Intellectual Property & Technology Webinar Cloud Computing - Reaping the Benefits and Avoiding the Pitfalls Stuart James & Delizia Diaz 37 Offices in 18 Countries Birmingham Wednesday, 11 July 2012
Speakers Stuart James Delizia Diaz Partner Associate T: +44 121 222 3645 T: +44 121 222 3383 M: +44 7825 171894 M: +44 7921 600022 E: stuart.james@squiresanders.com E: delizia.diaz@squiresanders.com 2
Webinar Agenda An overview of Cloud Computing Opportunities presented by the Cloud Key risk areas A silver lining for the Cloud? 3
Cloud Computing Overview (1) What is Cloud Computing? Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. * Build Your Own Subscribe, Plug In, Pay-per-Use 4 *National Institute of Standards and Technology (NIST), SP 800-145, September 2011.
Cloud Computing Overview (2) Well known Cloud Computing offerings 5
Cloud Computing Overview (3) CLOUD Deployment Models Public Customer Customer Customer Private VPN / leased line or Internet link Single customer Hybrid Community 6 Multi-tenancy model
Cloud Computing Overview (4) CLOUD Service Models IaaS Infrastructure as a Service PaaS Platform as a Service SaaS Software as a Service Infrastructure Infrastructure Platform Infrastructure Platform Application 7
Opportunities and Benefits Lower costs: No upfront investment in servers/data centres No software licensing No software updates for customers/maintenance costs Scalability On-demand: Pay for what you use (bandwidth/server space, etc.) Enhanced Security Faster implementation IT Team focus on core business Access to latest IT upgrades/developments 8
Cloud Computing - Key Risk Areas Cloud provider service commitments Standard provider offering: as is, as available Clear service specifications Key service levels: Functionality Availability Performance Back-up Disaster Recovery-Business Continuity Measurement/Reporting Remedies? (Service credits/other types of damages) 9
Cloud Computing - Key Risk Areas Data location and traceability Retain some level of control over data location/storage Regional/country offering Traceability/audit trail requirements 10
Cloud Computing Key Risk Areas Information Security - Security requirements Data in Transit Secure encryption (SSL) Data at Rest Physical Security Logical Security Encryption (shortcomings?) Access rights management/ audit trails Virtual segregation/multi-tenancy architecture External intrusions/network attacks Staff access controls 11
Cloud Computing Key Risk Areas Information Security (Cont d) Assessment of compliance with security requirements Contractual commitments Audits Certifications Incident response Notification Cooperation 12
Cloud Computing - Key Risk Areas Investigations and litigation Accessing data: Cloud users: Ability to retrieve data (e.g. internal investigations, data protection request, internal or external audit requests, etc) Cloud providers - third party requests (e.g. subpoenas) What are the provider s obligations? 13
Cloud Computing - Key Risk Areas Regulatory and legal compliance EU Data Protection compliance Consent Access requests Security of personal data Subcontractors Transfers outside of the EEA Data loss/breach notification 14
Cloud Computing - Key Risk Areas Regulatory and legal compliance (Cont d) State/country specific requirements US: Patriot Act, Sarbanes Oxley, Gramm Leach Bliley Act, Electronic Communications Privacy Act UK : Regulation of Investigatory Powers Act Sector/organisation specific governance or compliance requirements (e.g. Health Insurance Portability and Accountability Act, Health Information Technology, for Economic and Clinical Health Act, FSA in UK, telecoms, etc) Export/trade restrictions (e.g. encryption, EU dual use, etc) 15
Cloud Computing - Key Risk Areas Contractual (or externally imposed) limitations and restrictions Audits required by cloud user s customers Restrictions on data location Scope of software licences Restrictions on indemnities (e.g. government contracts) PCI DSS compliance 16
Cloud Computing - Key Risk Areas Lock- in, exit and service transfer Proprietary systems Loss of IT expertise Lack of exit support lock-in Lock-in? Risk mitigation: Open standards Return of data Data deletion Migration support Data back-up Escrow 17
Cloud Computing - Key Risk Areas Cloud provider s liability Standard terms take it or leave it Limited warranties Wide exclusions of or caps on liability (including loss of profit) Public vs Private Cloud 18
Cloud Computing - Key Risk Areas Insurance Existing policies: business interruption insurance coverage? Specific policies: cyber liability insurance 19
Recommended Steps Assessment of business goals What applications and data will be migrated to the Cloud? Prior due diligence checks is your provider financially viable and can they technically deliver? Clear understanding of risks what if it all goes wrong? Technical and legal assurances provided by cloud providers (including security requirements) Carefully negotiate contracts (focus on key business areas?) Monitor compliance on a regular basis 20
A Silver Lining for the Cloud? Competition between providers willingness to negotiate terms service offering market consolidation Development of specific standards - industry codes & certifications Privacy by design Developments and adaptation of EU privacy laws to new technologies? Insurance 21
Contacts Stuart James Delizia Diaz Partner Associate T: +44 121 222 3645 T: +44 121 222 3383 M: +44 7825 171894 M: +44 7921 600022 E: stuart.james@squiresanders.com E: delizia.diaz@squiresanders.com 22
Worldwide Locations North America Latin America Europe & Middle East Asia Pacific Cincinnati Northern Virginia Bogotá+ Beirut+ Leeds Beijing Cleveland Palo Alto Buenos Aires+ Berlin London Hong Kong Columbus Phoenix Caracas+ Birmingham Madrid Perth Houston San Francisco La Paz+ Bratislava Manchester Shanghai Los Angeles Tampa Lima+ Brussels Moscow Singapore Miami Washington DC Panamá+ Bucharest+ Paris Tokyo New York West Palm Beach Rio de Janeiro Budapest Prague Santiago+ Frankfurt Riyadh+ Santo Domingo Kyiv Warsaw 23 + Independent Network Firm