The use of cloud computing technology has grown significantly as IT departments have sought to extend their existing capabilities without investing significantly in new infrastructure or training new personnel.
What is cloud computing?
Cloud computing means using multiple Internet-based services via a digital network as though they were one computer. This shared use differs from outsourcing, which uses the infrastructure of the customer, managed by a third party. It is also a departure from the traditional enterprise license of software or purchase of on-premises hardware equipment.
Why the cloud?
The most important reason for the accelerating interest in cloud computing is that Internet users increasingly find themselves using multiple computers and other devices and thus require a shared data center that can be accessed anywhere. For businesses, cloud computing enables applications to be deployed more efficiently and saves on costly software and IT. The costs associated with the people, products and facilities to run cloud computing are substantially lower than the traditional enterprise-based licensing model.
Cloud computing allows resource pooling, dynamically assigning resources according to demand; flexible access across platforms; and provision of services rapidly and even automatically.
What kind of cloud do you want?
Cloud service can be provided in many ways, but four options have emerged as the most prominent:
Private clouds: Dedicated cloud computing resources are made available to a specific customer through negotiated service agreements. Because the resources are dedicated, capital investment may be greater.
Hybrid clouds: This model may be used by a customer who desires the ease of use of a public cloud, but also wants some level of dedicated resources afforded by a private cloud.
Managed clouds: This model is actually similar to outsourcing, but rather than having the customer own the infrastructure and outsource its management to a third party, the customer owns the cloud computing capability and outsources management to a third party.
Each of these methods can encompass the three basic cloud computing business models, including Infrastructure as a Service (IaaS) – where customers receive access to IT infrastructure often shared with others; Platform as a Service (PaaS) – where customers can develop and operate applications by accessing a computing platform; and Software as a Service (SaaS) – where customers receive access to a suite of software applications remotely and on-demand.
Developing cloud service level agreements
The service level a customer receives from a vendor is usually set forth in terms that can be part of the cloud computing agreement or appear in a separate service level agreement incorporated by reference. Here are some considerations in developing service level agreements:
Level of effort: Vendors should consider whether they want their performance under the agreement to be absolute or subject to a less than absolute standard, such as “commercially reasonable efforts.”
Nature of obligations: Most service level agreements focus on service availability, but vendors should also be prepared to respond to requests for commitments on performance, such as response times and bandwidth.
Definition of uptime: Service level agreements should clearly define such variables as how uptime will be measured; what constitutes downtime; the nature of permitted downtime; and circumstances that do not constitute downtime.
Ability to suspend services: A cloud computing vendor may at times need to suspend services, such as if a customer’s use of the services creates a security risk. While it is reasonable for the vendor to retain this right, it will be important for the vendor to consider the nature of the notice that may be given to customers.
Service credits: Vendors must consider the amount of service credits available to customers, whether customers are automatically entitled to credits and whether there are circumstances under which the vendor may provide an actual refund.
Customers repeatedly cite data protection and security as a barrier for moving to the cloud.
Privacy: Privacy concerns pose unique issues in the cloud environment because of the intensely local and varying nature of statutes regarding protection of personal information. A realistic approach may be for customers and service providers to work together to ensure that any data is collected, stored and processed in accordance with applicable privacy laws.
Security: Many vendors try to limit their security obligations to “standard industry practices” and further limit the scope of obligations to the use of “reasonable commercial efforts” to meet that standard. Because such standards are not yet firmly established, this approach is dangerous. One risk is the use of multi-tenancy, with numerous tenants on a single server, potentially allowing tenants access to third-party data. A customer should negotiate with the provider for specific security obligations, including monitoring for problems and adhering to the most up-to-date standards.
Here to stay
Cloud computing may be young, but it is here to stay. Offering new efficiencies and cost savings, it is the future of outsourced data handling. However, as companies and other institutions continue to explore alternative IT sourcing strategies, they need to plan with the cloud’s inherent legal issues – interruption risks, data security and privacy – in mind, to mitigate risk and ensure effective practices and solutions.
For more information about cloud computing and your business, please contact Victoria Lee.
For an expansive look into cloud computing, including interviews with business leaders and counsel across Europe, read the DLA Piper report Shifting Landscapes: Cloud Computing.