The Cloud has been around for a few years now, but it has only been in the last 12 months that the Cloud has finally achieved critical mass in the commercial mainstream. And with the launch of Apple’s iCloud, awareness and use of the Cloud will only continue to grow.
What is the Cloud?
Simply put, the Cloud is a collection of IT services that are managed and housed by a third party; in other words, outsourced IT. Typically the Cloud is a huge conglomeration of powerful, lightning-fast servers (sometimes called “server farms”) situated in one or more locations.
Why migrate to the Cloud?
Outsourcing of any function is usually done because the outsourcer can perform those functions faster, better and cheaper. Outsourcing to the Cloud has a similar rationale. If you are an SME or law firm, there are definite benefits to outsourcing your IT services to the Cloud. In the Cloud you can access your data from anywhere at any time from any device. The Cloud is scalable – you are able to quickly scale your IT needs up or down. The Cloud allows you to reduce your upfront capital costs for servers, network infrastructure, software licences as well as the staff resources to configure servers, and redeploy that capital to other areas of your business. Software upgrades in the Cloud are performed automatically and seamlessly making it easier to migrate to another platform in the Cloud environment. In short, for SMEs and law firms, IT services in the Cloud are far superior to those that could ever be cost-effectively created in-house.
The concept behind the Cloud is to share space in order to achieve a higher level of service. But sharing space means losing control – and you need to be comfortable with that. However, depending upon your business, you need to weigh the loss of control against the business risk of not migrating to the Cloud. In other words, not moving to the Cloud may be a bigger risk than moving to it, especially if your competitors are already using the Cloud.
How do you know if a Cloud provider is right for your business?
Migration to the Cloud should not be taken lightly and proper planning is required in order to ensure that the move achieves your goals. As a first step, every business must ensure that the Cloud provider not only provides physical and electronic security for data, but that it also assures regulatory compliance. There is a common misconception that the Cloud makes your data less secure and less compliant. In fact, the Cloud may actually make your data more secure and more compliant. Think about it this way. The Cloud provider’s core business is providing a secure and compliant server farm. Are data security and compliance your core business? Or is your core business something else, and you dabble in IT in order to make that core business run well? In other words, is your security really better than that of a Cloud provider? Are your compliance procedures really better than those of a Cloud provider? Are your back-ups, redundancies and disaster recovery really better than those of a company whose core business is to deal with these matters?
Beyond security and compliance issues, keep in mind that there are no legal regulations currently in place for Cloud providers. There is no Cloud Act that spells out the rules, regulations and liabilities around Cloud computing. And, there are no reported court decisions that set out what judges think about Cloud computing liability.
In terms of industry standards, there are only two that apply to Cloud providers: (1) the Statement on Auditing Standards No. 70 (SAS 70) which allows an auditor to evaluate and issue an opinion on the Cloud provider’s controls; and (2) an ISO 27001 certification. However, neither of these is mandatory and Cloud providers can still operate their businesses without them.
I highly recommend that you spend a great deal of time working out your Cloud strategy and decide what it is that you are going to send to the Cloud, why you want to send it there and what you hope to achieve. Some companies start slowly and place only non-mission critical business processes and applications (such as email, human resources and customer relationship management) in the Cloud. Others move whole hog into the Cloud. Choose the path that makes you the most comfortable.
When selecting a Cloud provider, you should also perform the same due diligence on it that you would do with any other business partner. How long has it been in business? What security breaches have there been? What do its current clients say about its service?
Once you have selected a specific Cloud provider, you will review two critical documents that govern every Cloud relationship: the Cloud Contract, which sets out the terms of the relationship, and the Service Level Agreement (SLA). You must be fully aware of all the terms in each of these agreements and carefully consider how those terms impact your business.
The following is a sample of issues to consider when reviewing the Cloud Contract:
- Do you have the ability to audit the Cloud provider or get copies of their SAS 70 or other audits?
- Who owns your data in the Cloud?
- What does the Cloud provider do with its usage logs or other statistical data it collects on data and clients? Is it sold to third parties?
- What are the Cloud provider’s policies on access to data, including staff, outside consultants or other Cloud tenants?
- What are the Cloud provider’s security protocols for data protection, privacy, physical security and application security?
- Where is the data being stored (given that your data may be spread across many servers in many locations)?
- Is your data kept separate from that of other Cloud clients?
- Who owns the Cloud back-ups and who has access to them?
- What are the Cloud provider’s disaster recovery processes?
- How often does the Cloud provider back up its servers? What is its redundancy?
- What regulations can the Cloud provider verify that it adheres to?
- If data needs to be transferred back to my business, in what form will it be delivered?
- What happens to my data when the Cloud provider goes bankrupt?
- What are the notification procedures when the Cloud provider goes bankrupt, merges, amalgamates, or sells its business?
- What are the Cloud provider’s notification procedures for security breaches, either physical or electronic?
- Does the Cloud provider pay your costs of notifying your clients of a cloud security breach?
- What happens when I need to transfer data to another Cloud provider? What format will it be in? How long will it take? What assistance will be provided and is there a cost?
- What indemnification, if any, is available if the Cloud provider does not comply with those regulatory requirements to which your business is subject?
- What penalties are in place for a breach of terms of the Cloud contract? Are these penalties strong enough to motivate the Cloud provider to prevent breaches? In 2011, any penalties for breaches of the Cloud contract will likely be limited to the reimbursement of Cloud fees paid, or out-of-pocket expenses, if a Cloud client gets sued by its customers.
The Cloud provider’s SLA is the other important document governing your relationship and should also be read carefully. The SLA should be negotiated and tailored to reflect the regulatory issues impacting your business, if any, as well as your specific day-to-day business needs.
SLAs will cover the following key areas:
Uptime: What does the Cloud provider consider to be “uptime”? Are there any exclusions to uptime, such as scheduled maintenance? How does any downtime impact your business?
Performance: How is performance defined by the Cloud provider? What performance do you require in order to operate your business? Determine which parts of your business you cannot afford to be without and negotiate specific terms for those areas.
Service/support performance: What are the hours for customer support? What support are you entitled to? What support do you require for your business? What are the performance metrics for support (call back in 15 minutes or 24 hours)?
Once you have selected an appropriate Cloud provider and negotiated the Cloud Contract and the SLA to a point with which you are comfortable, you will come to the final “gut-check” moment as you stand on the precipice of Cloud migration: it will not be possible or practical to migrate back to your old method of personally housing servers. Once you are in the Cloud, your business needs and your IT culture will have inexorably shifted to a new paradigm making it impossible to migrate back. In short, once you let the toothpaste out of the tube, you can’t put it back in.
Mitch Kowalski is an innovative thinker, lawyer, writer, lecturer, consultant and entrepreneur. He maintains a boutique law practice in Toronto and writes on a variety of legal and non-legal topics including The National Post’s blog, Legal Post.