Moderator: Rakesh Madhava, Nextpoint. Panelists: Martin Tully, Katten Muchin Rosenman LLP; Paul Starkman, Pedersen & Houpt; Keith Chval, Protek International; Heidi Fessler, Merrill Corp.

Page 1: Moderator and Panelists

Moderator: Rakesh Madhava, Nextpoint

Panelists: Martin Tully, Katten Muchin Rosenman LLP; Paul Starkman, Pedersen & Houpt; Keith Chval, Protek International; Heidi Fessler, Merrill Corp.

Page 2: I see a sailboat. No wait, it’s a pony!

• “Cloud Computing” can mean different things: SaaS, PaaS, IaaS

• Public definitions: NIST; Berkeley; ABA Legal Tech Resource Center

• Service & deployment models: Private, Public, Hybrid

Page 3: How is this any different than boxes stored at Iron Mountain?

Page 4: How Cloud Differs

• Access

• Data Location

• Greater Custody and Control Differentiation

• Multi-Tenancy Capability

Page 5: Cloudy Questions

• Location issues

• Operation issues

• Legislative/Regulatory issues

• 3rd party contractual limitations

• Security/Privacy issues

• Litigation/Investigative issues

• Authenticity/Admissibility issues

Page 6: E-Discovery Implications

• Custody & Control
– Fed. R. Civ. P. 34(a)(1), 26(a)(1)(A)(ii), 37(e), 45
– Flagg v. City of Detroit, 252 FRD 346 (E.D. Mich. 2008)

• Cross-border issues

• Preservation

• Litigation hold management

• Analysis & Collection

• Spoliation risk & cost

• Privilege issues

• Authenticity & Admissibility

Page 7: Spoliation in the Cloud: When Bad Things Happen To Good Evidence

• General Considerations

• Potential Liability for Spoliation
– Minimize Risk by Addressing Up Front the Need to Preserve and Produce ESI

• Remedies for Spoliation

Page 8: How do you conduct a forensic examination in the Cloud?

Page 9: Cloud Computing Service Level Agreement Considerations

• Use of data/Security

• Location of data

• No change of terms

• Destruction

• Ownership (assignment)

• Subpoena response

• Regulatory requirements

• Insurance/Indemnity

• Audits

Page 10: Service Level Agreement (SLA)

SLA should contain:

• The list of services the provider will deliver and a complete definition of each service.

• Metrics to determine whether the provider is delivering the service as promised.

• Auditing mechanism to monitor the service.

• Responsibilities of the provider and the consumer.

• Remedies available to both provider and client if the terms of the SLA are not met.

• A description of how the SLA will change over time.

Page 11: Service Level Agreement (SLA)

• Security: Client and CSP must understand security requirements.

• Data encryption: Data must be encrypted while it is in motion and while it is at rest. The details of the encryption algorithms and access control policies should be specified.

• Privacy: Basic privacy concerns are addressed by requirements such as data encryption, retention, and deletion. An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment.

• Data retention/deletion: How does the CSP prove it complies with retention laws and deletion policies?

• Hardware erasure/destruction: Same as #4 (data retention/deletion).

• Regulatory compliance: If regulations must be enforced because of the type of data, the CSP must be able to prove compliance.

• Transparency: For critical data and applications the CSP must be proactive in notifying the client when the terms of the SLA are breached, including infrastructure issues like outages and performance problems as well as security incidents.

Page 12: Service Level Agreement (SLA)

• Certification: CSP should be responsible for proving required certification and keeping it current.

• Performance definitions: Defining terminology such as uptime and other contractual metric terms (e.g., uptime could mean all servers on a continent are available, or only that one designated server is available).

• Monitoring: Responsible party for monitoring, including identification of any third-party organization designated to monitor performance of the provider.

• Audit Rights: To monitor for any data breaches, including loss of data and availability issues. The SLA should clarify when and how the audits will take place.

• Metrics: To be monitored in real time and audited after occurrence. Metrics of an SLA must be objectively and unambiguously defined.

• Human interaction: On-demand self-service is one of the basic characteristics of cloud computing, but the SLA should provide customer service when needed.

Review and summary of cloud service level agreements, from "Cloud Computing Use Cases Whitepaper" Version 4.0.
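The ambiguity the slide warns about ("uptime" as all servers available versus one designated server available) is easy to make concrete. The Python script below is an added illustration, not part of the original deck or of the cited whitepaper: it evaluates availability over a constructed per-server status log under both readings, and converts a percentage target into the downtime budget it implies. The server names, the five-minute sampling interval, the log contents and the target figures are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumed inventory: three servers, one of which the contract could single
# out as the "designated" server under the lax reading of uptime.
SERVERS = ("srv-a", "srv-b", "srv-c")
DESIGNATED_SERVER = "srv-a"

# Constructed status log (hypothetical data): one row per server per
# 5-minute sample over a one-hour window. Four samples contain a "down"
# reading, chosen so the two definitions of uptime disagree.
SAMPLE_MINUTES = 5
_T0 = datetime(2024, 1, 1)
_DOWN = {("srv-b", 2), ("srv-b", 3), ("srv-c", 7), ("srv-a", 10)}
STATUS_LOG = [
    {
        "ts": _T0 + timedelta(minutes=SAMPLE_MINUTES * slot),
        "server": srv,
        "state": "down" if (srv, slot) in _DOWN else "up",
    }
    for slot in range(12)
    for srv in SERVERS
]


def availability(log, definition):
    """Fraction of sample timestamps counted as 'up'.

    definition == "all":        every server must be up (strict reading).
    definition == "designated": only DESIGNATED_SERVER must be up (lax reading).
    """
    by_ts = {}
    for row in log:
        by_ts.setdefault(row["ts"], {})[row["server"]] = row["state"]
    if not by_ts:
        raise ValueError("empty status log")
    up_samples = 0
    for states in by_ts.values():
        if definition == "all":
            ok = all(state == "up" for state in states.values())
        elif definition == "designated":
            ok = states.get(DESIGNATED_SERVER) == "up"
        else:
            raise ValueError(f"unknown uptime definition: {definition!r}")
        up_samples += int(ok)
    return up_samples / len(by_ts)


def allowed_downtime_minutes(target_pct, period_days=365):
    """Downtime budget, in minutes, implied by a percentage target over a period."""
    return period_days * 24 * 60 * (1 - target_pct / 100)


def sla_met(measured_fraction, target_pct):
    """True when the measured availability reaches the contractual target."""
    return measured_fraction * 100 >= target_pct


def evaluate(log, target_pct):
    """Report availability and pass/fail under both definitions of uptime."""
    report = {}
    for definition in ("all", "designated"):
        fraction = availability(log, definition)
        report[definition] = {"availability_pct": round(fraction * 100, 3),
                              "met": sla_met(fraction, target_pct)}
    return report


if __name__ == "__main__":
    target = 90.0  # assumed contractual target for the sample window
    for name, result in evaluate(STATUS_LOG, target).items():
        print(f"uptime={name:<10} availability={result['availability_pct']:.3f}% "
              f"met={result['met']}")
    print(f"99.999% over a year allows {allowed_downtime_minutes(99.999):.2f} minutes of downtime")
```

Run on the constructed log, the same hour of monitoring passes a 90% target under the "designated server" reading and fails it under the "all servers" reading, which is exactly why the slide insists that SLA metrics be defined unambiguously before they are monitored or audited.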

Page 13: Reality – Contract Issue

• Currently, the standard contracts offered by cloud computing providers are one-sided and service provider-friendly, with little opportunity to change terms.

• Few offer meaningful service levels or assume any responsibility for legal compliance, security or data protection. Many permit suspension of service or unilateral termination, and disclaim all or most of the provider's potential liability.

• In addition, some cloud computing providers emphasize low cost offerings, which leave little room for robust contractual commitments or customer requirements.

Page 14: Before you go “TO THE CLOUD!”

Security & Control

• No uniform standard for security and compliance among cloud providers. This may be bad, if you have evolved a mature security and control discipline; or it may be a good thing, if you are looking for an external provider to help you with best practices.

• Cloud is not, per se, either secure or insecure. You simply need to set your own standards, be aware of what your cloud provider can and cannot deliver, and choose according to your desired level of risk.

Page 15: Before you go “TO THE CLOUD!”

Portability & Compatibility

• Not all cloud providers are able to provide the same level of portability and compatibility.

• Extracting and restoring data may be a slow manual process due to API limitations and other restrictions. It may be impossible to accomplish in a timely manner due to common limitations such as bandwidth.

• Applications may require significant changes to be compatible with storage in a non-specific location that changes in case of emergency.

• Be aware of your use cases, and make sure your recovery plan allows for the mobility of data the cloud will enable.

Page 16: Before you go “TO THE CLOUD!”

Longevity & Accessibility

• Consider and verify the longevity of the CSP to ensure data will be accessible when and how needed, before committing to the CSP as the sole source for data recovery.

• During an analyst keynote speech at the 2010 CA InfoXchange event in Malaysia, the speaker estimated that a substantial number of current cloud providers will be out of business within 2 years.

• CSPs talk about 99.999 per cent uptime, or the equivalent of five minutes' downtime per year. This is the Holy Grail of cloud computing, but achieving it requires multi-million-dollar investments in redundant infrastructure.

Page 17: Before you go “TO THE CLOUD!”

Where does your data reside?

• EU Data Privacy Concerns

• Which laws apply, country of origin or country where data resides?

Page 18: Essential Contract Powers to Retain

• Realtime feed from data intrusion detection systems to permit monitoring of the security systems' performance.

• Performance standards mandating maximum downtime and platform stability.

• Auditing rights – access to the monitoring dashboard to see metrics on the function of the system. Also onsite visits to the provider.

• Remediation power – including monetary penalties for downtime, termination in the event of security violations, and notice of any breach.

Page 19: Essential Contract Powers to Retain

• Freedom to Move – the contract must make it clear that the data owner retains all ownership of the data as well as access to the data. There should be a defined time frame for giving back all the data once a request has been made, as well as a definition of the format for the data if it is to be moved or returned to the client, to avoid any additional cost to reformat data to be moved to a new provider.

• Preservation of metadata – what metadata will be maintained and any impact of the system upon that metadata.

• Access to information for e-discovery – how accessible the data will be, including time to extract.

Page 20: Questions?

Rakesh Madhava [email protected]

Paul Starkman [email protected]

Heidi Fessler [email protected]

Martin Tully [email protected]

Keith Chval [email protected]