SlideShare une entreprise Scribd logo

Cloud computing: identifying and managing legal risks

C
Cloud Legal Project

Slides for talk by Prof Christopher Millard on "Cloud computing: identifying and managing legal risks" at Google's Oxford Internet Institute Learned Lunches, Brussel, February 2011

Technologie
1  sur  13
Télécharger pour lire hors ligne
Google / OII, Brussels 8 Feb 2011 Cloud computing Google / Oxford Internet Institute Brussels, 8 February 2011 Cloud computing: identifying and managing legal risks Professor Christopher Millard Queen Mary, University of London / c.millard@qmul.ac.uk Oxford Internet Institute / christopher.millard@oii.ox.ac.uk Some questions we will tackle today… •  Why is cloud computing such a hot topic? •  Is cloud computing ‘mature’ and is it ‘safe’? •  Who is responsible for data in clouds? •  What should you watch out for in ‘off the shelf’ cloud contracts? •  Can you negotiate custom deals for cloud computing? •  Whose laws apply if you have a cloud dispute? •  Can you control where your data are stored in clouds? •  What practical steps can be taken to manage cloud-related risks? •  And finally… “What’s the forecast?” Christopher Millard 1
Google / OII, Brussels 8 Feb 2011 Cloud computing But first… what is cloud computing? •  It usually involves the provision of scalable IT resources (data storage, application hosting, etc.) on demand, delivered via the Internet •  As many concepts and definitions as cloud vendors, consultants and researchers but a common starting point is often this Gartner definition: “A style of computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies” •  Prominent examples include: • Amazon Web Services • Gmail and GoogleApps • IBM Smart Business + CloudBurst (previously Blue Cloud) • Microsoft Hotmail + Office 365 + Windows Azure • Safesforce.com • AND …Facebook, Apple, PayPal and other cloud app platform providers Why is cloud computing such a hot topic? •  Various factors are transforming remote computing, including high-bandwidth low-cost connectivity, development of large server farms and enabling techniques such as virtualisation and sharding •  In the current economic climate, cloud computing may be attractive as a means of: •  achieving rapid outsourcing efficiencies •  cost reduction / converting capex to opex •  simplifying hardware and software maintenance •  smoothing fluctuations in demand levels •  delivering public sector services more efficiently, see eg.   In the UK - Digital Britain and the G-Cloud   In the US - apps.gov Christopher Millard 2
Google / OII, Brussels 8 Feb 2011 Cloud computing So, everyone must think cloud computing is great! “It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign” Richard Stallman (Founder of the Free Software Foundation) “If you believe the hype, cloud computing is the future. Hype aside, cloud computing is nothing new.” Bruce Schneier, writing in the Guardian, June 2009 “‘Cloud computing’ takes hold as 69% of all internet users have either stored data online or used a web-based software application” Pew Internet & American Life Project, September 2008 “The rise of the cloud is more than just another platform shift that gets geeks excited. It will undoubtedly transform the information technology industry, but it will also profoundly change the way people work and companies operate. It will allow digital technology to penetrate every nook and cranny of the economy and of society, creating some tricky political problems along the way.” The Economist, October 2008 Christopher Millard 3
Google / OII, Brussels 8 Feb 2011 Cloud computing Is cloud computing ‘mature’ and is it ‘safe’? •  Some vendors are major players with resilient service offerings backed by robust Service Level Agreements (SLAs) •  Cloud processes may be more secure than local processing, especially for SMEs and individuals (and, history suggests, some governments!) •  Plenty of cloud offerings are, however, provided by startups which may, or may not, prove to be reliable •  Many cloud services, both consumer and business, are launched while still in development and are often provided long-term on an “as is” basis remaining in ‘Beta’ for a very long time •  Many services, again both consumer and business, are wholly dependent on third-party owned / controlled infrastructure •  So … whether a particular cloud computing service arrangement is appropriate in a particular case will depend on many factors Some key concepts and terminology… •  Infrastructure as a Service (IaaS) = delivery of servers, software, storage, etc as a fully outsourced service, typically billed on a utility computing basis (eg. Amazon Web Services) •  Platform as a Service (PaaS) = web-based environment for developing applications (eg. Microsoft Azure or Force.com which provides a set of tools and applications for customising the Salesforce.com apps) •  Software as a Service (SaaS) (eg. Oracle CRM on demand) •  Storage as a Service (also SaaS!) = convenient way of storing / backing- up data online (eg. box.net) •  Virtualisation = many things but in this context mainly involves multiple “virtual machines” running on shared hardware via the Internet •  Private, Community, Public and Hybrid Clouds Christopher Millard 4
Google / OII, Brussels 8 Feb 2011 Cloud computing The public / private cloud mix… Do things actually go wrong? Christopher Millard 5
Google / OII, Brussels 8 Feb 2011 Cloud computing Do things actually go wrong? What happened? [Ma.gnolia founder] Halff informed users that a specialist had been unable to recover any data from the corrupted hard drive. “Unfortunately, database file recovery has been unsuccessful and I won’t be able to recover members’ bookmarks from the Ma.gnolia database,” he wrote. With the benefit of hindsight… •  It turns out that Ma.gnolia was pretty much a one-man operation, running on two Mac OS X servers and four Mac minis •  Don’t assume that online services have plenty of staff, lots of servers and secure backups. If it matters, take due diligence + contracts seriously Cloud services and data can indeed evaporate… On 2 March 2010, G.ho.st sent this email to its users: Dear Ghost User We hope you have been enjoying our free Ghost service. Regrettably changes in the marketplace mean that it is no longer economical for us to host the Ghost service and we will be closing down the service on or around March 15. We will instead be focusing on licensing or selling our technology to larger companies. We advise you to migrate ALL important folders, files and emails to another secure place before March 15. You might like to consider Google Docs or Microsoft SkyDrive for files and services such as Gmail or Yahoo! Mail for email. Some instructions for migrating data are included below. We are really sorry for any inconvenience this may cause you and are very grateful for the fantastic support we had from our community. Christopher Millard 6
Google / OII, Brussels 8 Feb 2011 Cloud computing Major cloud players have substantial infrastructure… •  Massive data centres are being built, often containing sealed shipping containers, themselves containing pre-configured servers: “The trucks back ’em in, rack ’em and stack ’em” (Ray Ozzie: Microsoft’s Chief Software Architect) •  Huge requirements for power / cooling / connectivity •  Google has patented a “water-based data center” - a system that includes “a floating platform-mounted computer data center comprising a plurality of computing units, a sea-based electrical generator in electrical connection with the plurality of computing units, and one or more sea-water cooling units for providing cooling to the plurality of computing units.” So, jus So just when we thought we had identified all the technical, commercial and legal risks associated with outsourcing and offshore data processing … …we have to tackle maritime law …and the risk of meeting real pirates on the high seas! Christopher Millard 7
