This article is part of the PLC multi-jurisdictional guide to outsourcing. For a full list of contents, please visit www.practicallaw.com/outsourcing-mjg.
The potential advantages of cloud computing are compelling, and will undoubtedly push more businesses, large and small, to consider using cloud services to replace or enhance current computing and application resources.
Increasingly, adopting cloud computing requires consideration of the basic principles and concepts of an outsourcing transaction, as the business relies on the provision of data processing and other technological services 'from the cloud'. Chief among them is that concepts relating to sales of goods or licensing concepts have little or no application, as the cloud consists primarily of a provision of services. This provides unique challenges for companies adopting cloud computing arrangements, as well as the lawyers advising them.
Against this background, this article examines the following:
What is cloud computing?
Cloud computing arrangements.
Cautions when using cloud computing.
Contract checklist.
The cost of maintaining and installing a company's hardware and software structure is shifting to a web-based, metered-use, automatically provisioned shared system, commonly referred to as cloud computing. Low capital cost and higher deployment and scaling efficiencies provide a competitive edge to many businesses. Accessing data through the internet using off-premises software and hardware can also allow a business' customers to access and analyse up-to-date data on demand, and can improve the speed and ease with which information can be collected and used.
"a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
A key concept of cloud computing is that the service is provided through the internet using shared infrastructure. Another important feature of cloud computing is scalability, meaning that the services and resources of the business can be scaled up or down based on demand, and on an automatically provisioned and metered-use basis. Scalability allows businesses greater flexibility in terms of costs of maintaining an IT infrastructure.
There are three broad categories of cloud services: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
The IaaS market was estimated to be worth about US$3 billion (as at 1 February 2012, US$1 was about EUR0.8) in 2011 and is estimated to grow to about US$7 billion by 2013. Examples of companies operating IaaS include Amazon and Qwest.
IaaS consists of cloud-based, usually virtualised servers, networking, and storage, which the customer is free to manage as required. Billing is typically on a utility or metered-use computing model: the more of each that you use, the more you pay.
In this model the customer can obtain from one or more cloud providers the network, storage, processing and other essential computing infrastructure resources. The customer does not manage or control the data centre or network but the customer may have control over the data and operating systems placed into the infrastructure sourced from the IaaS providers.
The PaaS market was estimated to be worth about US$2 billion in 2011 and is estimated to grow to US$8 billion by 2013. Examples of companies operating PaaS are Microsoft and Google.
In a PaaS scenario, the customer can use its own applications on the cloud service provider's infrastructure. The customer does have control over the data and the applications and in some cases the hosting environment. The rest is provided as a shared-resource metered service.
SaaS is the largest and most common cloud-based service. The SaaS market was estimated to be worth about $15 billion in 2011 and is estimated to grow to about US$17.5 billion by 2013. Examples of companies operating SaaS are Salesforce, Intuit, Webex, Geminare, Syncapse and NRX.
In a SaaS arrangement, the customer accesses the cloud provider's software applications through the internet. This is also a common model for consumer cloud services.
Unlike a conventional outsourcing, many more parties are involved in typical cloud computing arrangements. These can include:
The end-user.
The commercial customer.
The cloud service provider.
An auditor of the quality of the services being offered.
A platform provider.
A provider of servers.
A data centre provider and operator.
An operating system provider.
Applications software providers.
The carrier or provider of data connectivity.
A reseller, distributor or broker who may be involved in managing the relationship between the customer and the cloud service provider.
Consultants who can address implementation and configuration.
Additionally, a business will often engage with a disaster recovery or business continuity provider, as those functions will operate differently in a cloud service model than would be usual in an owner or outsourced model. It is not unusual for one cloud provider to use other cloud providers as subcontractors.
Complicating matters for the customer, there is no contractual privity between the customer and the many other parties who may provide elements of the overall service. Similarly, there are issues surrounding governing law and jurisdictional restrictions, and enforcement of contract and mitigation of breach (such as of privacy or data protection regulations, or compliance with the users' local laws).
Typical contract structures in a cloud service arrangement include:
Terms of service.
Service level agreement (SLA).
Acceptable use policies.
Privacy policies.
End user licence agreements.
The contracting environment is complex and often more difficult in cloud services scenarios. The fundamental nature of cloud service offerings relies on high degrees of automation of provisioning and metering of use, which in turn require high degrees of standardisation of the services being offered. This militates toward highly standardised and non-negotiable contract terms.
The advantages of cloud computing services are undeniable. Cloud services are quickly scalable, are subscription or metered-use based rather than capital intensive, are maintained and provided without adding any additional infrastructure and staff, are readily deployable, and promise to be very innovative and up-to-date.
Moving to these 'as a service' cloud systems (SaaS, IaaS, and PaaS) can be a nearly irresistible urge. For the right applications it can be done safely and securely, if done properly. However, not all business functions can or should be moved to the cloud, and none without careful forethought and planning.
What needs to be remembered is that cloud services are inherently different from provider-owned systems. It is also significant that many cloud services are aimed at consumers and not business or government users. This means that the system designs of such consumer-focused services may be built for consumer grade uses, and are not built for mission-critical business or government applications. Similarly, service levels and service contract terms and conditions are aimed at consumers.
