An Introduction to the Technology and Ethics of Cloud Computing

Jack Newton, Co-founder and President, Themis Solutions Inc. (Clio)

Posted on 17-Dec-2015 (slide transcript)

what is software-as-a-service?

traditional computing model (diagram: The Internet / Local Area Network)

cloud computing model (diagram: The Internet / Local Area Network)

traditional software distribution (diagram)

cloud computing distribution (diagram)

why software-as-a-service?

freedom

available from any device

security

terminology

• Secure Sockets Layer (SSL): industry standard protocol for securing Internet communications

• Banks, e-commerce sites (Amazon.com, etc.) all use SSL for secure communications

without ssl (diagram: Your Computer ↔ Your Bank’s Server, exchanging “Please give me my bank account balance” and “$2,031.34” in the clear)

Information exchanged is insecure

with ssl (diagram: Your Computer ↔ Your Bank’s Server, the same exchange shown as unreadable bits)

Information exchanged is encrypted for security

verifying ssl connections

A sealed lock icon indicates a secure connection

Firefox: (screenshot)

Internet Explorer: (screenshot)

Safari: (screenshot)

server security

Are third-party audits being performed?


privacy


• Does the SaaS provider have a published privacy policy?

• Need to ensure you own your data

• The private client information stored with your SaaS provider cannot be used for any other purposes

facebook privacy policy

“You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings.

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”

How is sensitive information being handled?

TRUSTe

“TRUSTe’s program requirements are based upon the Fair Information Principles and OECD Guidelines around notice, choice, access, security, and redress - the core foundations of privacy and building trust. Sealholders are required to undergo a rigorous review process to assess the accuracy of privacy disclosures and compliance with TRUSTe’s requirements in order to obtain certification.”

data availability

internal backup policies

• How many times per day is data backed up?

• Is data backed up to multiple offsite locations?

external backup provisions

• Can you perform an export of your data?

Comma Separated Values (CSV)

Extensible Markup Language (XML)

Microsoft Excel (XLS)

business continuity

What if the SaaS provider goes out of business?

option 1: data export

Cross your fingers and hope you’re up to date…

Comma Separated Values (CSV)

Extensible Markup Language (XML)

Microsoft Excel (XLS)

newton’s first law of backups:

If it isn’t automated you’ll forget to do it

option 2: data escrow (diagram: saas provider, escrow provider, saas user)

terms of service / service level agreement

terms of service

• ToS: outlines the conditions under which you agree to use the service

• Ensure you’ve reviewed and accepted your provider’s terms of service

service level agreement

• SLA: outlines guaranteed uptime percentages, e.g. 99.9%

• Usually provides for some kind of compensation if downtime exceeds the SLA guarantee

geography

data geography

• Where is data stored?

• Are there provisions preventing data export?

total cost of ownership

total cost of ownership (TCO): assessment of both direct and indirect costs associated with software and hardware solutions

traditional desktop software tco (diagram of cost components):

annual software renewal

original software purchase

technical support contract

networking / virtual private network

original hardware purchase

backups / data redundancy

saas tco (diagram)

google apps vs. exchange cost comparison

• Discovered the business community is largely unaware of the costs of running an e-mail account

• Many companies surveyed gave guesses from $2 to $11 per user, although a detailed accounting showed that the costs were often several times that


ethics of cloud computing

North Carolina Ethics Inquiry

• First ethics opinion in North America specifically focused on use of cloud computing in a law firm

• Hot off the presses – committee met April 15th

North Carolina Ethics Inquiry

Is it within the Rules of Professional Conduct for an attorney/law firm to use online ("cloud computing") practice management programs (e.g., the Clio program) as part of the practice of law? These are instances where the software program is accessed online with a password and is not software installed on a computer within the firm's office.

North Carolina Proposed Formal Ethics Opinion

Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.


North Carolina Proposed Formal Ethics Opinion

Although a lawyer has a professional obligation to protect confidential information from unauthorized disclosure, the Ethics Committee has long held that this duty does not compel any particular mode of handling confidential information nor does it prohibit the employment of vendors whose services may involve the handling of documents or data containing client information. See RPC 133 (no requirement that firm’s waste paper be shredded if lawyer ascertains that persons or entities responsible for the disposal employ procedures that effectively minimize the risk that confidential information may be disclosed). Moreover, the committee has held that, while the duty of confidentiality extends to the use of technology to communicate, “this obligation does not require that a lawyer use only infallibly secure methods of communication.” RPC 215. Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential communications and the lawyer must advise affected parties if there is reason to believe that the chosen communications technology presents an unreasonable risk to confidentiality.

www.goclio.com | jack@goclio.com | twitter: @goclio