Date post: 06-Aug-2020
The Enterprise View of the Cloud Gary Audin [email protected] 703-908-0965

Speaker Background

• Communications and security consultant for 36 years

• Speaker at Enterprise Connect, ITExpo and 100s of user conferences

• Article and blog sites:

o www.nojitter.com
o www.webtorials.com
o www.telecomreseller.com
o www.networkworld.com
o www.acuta.org
o www.searchunifiedcommunications.com

© Delphi, Inc. 2014

Cloud Cycle

What Lawyers Tell Lawyers

• “Reasonable care requires a lawyer, at a minimum, to ensure that the service provider has an obligation to keep data confidential. The lawyer is duty bound to investigate whether or not the provider has adequate security in place (including technology in place to thwart hackers), has the ability to erase data when needed, can shift data to a different provider if necessary. A lawyer is further required to obtain the provider’s agreement to notify the lawyer if a subpoena is served seeking access to a data stored with the provider. The committee also added that a lawyer should from time to time reconfirm that the provider meets the applicable requirements in light of technological advancements. Additionally, a lawyer needs to monitor legal developments to ensure that a given use of cloud computing resources does not compromise the client’s privilege as the law evolves.”

• Source: “N.Y. Bar Association Provides Opinion on ‘Cloud Computing’” by Phillip D. Robben http://westlawnews.thomson.com/nationallit/Blog/ViewBlog.aspx?id=7354&blogid=1316&terms=%40ContentID64+%3E+0.

Where is the Demarc?

• The demarcation point is extremely important.

• The cloud service contract may only cover the provider’s site.

• The access network, most likely the Internet, will probably not be included.

• Does the cloud service provide any software that must run at the consumer locations? Will this be covered by the contract?

Search Warrants and Data Subpoenaed

• The service provider must notify the consumer if the provider receives a search warrant or subpoena for information.

• What if the consumer’s data is stored on the same systems as other customers?

• What if the data was stored on one of the servers or you had co-located equipment at one of these sites? You could be out of business through no fault of your own.

Security - Notorious Nine

• Data breaches

• Data loss

• Account or service traffic hijacking

• Insecure interfaces and APIs

• Denial of service

• Malicious insiders

• Abuse of cloud services

• Insufficient due diligence

• Shared technology vulnerabilities

• Source: Cloud Security Alliance

• https://cloudsecurityalliance.org/download/the-notorious-nine-cloud-computing-top-threats-in-2013/

E-Discovery

• The Federal Rules of Civil Procedure (http://www.uscourts.gov/uscourts/RulesAndPolicies/rules/2010%20Rules/Civil%20Procedure.pdf) require an organization to be able to produce electronically stored information (ESI) that it has preserved, and to demonstrate that the ESI has been in its possession, custody and control. When the cloud is involved, this is a joint responsibility of the organization and the cloud provider.

E-Discovery Advice

• E-mail may be well covered by the cloud contracts. Other media (voice mail, IM, video/web conferencing) may not.

• Know where your ESI is stored at all times.

• Cloud subscriptions are easy to implement. Watch out for business units that go their own way outside of IT.

• Plan for E-discovery. Don’t just respond to an E-discovery request when it arises.

Litigation Risks

• Customers using cloud services may put themselves at risk of patent litigation.

• The risk is low but the customer should address this issue in the contract to ensure that they are protected.

• "One model of enforcing patents says I can go after the manufacturer, but once I do I'm done because then all his sales are licensed," Goldberg said. "But if I keep going after all his customers, I can keep going forever and the customer is really not in the best position to fight back. So it creates increased risk."

• Source: Nolan Goldberg, a patent and trade secret litigation attorney for Proskauer Rose LLP in New York.

Cloud in Europe

• The European definition of personal data is far broader than in the U.S. Even names, addresses and phone numbers are considered personal data.

• The European Data Privacy Directive that governs the laws relating to privacy generally prohibits the movement of data outside the EU.

• “Essential guide: EU Data Protection Regulation” http://www.computerweekly.com/guides/Essential-guide-What-the-EU-Data-Protection-Regulation-changes-mean-to-you

Subcontractors in the Cloud

• The service provider may hire subcontractors to supply products and/or services that are then offered to the consumer through the provider.

• Usually, when a company is subcontracting on projects, the subcontracting agreement is solely with the prime contractor.

• The subcontractor has no contractual relationship with the customer.

