is cloud computing?
  - SaaS Characteristics
  - Comparisons to traditional outsourcing
- Benefits and Risks of SaaS
- Gating Questions for SaaS Contracting
- SaaS Contracts: What's negotiable?
- Key Standards
Introduction to the Cloud
- Parallels to the creation of early 20th century electrical utilities (Nicholas Carr)
- Efficiencies of moving data processing from behind customers' firewalls to a shared set of computing resources
- Major implications and disruption for both consumers and providers of data processing
- Promises and Trade-offs of the Cloud
Types of Cloud Offerings (least to most comprehensive)
- Infrastructure as a Service (IaaS): Vendor handles processing, storage and networking. Customer responsible for OS and Application Layer, e.g. AWS, Microsoft Azure, Google Cloud
- Platform as a Service (PaaS): Vendor handles IaaS plus the OS. Customer responsible for Application Layer, e.g. Amazon E2, Salesforce App Cloud
- Software as a Service (SaaS): SaaS combines IaaS and PaaS plus the Application Layer, with no Customer responsibilities at any layer. Examples include Salesforce, Dropbox, Workday, Gmail
Cloud Deployment
- Public Cloud: Resources, such as applications and storage, available to the general public (outside the customer's firewall) over the Internet
- Private Cloud: Generally behind a Customer's firewall, having attributes of on-premises software while taking advantage of some of the advantages of a cloud offering
- Hybrid Cloud: Cloud offerings located both inside and outside a Customer's firewall
SaaS Characteristics
- Delivered as a Subscription Service: SaaS is truly a service offering, not software
- On Demand/Self Service: Self-provisioning and scaling of usage and fees
- Broad Network Access: Available over a network and accessed by use of heterogeneous client platforms
- Resource Pooling: Provider's computing resources are pooled to serve multiple customers using a multi-tenant model with dynamic provisioning
SaaS Characteristics (cont.)
- Rapid Elasticity: Capabilities can be rapidly scaled up and down
- Measured Service: Metering tracks use and helps optimize services
- Common Service: All users typically use the same instance of the software
Comparison to Traditional Outsourcing
- Services provided by actual third-party resources rather than a pre-packaged offering
- Ability to customize to accommodate customer needs and specifications
- Customer control over the data processor, either through contract or the ability to direct activity
- Long-term relationship with exit plans and change-of-control provisions vs. walk away
- Often dedicated infrastructure, sometimes built by the customer in-house and then moved out, vs. a shared multi-tenant environment
SaaS Advantages/Opportunities
- Cost: Reduced for the customer due to savings on human capital, physical space, electricity and support. Cost shifts to the vendor/provider. Opex rather than Capex
- Security: Considered more robust, in part because customer environments are often complex and hard to fully control; but vendor dependent
- Maintenance: Applications do not need to be installed on each user's computer, and the vendor can apply updates and upgrades universally and at scale
- Reliability: Well-designed cloud computing is suitable for business continuity and disaster recovery
SaaS Advantages/Opportunities (cont.)
- Access is much faster: Software is essentially already installed and running
- Device and location independence improves, enabling users to access systems using a web browser regardless of their location or what device they are using
- Big Data Analytics: Collection of anonymized metadata and metering can improve the service and lead to important insights into the customer base
SaaS Disadvantages/Risks
- Uniformity of Offering: Limited flexibility to configure
- Security: Need to make sure the vendor has appropriate controls if data is sensitive
- Cost Over Time: May be higher
- Data Localization: Country by country or customer by customer
- Control of Data: Ensuring data is accurate, breach notice, and deletion of data should all be addressed in the contract
Gating Questions for SaaS Contracting
- Importance of SaaS Customer and Vendor understanding each other
- Form Agreements
- The Nature of Service and Sensitivity of Data Matter
- Customer-form Security Addendum vs. Vendor Security Policy
SaaS Contracts: What's negotiable? Security
- Service Organization Controls (SOC) Certifications
  - Security, availability, processing integrity, confidentiality and privacy controls covered by SOC 2
  - Access to certification but not the actual SOC 2 report
  - Outside auditor review
- Audit rights
- Encryption in transit vs. at rest
SaaS Contracts: What's negotiable? Data Protection and Use
- Data Protection and Use
  - Understand Business Continuity and Disaster Recovery capabilities
  - Recovery Point Objective for data loss
  - Portability of data after exit
  - Data destruction
  - Vendor data use
- Limitation of Liability and Indemnities
  - LOL typically a multiple of trailing revenues for SaaS
  - 3rd party infringement indemnity standard
  - Special Indemnities rarer
SaaS Contracts: What's negotiable? Service Levels
- Service Levels
  - Uptime requirements for the service
  - Potential credit or termination remedies
  - Heavily dependent on the nature of the SaaS and its mission criticality
- Subcontractors
  - Vendor passing on obligations to subcontractors
  - Subcontractor consent right?
SaaS Contracts: What's negotiable? Privacy
- Privacy
  - Often governed by statutes and regulations
  - Breach notification provisions
  - Understanding where data is stored and processed
  - Compliance with regulatory regimes: EU Privacy Shield and General Data Protection Regulation (GDPR, coming May 2018)
Key Standards
- SSAE-16 SOC 1, 2, 3
- NIST Cybersecurity Framework
- ISO 27001
- By Industry Vertical:
  - FedRAMP: US Federal Government
  - Payment Card Industry (PCI)
  - HIPAA/HITECH, HITRUST: Health Care
  - GLBA: Banking