Bradley J Freedman, Borden Ladner Gervais
Cloud computing is widely recognised as one of the most important new strategic technology opportunities for business. Cloud computing enables a business to outsource its information technology requirements to a specialist service provider who can provide the required services in a better, more efficient and more cost-effective manner. Cloud computing allows a business to focus on its core competence and leave the IT stuff to the experts. For those reasons, cloud computing can provide significant benefits, but it can also present substantial risks. Following is a summary overview of cloud computing and its potential benefits and risks, and some guidance for the procurement of cloud computing services.
Cloud computing is a business/technology/service model that treats IT resources (including networks, servers, data storage and software applications) and related services (including hardware and software maintenance and technical support) as a utility or consumption-based service. The term 'cloud' is a metaphor for the internet and an abstraction for the ill-defined underlying technologies used by a cloud service provider (CSP) to provide the service.
There are various kinds of cloud computing services, but they generally have the following characteristics:
• Pooled resources: the cloud service infrastructure is owned or licensed and managed by the CSP (not the customer), and is used by the CSP to efficiently provide services to multiple customers.
• Broad access: the cloud services are accessible using standard, internet-enabled devices.
• Elastic/scalable: the cloud services are flexible, and can be rapidly and elastically provisioned (increased and decreased) to meet the customer's changing requirements.
• On-demand self-service: the customer can provision the cloud services as needed and without requiring human interaction with the CSP.
• Measured service/fees: fees for cloud services are based on usage, which is monitored, controlled and reported to the customer using appropriate metrics.
Service and deployment models
Cloud computing services can be provided using various service and deployment (infrastructure) models. The basic service models are as follows:
• Infrastructure as a Service: the CSP procures and manages the IT infrastructure (networks, servers, data storage), and the customer provides the rest (operating system, software applications and related services). Examples include Amazon Elastic Compute Cloud (EC2) and IBM Smart Business Development and Test.
• Platform as a Service: the CSP procures and manages everything except the software applications and related services. Examples include Microsoft Azure, Google App Engine and Amazon Simple Storage Solution (S3).
• Software as a Service: the CSP procures and manages everything, including the software applications and related services. Examples include Apple's iCloud, Gmail and Postini, SharePoint, WebEx and Salesforce.com.
The basic deployment (infrastructure) models are as follows:
• Public cloud: the cloud service infrastructure is used by all customers.
• Private cloud: the cloud service infrastructure is used by a single customer.
• Community cloud: the cloud service infrastructure is used by several related customers with shared requirements or other common interests.
• Hybrid cloud: the cloud service infrastructure is a combination of different kinds of clouds (public, private, community) that exchange data and applications.
Why it works
Cloud computing works because of new technologies (grid computing, server virtualisation and super-high speed internet) and economies of scale. Cloud computing services often use one or more geographically distributed data centres that house powerful and flexible (quickly and easily configured) IT platforms used to maximum efficiency to process and store tremendous amounts of data for multiple customers. The data centres might be owned and operated by the CSP itself, or they might be owned by a third party (such as Google, Amazon, Oracle, IBM or Cisco) and used by multiple CSPs.
Cloud computing is similar to the way in which most businesses obtain electricity. Instead of having their own small power plant (which is like the traditional IT model), most businesses buy electricity from the local electric company, which operates one or more large power plants and distributes electricity to customers that pay based upon consumption. The customers don't have to buy their own power plant or hire skilled workers to maintain it (although some businesses do have their own power plants or backup generators, just in case). But the analogy is imperfect, because electrical utilities are regulated and generally do not have custody of their customers' sensitive business information and data (including data collected from third parties).
Benefits and risks
The benefits and risks of a cloud computing service will depend upon the particular circumstances, including: the service and deployment model; the importance of the service to the customer; the source and sensitivity of the data created, processed or stored using the service; the character, quality and experience of the CSP; the nature of the customer and its business sector; the applicable legal and regulatory rules and requirements; and the availability and practicability of alternative services.
The benefits offered by many cloud computing services can be summarised as follows:
• Lower cost/financial risk: cloud services usually use a pay-as-you-go or pay-as-you-grow pricing model. The customer pays for the services it needs when it needs them, subject to contractual usage commitments. The customer is not required to make any up-front capital investment to acquire or maintain IT infrastructure or related resources (including personnel). Costs are operating expenses rather than capital expenses, and those expenses are better aligned with returns. There is less financial risk and better cash flow, and greater return on the IT spend.
• Elasticity/scalability: cloud services are usually flexible, and can be expanded/reduced by the customer as needed for organisational changes, market demands and cyclical business models, and to respond to unexpected opportunities or challenges.
• Agility: cloud services can lower IT barriers to innovation, enable the customer to engage in rapid and low cost experimentation and change, and speed up time-to-market and time-to-value. The customer does not have to procure an IT infrastructure and related resources for new or uncertain business initiatives. Cloud services provide easy, quick and low-cost access to new technologies.
• Improved service quality and customer productivity: cloud services are provided by a specialist service provider, which should improve the quality of the core service as well as ancillary services (security, data backups, software updates and disaster and business continuity preparedness). Cloud services usually permit the customer to remotely access the IT service from any location without specific hardware or software, which should save costs and enhance customer productivity. Cloud services allow the customer to focus on its core business, and enable the customer's IT personnel (if any) to focus on supporting the customer's business initiatives.
The basic characteristics of cloud computing that provide tremendous benefits can also present significant risks. Cloud computing can enable the customer to outsource the procurement and management of IT services, but the customer remains responsible and liable for regulatory compliance and performance of its legal obligations to investors, employees, customers, and business partners. In addition, the customer is often dependent and vulnerable, because the CSP usually has complete control over the quality and availability of the service and custody of the customer's sensitive business data (including data collected from third parties). Those circumstances can present potentially significant business and legal risks, which may be summarised as follows:
• Business continuity: the customer must rely on the CSP's willingness and ability to provide the cloud service in a manner that meets the customer's needs, and to comply with the CSP's contractual and legal obligations. If a cloud service is mission critical for the customer's business operations, deficient service may result in significant business disruption and resulting financial loss to the customer. The customer might not be able to easily or quickly implement a substitute service.
• Confidentiality: cloud services often store the customer's confidential business information in geographically distributed data centres operated by the CSP or its subcontractors. The customer must rely on the CSP to maintain the security of the information and protect it against unauthorised access, use and disclosure. In addition, information stored in foreign data centres may be subject to search and seizure by foreign governments and law enforcement and disclosure in foreign legal proceedings.
• Regulatory/privacy compliance: deficient cloud services may expose the customer and its directors and officers to penalties for failure to comply with applicable laws. A significant concern for many customers is compliance with statutory information security and privacy obligations (including laws regarding personally identifiable information, personal health information and financial information). In some circumstances, the use of a cloud service that stores data outside Canada can be a breach of applicable law. In addition, the customer may require the CSP's assistance to comply with other statutory or legal obligations, such as litigation document preservation and disclosure obligations, regulatory audits and responding to security breaches.
• Liability/reputation: deficient cloud computing services may expose the customer and its directors/officers to claims and liabilities to the customer's investors, employees, customers and business partners, and may tarnish the customer's reputation.
The procurement challenge
Cloud computing is a form of outsourcing, but the procurement process is usually significantly different from traditional outsourcing transactions. Traditional outsourcing usually involves a formal procurement process and extensive negotiations over technical, business and legal issues and risk allocation. In contrast, for a variety of reasons (including the high-volume, low-value transaction business model typical of many cloud services), CSPs are often exceedingly reluctant to accept significant risk, and typically use standard form, take-it-or-leave-it contracts that are one-sided and do not reasonably address the customer's most important business needs and legal requirements. The challenge for businesses is to procure cloud computing services in a way that facilitates a reasonable assessment of the potential benefits and countervailing risks, and allows the business to effectively manage those risks. In some circumstances, the potential benefits of a cloud computing service will not justify the risks.
Following is a summary of some of the most important issues customers should consider when procuring cloud computing services.
• Due diligence: the customer should conduct appropriate (documented) due diligence investigations of the CSP and its services, so that the customer can make an informed decision to establish a dependency/reliance relationship with the CSP. Where appropriate, the customer's senior officers and directors should review the due diligence process and its results.
• Regulatory restrictions/compliance: the customer should consider whether its use of the cloud service is permissible under laws of general application and laws specific to the customer or its industry, and what each of the customer and CSP must do to ensure compliance with those laws.
• Value proposition: the customer should assess the total cost of the cloud service (including the basic service as well as required ancillary services), and obtain appropriate contractual price protection promises from the CSP.
• Standard form contracts: the customer should determine at the outset whether the CSP is willing to negotiate changes to its standard form contract. Many standard form contracts fail to adequately address the customer's most important business needs and legal requirements, but CSPs are often reluctant to negotiate changes. In some circumstances, this might be a showstopper for the customer.
• Service availability/quality: the customer should assess the CSP's contractual promises regarding the availability and quality of the cloud service (both basic service and ancillary services), and the customer's remedies if the service is deficient. Service availability and quality guarantees (often called service level agreements) may be of little value if they are ambiguous or difficult to monitor and measure, or if the customer does not have meaningful, cost-effective, practical remedies for deficient service.
• Business continuity/disengagement: the customer should assess its ability to effectively transition to a substitute service if necessary (e.g. if there is a temporary service disruption or service termination), and consider planning and preparing for those events. The customer should attempt to avoid or minimise the risk of technology lock-in, and obtain appropriate contractual promises from the CSP to provide disengagement and transition services.
• Risk allocation/insurance: the customer should assess the contractual allocation of risk (including the CSP's liability for the customer's own losses and responsibility to protect and indemnify the customer against third party claims and liabilities). CSPs are notoriously reluctant to accept risk for the potentially significant losses and liabilities a customer might suffer as a result of deficient service or other misconduct by the CSP. The customer also should consider whether its own insurance coverage is adequate for the nature and magnitude of the risks presented by using the cloud service.
• Security/confidentiality/privacy: the customer should assess the CSP's contractual promises regarding internal and external security measures, the security and confidentiality of the customer's data/information, and the protection of sensitive third party data/information (e.g. personal information, financial information and health information).
• Ownership/proprietary rights: the customer should obtain appropriate contractual promises and effective remedies regarding the customer's ownership of its data and other materials (including software) processed, created or stored using the cloud service, and the customer's right to access its data and materials (before and after service termination) and to continue to use the CSP's specialised software applications during disengagement.
• Governance/oversight/enforcement: the customer should obtain appropriate contractual promises to allow the customer to monitor the service and the CSP's performance and compliance with its obligations, to facilitate compliance audits and regulatory inspections, and to effectively enforce the CSP's timely performance of key obligations.
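The service availability point above (that an SLA is of little value if it cannot be monitored and measured by the customer) is easier to act on with the customer's own measurements in hand. The following is an added example, not part of the article and not any CSP's terms: it parses a constructed log of the customer's own periodic health-check probes, computes the delivered availability, converts the SLA percentage into the downtime it actually permits per month, and maps any shortfall to an assumed service-credit schedule. The log format, the five-minute probe interval, the 99.9% target and the credit tiers are all illustrative assumptions.

```python
"""Measure delivered availability against a cloud SLA from customer-side probes.

Added illustration (not from the article, not any provider's terms). The probe
log format, probe interval, SLA target and credit tiers are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log: one health-check probe every five minutes (assumed
# interval), written by the customer's own monitoring, not by the CSP.
SAMPLE_LOG = """\
2024-03-01T00:00:00Z service=crm status=UP latency_ms=118
2024-03-01T00:05:00Z service=crm status=UP latency_ms=122
2024-03-01T00:10:00Z service=crm status=DOWN latency_ms=-
2024-03-01T00:15:00Z service=crm status=DOWN latency_ms=-
2024-03-01T00:20:00Z service=crm status=UP latency_ms=140
2024-03-01T00:25:00Z service=crm status=UP latency_ms=131
2024-03-01T00:30:00Z service=crm status=UP latency_ms=127
2024-03-01T00:35:00Z service=crm status=UP latency_ms=125
2024-03-01T00:40:00Z service=crm status=UP latency_ms=133
2024-03-01T00:45:00Z service=crm status=UP latency_ms=129
"""

# Assumed credit schedule: (availability floor in %, credit in % of monthly fee).
# Ordered from best to worst; the first floor the measured value meets applies.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


@dataclass
class Probe:
    at: datetime
    service: str
    up: bool


def parse_probe_log(text: str) -> list[Probe]:
    """Parse 'timestamp key=value ...' lines; only status=UP counts as available."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        probes.append(Probe(at, kv["service"], kv["status"] == "UP"))
    return probes


def availability_pct(probes: list[Probe]) -> float:
    """Share of probes that saw the service up, as a percentage."""
    if not probes:
        raise ValueError("no probes to measure")
    return 100.0 * sum(p.up for p in probes) / len(probes)


def downtime_minutes(probes: list[Probe], interval_minutes: int = 5) -> int:
    """Observed downtime, assuming each failed probe covers one interval."""
    return interval_minutes * sum(not p.up for p in probes)


def allowed_downtime_minutes(sla_pct: float, days: int = 30) -> float:
    """How much downtime an availability percentage permits over the period.

    99.9% over a 30-day month is about 43 minutes; this is the number a
    procurement team should compare against its own tolerance for outage.
    """
    return days * 24 * 60 * (100.0 - sla_pct) / 100.0


def service_credit_pct(availability: float, tiers=CREDIT_TIERS) -> int:
    """Map measured availability to the assumed credit schedule."""
    for floor, credit in tiers:
        if availability >= floor:
            return credit
    return tiers[-1][1]


def sla_report(log_text: str, sla_pct: float = 99.9) -> dict:
    """Summarise one measurement period against the SLA target."""
    probes = parse_probe_log(log_text)
    measured = availability_pct(probes)
    return {
        "probes": len(probes),
        "availability_pct": round(measured, 3),
        "downtime_minutes": downtime_minutes(probes),
        "sla_pct": sla_pct,
        "allowed_downtime_minutes": round(allowed_downtime_minutes(sla_pct), 1),
        "sla_met": measured >= sla_pct,
        "credit_pct": service_credit_pct(measured),
    }


if __name__ == "__main__":
    for key, value in sla_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of keeping the probe log on the customer's side is that the availability figure does not depend on the CSP's own status reporting, which is what makes the SLA measurable and a credit claim defensible.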