The implications are that service guarantees, uptime and security, data integrity, and compliance with privacy and other regulatory requirements are not typically "baked in" to the terms and conditions of the SLAs or licence terms. That means that care must be taken when engaging business or governmental computing functions with cloud services.
In many cases there can be a mismatch between the cloud services provided, and how they are understood or implemented by customer organisations. The following points should be considered:
Goods versus services. Systems that are owned and controlled, even if via outsourced infrastructure providers, are operated specifically by or for the organisation. This means that data in the systems and the operation of the systems, the surrounding security and integrity, and control over users and uses, are all provided by the organisation at the direction of the organisation. Decisions about outages, updates and add-in capabilities are made by the organisation, with an eye to the organisation's sole benefit and its needs and regulatory constraints.
Cloud computing is different: instead of a direct control relationship with the systems and equipment, the relationship is one of 'purchaser of shared services'. So instead of buying computers and licensing software, the business is buying services from a service provider, with no tangible assets in the mix. As a result, the custom features and handling available for an owned (or outsourced) system are replaced by the service provider's approach, systems and practices.
Relationships and trust. Cloud users are, of necessity, at the mercy of the service provider. Data as well as processing facilities and software reside outside of the physical control of the company using the cloud services. The service provider may well subcontract infrastructure, security, access, physical computing resources, software, maintenance, training, configuration, and so on to third parties, often also cloud-based operators, with whom the company has no contractual relationship, and some or all of whom may be in other jurisdictions. This means that there must be a higher level of due diligence, audit, privacy review, data ownership, failover and backup, and similar concerns addressed before and in the contractual relationships between the user organisation and the cloud provider. Special care should be applied to the transition out arrangements.
Social networking collaboration services. An ancillary part of cloud computing is that a lot of the services in the cloud are social networking and collaboration tools or add-ons. When layered on top of concerns with cloud service contracting, contracting for social networking collaboration services adds another level of complexity to the company's analysis of security, privacy, access, information integrity, logging and audit, performance, and ownership and control of information and data.
Similarly, social networking and collaboration systems in the cloud are generally aimed at consumers, with similar consumer grade concerns with respect to contractual and system-design protections for mission-critical and sensitive data and systems. Business users need to address any mismatch with the needs of their mission-critical applications and data.
There are, of course, many differently nuanced concerns that should be addressed during any proposed move to embrace cloud computing in mainstream business operations. The following list provides a sample of some terms that a company may wish to include in a cloud computing contract, beyond the standard terms and conditions:
Services are to be provided in a "good and workmanlike" or "professional" manner.
Data belongs to the customer (or customer's customers) and will be returned on demand in a useable format.
Prohibition against suspension of service without sufficient notice from provider; fee disputes will not be a sufficient reason to suspend the service.
No deletion of dormant accounts without sufficient notice to customer.
Termination assistance: cloud provider is required to provide transition and conversion assistance so that data and functionality can be moved to another system after termination (usually at the customer's cost, but at the vendor's normal rates).
Caps on fee increases year over year.
Litigation or regulatory change co-operation assistance (such as changes to privacy laws, breach reporting requirements, and so on) usually at the customer's cost, but at the vendor's normal rates.
Systems perform to specifications, which are rational. In SLA terms: watch percentage uptimes. 99% uptime is equal to 3.65 days downtime per year. Take care in definitions.
System as operated will not infringe third party IP rights.
Vendor bears some responsibility for data losses (not included in limitation of liability clauses) and obligation to provide disaster recovery plan (beforehand) and assistance (afterward) at no additional cost.
Vendor is obliged to identify third party service providers and subcontractors, and the customer has the right to audit. (There is not much else the customer can do.)
Vendor to permit the customer to audit security, subcontracts, data recovery and backup plans (periodically).
Vendor duty to report (auditable) service level compliance (uptime, lag and latency, and so on).
Data location. Some agencies are regulated as to where data can reside or be processed or stored (for example, healthcare, financial services, and public bodies). This must be imposed on the vendor (who must impose it on subcontractors).
No secondary commercial use or disclosure of customer data (or the customer's customers' data) by cloud provider or its subcontractors.
Compatible applicable law, dispute resolution procedures, and so on.
Regulatory and customer enquiry or complaint "pass-through" obligations (on the vendor) so that the customer is not blind-sided.
T +403 298 3650
F +403 265 7219
E kratzm@bennettjones.com
W www.bennettjones.com
Qualified. Canada (Alberta),1985; Trademark Agent, 1985; Queen's Counsel, 2009
Areas of practice. Outsourcing; intellectual property; information technology; licensing and technology transactions; procurement; data protection; privacy; e-commerce; technology and intellectual property M&A.
T +416 777 6446
F +416 863 1716
E cardd@bennettjones.com
W www.bennettjones.com
Qualified. Canada (Ontario), 1984; Bermuda, 1984
Areas of practice. Outsourcing; procurement transactions; technology.
T +403 298 4448
F +403 265 7219
E whittm@bennettjones.com
W www.bennettjones.com
Qualified. Canada (Alberta), 1979; Trademark Agent, 1994; Patent Agent, 2001; Queen's Counsel, 2008
Areas of practice. Information technology; licensing and transactional intellectual property; agency; licensing and commercialisation; litigation support healthcare; information technology and data protection; transactions privacy and data protection; regulatory compliance and response (transaction-related).