LegalAware meeting: How the law of Cloud Computing might relate to English SME Directors



The uptake of Cloud Computing

A “cloud service provider” is the business entity that offers the Cloud service. Well-known examples of Cloud Computing providers currently include: Amazon, Google, Microsoft, Dell and Salesforce. Definitions of the “cloud” vary, but one commonly-cited definition is that proposed by the US analysts Gartner:

“A style of computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies.”

Cloud Computing customers do not own the physical infrastructure, thus avoiding capital expenditure by renting usage from a third-party provider. The vast majority of clouds consume internet resources as a service, and customers pay only for the resources that they use. Many

Gartner further estimates that, over the course of the next five years, businesses will spend $112 billion cumulatively on Cloud Computing. The US share of the worldwide Cloud services market was 60% in 2009, and will be about 58% by the end of 2010. By 2014, this is estimated to be diluted to 50%, as other countries and regions begin to adopt Cloud services in more significant volumes.

In August 2010, a survey by the IT consultants Spiceworks found that SMEs appear to be driving the uptake of Cloud Computing. In the first half of 2010, 14% of SMEs reported using Cloud Computing services, and another 10% reported plans to deploy Cloud-based solutions. The BBC website on 7 December 2010, in fact, even announced 2011 as “the year of the Cloud”, based on a recent report.

Features of Cloud Computing

There are a number of features of Cloud Computing which are considered advantageous to the Cloud Computing customer. Key advantages include agility in restructuring computer infrastructure, greatly reduced capital expenditure, reliability, security, maintenance and the requirement of minimal IT skills.

There are further features of note:

  • Location independence enables users to access systems using a web browser regardless of their location.
  • Metering means that cloud computing resources usage should be measurable and should be metered per client and application on a daily, weekly, monthly, and yearly basis.
  • Scalability: the key observation is the ability of Cloud Computing to add or remove resources at a fine level and with a processing time of minutes (rather than weeks), allowing resources to be matched to workload with enormous subtlety.

It may not be immediately obvious to an SME director that there are threats posed by Cloud Computing about which legal advice can be sought. My research found that, whilst the SME directors’ interests appear to be protected by Rights which are aspirational, the creation of an agreement, offered by a provider, in return for pay-per-use services, may fulfil the requirements of a contract in law. This contract is bilateral in nature (typical for sale of goods and services), as the parties exchange mutual promises. This contract may potentially protect the client before, during, and after any dispute, should one occur.

I conducted an original study to explore the beliefs, concerns and expectations of SME directors towards Cloud Computing. The relatively recent starting point for my research was the proposal by Gartner in July 2010 that Cloud Computing customers should have six “Rights” in their service.

Respondents were invited randomly through recruitment advertisements on the discussion board of the Institute of Directors LinkedIn page, Implu LinkedIn page and the main Ecademy discussion board. These internet social-networking sites allow UK directors to engage with topical issues from the business community, and much of the audience are technologically-minded. Only individuals at Director level were invited to respond to the survey.

The majority of respondents were directors of very small businesses with 1-5 members (39%), about a half were already using Cloud Computing (55%), but the vast majority had already heard of Cloud Computing (90%). The sample stated that they had most familiarity with SaaS computing (52%).

To ensure that the Directors were sufficiently informed about the subject to answer the questions meaningfully, all respondents were invited to read the current Wikipedia entry on Cloud Computing. These same Directors were then invited to rate a range of features of Cloud Computing as being of particular importance to them, using a rating scale of 3 = most important and 0 = least important.

In descending order, the most important features in a list of ten were deemed to be as follows (figure in brackets denoting the mean number of points): reliability of services (2.6), security of services (2.5), ease of maintenance of services (2.2), cost (2.1), scalability of services (2.1), flexibility in future computer infrastructure organisation (2.1), device and location independence (2.0), ability to meter services (1.8), minimum IT skills involved (1.5) and multi-tenancy architecture (1.3). The two most important factors, reliability of the services and security of services, are arguably very important issues about which a lawyer can give good-quality advice to a commercial client.

The SWOT analysis of the overall business strategy readily identifies the risks of the business to be predominantly the legal risks which need to be managed through a successful risk strategy. Data privacy and security have consistently remained the key areas of concern for Cloud Computing customers at all levels. SMEs can now exploit high-end applications such as business analytics, opportunities that were hitherto unavailable to them. Finally, concerns have traditionally centred on the lack of standards, but, in fairness, Cloud Computing providers are fast adopting standards, possibly in an attempt to avoid intervention by the lawyers.

Building trust with a client is now thought to be essential both for the work of a commercial lawyer to succeed, and for the lawyer to progress to the top of his profession. In the Parks model, trust between the client and the lawyer has been proposed to be essential for the relationship to progress from imparting knowledge and expertise to the initiation of a dialogue, and can greatly improve the success of a commercial lawyer in acting as a legal advisor.

The Avanade global study of cloud computing of 2009 described the opinions towards Cloud Computing of 502 respondents, consisting of C-level executives, business leaders and IT decision-makers from 16 different jurisdictions. Interestingly, the survey identified that, as the economy went from uncertainty to collapse in the nine months between surveys, an increasing proportion of the respondents wished to take up Cloud Computing services.

In my research, I found that a much higher proportion of company directors wished to embrace “software as a service” (SaaS) Cloud Computing (79%). The vast majority had experienced Cloud Computing anyway, and therefore it was very promising that satisfaction was very high (90%).