Google / OII, Brussels 8 Feb 2011 Cloud computing “Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services”, Bradshaw, Millard & Walden (2010) •  Work began as a data gathering exercise to support analysis of specific legal issues relating to cloud computing •  It quickly became clear that examination and assessment of the terms and conditions would be a substantial exercise in its own right •  We reviewed 31 sets of standard T&Cs (defined broadly) •  An initial overview survey highlighted 20 main categories into which T&C elements fell •  Each set of T&C was then mapped against these categories •  During the detailed analysis further patterns emerged “Contracts for clouds” (continued) •  Hypothesis = that where significant variations exist between terms of service, differences would correlate significantly to: •  Type of service •  Target market •  Commercial and technological legacy (if any) of the provider •  Key findings include: •  The T&C for particular services could be predicted in advance to a significant extent based on the variables above •  The relative immaturity of the market for cloud computing services is reflected in contracts that are currently in widespread use which include many clauses that appear to be inappropriate and / or unenforceable and in some cases illegal •  Cloud infrastructure and services are often complex (often with multiple dependencies) and few contracts reflect this adequately Christopher Millard 8
Google / OII, Brussels 8 Feb 2011 Cloud computing ‘Off the shelf’ cloud computing arrangements •  Many cloud service providers use ‘click-wrap’ terms of business •  Such terms of business sometimes state, for example, that: •  the service provider has minimal, or even no, liability for loss or damage caused by failure of the cloud computing service •  subcontracting may be unrestricted •  the service may be modified or be discontinued without cause, without notice and without liability to users •  customers may have limited / no ability to recover data following termination of service •  Depending on the circumstances, the enforceability of some of these terms may be subject to challenge (!) Who is responsible for data in clouds? “...you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” Q. Will that be good enough? A. It depends what you are going to use the service for (and how) Christopher Millard 9
Google / OII, Brussels 8 Feb 2011 Cloud computing What about disclosure of your data to third parties? Would you feel more comfortable signing up to this… “The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.” … or this? “You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.” Whose laws apply if you have a cloud dispute? Choice  of  law  specified  by  cloud  provider…   Number  *   US  State:  California  (most  common),  Massachuse6s  (Akamai),   15   Washington  (Amazon),  Utah  (Decho),  Texas  (The  Planet)   English  law,  probably  because  service  provider  based  there   4   English  law,  for  customers  in  Europe  /  EMEA   4   Other  EU  jurisdicAons  (for  European  customers):  eg.  Ireland  (Apple),   2   Luxembourg  (some  MicrosoN  services)   ScoBsh  law  (Flexiant)   1   The  customer’s  local  law   2   No  choice  of  law  expressed  or  implied,  or  ambiguous  choice     3   (eg.  “UK  Law”  for  g.ho.st)   *  Number  in  each  category  is  out  of  31  contracts  analysed  by  QMUL  Cloud  Legal  Project   h?p://www.cloudlegal.ccls.qmul.ac.uk/   Christopher Millard 10
Google / OII, Brussels 8 Feb 2011 Cloud computing Can you control where your data are stored in clouds? •  It depends! •  Some service providers can’t, for technical reasons, or won’t, for commercial reasons, let you choose •  Other service providers are designing their clouds so as to offer customers a choice between ‘regions’ (eg. Amazon Web Services) •  Other service providers, if asked, say they currently store customer data by default in the customer’s local region (eg. Decho Mozy Inc) •  Geolocation may become a critical differentiator for customers concerned about where their data are stored (eg. because of disclosure risks associated with litigation or regulators) or subject to restrictions on data transfers (such as national rules based on Articles 25 + 26 of the DP Dir.) •  An amorphous cloud may not be appropriate for regulated data, eg. if you don’t know where the data will be processed and by whom Contracting in the clouds: custom deals •  Although not generally advertised, major cloud vendors with standard contracts are prepared to go off piste if a deal merits it •  One-off contracts are usually confidential but… •  A high-profile negotiated deal, for which extensive documentation has been published, is the CSC / Google / City of LA transaction. This includes provisions that appear to depart in significant ways from Google’s ‘standard’ position, including: “Google agrees to store and process Customer’s email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States.” (cl. 1.7) Christopher Millard 11
Google / OII, Brussels 8 Feb 2011 Cloud computing Practical tips for managing cloud-related risks… •  Read the contract! (inc. TOS, T&C, SLA, Privacy Policy, AUP, etc) •  Consider due diligence questions like these… •  Is the infrastructure multi-layered and, if so, in what way? •  Where will your data be processed (inc. storage / replication)? •  Who is running the critical infrastructure (and from where)? •  How easily can third parties get access to your data? •  What happens if your cloud provider / their provider goes bust? •  How easily could you move your data to another cloud service (or back to your own systems) and how long would it take? •  How confident are you that you could regain control of your data without leaving behind copies and / or key metadata? Forecast: cloudy and changeable… but bright! •  Putting data / processes into clouds may save money and facilitate risk management but it may also have unintended adverse effects •  Physical location can remain highly significant in virtual environments and legal / regulatory obligations certainly don’t end when data are handed over to one or more cloud service providers •  Some cloud service providers are much more sophisticated than others in terms of security (eg. encryption options) and facilitating compliance (eg. providing commitments regarding data location, if required, and support for audit, mandatory disclosure processes, etc) •  Risks of compelled disclosure and other external disruptions are real – eg. SWIFT and now Wikileaks (involving Amazon / PayPal / Twitter / etc) •  It may take some time and effort to get regulators (privacy and others) comfortable with specific cloud arrangements •  Cloud contracts may evolve rapidly in response to competitive positioning, customer demands and interventions by regulators and courts Christopher Millard 12
Google / OII, Brussels 8 Feb 2011 Cloud computing Thanks for listening! Any questions… ‘Contracts for Clouds’ is at: http://ssrn.com/abstract=1662374 http://www.cloudlegal.ccls.qmul.ac.uk/ Google / Oxford Internet Institute Brussels, 8 February 2011 Cloud computing: identifying and managing legal risks Professor Christopher Millard Queen Mary, University of London / c.millard@qmul.ac.uk Oxford Internet Institute / christopher.millard@oii.ox.ac.uk Christopher Millard 13

