Bringing Cloud Computing Down to Earth

WEBINAR Q&A

BRINGING CLOUD COMPUTING DOWN TO EARTH

Presented by Professor Christina L. Kunz

March 14, 2012

1) How does one control and maintain upgrades for hardware and software?

A: In general (especially in SaaS), the cloud provider is responsible for both of these tasks. The consumer-provider contract should set standards for how up-to-date the provider needs to keep the hardware and software. The contract’s metrics may also play a role in compelling the provider to furnish additional updates in order to meet the required metrics. Remember that the provider has responsibility for the hardware in this contract, except for the devices that the consumer uses to access the provider’s services.

In particular, in an SaaS contract, the software (application) is the provider’s responsibility too, so it’s totally a service contract (see slide 35). In PaaS, the provider runs the software that provides the components of the platform, as well as the operating system, but the consumer can deploy onto the cloud infrastructure its own applications (software) (see slide 37), so this is the kind of cloud that’s suited for consumers who are software (application) developers, testers, deployers, or administrators (see slide 38). In this setting, the consumer may well be generating the updates and putting them on the cloud. The parties’ contract should sort this out. In IaaS, even more control is given over to the consumer (see slides 39-41). But the cloud hardware is always the provider’s responsibility.

2) How do you handle backup of data? It appears to be fairly expensive

A: A cloud contract often provides data back-up as one of the services. However, if your cloud provider is charging too much for this service, you could bring that function back in-house, or you could locate another cloud provider to furnish that service so that the cloud data is regularly transported to the back-up vendor for storage. A cloud broker may be able to help you find and aggregate these cloud services (see slide 23).

3) If escrow is requested, is this cost shared amongst all of the consumers on the cloud?

A: Generally no. You want your data to continue to be isolated from the data of other consumers on the same cloud, and you don’t want to be at the mercy of other consumers who might later be in breach of the cloud contract, so that the provider tries to deny your right to the escrow. You also want the escrow contract to be specific to you so that it has the full protection from any later bankruptcy by the provider (under the automatic stay section 365(n)). I suppose there might be a community cloud for which a joint escrow might be a good idea in some community cloud—such as a group of not-for-profit corporations who have the same general standards of security, trust each other, and want to keep costs down. But even then, there might be problems.

4) How would you recommend researching the best countries for data retention and the laws for those countries? Are there resources you could recommend to a global buyer?

A: The research on these data retention laws seems to be mostly locked up in books (easy to find in an Amazon or Google search), subscription services (like BNA Blomberg), and subscription websites. Many companies have a chief privacy officer (CPO) to sort out issues involving data privacy, security, retention, and protection, because it’s more than a full-time job for a global company. Fortunately, the EFF (bless them!) has an up-to-date site discussing countries with mandatory data retention laws: Note that the European Union directive on data retention directs the member states to enact laws requiring providers to store telephone, e-mail and Internet usage data, as well as the location of mobile phones for at least six months. Many EU member states have enacted those laws, but some have been overturned as unconstitutional.