• Check with the service provider about their use of subcontractors and their part in the prime contract with the customer.

• The prime should have some form of flow-down clause to ensure that the subcontractor is equally liable as the provider.

The Exit Clause

• The customer needs a legal path to cancel the cloud service.

• Providers change their terms and conditions unilaterally.

• The contract should contain an exit clause that protects the customer if the arrangement does not work to the customer’s satisfaction or the service provider goes out of business or is sold to another provider.

• This clause should also ensure that the data stored can be returned without delay.

• A specified data format should also be defined in the exit clause.

Provider Lock In

• What can a customer expect when it wants to move applications and data to another provider?

• Provider lock-in exists if the customer cannot easily move an application and data from one system to another.

• What if the provider goes out of business, or is acquired by or merged with another provider?

Contracting for Performance

• The SLA is most important when the traffic busy hour occurs.

• The service subscriber would like 99.99+% availability for the service.

• The Service Level Agreement (SLA) for a cloud service may be measured over a long period of time, possibly weeks, leading to a better service level than experienced during busy times.

• What is not included in the SLA is very important.

• If an outage occurs, can the customer qualify for meaningful credit?

Cloud UC Gotchas

• Missing costs in the business case (3rd party management service, WAN access, SIP trunks, loss of discounts)

• Adopting inflexible terms (features, mix, reduced usage, not best technologies)

• Inadequately protecting data

• Failing to address access to emergency services

• Tripping over telecom regulations (who can use and where, PSTN connection, charge back from multiple entities)

Customer Bill of Rights (1)

• The service customer should retain ownership and control of their data (bankruptcy, acquisition, merger).

• The Service Level Agreement (SLA) must address the liabilities, business outcomes, and remediation when there are limitations or loss of service.

• The enterprise has the right to be informed in advance of any changes that will affect their use of the service and business processes.

Customer Bill of Rights (2)

• The cloud customer must be provided with the information to understand the technical limitations of the service.

• The customer must be made fully aware of the legal jurisdictions where the provider operates. Where is the data stored? Does the data move from one jurisdiction to another? Will the data stored in a jurisdiction help or hinder the enterprise from meeting their legal and regulatory requirements?

• The security processes that the provider follows must be known by the enterprise.

• The provider should offer continuity service that meets the enterprise requirements.

Contract Questions (1)

• Where are the data and applications stored, in or outside the U.S.? This could be constantly changing in a virtualized environment.

• If there is a requirement for forensic analysis for e-discovery or subpoenas, how will this work?

• What government regulations (HIPAA, Gramm-Leach-Bliley, SOX) will the cloud provider have to adhere to in the U.S.? If the data is stored in another country, what regulations apply?

• What happens if the provider loses information or releases the data without the customer’s permission or through hacking?

• How does the provider support e-discovery in an accurate and timely manner?

• Is the customer protected from fines and/or sanctions because of a provider problem?

Contract Questions (2)

• How is the data on individual users protected and used by the provider? Can the provider sell the data?

• Is the traffic information that is sent and received protected as well?

• Can user presence information be sold to third parties?

• Will the provider use their access to the customer’s users to send out information (sales and marketing) created by third parties?

• Is the provider able to sell profile information of the customer’s users?

Cautions

• Beware of the long term contract

• Prepay for what?

• Investigate seats vs. traffic volume

• Watch for the business unit that goes around IT

• Buy what you need when you need it

• Watch the volume discount and penalties

Advice to the Enterprise

The trust in a cloud service provider is only as good as the contract terms and conditions. Moving to the cloud may be best for the organization, but remember you are giving your most valuable information assets to another to maintain and protect.

Resources

• The Legal Side of the Cloud: Worrisome? http://www.nojitter.com/post/229402393/the-legal-side-of-the-cloud-worrisome

• Cloud UC Availability: Is Five-Nines Real? http://www.nojitter.com/post/240002040/cloud-uc-availability-is-fivenines-real

• The Cloud and E-discovery: A Complex Challenge http://www.nojitter.com/post/240002885/the-cloud-and-ediscovery-a-complex-challenge

More Resources

• Gotchas with Cloud UC http://www.nojitter.com/post/240158964/gotchas-with-cloud-uc

• Moving to the Cloud: The Contract http://www.nojitter.com/post/240168941/moving-to-the-cloud-the-contract

• A Cloud Buyer's Bill of Rights? http://www.nojitter.com/post/240142862/a-cloud-buyers-bill-of-rights

