Intellectual Property & Technology Webinar/media/files/insights/events/2012/07/cloud...2 Speakers...

37 Offices in 18 Countries Intellectual Property & Technology Webinar Cloud Computing - Reaping the Benefits and Avoiding the Pitfalls Stuart James & Delizia Diaz Birmingham Wednesday, 11 July 2012


Page 1: Intellectual Property & Technology Webinar/media/files/insights/events/2012/07/cloud...2 Speakers Stuart James Delizia Diaz Partner Associate T: +44 121 222 3645 T: +44 121 222 3383

37 Offices in 18 Countries

Intellectual Property & Technology Webinar

Cloud Computing -

Reaping the Benefits and Avoiding the Pitfalls

Stuart James & Delizia Diaz

Birmingham Wednesday, 11 July 2012


Speakers

Stuart James, Partner

T: +44 121 222 3645

M: +44 7825 171894

E: [email protected]

Delizia Diaz, Associate

T: +44 121 222 3383

M: +44 7921 600022

E: [email protected]


Webinar Agenda

• An overview of Cloud Computing

• Opportunities presented by the Cloud

• Key risk areas

• A silver lining for the Cloud?


Cloud Computing Overview (1)

What is Cloud Computing?

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” *

Build Your Own

Subscribe, Plug In, Pay-per-Use

*National Institute of Standards and Technology (NIST), SP 800-145, September 2011.


Cloud Computing Overview (2)

Well known Cloud Computing offerings


Cloud Computing Overview (3)

CLOUD Deployment Models

• Public

• Private

• Hybrid

• Community

[Diagram labels: Single customer; Customer (×3); VPN / leased line or Internet link; Multi-tenancy model]


Cloud Computing Overview (4)

CLOUD Service Models

• SaaS – Software as a Service: Application, Platform, Infrastructure

• PaaS – Platform as a Service: Platform, Infrastructure

• IaaS – Infrastructure as a Service: Infrastructure


Opportunities and Benefits

Lower costs: No upfront investment in servers/data centres

No software licensing

No software updates for customers/maintenance costs

Scalability

On-demand: Pay for what you use (bandwidth/server space, etc.)

IT Team focus on core business

Enhanced Security

Faster implementation

Access to latest IT upgrades/developments


Cloud Computing - Key Risk Areas

Cloud provider service commitments

• Standard provider offering: “as is”, “as available”

• Clear service specifications

• Key service levels:

Functionality

Availability

Performance

Back-up – Disaster Recovery – Business Continuity

• Measurement/Reporting

• Remedies? (Service credits/other types of damages)


Cloud Computing - Key Risk Areas

Data location and traceability

• Retain some level of control over data location/storage

• Regional/country offering

• Traceability/audit trail requirements


Cloud Computing – Key Risk Areas

Information Security - Security requirements

• Data in Transit: Secure encryption (SSL)

• Data at Rest

Physical Security

Logical Security

– Encryption (shortcomings?)

– Access rights management/ audit trails

– Virtual segregation/Multi-tenancy architecture

– External intrusions/network attacks

Staff access controls


Cloud Computing – Key Risk Areas

Information Security (Cont’d)

• Assessment of compliance with security requirements

Contractual commitments

Audits

Certifications

• Incident response

Notification

Cooperation


Cloud Computing - Key Risk Areas

Investigations and litigation

• Accessing data:

Cloud users: Ability to retrieve data (e.g. internal investigations, data protection request, internal or external audit requests, etc)

Cloud providers - third party requests (e.g. subpoenas)

• What are the provider’s obligations?


Cloud Computing - Key Risk Areas

Regulatory and legal compliance

• EU Data Protection compliance

Consent

Access requests

Security of personal data

Subcontractors

Transfers outside of the EEA

Data loss/breach notification


Cloud Computing - Key Risk Areas

Regulatory and legal compliance (Cont’d)

• State/country specific requirements

US: Patriot Act, Sarbanes Oxley, Gramm Leach Bliley Act, Electronic Communications Privacy Act

UK: Regulation of Investigatory Powers Act

• Sector/organisation specific governance or compliance requirements (e.g. Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health Act, FSA in UK, telecoms, etc)

• Export/trade restrictions (e.g. encryption, EU dual use, etc)


Cloud Computing - Key Risk Areas

Contractual (or externally imposed) limitations and restrictions

• Audits required by cloud user’s customers

• Restrictions on data location

• Scope of software licences

• Restrictions on indemnities (e.g. government contracts)

• PCI DSS compliance


Cloud Computing - Key Risk Areas

Lock-in, exit and service transfer

Proprietary systems

Loss of IT expertise

Lack of exit support lock-in

Risk mitigation:

• Open standards

• Return of data

• Data deletion

• Migration support

• Data back-up

• Escrow

Lock-in?


Cloud Computing - Key Risk Areas

Cloud provider’s liability

• Standard terms – “take it or leave it”

Limited warranties

Wide exclusions of or caps on liability (including loss of profit)

• Public vs Private Cloud


Cloud Computing - Key Risk Areas

Insurance

• Existing policies: business interruption insurance coverage?

• Specific policies: cyber liability insurance


Recommended Steps

• Assessment of business goals

• What applications and data will be migrated to the Cloud?

• Prior due diligence checks – is your provider financially viable and can they technically deliver?

• Clear understanding of risks – what if it all goes wrong?

• Technical and legal assurances provided by cloud providers (including security requirements)

• Carefully negotiate contracts (focus on key business areas?)

• Monitor compliance on a regular basis


A Silver Lining for the Cloud?

• Competition between providers

willingness to negotiate terms

service offering

market consolidation

• Development of specific standards - industry codes & certifications

• Privacy by design

• Developments and adaptation of EU privacy laws to new technologies?

• Insurance


Contacts

Stuart James, Partner

T: +44 121 222 3645

M: +44 7825 171894

E: [email protected]

Delizia Diaz, Associate

T: +44 121 222 3383

M: +44 7921 600022

E: [email protected]


Worldwide Locations

North America

• Cincinnati

• Cleveland

• Columbus

• Houston

• Los Angeles

• Miami

• New York

• Northern Virginia

• Palo Alto

• Phoenix

• San Francisco

• Tampa

• Washington DC

• West Palm Beach

Latin America

• Bogotá+

• Buenos Aires+

• Caracas+

• La Paz+

• Lima+

• Panamá+

• Rio de Janeiro

• Santiago+

• Santo Domingo

Europe & Middle East

• Beirut+

• Berlin

• Birmingham

• Bratislava

• Brussels

• Bucharest+

• Budapest

• Frankfurt

• Kyiv

• Leeds

• London

• Madrid

• Manchester

• Moscow

• Paris

• Prague

• Riyadh+

• Warsaw

Asia Pacific

• Beijing

• Hong Kong

• Perth

• Shanghai

• Singapore

• Tokyo

+ Independent Network Firm