The Legal Services Act 2007 was enacted with the intention of liberalising and regulating the legal services profession in England and Wales, specifically to encourage more competition and to provide a new route for consumer complaints. The Act allows the customer, potentially, to access high quality legal advice relating to business, and has had the effect of greater convergence between commerce and the law. It is now relatively straightforward for multi-disciplinary teams specialising in commerce, finance, accounting and law to work together in understanding the needs of SMEs, start-ups and not for profit organisations.

The Gartner Rights and SMEs: legal implications

In 2010, Gartner proposed six Rights ‘protecting’ the Cloud Computing customer.

The Directors were invited to rate each of the six Gartner Rights as being of particular importance to them, using a rating scale of 3 = most important and 0 = least important. In descending order, the most important features in a list of ten were deemed to be as follows (figures in brackets denoting the mean number of points):

  • the Right to retain ownership, use and control one’s own data (2.5),
  • the Right to know what security processes the provider follows (2.4),
  • the Right to service-level agreements that address liabilities remediation and business outcomes (2.3),
  • the Right to notification and choice about changes that affect the service consumers’ business processes (2.3),
  • the Right to understand the technical limitations or requirements of the service up front (2.3),
  • the Right to understand the legal requirements of jurisdictions in which the provider operates (2.1).

That the data implications of Cloud Computing are reported to be the most important to the Cloud Computing customers of this PFD survey is possibly of no great surprise, given the amount of media attention there is to data protection and security in both the general and specialist press.

It is worth noting that many customers appear prepared to read all the clauses of the service level agreement (“SLA”); I found 93% of respondents ready to do so. Nonetheless, the survey results also indicated that SME directors believe that the SLA should be written in ‘black-and-white’ law (69%), implying that business clients do not expect the law to be open to ‘wild’ interpretation.

At the end of the negotiation process, provider and consumer commit to an agreement. In SOA terms, this agreement is referred to as an SLA. This SLA is the foundation for the expected level of service between the consumer and the provider. It includes four important themes: the business, technical limitations and requirements, data and jurisdiction. It is essential that the client optimises this SLA, and, as will be clear from the following discussion, it is hard to see how the client can achieve this without professional advice from a specialist lawyer. 64% of respondents in the PFD study were concerned that some of the clauses may be non-negotiable.

A further potential solution for customers might be for them to have an exit strategy from these agreements in the form of clear termination Rights. If termination for convenience cannot be negotiated, an alternative strategy might be to negotiate termination Rights for poor performance, for example a “substantial service level failure”. An example of this might be failing to be available at least 95% in a given month, which would be extremely poor performance by almost anyone’s standard.

According to my research, the quality of service expected by customers is actually extremely high – a very high proportion of respondents (93%) expected the provider to be prohibited from suspending or terminating the services suddenly, and all respondents expected that the Cloud Computing provider should provide termination assistance when the contract ends. Also, in the PFD survey, 86% of respondents were interested in negotiating termination Rights for poor performance of the provider. By paying attention to termination Rights, it is possible for a customer to mitigate some of the risk in these smaller, non-critical, agreements.

Another main way in which ‘power’ can become shifted in favour of the provider is when the provider passes on the customer’s data to subcontractors with lower performance standards. Cloud customers are often surprised to learn that many providers rely on sub-contracts to increase physically the size of their own Clouds. I found that 79% of respondents would be concerned if the work were subcontracted, and all of the respondents replied that they expected their Rights in any subcontracting relationship to be explained in full.

It is perhaps unavoidable that a Cloud service provider may need to take down its systems, interrupt its services or make other changes at some stage, in order to increase capacity and otherwise ensure that its infrastructure serves its consumers adequately in the long term. However, this Right recognises that customers need to be given details to guide their own business processes (for example, including advanced notification of major upgrades or system changes), and to be granted some control over when the provider makes the switch.

However, perhaps the greatest concerns that customers face when using a Cloud Computing solution are those relating to security and privacy. Once data are transferred to the Cloud, customers are forced to rely on the physical and information security of the whole provider to protect their valuable information. The providers are under obligation to comply with the data protection laws, but there has been no formal study of the understanding of people in SMEs regarding these laws, and their understanding of what protection they afford for their Cloud Computing services.

Where a business is located in the UK, it will be subject to the Data Protection Act 1998 (the Act) when handling personal data. As a result, if that business decides to use Cloud Computing, it will need to ensure that the Cloud Computing services comply with the Act. Under this Act, the data collector is the customer who is solely responsible for compliance with the Act. This includes the obligation to ensure that the customer retains close control over its personal data, even when the data is being processed by a third party on the customer’s behalf. It is likely that the Cloud Computing service provider will consider itself to be a data processor for the purposes of the Act.

Cloud Computing services in the UK may involve the transfer of personal data to data centres within countries outside the European Economic Area (EEA). To transfer personal data to a country outside the EEA, the data controller must first consider whether there is an adequate level of protection in that country and whether appropriate safeguards are in place.

Gartner has also provided seven principles for identifying security risks, which customers can raise with providers before selecting a Cloud provider, including privileged user access, data security, recovery, long-term viability and investigative support. In the present study, company directors believed regulatory compliance to be the most important factor (86%), but the actual location of the data the least important factor governing data security (64%). In relation to this, lawyers should provide advice that Cloud customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider; however, the Cloud Computing providers accordingly should provide details of their regulatory compliance.

If the Cloud provider stores or transports the consumer’s data in or through a foreign country, the service consumer becomes subject to laws and regulations it may know nothing about. Customers therefore need to consider whether they have become subject to the laws of a specific jurisdiction, even if their data has been stored there on a temporary basis. The present (preliminary) survey found that 71% of company directors were aware of this fact. In relation to the governing law, the parties will usually expressly provide that the Cloud Computing contract is to be governed in accordance with the laws of a particular jurisdiction.

© LegalAware 2011
