Cloud computing: It’s all Good – or Mostly Good

A ZDNet article entitled “Cloud computing: Four reasons why companies are choosing public over private or hybrid clouds” makes a case for the value of the public cloud.

The reasons:

  • Innovation comes as standard with the public cloud
  • Flexibility provides a business advantage
  • External providers are the experts in secure provision
  • CIOs can direct more attention to business change

This is all good – or mostly good.

The caveat is that the use of the cloud can fail if a business adopts the cloud without thinking it through from the perspectives of mission criticality, security, privacy, and continuity. If a business runs a mission critical system in the cloud, and that system fails, the business could be out of business.

The IT Manager no longer has to consider day to day issues around keeping software and security up to date.  But they still have to consider higher level issues.

It is important to understand what the needs are for the situation at hand.  A system that is not mission critical, or does not contain sensitive information, for example, would not require as much scrutiny as a system that runs an e-commerce site.

Issues to consider include:

  • how mission critical the system is
  • what the consequences are of a short term and long term outage
  • how confidential or personal the information is in the system
  • whether the information can be encrypted in transit and at rest
  • how robust the vendor’s continuity plan is
  • the need for the business to have its own continuity plan – such as a local copy of the data
  • how robust the vendor’s security is
  • whether the vendor has third party security validation to accepted standards
  • whether the vendor’s agreement has provisions that back these issues up with contractual terms and service levels with meaningful remedies

Cross-posted to Slaw

8 Things to consider when using the Cloud

The cloud is a fluffy concept, and takes many different forms, but basically means any computer services that are provided on systems that you access over the internet. Examples include things like Gmail, Dropbox, and Google Docs. It can include sophisticated applications for accounting, document management, and other business processes. Other forms provide just the physical infrastructure, on which you install and manage your own software. The cloud can offer many advantages when used properly, but also carries risks that need to be managed.

Here are 8 things to consider when using the cloud.

  1. Consider how mission critical the cloud service is to your business. Far more diligence and care is required for a service that is crucial to the operation of your business.
  2. Make sure you have a backup or mirror of the data in case something goes wrong.
  3. If the application is mission critical, make sure you have a continuity plan in place to keep operational if the cloud service is temporarily out of service or permanently gone.
  4. Privacy, security and encryption are essential to consider. Look at what information is stored and manipulated, who has access to it and how they access it, and what the consequences are if that information was compromised. Encryption is a complex subject and requires the right questions to be asked. Is it only when at rest? Is it during transit? Who has the encryption key? While it is not always practical, a zero knowledge approach where the vendor can’t access the data is ideal.
  5. If you use platform or infrastructure as a service where you are in control of certain aspects of it, get expert technical advice on setting it up so that it is done right.
  6. Pay close attention to the provider’s service agreement. For basic, commodity services, the agreements will be non-negotiable and will include limited or zero liability if something goes wrong. As the cloud service becomes more sophisticated, personalized, and costly, those agreements tend to become more negotiable. The terms of the service agreement can be a risk assessment factor.
  7. In some circumstances privacy laws can dictate where data is stored or manipulated, or what you have to tell customers. Or your customers may perceive an advantage for the data to be housed in Canada, even though from a practical basis the risks may not vary much amongst first world countries. If any of these apply to you, make sure the location is where you need it to be.
  8. All the promises a vendor makes about data location, service levels, and data security have no teeth unless they are referred to in the service agreement, and are meaningless if not backed up by some consequence.

The Cloud – Panacea or Perilous?

The cloud has been touted as a significant revolution in computing – providing scalable, secure, and cost effective alternatives to owning and managing your own computing infrastructure. It has also been criticized for being insecure, unreliable, and a potential threat to the future of your business if something goes wrong.

So which is it?  It can be both, actually.

Done right – with the right application, the right vendor, the right agreement, and with proper attention to issues like security, encryption, privacy, and continuity – it can work very well.

Done wrong – without those details being considered – it has the potential to cause things ranging from spotty performance to embarrassing data leakage to a business ending catastrophic failure.

The key is to spend the time up front to get it right.

(Cross-posted to Slaw)

http://harrisonpensa.com/lawyers/david-canton

Smartphone revolution – ignore at your peril

That we are in the midst of a huge change in the way we communicate in our work and personal lives is no revelation.  But I think many of us don’t realize how rapidly this change is happening, and the many ways it will affect us.

It is a combination of things like mobile access, handheld computing power, inexpensive apps, cloud computing, location awareness, and social media.

Consider this: mobile devices are outselling PCs, and digital media is equal to television in importance amongst ad executives.

