executive briefing: strategic issues surrounding cloud services

EXECUTIVE BRIEFING: STRATEGIC ISSUES SURROUNDING CLOUD SERVICES April 11, 2013

Upload: whitmeyertuffin

Post on 19-Nov-2014


Page 1: Executive Briefing:  Strategic Issues Surrounding Cloud Services

EXECUTIVE BRIEFING: STRATEGIC ISSUES SURROUNDING CLOUD SERVICES

April 11, 2013

BRIEF INTRODUCTION TO CLOUD COMPUTING


CLOUD DEFINITION

Cloud Types

• Public
• Private
• Hybrid
• Community

Service Types

• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

Key Characteristics

• On-Demand Self Service
• Global Secure Access
• Utility Billing
• Elastic Scale
• Automation Orchestration

Thanks to Geoff Sinn and Dimension Data for certain slides. NIST = The National Institute of Standards and Technology


TRADITIONAL VS. CLOUD COMPUTING

BASIC DEFINITIONS: CLOUD TYPES

• Private Cloud: A Cloud architecture that is deployed for the sole use of a single enterprise – and resides on the enterprise premise (i.e. on-premise)

• Public Cloud: A Cloud architecture that is deployed for the provision of public cloud services – a cloud architecture that serves multiple enterprises – hence sharing of underlying infrastructure elements occurs (to varying degrees, based on the actual service type).

• Hosted Private Cloud: A Cloud architecture that is deployed for the sole use of a single enterprise – but hosted by a cloud services provider (i.e. off-premise)

• Virtual Private Cloud: A dedicated partition within a Public Cloud architecture that is allocated to a single enterprise – hence certain elements of the architecture are shared, while others are dedicated to a single enterprise (related to the service type).

• Hybrid Cloud: A Cloud architecture that is made up of a combination of previous Cloud Types – most often a combination of Private and Public Cloud Architectures (once again related to the service types).

• Community Cloud: A Public Cloud Architecture for the provision of cloud services to a specific or limited community or segment or vertical.


BREAKDOWN OF PRIVATE CLOUD

Source: Gartner 2011


BREAKDOWN OF PUBLIC CLOUD

Source: Forrester Research Inc.

Finished Application that you rent and customize

Developer Platform that abstracts the infrastructure, OS and middleware to drive developer productivity

Deployment platform that abstracts the infrastructure


THE ABC’S OF CLOUD – “XAAS”

• AaaS – Architecture
• BaaS – Backend
• CaaS – Call Center
• DaaS – Data
• EaaS – Email
• FaaS – Frameworks
• GaaS – Governance
• HaaS – Hardware
• IaaS – Infrastructure
• JaaS – Java Authentication
• KaaS – Knowledge
• LaaS – Lending
• MaaS – Monitoring
• NaaS – Networks
• OaaS – Office
• PaaS – Platform
• QaaS – Data Quality
• RaaS – Recovery
• SaaS – Software
• TaaS – Telephony
• UaaS – Unification
• VaaS – Value-Added-Services
• XaaS – Anything
• YaaS – Yield Optimization
• ZaaS – Zebra

Credit: Updata Partners

BUSINESS DRIVERS OF CLOUD COMPUTING

Risk Optimization

• Business continuity
• Technology independence
• Operational complexity
• Specialized skills

Strategic Agility

• Time-to-market
• Innovation
• New business models
• Resource leverage

Cost Optimization

• No capex, less assets
• Pay-as-you-use
• On-demand capacity
• Elasticity
• Economies of scale
• Time-to-value


ECONOMICS OF CLOUD COMPUTING/SAAS

Recommend resources from VC firm Updata Partners (Carter Griffin) web site: http://www.updatapartners.com/resources/12/SEVC-Cloud-Presentation/

• SE Venture Conference 2013 Presentation on Cloud Computing
  • Growth in Cloud market from $14B in 2010 to $60B in 2016
  • SMBs are early adopters

• Cloud Computing: GMPP, rCAC and the Importance of Component Level Analysis -- Key metrics for measuring and managing a SaaS business

• Cloud Computing: A Closer Look at Churn -- a deeper analysis of churn and its impact on SaaS businesses


MANAGING LEGAL RISK IN THE CLOUD


Main areas of legal risk:

• Keeping data “secure” to:
  • Manage personal information in compliance with growing number of laws and regulations, and
  • Maintain trade secrets/other IP
• Avoiding contract risk and the customer-supplier “gap”

CLOUD COMPUTING AND SECURITY

Advantages

• Data Dispersal
• Data Fragmentation
• Secure Data Centers
• Multiple Customer Demands
• Easier Patching and Updates

Disadvantages

• Lack of Transparency
• Lack of Responsiveness
• “Trading Market” of Subcontractors
• Vendor Lock-In

UPDATES IN PRIVACY AND SECURITY LAW

HIPAA Updates

• This month – 10 year anniversary for HIPAA
• 2009 HITECH imposed obligations on vendors (“Business Associates”)
• New Omnibus Rule effective March 26, 2013; compliance required generally by September 23, 2013. Enhanced obligations on Business Associates and increased penalties.

Massachusetts Data Security Act

• Effective March 2010; contract requirements effective March 2012
• Requires contract terms with vendors; written security policy; and that certain personal information be encrypted

New COPPA Regulations

• Published December 2012; compliance required July 1, 2013
• Now covers third-party plugins, ad networks
• Expands what constitutes personal information (e.g. IP Addresses)

UPDATES IN PRIVACY AND SECURITY LAW

EU Data Protection Proposed Regulations

• In January 2012, detailed revisions were proposed to make the law more uniform across the EU and to increase protections and possible penalties
• US companies seeking to transfer personal information from EU to US must follow a safe harbor certification/filing approach or other rules to comply with EU regulations

FTC:

• Concerns have increased from use and sale of personal information, to use of IP addresses, device identifiers, and other information not normally considered as personally identifiable

Breach Notification Laws:

• NC Identity Theft Protection Act of 2005
• Virtually all states have adopted similar statutes

SECURITY POLICY

Legal Requirement to have a Written Information Security Policy:

• NC law: All companies must have written procedures relating to the destruction of personal records as official policy
• Mass. Data Security Act: organizations that handle information about Mass. residents must have a comprehensive written information security program
• HIPAA/HITECH: Also requires a written information security program
• Federal Trade Commission: Failure to protect personal information by using reasonable security can be an unfair and deceptive trade practice

Other Good Reasons for a “WISP”

• Complying with breach notification laws
• Assuring compliance with required privacy notices (e.g. California requirement)
• Protecting intellectual property
• Satisfying officer and director fiduciary obligations
• Complying with contracts
• Increasing value of company to buyers
• Dealing with subpoenas and related requests for electronic information in discovery

CONTRACTING IN THE CLOUD

• Typically service agreements, not licenses
• Often offered via “click and accept” agreements
• Sometimes incorporate by reference other terms of use and policies
• Sometimes purport to be changeable without notice by the vendor

CONTRACT TERMS: SECURITY AND PRIVACY

• Confidentiality
• Obligation to maintain reasonable and effective physical, technical and administrative security measures
• Compliance with all applicable data privacy and security laws
• Right to review security/disaster recovery policies
• Right to audit and test security

CONTRACT TERMS: SECURITY AND PRIVACY

• Notification in the case of breach
• Indemnification for breaches/payment of costs of required notices to customers
• Require use of encryption
• Restrictions on use of subcontractors and downstream sharing of information
• Restrictions on where data can be stored

CONTRACT TERMS: DATA ISSUES

• Ownership and Use of Data
• Disposition of Data on Termination
• Location of Data
• Legal / Government Request to Access Data

CONTRACT TERMS: SLA’S

• Uptime
• Performance & Response Time
• Error Correction Time
• Infrastructure / Security
• Performance Credits
• Use of Measurement Technology
• Notice/Reporting Obligations

CONTRACT TERMS: PRICING

• Monthly service fees
• Per user or provider, or based on transactions?
• When does it start?
• Implementation fees
• Commitment to start date?
• Add-on pricing
• Payment terms
• Caps on increase in fees

CONTRACT TERMS: TERM & TERMINATION

• Length
• Termination Rights
• Termination Penalties
• Data Rights upon Termination
• Vendor Termination or Suspension
• Automatic Renewal


KEY TAKEAWAYS

Companies (vendors and users) should:

• review the laws applicable to their situation, and update security practices, policies and procedures as needed
• perform appropriate due diligence and contract negotiations for important cloud contracts
• review insurance policies and possibility for additional insurance