Intellectual Property & Technology Webinar Cloud Computing - Reaping the Benefits and Avoiding the Pitfalls Stuart James & Delizia Diaz Birmingham Wednesday, 11 July 2012 37 Offices in 18 Countries
Speakers Stuart James Delizia Diaz Partner Associate T: +44 121 222 3645 T: +44 121 222 3383 M: +44 7825 171894 M: +44 7921 600022 E: stuart.james@squiresanders.com E: delizia.diaz@squiresanders.com 2
Webinar Agenda • An overview of Cloud Computing • Opportunities presented by the Cloud • Key risk areas • A silver lining for the Cloud? 3
Cloud Computing Overview (1) What is Cloud Computing? “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics , three service models, and four deployment models.” * Subscribe, Plug In, Pay-per-Use Build Your Own 4 *National Institute of Standards and Technology (NIST), SP 800-145, September 2011.
Cloud Computing Overview (2) Well known Cloud Computing offerings 5
Cloud Computing Overview (3) CLOUD Deployment Models Customer Public Customer Customer Private VPN / leased line Single customer or Internet link Hybrid Community Multi-tenancy model 6
Cloud Computing Overview (4) CLOUD Service Models IaaS – Infrastructure PaaS – Platform as a SaaS – Software as as a Service Service a Service Infrastructure Infrastructure Infrastructure Platform Platform Application 7
Opportunities and Benefits Lower costs: Scalability No upfront investment in servers/data centres No software licensing No software updates for On-demand: customers/maintenance costs Pay for what you use (bandwidth/server space, etc.) Enhanced Faster Security implementation IT Team focus on Access to latest IT core business upgrades/developments 8
Cloud Computing - Key Risk Areas Cloud provider service commitments • Standard provider offering: “as is”, “as available” • Clear service specifications • Key service levels: Functionality Availability Performance Back-up – Disaster Recovery-Business Continuity • Measurement/Reporting • Remedies? (Service credits/other types of damages) 9
Cloud Computing - Key Risk Areas Data location and traceability • Retain some level of control over data location/storage • Regional/country offering • Traceability/audit trail requirements 10
Cloud Computing – Key Risk Areas Information Security - Security requirements • Data in Transit Secure encryption (SSL) • Data at Rest Physical Security Logical Security – Encryption (shortcomings?) – Access rights management/ audit trails – Virtual segregation/Multi-tenancy architecture – External intrusions/network attacks Staff access controls 11
Cloud Computing – Key Risk Areas Information Security (Cont’d) Assessment of compliance with security requirements Contractual commitments Audits Certifications • Incident response Notification Cooperation 12
Cloud Computing - Key Risk Areas Investigations and litigation • Accessing data: Cloud users: Ability to retrieve data (e.g. internal investigations, data protection request, internal or external audit requests, etc) Cloud providers - third party requests (e.g. subpoenas) • What are the provider’s obligations? 13
Cloud Computing - Key Risk Areas Regulatory and legal compliance • EU Data Protection compliance Consent Access requests Security of personal data Subcontractors Transfers outside of the EEA Data loss/breach notification 14
Cloud Computing - Key Risk Areas Regulatory and legal compliance (Cont’d) • State/country specific requirements US: Patriot Act, Sarbanes Oxley, Gramm Leach Bliley Act, Electronic Communications Privacy Act UK : Regulation of Investigatory Powers Act • Sector/organisation specific governance or compliance requirements (e.g. Health Insurance Portability and Accountability Act, Health Information Technology, for Economic and Clinical Health Act, FSA in UK, telecoms, etc) • Export/trade restrictions (e.g. encryption, EU dual use, etc) 15
Cloud Computing - Key Risk Areas Contractual (or externally imposed) limitations and restrictions • Audits required by cloud user’s customers • Restrictions on data location • Scope of software licences • Restrictions on indemnities (e.g. government contracts) • PCI DSS compliance 16
Cloud Computing - Key Risk Areas Lock- in, exit and service transfer Proprietary systems Loss of IT expertise Lock-in? Lack of exit support lock-in Risk mitigation: Open standards • Return of data • Data deletion • Migration support • Data back-up • Escrow • 17
Cloud Computing - Key Risk Areas Cloud provider’s liability • Standard terms – “take it or leave it” Limited warranties Wide exclusions of or caps on liability (including loss of profit) • Public vs Private Cloud 18
Cloud Computing - Key Risk Areas Insurance • Existing policies: business interruption insurance coverage? • Specific policies: cyber liability insurance 19
Recommended Steps • Assessment of business goals • What applications and data will be migrated to the Cloud? • Prior due diligence checks – is your provider financially viable and can they technically deliver? • Clear understanding of risks – what if it all goes wrong? • Technical and legal assurances provided by cloud providers (including security requirements) • Carefully negotiate contracts (focus on key business areas?) • Monitor compliance on a regular basis 20
A Silver Lining for the Cloud? • Competition between providers willingness to negotiate terms service offering market consolidation • Development of specific standards - industry codes & certifications • Privacy by design • Developments and adaptation of EU privacy laws to new technologies? • Insurance 21
Contacts Stuart James Delizia Diaz Partner Associate T: +44 121 222 3645 T: +44 121 222 3383 M: +44 7825 171894 M: +44 7921 600022 E: stuart.james@squiresanders.com E: delizia.diaz@squiresanders.com 22
Worldwide Locations North America Latin America Europe & Middle East Asia Pacific • Cincinnati • Northern Virginia • Bogotá+ • Beirut+ • Leeds • Beijing • Cleveland • Palo Alto • Buenos Aires+ • Berlin • London • Hong Kong • Columbus • Phoenix • Caracas+ • Birmingham • Madrid • Perth • Houston • San Francisco • La Paz+ • Bratislava • Manchester • Shanghai • Los Angeles • Tampa • Lima+ • Brussels • Moscow • Singapore • Miami • Washington DC • Panamá+ • Bucharest+ • Paris • Tokyo • New York • West Palm Beach • Rio de Janeiro • Budapest • Prague • Santiago+ • Frankfurt • Riyadh+ • Santo Domingo • Kyiv • Warsaw 23 + Independent Network Firm
Recommend
More recommend