An Introduction to Enterprise Cloud Computing for Attorneys

In a purely scientific sense clouds are “a visible mass of particles of condensed vapor (as water or ice) suspended in the atmosphere of a planet (as the earth) or moon.”1 Yet, to others, clouds are a source of lofty inspiration and whimsy, prompting Henry David Thoreau to request: “You must not blame me if I do talk to the clouds,”2 and Shakespeare to fret that “Clouds and eclipses stain both moon and sun.”3 But now, as we trek into the 21st Century, “cloud” has a pervasive, much more technical meaning referencing the location of data when it does not reside where it is used or created. This is the new world of cloud computing.

Cloud computing is not a new technology or methodology. In many ways, it is very similar to “hosted services,” a model in which servers, storage, and networking infrastructure are shared across multiple tenants and over a remote connection with the ability to scale (although scaling is done manually by calling or e-mailing the hosting provider). Cloud computing, however, is different. It is a new Information Technology “delivery model” where all computing and networking resources are delivered as “services” that are elastic (use as much or as little as you need at any given time), massively scalable, and that offer a pay-per-use model.

The term “cloud computing” appears to have first been defined in an academic context by Prof. Ramnath K. Chellappa, who described it in 1997 at the INFORMS Conference in Dallas as “a computing paradigm where the boundaries of computing will be determined by economic rationale rather than technical limits.” This description is clearly broader and less technical than many of the definitions in circulation today, but it is the U.S. National Institute of Standards and Technology (NIST) that provides the most recognized and neutral definition of cloud computing:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models:4

The essential characteristics that frame the definition of cloud computing refer to:5

  • On-demand self-service. Allowing a consumer to unilaterally provision computing capabilities as needed, without requiring human interaction with each service provider.
  • Broad network access. The capabilities offered are available over the network and accessed through common platforms.
  • Resource pooling. The service provider's computing resources are pooled to serve multiple consumers using a multitenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
  • Rapid elasticity. Capabilities that allow for the rapid ability to expand and reduce resources according to specific service requirements. For example, you may need a large number of server resources for the duration of a specific task. You can then release these server resources after you complete your task.
  • Measured service. Cloud systems automatically control and optimize resource use (e.g., storage, processing, bandwidth, and active user accounts) and can migrate workloads across servers, both inside a single data center and across multiple data centers (even in different geographic areas). This migration might be necessitated by cost (less expensive to run a workload in a data center in another country based on time of day or power requirements) or efficiency considerations (for example, network bandwidth). A third reason could be regulatory considerations for certain types of workloads.

Under the NIST definition, cloud services are also defined as having three specific service models, or methods by which cloud products may be delivered or accessed. These service models remain the industry standards:6

  • Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.
      • The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface.
      • The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  • Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
      • The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems or storage.
      • The consumer does have control over the deployed applications and possibly configuration settings for the application hosting environment.
  • Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
      • The consumer does not manage or control the underlying cloud infrastructure.
      • The consumer does have control over operating systems, storage and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

These functionalities and services can be deployed by a cloud provider in different ways, depending on the organizational structure and the needs of the consumer. The NIST identifies four specific deployment models:

  • Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
  • Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off their premises.
  • Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
  • Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Now, at this point we should note a distinction between what many know as the “personal cloud” (the cloud upon which you store your movies, music, and some documents) and the “enterprise cloud,” the topic that this chapter is intending to introduce. Generally speaking, a personal cloud is typically used by individuals outside a company's network to share files and data from personal devices. While these clouds have their places, and their own risks,7 they are popular and now nearly required if you want to access many functionalities of home and mobile computing. As such, Gartner recently predicted that by 2018, fifty percent of IT organizations will wind up supporting personal cloud assets and services beyond their core set of business applications and services. We are becoming increasingly addicted to—and physically attached to—access to our personal information. Rather than lose the fight to it, Gartner predicts, companies will be forced to embrace it.

By contrast, “enterprise” cloud offerings refer to an environment reached from within a corporation's firewall that delivers many of the same functionalities to which personal users have become accustomed, that is, access to software, infrastructure and platform services to an enterprise. These offerings generally allow numerous benefits to an organization, including higher speeds for and better utilization of IT resources, lower IT operational and infrastructure costs, and more flexibility in handling/managing IT resources. Furthermore, enterprise options tend to provide a safer computing environment, through the use of virtual servers and the ability to employ flexible data security policies that allow for a higher level of protection for important files and sensitive data.

By Alexander W. Major.  Alex Major is an associate in the Government Contracts, Investigations, and International Trade Group of Sheppard Mullin's Washington, D.C. office. Excerpted from Cloud Computing Legal Deskbook, 2016 ed., available for purchase on This practical guide serves as a compass to anyone navigating the complicated intersection of law and technology, providing an overview of definitions, models, and types of cloud computing services, along with discussion and analysis of current issues in cloud computing.

1 See (last visited Jan. 22, 2016).

2 Thoreau, To Mrs. L.C.B. March 2, 1842, Letters to Various Persons at 11, available at (last visited Jan. 22, 2016).

3 Shakespeare, Sonnet 35, in Shakespeare's Sonnets at 37 (2007).

4 NIST Special Publication 800-145, The NIST Definition of Cloud Computing (September 2011).

5 NIST Special Publication 800-145, The NIST Definition of Cloud Computing (September 2011).

6 NIST Special Publication 800-145, The NIST Definition of Cloud Computing (September 2011).

7 Personal clouds and their use at work may serve to compromise an employer's network. It is well recognized that such file sharing leaves data unprotected by company firewalls and may serve to expose company information to threats during transfers between the cloud and the device application. There are also additional security risks that could manifest while the data resides in the application on an employee's personal device. For more, see §§ 4:1 et seq.