Demystifying the Hype - Cloud Computing Key Legal & Commercial Issues Dr Sam De Silva, FCIPS Partner - Head of IT & Outsourcing, Manches LLP CIPS Global.


2 Demystifying the Hype - Cloud Computing Key Legal & Commercial Issues Dr Sam De Silva, FCIPS Partner - Head of IT & Outsourcing, Manches LLP CIPS Global Board of Trustees

3 Outline
- Setting the scene
- Difference with other IT contracts
- Key contractual issues
- Checklist

4 What is Cloud Computing? “The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. […] Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?” Larry Ellison, Oracle OpenWorld, 25 September 2008

5 What is Cloud Computing?
- It is not new!
  - Search is a cloud application
  - Gmail, other Internet-based email services are cloud applications
  - Social networking sites are cloud applications
  - Similar to time-sharing and service bureau services from the mainframe days, or ASPs from the 90s
- Essential characteristics
  - on-demand
  - broad network access
  - resource pooling
  - rapid elasticity

6 Cloud Computing Service Models
- Software as a Service (SaaS)
- Application development platform sold as a service (PaaS)
- IT infrastructure – hardware, storage, network – sold as a service (IaaS)

7 Software as a Service (SaaS)

8 Platform as a Service (PaaS)

9 Infrastructure as a Service (IaaS)

10 Deployment Models
- Private Cloud
  - Single tenant, owned and managed by organisation itself or external provider
- Community Cloud
  - Exclusive use by a specific community
- Public Cloud
  - Multi-tenant, massive scale, pay for use, exists on premises of cloud provider
- Hybrid Cloud
  - Use of more than one type of cloud

11 Difference with other IT contracts (1)
- Cloud computing contracts different from SaaS, ASP, outsourcing, hosting contracts? (not really)
  - similar issues depending on type of cloud computing services
  - additional contractual issues following “cloud aspects”
  - “packaging” of different types of IT contracts
- Structure of the contracts
  - cloud computing contracts resemble typical software licenses
  - given the subject matter should be more closely related to hosting or (strategic) outsourcing contracts
- Low barrier to entry
  - “click-wrap agreements” are legally enforceable
  - often presented as less or no “legalese” contracts
  - but appearances may be deceiving

12 Difference with other IT contracts (2)
- Standard commoditised offering, therefore limited flexibility or ability to change
  - shift in mentality
  - contract evaluation should be a key part of provider selection
- Test
  - will a standard offering with its standard terms meet my needs?
  - selection between different contracts as opposed to contract negotiations
  - critical data or strategic services may not be suited for the cloud unless appropriate contract terms can be agreed upon

13 Key Contractual Issues in the Cloud
- Security compliance
- Limited supplier obligations
- Liability
- Data protection
- Suspension and termination clauses
- Vendor lock-in and transitioning
- Service levels and service credits

14 Security Compliance
- Due diligence
- Security questionnaire
  - who owns and controls infrastructure
  - deployment and delivery methods
  - security controls in place
  - physical location of infrastructure elements
  - reliability reports
- Provider’s response
  - confidential
  - security policy
  - security standards

15 Limited Supplier Obligations
- Typical obligations, warranties or other safeguards of sourcing or hosting contracts are not included in cloud computing contracts
- Due to their commoditized approach, cloud computing contracts typically contain less onerous obligations on the supplier
- Undertake “gap” analysis

16 Liability
- Limiting liability of cloud provider to a level that is not in line with the potential risk
- Risk with limiting the liability of the cloud provider to the amount paid
- Issues include:
  - almost total exclusion of liability
  - limited financial cap
  - exclusion of certain types of loss (e.g. direct losses (US contracts), indirect loss and/or data loss)
  - force majeure definition

17 Data Protection (1)
- Where is my data? (do I actually care?)
- Three examples of problems:
  - Who is controller?
    - legislation makes fundamental distinction between data controller (party that defines the purpose and the means of data processing) and the data processor (“dumb performer”)
    - both customer and cloud provider define the “means” of processing
    - distinction is crucial to know who is responsible
    - data controller is liable towards data subjects
    - data controller must choose appropriate data processors and must seek adequate contractual protection from them
  - Transfer outside of EU?
    - Principle: no transfer of data to countries outside the EEA that do not offer “adequate level of protection”
    - Exceptions

18 Data Protection (2)
- Onward transfers
  - Cloud provider engaging a subcontractor
  - 4 permutations

| | Cloud provider: Controller | Cloud provider: Processor |
|---|---|---|
| Subcontractor: Controller | Subcontractor also needs to sign standard clauses with customer | Not permitted |
| Subcontractor: Processor | Permitted under Set II of Model Clauses (2010) | Yes, but difficult, no “processor to processor” Model Clauses |

19 Suspension or Termination
- Pitfalls of suspension clauses
  - impact on continuity
  - low barrier for suspension of services/unplanned interruptions
  - minor non-compliance may lead to significant remedy for the supplier
- Termination for convenience by the supplier
  - notice period
  - exit obligations
- Termination for convenience by the customer
  - typically cloud computing contracts allow for easy exit for the customer
  - check contracts for termination for convenience because not always the case or such exit does not come cheap
- Risk of cloud provider going out of business or restructuring its service portfolio

20 Vendor Lock-in and Transition
- Usefulness of termination for convenience
- No implied obligation to assist in data transfer and disengagement
- Everything depends on your contractual agreement
- Pricing

21 Service Level Agreements
- Often not part of standard offering
- SLA without “teeth”
- Level of service offered (typically a choice – gold, silver, bronze)
- Points of attention:
  - how is the availability calculated by the provider? e.g. 10 outages of 6 minutes versus 1 outage of 1 hour
  - point of measurement
    - servers that host application
    - user’s computers
    - cloud termination point
  - service measurement period

22 Availability (1)
- Definition
- "Gold Standard" is "five-nines" = 99.999%
- Permitted downtime by the 9s
- Difference between 99.99% and 99.0%
  - measured annually
  - measured daily
- Period availability is measured
  - 99% allows 14 mins over a 24 hour period
  - 99% allows 7 mins over a 12 hour day
- Core periods/non-core periods

| Availability | Annual | Monthly | Daily (24 hours) |
|---|---|---|---|
| 99.999% | 5.259 min | 0.438 min | 0.0144 min |
| 99.99% | 52.59 min | 4.38 min | 0.144 min |
| 99.9% | 8 h 45.6 min | 43.8 min | 1.4 min |
| 99% | 3 days 15 hours | 7 hours 18 min | 14.4 min |

23 Availability (2)

Availability Formula

The Supplier will ensure that the System is Available 99.9% of the time 24 hours a day, 7 days a week, 365 days a year ("Available Hours"). Availability will be measured monthly. Availability for the relevant month will be calculated using the following formula:

% Availability = (1 - (a / b)) x 100

where:

a = total hours the System was unavailable during the Available Hours in the relevant month (excluding the time in respect of Problems with the public telecommunications network or scheduled maintenance or outage that commences outside Support Hours)

b = number of Available Hours during the relevant month.

Worked Example:
- System unavailable for 10 hours in a month
- Number of Available Hours in 1 month (assuming 30 days): 24 x 30 = 720
- (1 - (10 / 720)) x 100 = 98.6%
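The formula above applied to outage records, as an added example that is not part of the original presentation. It reproduces the slide's worked example, then shows the two points of attention from slide 21: "10 outages of 6 minutes versus 1 outage of 1 hour" score the same monthly but not daily, and the exclusions in "a" can turn a 10 hour outage month into a met 99.9% target. The cause labels, function names and outage records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed labels for the time the clause leaves out of "a".
EXCLUDED_CAUSES = {"public_telecom", "scheduled_maintenance", "outside_support_hours"}
MONTH_MINUTES = 24 * 30 * 60  # b for a 30-day month, as in the slide's worked example

@dataclass(frozen=True)
class Outage:
    day: int       # day of the month the outage fell on
    minutes: int   # duration; minutes keep the arithmetic exact, the a/b ratio is unit-free
    cause: str

def availability_pct(outages, available_minutes, apply_exclusions=True):
    """% Availability = (1 - (a / b)) x 100, with a and b both in minutes."""
    a = sum(o.minutes for o in outages
            if not (apply_exclusions and o.cause in EXCLUDED_CAUSES))
    return (1 - a / available_minutes) * 100

def meets_sla(outages, available_minutes, target_pct=99.9, apply_exclusions=True):
    return availability_pct(outages, available_minutes, apply_exclusions) >= target_pct

def worst_day_pct(outages):
    """Same formula with a daily (24 hour) measurement period; returns the lowest day."""
    by_day = {}
    for o in outages:
        by_day.setdefault(o.day, []).append(o)
    return min((availability_pct(day, 24 * 60) for day in by_day.values()), default=100.0)

# Constructed outage records, not real provider data.
SLIDE_EXAMPLE = [Outage(3, 600, "fault")]                    # 10 hours in the month
MANY_SHORT = [Outage(d, 6, "fault") for d in range(1, 11)]   # 10 outages of 6 minutes
ONE_LONG = [Outage(5, 60, "fault")]                          # 1 outage of 1 hour
MOSTLY_MAINT = [Outage(7, 570, "scheduled_maintenance"), Outage(20, 30, "fault")]

if __name__ == "__main__":
    print(f"slide example: {availability_pct(SLIDE_EXAMPLE, MONTH_MINUTES):.1f}%")
    for name, log in (("10 x 6 min", MANY_SHORT), ("1 x 60 min", ONE_LONG)):
        print(f"{name}: monthly {availability_pct(log, MONTH_MINUTES):.3f}%, "
              f"worst day {worst_day_pct(log):.2f}%")
    print("10 h down, 9.5 h excluded, meets 99.9%:", meets_sla(MOSTLY_MAINT, MONTH_MINUTES))
    print("same month, nothing excluded:",
          meets_sla(MOSTLY_MAINT, MONTH_MINUTES, apply_exclusions=False))
```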

24 Service Credits
- Service credits/rebates
- Characterisation
- Calculation
- Cap on Service Credits
- “Holiday” period
- Sole and exclusive remedy
- Interplay with liability cap

25 Checklist of Items to Consider (1)
- Understand cloud provider’s information security management systems
- Plan for bankruptcy or unexpected termination of the relationship and orderly return or disposal of data/applications
  - Vendor will want right to dispose of your data if you don’t pay
- Contract should include agreement as to desired service level and ability to monitor it
- Negotiate restrictions on secondary uses of data and who at the provider has access to sensitive data

26 Checklist of Items to Consider (2)
- Ensure that you have ability to audit on demand as regulatory and business needs require
- Make sure that cloud provider policies and processes for data retention and destruction are acceptable
- Provide for regular backup and recovery tests
- Consider data portability and application lock-in concerns
- Understand roles and notification responsibilities in event of a breach

27 Checklist of Items to Consider (3)
- Understand and negotiate where your data will be stored, what law controls and possible restrictions on cross-border transfers
- Consider legal and practical liability for force majeure events
  - Must be part of disaster recovery and business continuity plan
- There is no substitute for careful due diligence

28 Contact Details Dr Sam De Silva Email: sam.desilva@manches.com DDI: +44 (0) 1865 813 735

