Cloud Computing: What to Ask When the Clouds Roll In
Presentation to the ACC Information Technology & Ecommerce Committee
June 5, 2008
Randall S. Parks and James A. Harvey, Partners and Co-Chairs, and Roxanne
Esch, Associate, Global Technology, Outsourcing and Privacy Practice
Contact:
Randy Parks, rparks@hunton.com, 804.788.7375
Jim Harvey, jim.harvey@hunton.com, 404.888.4160
The following is a conversational outline of a presentation made on June 5, 2008, as
part of the Committee’s “Nutshell” program.
1. What IS Cloud Computing and Where Did It Come From?
(a) Definition. The name derives from the common representation in
technical architectural diagrams of internet network resources as a
“cloud.” Forrester defines “cloud computing” as:
A pool of abstracted, highly scalable, and managed compute
infrastructure capable of hosting end customer applications and
billed by consumption. Forrester Research, May 2008.
By abstracted, Forrester means the key defining features of the cloud: the
infrastructure is entirely virtual, invisible to the user, potentially located
anywhere in the world and requires no client installations or special
hardware. In the cloud you have access to necessary infrastructure, but
the usual burdens of ownership, administration, maintenance and
operation of hardware and software fall to the cloud provider, not the end
user. Many references discuss the cloud model as a form of utility
computing, referring by analogy to the electric power grid. Generating
assets move in and out of the grid seamlessly and all the user knows is
that the light goes on when the switch is flipped and the bill comes every
month for the kilowatts consumed.
Some non-commercial clouds have been around for quite a while, such as
SETI@home, which has created a 3 million member volunteer cloud used
to look for ET. Commercial clouds are owned by a single provider, though
at least one provider (3Tera) plans to offer the opportunity to sell excess
capacity to a multi-party cloud.
Hunton & Williams LLP
(b) Evolution. The term “cloud computing” is only a few years old. Key
enablers of the phenomenon have been:
(i) High bandwidth, low cost network capacity. The cloud depends on
high throughput, reliable networks to enable remote computing and
storage.
(ii) Open standards and open source software. The cloud depends on
highly flexible, low cost standard architectures to enable
virtualization of infrastructure. Most clouds are reported to run
Linux. Also, the cloud is most economically efficient when software
costs are low or non-existent and there are no licensing restrictions.
(iii) Virtualization software and techniques. The cloud not only depends
upon, but is defined by, the ability to create virtual machines for
every user.
(iv) User acceptance of remote computing models. Years of using
Hotmail have trained a generation that an important application
needn’t be hosted on your own machines or maintained by your
own staff. SaaS evolution has brought us a step closer, as well.
2. Implications of the Cloud
Cloud computing may be the disruptive technology of the next decade, as
enterprises follow individuals and small businesses into the cloud. Players which have an
interest in maintaining proprietary software sales may find their market share eroded.
3. Who Are the Players and What Are They Offering?
Key players include web moguls, technology-based start-ups and the massively
multinational:
(a) Amazon claims 300,000 developers working with its “Elastic Compute
Cloud” (EC2), “Simple Storage Solutions” (S3), Amazon Simple DB and
other web services since 2002.
(b) GoogleApps claims to be signing up 3,000 businesses each day.
Offering cloud solutions in partnership with SalesForce and IBM.
(c) SalesForce.com’s Force.com, 3Tera’s Cloudware, Rackspace’s Mosso
and many, many others.
(d) The big boys: Microsoft Windows Live, IBM Blue Cloud, IBM/Google
“Blue Business Platform,” Oracle Grid, Sun Hydrazine and more. Players
with massive infrastructures and marketing plans - and varying histories
and agendas.
4. 10 Questions to Ask About the Cloud
If you ask and answer these questions you’ll have covered most of the legal
issues associated with the cloud. I’ll use Amazon’s Web Services Agreement as
an example of how some of these issues are treated by a major commodity cloud
provider. Less commoditized solutions are available and some negotiation of
terms may be possible, though pricing models widely offered today don’t allow for
much customization.