Recommandé

Cloud Computing Contracts and Services: What's Really Happening Out There? T...
Cloud Computing Contracts and Services: What's Really Happening Out There? T...Cloud Computing Contracts and Services: What's Really Happening Out There? T...
Cloud Computing Contracts and Services: What's Really Happening Out There? T...Cloud Legal Project
 
Data Protection Jurisdiction and International Transfers in Cloud Computing
Data Protection Jurisdiction and International Transfers in Cloud ComputingData Protection Jurisdiction and International Transfers in Cloud Computing
Data Protection Jurisdiction and International Transfers in Cloud ComputingCloud Legal Project
 
Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Computing Contracts and Services: What’s Really Happening Out There?Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Computing Contracts and Services: What’s Really Happening Out There?Cloud Legal Project
 
Cloud computing: opportunities and risks
Cloud computing: opportunities and risksCloud computing: opportunities and risks
Cloud computing: opportunities and risksCloud Legal Project
 
Information ownership in the cloud
Information ownership in the cloudInformation ownership in the cloud
Information ownership in the cloudCloud Legal Project
 
Cloud computing 102711 - ccap
Cloud computing 102711 - ccapCloud computing 102711 - ccap
Cloud computing 102711 - ccapWilliam Mann
 
About Cloud Computing
About Cloud ComputingAbout Cloud Computing
About Cloud ComputingNaman Talati
 
Cloud Computing Technology_Usman
Cloud Computing Technology_UsmanCloud Computing Technology_Usman
Cloud Computing Technology_UsmanUsman Sait
 

Recommandé

Cloud Computing Contracts and Services: What's Really Happening Out There? T...
Cloud Computing Contracts and Services: What's Really Happening Out There? T...Cloud Computing Contracts and Services: What's Really Happening Out There? T...
Cloud Computing Contracts and Services: What's Really Happening Out There? T...Cloud Legal Project
 
Data Protection Jurisdiction and International Transfers in Cloud Computing
Data Protection Jurisdiction and International Transfers in Cloud ComputingData Protection Jurisdiction and International Transfers in Cloud Computing
Data Protection Jurisdiction and International Transfers in Cloud ComputingCloud Legal Project
 
Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Computing Contracts and Services: What’s Really Happening Out There?Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Computing Contracts and Services: What’s Really Happening Out There?Cloud Legal Project
 
Cloud computing: opportunities and risks
Cloud computing: opportunities and risksCloud computing: opportunities and risks
Cloud computing: opportunities and risksCloud Legal Project
 
