Upload
summit-professional-networks
View
367
Download
0
Embed Size (px)
DESCRIPTION
Citation preview
Technology Agreements
via Cloud Computing
Dan Anixt
Assistant General Counsel
Verizon/Terremark
May 7, 2013
Introduction:
What is the Cloud?
Three Basic Models of Service
Software as a Service
Platform as a Service
Infrastructure as a Service
Software as a Service
Allows users to access and utilize software installed by the cloud provider
Process is transparent to the user
An example is Google Aps
Platform as a Service
Providers deliver a platform to users with an operating system,
programming language environment, and server
Allows users to develop software without incurring underlying software and
hardware costs
Infrastructure as a Service
Providers deliver virtual and/or physical infrastructure to customers
Allows customers to deploy software applications and data into the
cloud
Allows scaling of services to accommodate customer needs
Provides the option of a public or private cloud depending on needs
and security requirements
The focus today will be on transactions involving Infrastructure as a
Service
Benefits of the Cloud
Reduced infrastructure costs reducing or eliminating the need to
maintain software and systems
Reduced capital expense by shifting it to operational costs
Reduced labor costs
The Verizon Terremark Model
ACCELERATING
INNOVATION
A market leader in infrastructure,
cloud and security services
3,000+ employees with facilities in 19
countries
Full portfolio of high value capabilities
ACCELERATING INNOVATION
10
Terremark Services Portfolio
Globally Delivered from World-Class Facilities
Challenges of Negotiating Cloud Agreements
Software Licenses
SLAs
Network Security
State and Federal Regulations
EU Regulations
Discovery
Software Licenses
The cloud offers major costs savings by outsourcing application and
data storage plans
The assumption that many make is that their existing enterprise
software application licenses can be ported to the cloud
This assumption can be costly
Issues that can arise when the terms of existing licenses are not
properly understood include:
Costly audits
License revocation
Potential breach of contract litigation for breaching the terms of the license
Software Licenses (continued)
Steps that can be taken to mitigate the risk of software licenses:
Know the licenses you have - how flexible are the terms when it comes to
porting software onto the cloud?
Understand the license rights that the cloud service provider has secured.
What does the provider’s license cover? More important, what does it not
cover?
Negotiating the Software License
If a new license proves necessary, the following strategies can
minimize/mitigate the cost:
See what credit can be applied from existing enterprise licenses with the
vendor
Look at alternative pricing models such as pricing that varies with usage
which nicely dovetails this with the flexible capacity of the cloud
Leverage the relationship with the cloud provider – often the provider can
secure better pricing terms with the software vendor due to its relationship
with the software vendor
SLAs
Like any outsourcing service level agreements (SLAs) are critical in
the cloud
At a minimum SLAs should provide for:
system uptime
redundancy of systems
data protection and backup
Note that the level of SLAs provided will depend on whether data and
applications are in a private or public cloud.
Private clouds which are dedicated to the customer are more secure
and tend to have stronger SLAs, but cost more than the public cloud
SLAs (continued)
In determining whether the public or private cloud is preferable, the
customer should look at how critical the data and applications are
Key data and applications should be in the private cloud
Less critical data and applications such as archives should be in the
public cloud
Intellectual Property (“IP”) Protection
In negotiating with a cloud provider, it is critical to negotiate IP
ownership rights particularly when using the cloud to develop
applications
Knowing what IP protections and rights to demand depends largely
on what the customer intends to use the cloud for once applications
and data are operating on it
When using the cloud carefully vet IP indemnity protections as cloud
providers will often disclaim liability for third party IP, such as third
party software
If the cloud provider does not provide third party software
indemnities (or only passes through limited indemnities), it may be
necessary to directly negotiate them with the software provider
Network Security Assurance
When selecting a cloud provider, due diligence of the level of security
of the provider is key
For example, Verizon/Terremark offers a full suite of network security
services in conjunction with its cloud offering
Carefully vet the physical and logical security of the cloud vendor
Questions to ask:
What security software is in place?
What network security standards are used?
What security audit rights are permitted?
What is the physical security like at the data centers?
State and Federal Laws and Regulations
When porting data onto the cloud, several state and federal
regulations come into play
Federal laws/regulations include:
Gramm-Leach-Bliley (“GLB”) which governs storage of private financial
data
The Health Insurance Portability and Accountability Act (“HIPAA”) which
covers storage and protections of medical records
Federal Trade Commission regulations on identity theft
Massachusetts data privacy regulations governing encryption of personal
information
EU Regulations
EU Directive 95/46/EC governs collection, processing, and transfers
of personal data and can present significant issues for multinational
companies using the cloud
Recent enhancements proposed in 2012 include even more stringent
penalties and rules for data protection
Handling Data – Legal and Regulatory Risks
Key questions to ask:
What data is going on the cloud? (e.g. financial, healthcare records, other
individual personal data)
Where is the data coming from and where is it going? (EU data protection
rules are critical here.)
What is the plan for securing and complying with data security and privacy
rules
When negotiating with the cloud provider, inquire about its baseline data
privacy and security policies to make sure they are sufficient
Once in the cloud, take steps to monitor and inventory what is going in the
cloud and make sure protections are in place to make the storage and
handling of data legally compliant
Discovery
As with all information in the possession of a company, data in the cloud is subject to e-discovery
It is key to know where data is stored and what data is stored in the cloud
The ability to fully retrieve and search data in the cloud is key
Many cloud providers, such as Verizon Terremark, provide e-discovery software services for the cloud
Carefully thought out procedures for litigation holds, document retrieval, and processing should mitigate the risk of discovery sanctions
Furthermore, once litigation commences, it may be advisable to maintain such discoverable data on a private cloud to enhance security
Questions