(a) What’s going into the cloud? Analysis of the legal issues depends on the
answers to these threshold questions:
(i) What applications?
(ii) What data?
With that information in hand, the follow up questions might include:
(b) Do my application licenses permit hosting in the cloud? Do applicable
laws permit hosting of the application in the cloud (ITAR? Export
Administration Regulations (EAR)?)?
(c) Do applicable laws permit hosting of the target data in the cloud? Some
providers explicitly state that there is no guarantee which data center will
house your data. Amazon’s new “Availability Zones” may give you some
control over this issue.
(d) Do other data-related obligations permit hosting in the cloud? Consider,
among others:
(i) contractual obligations to customers;
(ii) privacy policies;
(iii) interaction with the need for e-discovery.
(e) What service levels are necessary and are they available? For example,
what level of application availability is required and can the provider
deliver? Amazon offers no SLAs and, in fact, notes that downtime is
possible and disclaims all remedies. Another major provider offers an
email availability SLA, though the related credit is additional days of
service which must be specifically requested.
(f) What security commitments are necessary and are they available? For
example, must the infrastructure meet the PCI Data Security Standard?
How do you perform the penetration testing and quarterly scans that the
DSS requires? Amazon disclaims all responsibility for security, reserves
the right to disclose your data in response to a simple “request” of a
governmental body and to demand copies of applications for purposes of
verifying compliance.
(g) Can you audit billing? Will the provider support such an audit? Is that
necessary for chargeback or internal control purposes?
(h) “What Happens if They Lose Your Stuff?” When I explained this
presentation to my 14-year-old daughter, her first question was “What
happens if they lose your stuff?” Well, what does happen if they lose your
stuff? What’s the risk of that happening (and are you sure you really know
the answer to that question)? Do you need explicit disaster recovery
requirements or special support to configure redundancy? Amazon
disclaims any responsibility for loss of data or security breach, but offers
tools to create redundancy.
(i) How do you exit and transition? How easily is data recovered and
transmitted? Amazon will store data for retrieval for only 30 days and
retrieval is conditioned on payment of all fees and compliance with other
undefined terms they may specify. If you are terminated for cause, your
data may not be available. Assurances of post-termination assistance are
thin, at best.
(j) Will the provider and the service be there tomorrow? Disruptive
technologies attract players who may not be around for the long term -- or
even the short term. Even the largest players hedge their bets: Amazon’s
Web Services Customer Agreement permits termination of paid services
on 60 days’ notice and change of terms of use on 15 days’ notice. Free
services can be terminated or changed with no notice. Other providers
reserve the right to terminate services at any time.
5. What Is It Good For?
(a) Joint ventures and short-term projects that need to stand up quickly, but
have significant computing needs which can’t wait for internal resources
and where third-party pricing of those services is necessary to avoid
conflict over charge-back models.
(b) Simple applications without need for active monitoring or management.
(c) Small business and any other business that can tolerate commodity
service in exchange for accessing high-quality shared infrastructure.
6. What Isn’t It Good For?
(a) Storage and processing of personal / sensitive information, at least not
without careful diligence as to the types of data and how they will be
treated.
(b) Complex applications which require active monitoring and support.
(c) Organizations not comfortable with self-service.
7. How Does the Enterprise Respond to the Cloud?
(a) Review current policies for coverage. Many of the issues presented may
already be addressed. If not, get ahead of the issue and develop a policy
addressing use of cloud-based services based on your unique risk profile.
Consider building a questionnaire to collect necessary data from business
units testing the cloud.
(b) Investigate whether cloud computing already is in use in the organization,
perhaps as part of a rogue deployment. You may be surprised. Cloud
use is particularly easy to accomplish outside the usual vetting process,
since it’s cheap and can be deployed with a credit card and without
engaging IT. Consider whether these deployments should continue or be
limited, based upon established risk guidelines.