Information ownership in the cloud
Information ownership in the cloudInformation ownership in the cloud
Information ownership in the cloudCloud Legal Project
 
Cloud computing 102711 - ccap
Cloud computing 102711 - ccapCloud computing 102711 - ccap
Cloud computing 102711 - ccapWilliam Mann
 
About Cloud Computing
About Cloud ComputingAbout Cloud Computing
About Cloud ComputingNaman Talati
 
Cloud Computing Technology_Usman
Cloud Computing Technology_UsmanCloud Computing Technology_Usman
Cloud Computing Technology_UsmanUsman Sait
 
Demystifying the cloud
Demystifying the cloudDemystifying the cloud
Demystifying the cloudDean Bonehill ♠Technology for Business♠
 
Accenture 6 questions_executives_should_ask_about_cloud_computing
Accenture 6 questions_executives_should_ask_about_cloud_computingAccenture 6 questions_executives_should_ask_about_cloud_computing
Accenture 6 questions_executives_should_ask_about_cloud_computingNgy Ea
 
Cloud computing jason lannen_4-28-10
Cloud computing jason lannen_4-28-10Cloud computing jason lannen_4-28-10
Cloud computing jason lannen_4-28-10Ngy Ea
 
Cloud computing.pptx
Cloud computing.pptxCloud computing.pptx
Cloud computing.pptxProfRajivKumarShobhi
 
F ernando sousa ibm_from hype to realiity
F ernando sousa ibm_from hype to realiityF ernando sousa ibm_from hype to realiity
F ernando sousa ibm_from hype to realiityEuroCloud
 
Briefing 47
Briefing 47Briefing 47
Briefing 47Srinivas Reddy Manda
 
Cloud computing and libraries sndt
Cloud computing and libraries sndtCloud computing and libraries sndt
Cloud computing and libraries sndtVishwas Taralekar
 
Cloud computing
Cloud computingCloud computing
Cloud computingKshitij Mittal
 
29896059 ppt-on-cloud-computing
29896059 ppt-on-cloud-computing29896059 ppt-on-cloud-computing
29896059 ppt-on-cloud-computingabbu03oct
 
Cloud Computing for Universities Graduation Project
Cloud Computing for Universities Graduation ProjectCloud Computing for Universities Graduation Project
Cloud Computing for Universities Graduation ProjectMohamed Shorbagy
 
Cloud Computing & ITSM - For Better of for Worse?
Cloud Computing & ITSM - For Better of for Worse?Cloud Computing & ITSM - For Better of for Worse?
Cloud Computing & ITSM - For Better of for Worse?ITpreneurs
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameJanine Anthony Bowen, Esq.
 
BEN Event - Guijarro
BEN Event - GuijarroBEN Event - Guijarro
BEN Event - GuijarroBath & Bristol Enterprise Network
 
Collaboration In The Cloud Presentation
Collaboration In The Cloud PresentationCollaboration In The Cloud Presentation
Collaboration In The Cloud PresentationPatrick Huang
 
Cloud computing..
Cloud computing..Cloud computing..
Cloud computing..manoj kumar
 
Cloud Computing Myth Busters - Know the Cloud
Cloud Computing Myth Busters - Know the CloudCloud Computing Myth Busters - Know the Cloud
Cloud Computing Myth Busters - Know the CloudMicrosoft Private Cloud
 
The Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingThe Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingMike Tase
 
Introduction to cloud computing
Introduction to cloud computingIntroduction to cloud computing
Introduction to cloud computingvishnu varunan
 
Cloud computing 1
Cloud computing 1Cloud computing 1
Cloud computing 1Sagar Kumar
 
Privacy Issues In Cloud Computing
Privacy Issues In Cloud ComputingPrivacy Issues In Cloud Computing
Privacy Issues In Cloud Computingiosrjce
 
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...InnoTech
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud ComputingSamit Kumar Kapat
 

Contenu connexe

Tendances

Accenture 6 questions_executives_should_ask_about_cloud_computing
Accenture 6 questions_executives_should_ask_about_cloud_computingAccenture 6 questions_executives_should_ask_about_cloud_computing
Accenture 6 questions_executives_should_ask_about_cloud_computingNgy Ea
 
Cloud computing jason lannen_4-28-10
Cloud computing jason lannen_4-28-10Cloud computing jason lannen_4-28-10
Cloud computing jason lannen_4-28-10Ngy Ea
 
F ernando sousa ibm_from hype to realiity
F ernando sousa ibm_from hype to realiityF ernando sousa ibm_from hype to realiity
F ernando sousa ibm_from hype to realiityEuroCloud
 
Cloud computing and libraries sndt
Cloud computing and libraries sndtCloud computing and libraries sndt
Cloud computing and libraries sndtVishwas Taralekar
 
29896059 ppt-on-cloud-computing
29896059 ppt-on-cloud-computing29896059 ppt-on-cloud-computing
29896059 ppt-on-cloud-computingabbu03oct
 
Cloud Computing for Universities Graduation Project
Cloud Computing for Universities Graduation ProjectCloud Computing for Universities Graduation Project
Cloud Computing for Universities Graduation ProjectMohamed Shorbagy
 
Cloud Computing & ITSM - For Better of for Worse?
Cloud Computing & ITSM - For Better of for Worse?Cloud Computing & ITSM - For Better of for Worse?
Cloud Computing & ITSM - For Better of for Worse?ITpreneurs
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameJanine Anthony Bowen, Esq.
 
