The Cloud
Earl C. Rich, CRM

We’re Gonna Talk About:
IT Stuff
• Define what The Cloud is
• Review Cloud service-types
• Discuss the different types of Clouds
RIM Topics
• Data Security issues in The Cloud
• Legal challenges with The Cloud
• RIM issues in The Cloud
More IT Stuff
• Why IT likes The Cloud
• Cloud Horror Stories
Contracts
• Contracts are the key
• Review Cloud Computing Agreements
• Open Discussion / Questions

What is “The Cloud”?
“The Cloud” is a metaphor inspired by the cloud symbol used to represent the Internet in flow charts and diagrams.
Real-World Definition: Cloud is a style of computing where scalable and elastic IT-related capabilities are provided as a service to external customers using Internet technologies.¹
Techie Definition: Cloud computing describes the disruptive transformation of IT toward a service-based economy, driven by economic, technological, and cultural conditions.²
1: Gartner.com
2: Tom Jenkins, “Managing Content in the Cloud” (2011, October)

Cloud Service-Types
Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources.
Apple iCloud or Google Drive
Platform as a Service (PaaS)
PaaS offerings typically include workflow facilities for application design, application development, testing, deployment and hosting.
Google App Engine or Amazon EC2
Software as a Service (SaaS)
Software is accessible via the client’s Web browser instead of on a local network or hard-drive.
Google Apps or webmail

Cloud Computing Diagram

Types of Clouds
Types of Cloud Computing
• Public Cloud – Traditional model where vendors dynamically allocate resources through web applications.
• Private Cloud – Computing platform is dedicated to a single customer and can be housed internally or externally.
• Hybrid Cloud – Your organization’s hardware interacts with a vendor-hosted service (e-mail archiving, web filtering, etc...).
This model can also be used for “Cloud Bursting” where an organization’s infrastructure is used for normal computing needs, but cloud resources are used to carry peak loads.
• Community Cloud – Infrastructure is shared between similar organizations (i.e., all agencies within a government), but not with other outside parties. This model may also be referred to as a “government cloud”.

Public, Private and Hybrid Clouds

So Far, So Good… right?
“Cloud computing sounds so sweet and wonderful and safe ... we should just be aware of the terminology, if we go around for a week calling it swamp computing I think you might have the right mind-set.”
- Ronald Rivest, MIT Computer Science Professor
Source: computerworld.com

The Notorious Nine: Cloud Computing Top Threats in 2013
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service (DOS) Attacks
6. Malicious Insiders
7. Abuse and Nefarious Use
8. Insufficient Due Diligence
9. Shared Technology Issues

Data Security Concerns
• HIPAA:
– If the data contains Protected Health Information (45 C.F.R. §160.103), then the two groups (yours and theirs) must enter into a “business associate contract” (45 C.F.R. §164.504(e)(2))
• FMLA and the ADA:
– Both contain confidentiality provisions that restrict access to first aid and safety personnel, supervisors/managers, government officials, etc... (29 C.F.R. §825.500(g); 29 C.F.R. §1630.14 (c)(1))
• Section 817.5681, Florida Statutes:
– Breach of security for “personal information” (§817.5681(5), Fla. Stat.) must be noticed to the owner of the data (you) within 10 days, and to residents of Florida within 45 days (§817.5681(1)(a); §817.5681(2)(a), Fla. Stat.)

Legal Matters
• Subpoenas:
– Cloud vendors may be directly served a subpoena (Section 215 of the U.S. Patriot Act) and may not be allowed to disclose the existence or nature of the subpoena.
• E-Discovery/Rule 26 and Destruction Holds:
– All data, regardless of where it is stored, must be disclosed (Rule 26(a), F.R.C.P. (2010)). A party is required to produce data in a reasonably usable form, and is required to preserve electronically stored information [ESI] once litigation is anticipated or has commenced (Rule 37(f), F.R.C.P. (2010)).
• Jurisdiction:
– Both parties should agree on a “home” jurisdiction. If a cloud computing provider is located outside of the United States, it may be difficult to enforce any judgement of a U.S. court.

RIM Issues
• Public Records Issues:
– Data stored or created in The Cloud are records (whether F.O.R. or duplicate)!
– The entity that “owns” the data is responsible for adhering to Chapter 119
– The data must be retrievable and in a meaningful format to fulfil PRR standards
• 1B-26.003, F.A.C. (1B-26):
– If the items are File of Record (F.O.R.), then 1B-26 requirements must be met (storage methods, security standards, maintenance methods, etc...)
• Records Retention and Destruction:
– The Cloud provider must be able to maintain records for the prescribed lifecycle
– The user (you, not them) must have the ability to initiate destruction of records

Cloud Outages/Issues
• Dropbox: January 10, 2013
– Length of Outage: 16 hours
– Users Impacted: 175,000,000+
• Facebook: January 28, 2013
– Length of Outage: 3 hours
– Users Impacted: 4,500,000 (estimated)
• Amazon.com: January 31, 2013
– Length of Outage: 49 minutes
– Users Impacted: 2,600,000 (estimated)
• Microsoft’s Bing.com: February 2 & 22, 2013
– Length of Outage: 2 hours & 12 hours
– Users Impacted: 313,000 (estimated)
• Google Drive: March 18 - 19, 2013
– Length of Outage: 17 hours
– Users Impacted: 120,000,000+
Source: infoworld.com

Quote of the Day
“Clearly you’re not in control of your data, your information. It’s a major business interruption. I’m getting business interruption insurance tomorrow, believe me.”
- Campbell McKellar, founder of Loosecubes.com
Source: NYTimes.com

Why IT Likes the Cloud
1.
2.
Cloud Computing Value

Pros & Cons of Cloud Computing

A Good Contract is your Key to the Clouds
The main point of this entire presentation is that care should be taken during the contracting process to make sure that RIM issues and concerns are addressed and fully negotiated in any contract or SLA.

Review of two real-life Cloud Computing agreements

Cloud Computing Roadmap

Questions