Private Cloud, Public Cloud, Hybrid Cloud, Community Cloud. It’s getting pretty cloudy out there, isn’t it? As businesses start embracing cloud computing in its many forms, they are part of a paradigm shift that’s changing the way IT services are consumed. The world is moving from a rich, client-centric computing and storage platform to a distributed one. This shift is creating economies of scale, lowering barriers to entry and presenting new opportunities for smaller companies. Cloud computing means different things to different people, so it’s important to understand the distinctions between the various models. Even more important is appreciating the legal ramifications of these new models. This issue of Pointers will address some of the most common legal aspects of entering into a cloud computing or SaaS agreement with a provider.
What is “Cloud Computing”? The National Institute of Standards and Technology (NIST) established the generally accepted definition for the “evolving paradigm” of cloud computing: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Key characteristics are self-service, availability, elasticity/scalability, and ease of optimization.
Service and Deployment Models. As much as we talk about “the cloud,” it’s important to keep in mind that there’s not just one cloud - there are many models and architectures. The three cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). With IaaS, the provider delivers the basic IT infrastructure of the traditional enterprise datacenter, including computation, storage and networking. The PaaS provider delivers the infrastructure plus an application development platform, where the consumer can develop applications using the provider’s standard environment and tools, such as Java and .Net. SaaS is perhaps the most familiar: the consumer runs the provider’s applications on a cloud infrastructure that is managed and controlled by the provider – think Gmail, Facebook, YouTube, and eCommerce sites like Amazon.com.
To further complicate things, there are public, community, private, and hybrid deployment models, which correspond to the consumer’s particular needs. Public clouds are owned by a cloud services seller and made available to the general public; SaaS offerings are typically public clouds. Community clouds are shared by organizations with common concerns such as privacy, security and regulatory compliance. Private clouds are operated solely for a specific organization and may even be onsite. Governments and enterprise IT customers usually choose community and private clouds. Hybrid clouds occur when public, private and/or community cloud entities are bound together as a unit, yet retain their separate identities.
Why so many cloud formations? With the cloud, it’s always a balancing act between threat of exposure and efficiency.
The shift from EULA to subscription service. Before the cloud era, the use of shrink-wrapped software was almost always governed by End User License Agreements (EULAs), requiring users to click “accept” before using the software. The EULA was usually tied to a specific machine or machines. In contrast, cloud consumers typically want the service to be ubiquitous – available and accessible from any location with internet access. Since a machine-specific license would run counter to that purpose, cloud service providers usually tie the license to a user account. The technology becomes analogous to a utility service delivered in the cloud and accessed via the internet.
SaaS providers usually license via subscription or pay-as-you-go service (e.g., enterprise business applications like CRM; Google Apps), pay-per-use or service on demand (e.g., TurboTax), or free online applications supported by advertising and user-list sales (Hotmail and Facebook). Charging consumers per transaction becomes feasible with cloud computing since providers can measure usage of their infrastructure, platforms and/or applications – thereby metering usage on a granular level, as a utility provider would. This licensing model is usually deployed on a public cloud.
The technology sector has known for a long time that internet distribution of applications would impact licensing, particularly volume and enterprise licensing. The licensing models and pricing structure for applications and services in the cloud are constantly evolving, and likely will be for some time.
What should I watch out for in my cloud agreement? Cloud service providers and consumers enter into cloud agreements – including Service Level Agreements (SLAs) – to define the parties’ respective roles (see Microsoft’s SLAs for its new Office 365 offering for some illustrations). These agreements should set out representations and warranties that speak to the following:
- Quality of service (QoS), including guarantees of performance and uptime, penalties for non-performance and downtime, response times and latency, incident/problem management and escalations policies;
- Deployment model, as discussed above;
- Data privacy policies and security capabilities, including:
  - Physical security of datacenters, privileged user access and encryption;
  - Regulatory compliance with local and international privacy laws – the Patriot Act, EU Data Protection Directive, U.S. Safe Harbor program, FISMA, HIPAA and SO – just to name a few;
  - Policies concerning exposure and/or dispersal of data to local and foreign governments, subpoena/eDiscovery, and general data retention;
- Location and migration of data, often overlapping with the regulatory compliance issues mentioned above, since many companies are subject to governmental restrictions on where their data can reside;
- Portability of data, which is impaired when providers bind or “lock in” stored data to a specific application, platform, operating system or their own technology, and data encryption;
- Redundancy and recovery, including disaster recovery, contingency planning, risk allocation and insurance provisions – even though decentralized data in the cloud often results in redundancy and therefore decreased vulnerability to man-made and natural disasters.
Intellectual Property Concerns
Trade secret protection. Third-party access to private information runs the risk of waiving trade secret protection. This risk can be mitigated by well-drafted contracts that include non-disclosure provisions, as well as actual implementation of privacy policies and security procedures. See here for more information about trade secrets.
Ownership of data in the cloud. Another cause for concern is whether ownership of information shifts when it is sitting on the provider’s infrastructure. A controversy emerged in 2008 when Google Chrome’s EULA stated that consumers who submitted, posted or displayed hosted content gave Google a “perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content.” Google promptly removed the offending clause, simply stating that “You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services.” See Google’s current Chrome EULA here.
Please be aware that the above is a non-exhaustive list of important contractual elements that should be present in provider/consumer cloud agreements. Also note that most large cloud service providers require acceptance of their own SLAs, and smaller companies may not be successful in pushing back on standard provisions. However, having a competent attorney familiar with internet law review cloud agreements can help you make an informed commitment to a cloud service provider and avoid unnecessary risks for you and your clients.
Cloud computing offers enormous potential benefits – accessibility, enhanced collaboration, redundancy, cost-effective IT support, and scalability – to name a few that we’ve discussed. However, farming out control of datacenter services to a cloud provider necessarily means that the consumer will lose some control over its proprietary and sensitive data. The largest and most trusted cloud providers can still fail. Privacy regulations and laws governing the cloud are constantly changing. Attorney review of cloud agreements is best practice and basic due diligence. After all, despite its evolving controls and somewhat nebulous implications, cloud computing appears, ironically, to be the way to a sunnier computing future!