Collaboration In The Cloud Presentation
Collaboration In The Cloud PresentationCollaboration In The Cloud Presentation
Collaboration In The Cloud PresentationPatrick Huang
 
Cloud computing..
Cloud computing..Cloud computing..
Cloud computing..manoj kumar
 
Cloud Computing Myth Busters - Know the Cloud
Cloud Computing Myth Busters - Know the CloudCloud Computing Myth Busters - Know the Cloud
Cloud Computing Myth Busters - Know the CloudMicrosoft Private Cloud
 
The Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingThe Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingMike Tase
 
Introduction to cloud computing
Introduction to cloud computingIntroduction to cloud computing
Introduction to cloud computingvishnu varunan
 
Cloud computing 1
Cloud computing 1Cloud computing 1
Cloud computing 1Sagar Kumar
 
Privacy Issues In Cloud Computing
Privacy Issues In Cloud ComputingPrivacy Issues In Cloud Computing
Privacy Issues In Cloud Computingiosrjce
 

Tendances (20)

Demystifying the cloud
Demystifying the cloudDemystifying the cloud
Demystifying the cloud
 
Accenture 6 questions_executives_should_ask_about_cloud_computing
Accenture 6 questions_executives_should_ask_about_cloud_computingAccenture 6 questions_executives_should_ask_about_cloud_computing
Accenture 6 questions_executives_should_ask_about_cloud_computing
 
Cloud computing jason lannen_4-28-10
Cloud computing jason lannen_4-28-10Cloud computing jason lannen_4-28-10
Cloud computing jason lannen_4-28-10
 
Cloud computing.pptx
Cloud computing.pptxCloud computing.pptx
Cloud computing.pptx
 
F ernando sousa ibm_from hype to realiity
F ernando sousa ibm_from hype to realiityF ernando sousa ibm_from hype to realiity
F ernando sousa ibm_from hype to realiity
 
Briefing 47
Briefing 47Briefing 47
Briefing 47
 
Cloud computing and libraries sndt
Cloud computing and libraries sndtCloud computing and libraries sndt
Cloud computing and libraries sndt
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
29896059 ppt-on-cloud-computing
29896059 ppt-on-cloud-computing29896059 ppt-on-cloud-computing
29896059 ppt-on-cloud-computing
 
Cloud Computing for Universities Graduation Project
Cloud Computing for Universities Graduation ProjectCloud Computing for Universities Graduation Project
Cloud Computing for Universities Graduation Project
 
Cloud Computing & ITSM - For Better of for Worse?
Cloud Computing & ITSM - For Better of for Worse?Cloud Computing & ITSM - For Better of for Worse?
Cloud Computing & ITSM - For Better of for Worse?
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the Game
 
BEN Event - Guijarro
BEN Event - GuijarroBEN Event - Guijarro
BEN Event - Guijarro
 
Collaboration In The Cloud Presentation
Collaboration In The Cloud PresentationCollaboration In The Cloud Presentation
Collaboration In The Cloud Presentation
 
Cloud computing..
Cloud computing..Cloud computing..
Cloud computing..
 
Cloud Computing Myth Busters - Know the Cloud
Cloud Computing Myth Busters - Know the CloudCloud Computing Myth Busters - Know the Cloud
Cloud Computing Myth Busters - Know the Cloud
 
The Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingThe Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud Computing
 
Introduction to cloud computing
Introduction to cloud computingIntroduction to cloud computing
Introduction to cloud computing
 
Cloud computing 1
Cloud computing 1Cloud computing 1
Cloud computing 1
 
Privacy Issues In Cloud Computing
Privacy Issues In Cloud ComputingPrivacy Issues In Cloud Computing
Privacy Issues In Cloud Computing
 

Similaire à Cloud computing: identifying and managing legal risks

The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...InnoTech
 
Trends in recent technology
Trends in recent technologyTrends in recent technology
Trends in recent technologysai krishna
 
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New... The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New...InnoTech
 
Moving enterprise IT to the cloud
Moving enterprise IT to the cloudMoving enterprise IT to the cloud
Moving enterprise IT to the cloudJan Wiersma
 
Cloud for beginners
Cloud for beginnersCloud for beginners
Cloud for beginnersQwikSkills .
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computingHossam Zein
 
Tech equity - Cloud presentation
Tech equity - Cloud presentationTech equity - Cloud presentation
Tech equity - Cloud presentationAdrian Hall
 
What is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete GuideWhat is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete GuideMarianne Harness
 
Enabling Cloud Computing
Enabling Cloud ComputingEnabling Cloud Computing
Enabling Cloud Computingtntsa1972
 
Cloud Computing Michael Davis 2008 Aug17
Cloud Computing Michael Davis 2008 Aug17Cloud Computing Michael Davis 2008 Aug17
Cloud Computing Michael Davis 2008 Aug17MJD Management Group
 