The explosion of smartphones and tablets enables us to get information about almost anything immediately wherever we are.  And to provide information to others just as quickly.  Tools like Google Goggles and Siri can do that by simply taking a picture of something, or speaking into our phones. (And really, the “phone” part of our phones is dwindling in importance to the rest of their features.)

All businesses and organizations should be thinking about how this is now affecting them, and how it will affect them in the future – both in how it will challenge their current business models, and how they can use it to their advantage.

And don’t forget to think about who your competitors will be.  For example, who is going to own the mobile payment space?  It might be the banks and credit card companies – but it could be telcos or Google.

It also raises interesting legal issues – like who owns the movie rights to a crowdsourced story, and how do privacy rights tie in with location aware services?

The one certain thing is that we ignore this revolution at our peril.

Cloud services – Is the bloom off the rose?

For the London Free Press – May 9, 2011

Read this on Canoe

Recent outages at Amazon and Sony’s PlayStation Network have left businesses and consumers without service for lengthy periods of time.

The tech press is full of articles suggesting the bloom is off the rose for cloud services and cloud providers are in denial about risks. These articles call on online providers to take financial responsibility and offer more than token services credits.

These outages have done more than just prevent gamers from playing. Services provided by Foursquare, Hootsuite, Discovr, the New York Times and others were affected by the “Amazonpocalypse”. Other businesses using Amazon were barely affected, as they designed their use with disaster prevention in mind.

One reason cloud services are inexpensive is that they come with no guarantees, and no liability on the part of the provider. That’s not meant to suggest online providers aren’t motivated to keep their services running. It’s bad for business if they don’t. But some are better than others, and problems can occur despite provider efforts.

If users expect financial responsibility and compensation for their losses in a failure, they can expect to pay more.

Online service provider user agreements contain limitation clauses that deny liability if the services don’t work. At most, there might be a refund for the cost of their services proportionate to the amount of downtime. If users want more, they can expect to pay for the provider’s insurance to back up the liability. And in practice, most users opt not to pay more for liability protection.

Anyone using online or cloud services needs to first consider how crucial the services are to them. What will the effect be if the service is disrupted for a short or long period of time, or if their online data is lost?

If such disruptions would have serious effects, then the user must take steps to control those risks.

For the risk of losing data, it might be as simple as keeping local backups, or keeping a mirrored copy at a different service provider at a different location.

To keep the service operating continuously, users should take a close look at how the service is provided, and plan their use in a way designed to survive failure.

In other words, assume things will fail, plan around that, and test to ensure the plan works.

Amazon, for example, has several “availability zones”. Amazon customers who were able to switch between them suffered only minor issues.

Another approach is to use multiple service providers based in different locations.

Our digital universe keeps expanding

For the London Free Press – Jan 17, 2011

Read this on Canoe

The sheer volume of digital information that we create is fast outstripping our ability to manage it all, report warns

The sheer volume of digital information continues to rapidly increase. According to a report by IDC entitled The Digital Universe Decade – Are You Ready?, commissioned by storage vendor EMC, the projected growth of the digital universe could outpace our ability to manage it, creating new challenges and opportunities.

Every time we send an e-mail, take a digital photo, blog, upload a video or download a song, we are contributing digital content. The report uses the term “digital universe” to mean the amount of digital information created and replicated each year.

This content is growing and is expected to increase exponentially. In 2009, the digital universe grew by a staggering 62% to about 800,000 petabytes (a petabyte is a million gigabytes).

In 2010, the digital universe was expected to grow to 1.2 million petabytes and reach 35 trillion gigabytes by 2020. That would fill a stack of DVDs that would reach half way to Mars.

The report says that over the course of the next 20 years, the digital universe will grow by 44 times, while the personnel and investment in resources to manage it will only grow by 1.4 times. This discrepancy will have real implications for both the organizations tasked with dealing with digital content and regular users and contributors to the digital universe.

Issues that arise include the amount of physical storage needed to contain all this data. This is in part attributable to the fact that only 25% of digital content being created is unique – the other 75% consists of things such as forwarded e-mails and other copies.

And backing up all that data so it won’t be lost if something goes wrong faces challenges from the sheer volume, and managing the most effective and cost-effective ways of doing that.

Individuals will use higher-capacity hard drives in their computers, external hard drives, and the cloud to store and back up their personal material.

The report suggests an increasing amount of data will be housed in the cloud. This goes beyond keeping our files or backups stored at Internet-based locations. Examples include watching on-demand Internet-based TV, such as Netflix online, instead of using DVDs, and using cloud-based software rather than installing and running it on our PCs.

