Cloud Computing and the Law: The Basics

The Benefits and Challenges of Enterprise Cloud Computing

As reflected in the NIST definition of cloud computing, the most appealing aspect of using the cloud is the effective scalability, and therefore elastic cost, of the service. Quite often with cloud computing, this elasticity means that IT and data center costs can be reduced and tied directly to usage, increasing or decreasing as needs go up or down. In terms of general overhead, the elasticity offered by enterprise cloud computing also allows companies, and startups in particular, to avoid the costs associated with configuration, expansion and replacement of traditional on-site IT systems and components. In sum, the promises of cloud computing can provide an optimal framework for faster and cheaper delivery of IT services within an enterprise.

Of course, as this book will proceed to describe, cloud computing is not an enterprise panacea. In some situations cloud computing may not be the right fit for an enterprise. In some industries and countries currently, regulation and legal considerations may dictate that the enterprise house, secure, and control data in a specific location or geographical area. Furthermore, access to the enterprise data might need to be restricted to a limited set of applications, all of which need to be internal. Assessing the propriety of cloud computing for an enterprise boils down to just how much control the enterprise must maintain over its systems and its data. Additional key issues to consider include the following:

  • Compliance requirements—The use of cloud computing services may affect compliance audit requirements. Issues arise surrounding data location, cloud computing security policy transparency, privacy and personal identifying information laws, Payment Card Industry (PCI) requirements, and financial reporting laws.
  • Commingled data—A benefit that can turn sour, application sharing and multi-tenancy of data is one of the key characteristics associated with cloud computing. But while some Cloud Service Providers (CSPs) have multi-tenant applications that are secure, scalable and customizable, security and privacy issues are still often concerns for enterprises. This may require an additional investment in data encryption to support data confidentiality.
  • Cloud security policy/procedures transparency—Some CSPs may have less transparency than others about their information security policy so as to protect their proprietary data or methods. Such policies may create a conflict with the enterprise's information compliance requirements and would require the enterprise to have a detailed understanding of the service level agreements (SLAs) that stipulate the level of security provided by the CSPs and demanded by the customer.
  • Post-Contract Transfer—Many CSPs may adopt a proprietary interface that could hinder cloud services transitions from one CSP to another CSP. This is an issue that should be examined and identified even before the services are started.
  • Disaster recovery—Enterprises should be very clear on the CSP's data recovery plan. Since data may be commingled and scattered around multiple servers and geographical areas, there is a possibility that data for a specific point of time may be lost or unidentifiable. In traditional hosting, the enterprise knows exactly where its data resides, to be rapidly retrieved in the event of disaster recovery. In the cloud computing model, the primary CSP may outsource capabilities to third-parties, who may also outsource the recovery process.

Understanding the Implications of “Multi-Tenancy”

One of the key elements that makes cloud computing so effective is the aspect of “multi-tenancy.” Precise definitions may vary, but the term generally refers to the ability of multiple users/customers to use the same software and interfaces in order to configure resources while isolating customer-specific traffic and data. Or, to put a finer point on it, multi-tenancy requires:

  • Use of the same application/set of applications;
  • A shared architecture across all tenants; and
  • Distinct separation between the instances run for each tenant.

As such, in practice, within a multi-tenancy environment, multiple users who do not share or see each other's data are able to share the same applications while running on the same operating system, using the same hardware and the same data storage device. In contrast, a more “traditional” model exists where software is loaded on the computers of individual employees or on a dedicated company server. Under this increasingly antiquated method, companies tend to spend a significant sum for underused servers, underutilized resources, and difficult and diffuse maintenance. By employing a multi-tenant cloud source, a company allows multiple users to share servers and applications, resulting in cheaper licensing costs, higher resource utilization, easier data governance, and simplified maintenance and upgrades.

In practice, therefore, multi-tenancy is the cornerstone of affordability for any cloud model and it can apply to all three layers of a cloud: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Obviously, the level and type of multi-tenancy employed by an enterprise will vary depending on its business, its usage needs, and the type of data the enterprise holds. As there are varying degrees and definitions of multi-tenancy among cloud providers, companies assessing their cloud options should ensure they address multi-tenancy when comparing their internal needs with the cloud vendor's offerings.

As will become increasingly apparent in the following chapters, the key to a successful cloud computing implementation is proper prior preparation, that is, a careful consideration of the relevant risks in the early stages of planning. The “end”—whether it be the end of the data, the end of the data center, or the end of the contract—should not be an afterthought. It is imperative that the enterprise employ a sound risk management strategy and perform insightful due diligence because the cloud computing standards in the industry are currently being developed and refined. In this regard, legal input may help enterprises with their selection process. Knowledgeable counsel can help enterprises identify and address legal risks—where possible—in negotiations with the provider and through appropriate risk mitigation strategies.

 

Cloud Computing Legal Deskbook, 2016 ed.

By Alexander W. Major. Alex Major is an associate in the Government Contracts, Investigations, and International Trade Group of Sheppard Mullin's Washington, D.C. office. Excerpted from Cloud Computing Legal Deskbook, 2016 ed., available for purchase on ThomsonReuters.com. This practical guide serves as a compass to anyone navigating the complicated intersection of law and technology, providing an overview of definitions, models, and types of cloud computing services, along with discussion and analysis of current issues in cloud computing.