What is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete GuideWhat is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete GuideAlaina Carter
 
International journal of computer science and innovation vol 2015-n2-paper2
International journal of computer science and innovation vol 2015-n2-paper2International journal of computer science and innovation vol 2015-n2-paper2
International journal of computer science and innovation vol 2015-n2-paper2sophiabelthome
 
History of Cloud Computing.pptx
History of Cloud Computing.pptxHistory of Cloud Computing.pptx
History of Cloud Computing.pptxvarshaJujare1
 
Cloud computing assignment
Cloud computing assignmentCloud computing assignment
Cloud computing assignmentACCA Global
 
Teja pp matter
Teja pp matterTeja pp matter
Teja pp matter9505567198
 

Similaire à Cloud computing: identifying and managing legal risks (20)

The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New ...
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Trends in recent technology
Trends in recent technologyTrends in recent technology
Trends in recent technology
 
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New... The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New...
The Future Paradigm Shifts of the Cloud and Big Data: Security Impacts & New...
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Moving enterprise IT to the cloud
Moving enterprise IT to the cloudMoving enterprise IT to the cloud
Moving enterprise IT to the cloud
 
Cloud for beginners
Cloud for beginnersCloud for beginners
Cloud for beginners
 
Cloud Computing Essays
Cloud Computing EssaysCloud Computing Essays
Cloud Computing Essays
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computing
 
Tech equity - Cloud presentation
Tech equity - Cloud presentationTech equity - Cloud presentation
Tech equity - Cloud presentation
 
What is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete GuideWhat is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete Guide
 
Enabling Cloud Computing
Enabling Cloud ComputingEnabling Cloud Computing
Enabling Cloud Computing
 
Cloud Computing Michael Davis 2008 Aug17
Cloud Computing Michael Davis 2008 Aug17Cloud Computing Michael Davis 2008 Aug17
Cloud Computing Michael Davis 2008 Aug17
 
What is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete GuideWhat is Cloud Computing? A Complete Guide
What is Cloud Computing? A Complete Guide
 
International journal of computer science and innovation vol 2015-n2-paper2
International journal of computer science and innovation vol 2015-n2-paper2International journal of computer science and innovation vol 2015-n2-paper2
International journal of computer science and innovation vol 2015-n2-paper2
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
History of Cloud Computing.pptx
History of Cloud Computing.pptxHistory of Cloud Computing.pptx
History of Cloud Computing.pptx
 
Cloud computing assignment
Cloud computing assignmentCloud computing assignment
Cloud computing assignment
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Teja pp matter
Teja pp matterTeja pp matter
Teja pp matter
 

Dernier

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Dernier (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Cloud computing: identifying and managing legal risks