Finding what we need in all this data will require continued advances in ways to manage it. That includes ways to know when to delete data, and search tools to find what we need.

The report also says that the amount of data that needs protecting will increase at an even faster rate. This includes confidential and personal information, such as financial and health data. It claims that less than 10% of the information about an individual is created by the individual – such as taking photos, using social media, sending e-mails, and getting cash from an ABM. The rest is created by others, such as credit records, surveillance photos and web-use histories.

Managing the security and privacy of all this will continue to be a challenge.

Don’t let privacy get lost in the clouds

For the London Free Press – July 12, 2010

Read this on Canoe

So-called ‘cloud computing’ can be valuable — but it can also come with risks

Cloud computing – essentially providing computer services over the Internet – is a growing trend.

Ontario’s privacy commissioner recently released a report dealing with privacy issues that arise from the cloud.

There are many definitions and debates over just what cloud computing is, but it entails storing your information and/or running software on computers belonging to others that you access over the Internet.

For example, instead of creating this column using word-processing software installed on a computer in my office and saving it here, it could be created and stored in the cloud from any computer using services such as Google Docs, or Microsoft Office Web apps.

It is a compelling model, as it can provide advantages in cost, simplicity, portability and scalability.

It can, though, pose issues around things like privacy, confidentiality, security, business continuity and disaster recovery. The importance of those issues varies depending on how the particular cloud product works, what it’s used for, and how mission critical it is.

The privacy commissioner’s discussion paper – Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach – discusses relevant privacy issues.

The report discusses a variety of different models included in the term “cloud.”

The report sheds light on which types of risks are associated with different types of “clouds,” some of which are riskier than others from a privacy and security standpoint.

The decision to use cloud computing is one each individual or business must make bearing in mind the type and sensitivity of their information, how valuable that information might be and whether local copies can be saved.

Since the loss or compromise of sensitive data can be incredibly damaging to an organization, careful consideration is required.

It’s important for organizations to take time to review what type of cloud model they intend to use, and whether it’s adequate from various perspectives, including operational, cost, access and privacy.

The type of data stored by an organization may change over time. Organizations evolve and sensitivities change. Re-evaluation of an organization’s cloud model at regular intervals, or when major projects occur, will help ensure data is kept in an appropriate manner.

The bottom line is that it’s important for anyone using cloud-based services to understand how that particular service operates and what promises it makes concerning privacy, security and continuity of data. The importance of those factors will vary depending on the nature of the information involved, and how critical the service is to the user.

If it is not adequate, either negotiate to make it adequate, or go somewhere else.

This report, and a previous white paper entitled Privacy in the Clouds (both available on the web at ipc.on.ca) are helpful for potential users to understand and deal with privacy issues that arise from the cloud.

They are also useful to help anyone providing cloud-based services deal with privacy issues for their services.

Ideally, providers will design their services to be privacy-friendly from the outset – an approach the commissioner calls “privacy by design.”

Privacy Commissioner – public consultations on privacy and cloud computing

The Canadian Privacy Commissioner just invited interested parties to file written submissions on privacy issues surrounding cloud computing. The Commissioner is also inviting expressions of interest from anyone wanting to take part in a formal panel discussion in June.

Cloud computing – however one defines it – can be a compelling model, as it can provide advantages in cost, simplicity, and scalability.

It can, though, pose issues around things like privacy, confidentiality, security of data, business continuity, and disaster recovery. The importance of those issues varies depending on how the particular cloud product works, what you use it for, and how mission critical it is.

Fanshawe eMarketing Conference – legal issues

Fanshawe College is putting on an eMarketing conference March 1st entitled “Turning Clicks into Customers”. The keynote speaker is Mitch Joel, author of “Six Pixels of Separation”.

I’m speaking at a breakout session on “Legal Issues for a Digital World”.

I’ll be commenting on issues including copyright, cloud computing, the Streisand effect, and social media and privacy.   

There are several factors that make digital law different from analogue law. As I’m putting my presentation together, I’m realizing that the concept of practical obscurity plays a big role in explaining some of the differences.

Google liberation front a welcome attitude on cloud computing

That’s the title of my Slaw post for today.  It reads as follows.

The cloud computing, or software as a service, model has compelling attributes – such as low cost, ease of use, and scalability. But the downside is that there are issues around the security, integrity, and longevity of both the data and the software behind it.

Google has taken a step in the right direction with its promise that any cloud application it provides will have as a prime directive the ability of the user to pack up their data and take it anywhere, including a competitor.

At least that helps solve the issue of the risk of losing data, as it makes it easier to keep a local backup.