  • 1. Google / OII, Brussels 8 Feb 2011 Cloud computing Google / Oxford Internet Institute Brussels, 8 February 2011 Cloud computing: identifying and managing legal risks Professor Christopher Millard Queen Mary, University of London / c.millard@qmul.ac.uk Oxford Internet Institute / christopher.millard@oii.ox.ac.uk Some questions we will tackle today… •  Why is cloud computing such a hot topic? •  Is cloud computing ‘mature’ and is it ‘safe’? •  Who is responsible for data in clouds? •  What should you watch out for in ‘off the shelf’ cloud contracts? •  Can you negotiate custom deals for cloud computing? •  Whose laws apply if you have a cloud dispute? •  Can you control where your data are stored in clouds? •  What practical steps can be taken to manage cloud-related risks? •  And finally… “What’s the forecast?” Christopher Millard 1
  • 2. Google / OII, Brussels 8 Feb 2011 Cloud computing But first… what is cloud computing? •  It usually involves the provision of scalable IT resources (data storage, application hosting, etc.) on demand, delivered via the Internet •  As many concepts and definitions as cloud vendors, consultants and researchers but a common starting point is often this Gartner definition: “A style of computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies” •  Prominent examples include: • Amazon Web Services • Gmail and GoogleApps • IBM Smart Business + CloudBurst (previously Blue Cloud) • Microsoft Hotmail + Office 365 + Windows Azure • Safesforce.com • AND …Facebook, Apple, PayPal and other cloud app platform providers Why is cloud computing such a hot topic? •  Various factors are transforming remote computing, including high-bandwidth low-cost connectivity, development of large server farms and enabling techniques such as virtualisation and sharding •  In the current economic climate, cloud computing may be attractive as a means of: •  achieving rapid outsourcing efficiencies •  cost reduction / converting capex to opex •  simplifying hardware and software maintenance •  smoothing fluctuations in demand levels •  delivering public sector services more efficiently, see eg.   In the UK - Digital Britain and the G-Cloud   In the US - apps.gov Christopher Millard 2
  • 3. Google / OII, Brussels 8 Feb 2011 Cloud computing So, everyone must think cloud computing is great! “It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign” Richard Stallman (Founder of the Free Software Foundation) “If you believe the hype, cloud computing is the future. Hype aside, cloud computing is nothing new.” Bruce Schneier, writing in the Guardian, June 2009 “‘Cloud computing’ takes hold as 69% of all internet users have either stored data online or used a web-based software application” Pew Internet & American Life Project, September 2008 “The rise of the cloud is more than just another platform shift that gets geeks excited. It will undoubtedly transform the information technology industry, but it will also profoundly change the way people work and companies operate. It will allow digital technology to penetrate every nook and cranny of the economy and of society, creating some tricky political problems along the way.” The Economist, October 2008 Christopher Millard 3
  • 4. Google / OII, Brussels 8 Feb 2011 Cloud computing Is cloud computing ‘mature’ and is it ‘safe’? •  Some vendors are major players with resilient service offerings backed by robust Service Level Agreements (SLAs) •  Cloud processes may be more secure than local processing, especially for SMEs and individuals (and, history suggests, some governments!) •  Plenty of cloud offerings are, however, provided by startups which may, or may not, prove to be reliable •  Many cloud services, both consumer and business, are launched while still in development and are often provided long-term on an “as is” basis remaining in ‘Beta’ for a very long time •  Many services, again both consumer and business, are wholly dependent on third-party owned / controlled infrastructure •  So … whether a particular cloud computing service arrangement is appropriate in a particular case will depend on many factors Some key concepts and terminology… •  Infrastructure as a Service (IaaS) = delivery of servers, software, storage, etc as a fully outsourced service, typically billed on a utility computing basis (eg. Amazon Web Services) •  Platform as a Service (PaaS) = web-based environment for developing applications (eg. Microsoft Azure or Force.com which provides a set of tools and applications for customising the Salesforce.com apps) •  Software as a Service (SaaS) (eg. Oracle CRM on demand) •  Storage as a Service (also SaaS!) = convenient way of storing / backing- up data online (eg. box.net) •  Virtualisation = many things but in this context mainly involves multiple “virtual machines” running on shared hardware via the Internet •  Private, Community, Public and Hybrid Clouds Christopher Millard 4
  • 5. Google / OII, Brussels 8 Feb 2011 Cloud computing The public / private cloud mix… Do things actually go wrong? Christopher Millard 5
  • 6. Google / OII, Brussels 8 Feb 2011 Cloud computing Do things actually go wrong? What happened? [Ma.gnolia founder] Halff informed users that a specialist had been unable to recover any data from the corrupted hard drive. “Unfortunately, database file recovery has been unsuccessful and I won’t be able to recover members’ bookmarks from the Ma.gnolia database,” he wrote. With the benefit of hindsight… •  It turns out that Ma.gnolia was pretty much a one-man operation, running on two Mac OS X servers and four Mac minis •  Don’t assume that online services have plenty of staff, lots of servers and secure backups. If it matters, take due diligence + contracts seriously Cloud services and data can indeed evaporate… On 2 March 2010, G.ho.st sent this email to its users: Dear Ghost User We hope you have been enjoying our free Ghost service. Regrettably changes in the marketplace mean that it is no longer economical for us to host the Ghost service and we will be closing down the service on or around March 15. We will instead be focusing on licensing or selling our technology to larger companies. We advise you to migrate ALL important folders, files and emails to another secure place before March 15. You might like to consider Google Docs or Microsoft SkyDrive for files and services such as Gmail or Yahoo! Mail for email. Some instructions for migrating data are included below. We are really sorry for any inconvenience this may cause you and are very grateful for the fantastic support we had from our community. Christopher Millard 6
  • 7. Google / OII, Brussels 8 Feb 2011 Cloud computing Major cloud players have substantial infrastructure… •  Massive data centres are being built, often containing sealed shipping containers, themselves containing pre-configured servers: “The trucks back ’em in, rack ’em and stack ’em” (Ray Ozzie: Microsoft’s Chief Software Architect) •  Huge requirements for power / cooling / connectivity •  Google has patented a “water-based data center” - a system that includes “a floating platform-mounted computer data center comprising a plurality of computing units, a sea-based electrical generator in electrical connection with the plurality of computing units, and one or more sea-water cooling units for providing cooling to the plurality of computing units.” So, jus So just when we thought we had identified all the technical, commercial and legal risks associated with outsourcing and offshore data processing … …we have to tackle maritime law …and the risk of meeting real pirates on the high seas! Christopher Millard 7
  • 8. Google / OII, Brussels 8 Feb 2011 Cloud computing “Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services”, Bradshaw, Millard & Walden (2010) •  Work began as a data gathering exercise to support analysis of specific legal issues relating to cloud computing •  It quickly became clear that examination and assessment of the terms and conditions would be a substantial exercise in its own right •  We reviewed 31 sets of standard T&Cs (defined broadly) •  An initial overview survey highlighted 20 main categories into which T&C elements fell •  Each set of T&C was then mapped against these categories •  During the detailed analysis further patterns emerged “Contracts for clouds” (continued) •  Hypothesis = that where significant variations exist between terms of service, differences would correlate significantly to: •  Type of service •  Target market •  Commercial and technological legacy (if any) of the provider •  Key findings include: •  The T&C for particular services could be predicted in advance to a significant extent based on the variables above •  The relative immaturity of the market for cloud computing services is reflected in contracts that are currently in widespread use which include many clauses that appear to be inappropriate and / or unenforceable and in some cases illegal •  Cloud infrastructure and services are often complex (often with multiple dependencies) and few contracts reflect this adequately Christopher Millard 8
  • 9. Google / OII, Brussels 8 Feb 2011 Cloud computing ‘Off the shelf’ cloud computing arrangements •  Many cloud service providers use ‘click-wrap’ terms of business •  Such terms of business sometimes state, for example, that: •  the service provider has minimal, or even no, liability for loss or damage caused by failure of the cloud computing service •  subcontracting may be unrestricted •  the service may be modified or be discontinued without cause, without notice and without liability to users •  customers may have limited / no ability to recover data following termination of service •  Depending on the circumstances, the enforceability of some of these terms may be subject to challenge (!) Who is responsible for data in clouds? “...you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” Q. Will that be good enough? A. It depends what you are going to use the service for (and how) Christopher Millard 9
  • 10. Google / OII, Brussels 8 Feb 2011 Cloud computing What about disclosure of your data to third parties? Would you feel more comfortable signing up to this… “The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.” … or this? “You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.” Whose laws apply if you have a cloud dispute? Choice  of  law  specified  by  cloud  provider…   Number  *   US  State:  California  (most  common),  Massachuse6s  (Akamai),   15   Washington  (Amazon),  Utah  (Decho),  Texas  (The  Planet)   English  law,  probably  because  service  provider  based  there   4   English  law,  for  customers  in  Europe  /  EMEA   4   Other  EU  jurisdicAons  (for  European  customers):  eg.  Ireland  (Apple),   2   Luxembourg  (some  MicrosoN  services)   ScoBsh  law  (Flexiant)   1   The  customer’s  local  law   2   No  choice  of  law  expressed  or  implied,  or  ambiguous  choice     3   (eg.  “UK  Law”  for  g.ho.st)   *  Number  in  each  category  is  out  of  31  contracts  analysed  by  QMUL  Cloud  Legal  Project   h?p://www.cloudlegal.ccls.qmul.ac.uk/   Christopher Millard 10
  • 11. Google / OII, Brussels 8 Feb 2011 Cloud computing Can you control where your data are stored in clouds? •  It depends! •  Some service providers can’t, for technical reasons, or won’t, for commercial reasons, let you choose •  Other service providers are designing their clouds so as to offer customers a choice between ‘regions’ (eg. Amazon Web Services) •  Other service providers, if asked, say they currently store customer data by default in the customer’s local region (eg. Decho Mozy Inc) •  Geolocation may become a critical differentiator for customers concerned about where their data are stored (eg. because of disclosure risks associated with litigation or regulators) or subject to restrictions on data transfers (such as national rules based on Articles 25 + 26 of the DP Dir.) •  An amorphous cloud may not be appropriate for regulated data, eg. if you don’t know where the data will be processed and by whom Contracting in the clouds: custom deals •  Although not generally advertised, major cloud vendors with standard contracts are prepared to go off piste if a deal merits it •  One-off contracts are usually confidential but… •  A high-profile negotiated deal, for which extensive documentation has been published, is the CSC / Google / City of LA transaction. This includes provisions that appear to depart in significant ways from Google’s ‘standard’ position, including: “Google agrees to store and process Customer’s email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States.” (cl. 1.7) Christopher Millard 11
  • 12. Google / OII, Brussels 8 Feb 2011 Cloud computing Practical tips for managing cloud-related risks… •  Read the contract! (inc. TOS, T&C, SLA, Privacy Policy, AUP, etc) •  Consider due diligence questions like these… •  Is the infrastructure multi-layered and, if so, in what way? •  Where will your data be processed (inc. storage / replication)? •  Who is running the critical infrastructure (and from where)? •  How easily can third parties get access to your data? •  What happens if your cloud provider / their provider goes bust? •  How easily could you move your data to another cloud service (or back to your own systems) and how long would it take? •  How confident are you that you could regain control of your data without leaving behind copies and / or key metadata? Forecast: cloudy and changeable… but bright! •  Putting data / processes into clouds may save money and facilitate risk management but it may also have unintended adverse effects •  Physical location can remain highly significant in virtual environments and legal / regulatory obligations certainly don’t end when data are handed over to one or more cloud service providers •  Some cloud service providers are much more sophisticated than others in terms of security (eg. encryption options) and facilitating compliance (eg. providing commitments regarding data location, if required, and support for audit, mandatory disclosure processes, etc) •  Risks of compelled disclosure and other external disruptions are real – eg. SWIFT and now Wikileaks (involving Amazon / PayPal / Twitter / etc) •  It may take some time and effort to get regulators (privacy and others) comfortable with specific cloud arrangements •  Cloud contracts may evolve rapidly in response to competitive positioning, customer demands and interventions by regulators and courts Christopher Millard 12
  • 13. Google / OII, Brussels 8 Feb 2011 Cloud computing Thanks for listening! Any questions… ‘Contracts for Clouds’ is at: http://ssrn.com/abstract=1662374 http://www.cloudlegal.ccls.qmul.ac.uk/ Google / Oxford Internet Institute Brussels, 8 February 2011 Cloud computing: identifying and managing legal risks Professor Christopher Millard Queen Mary, University of London / c.millard@qmul.ac.uk Oxford Internet Institute / christopher.millard@oii.ox.ac.uk Christopher Millard 13