200 likes | 342 Views
Moderator: Rakesh Madhava Nextpoint Panelists: Martin Tully Katten Muchin Rosenman LLP Paul Starkman Pedersen & Houpt Keith Chval Protek International Heidi Fessler Merrill Corp. I see a sailboat. No wait, it’s a pony!.
E N D
Moderator: Rakesh Madhava Nextpoint Panelists: Martin Tully Katten Muchin Rosenman LLP Paul Starkman Pedersen & Houpt Keith Chval Protek International Heidi Fessler Merrill Corp.
I see a sailboat. No wait, it’s a pony! • “Cloud Computing” can mean different things • SaaS, PaaS, IaaS • Public Definitions: • NIST • Berkeley • ABA Legal Tech Resource Center • Service & Deployment Models: • Private, Public, Hybrid
How is this any different than boxes stored at Iron Mountain?
How Cloud Differs • Access • Data Location • Greater Custody andControl Differentiation • Multi-Tenancy Capability
Cloudy Questions • Location issues • Operation issues • Legislative/Regulatory issues • 3rd party contractual limitations • Security/Privacy issues • Litigation/Investigative issues • Authenticity/Admissibility issues
E-Discovery Implications • Custody & Control • Fed. R. Civ. P. • 34(a)(1) • 26(a)(1)(A)(ii) • 37(e) • 45 • Flagg v. City of Detroit, 252 FRD 346 (E.D. Mich. 2008) • Cross-border issues • Preservation • Litigation hold management • Analysis & Collection • Spoliation risk & cost • Privilege issues • Authenticity & Admissibility
Spoliation in the Cloud: When Bad Things Happen To Good Evidence • General Considerations • Potential Liability for Spoliation • Minimize Risk by Addressing Up Front the Need to Preserve and Produce ESI • Remedies for Spoliation
Cloud Computing Service Level Agreement Considerations • Use of data/Security • Location of data • No change of terms • Destruction • Ownership (assignment) • Subpoena response • Regulatory requirements • Insurance/Indemnity • Audits
Service Level Agreement (SLA) SLA should contain: • The list of services the provider will deliver and a complete definition of each service. • Metrics to determine whether the provider is delivering the service as promised • Auditing mechanism to monitor the service. • Responsibilities of the provider and the consumer • Remedies available to both provider and client if the terms of the SLA are not met. • A description of how the SLA will change over time.
Service Level Agreement (SLA) • Security: Client and CSP must understand security requirements. • Data encryption: Data must be encrypted while it is in motion and while it is at rest. The details of the encryption algorithms and access control policies should be specified. • Privacy: Basic privacy concerns are addressed by requirements such as data encryption, retention, and deletion. An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment. • Data retention/deletion: How does CSP prove they comply with retention laws and deletion policies? • Hardware erasure/ destruction: Same as #4. • Regulatory compliance: If regulations must be enforced because of the type of data, CSP must be able to prove compliance. • Transparency: For critical data and applications CSP must be proactive in notifying client when the terms of the SLA are breached including infrastructure issues like outages and performance problems as well as security incidents.
Service Level Agreement (SLA) • Certification: CSP should be responsible for proving required certification and keeping it current. • Performance definitions: Defining terminology such as uptime and other contractual metric terms (i.e. – uptime could mean all servers on continent are available or only one designated server is available.) • Monitoring: Responsible party for monitoring including identification of any third-party organization designated to monitor performance of the provider. • Audit Rights: To monitor for any data breaches including loss of data and availability issues. SLA should clarify when and how the audits will take place. • Metrics: to be monitored in real-time and audited after occurence. Metrics of an SLA must be objectively and unambiguously defined. • Human interaction: On-demand self-service is one of the basic characteristics of cloud computing, but SLA should provide customer service when needed. Review and summary of cloud service level agreements, From "Cloud Computing Use Cases Whitepaper" Version 4.0,
Reality – Contract Issue • Currently, the standard contracts offered by cloud computing providers are one-sided and service provider-friendly, with little opportunity to change terms. • Few offer meaningful service levels or assume any responsibility for legal compliance, security or data protection. Many permit suspension of service or unilateral termination, and disclaim all or most of the provider's potential liability. • In addition, some cloud computing providers emphasize low cost offerings, which leave little room for robust contractual commitments or customer requirements.
Before you go “TO THE CLOUD!” Security & Control • No uniform standard for security and compliance among cloud providers. This may be bad - if you have evolved mature security and control discipline; or it may be a good thing, if you are looking for an external provider to help you with best practices. • Cloud is not, per se, either secure or insecure. You simply need to set your own standards, be aware of what your cloud provider can and cannot deliver, and choose according to your desired level of risk.
Before you go “TO THE CLOUD!” Portability & Compatibility • Not all cloud providers are able to provide the same level of portability and compatibility. • Extracting and restoring data may be a slow manual process due to API limitations and other restrictions. May be impossible to accomplish in a timely manner due to common limitations such as bandwidth. • Applications may require significant changes to be compatible with storage in a non-specific location that changes in case of emergency. • Be aware of your use cases, and make sure your recovery plan allows for the mobility of data the cloud will enable.
Before you go “TO THE CLOUD!” Longevity & Accessibility • Consider and verify the longevity of CSP to ensure data will be accessible when and how, needed before committing to CSP as sole source for data recovery. • During an analyst keynote speech at the 2010 CA InfoXchange event in Malaysia, the speaker estimated that a substantial number of current cloud providers will be out of business within 2 years. • CSPs talked about 99.999 per cent uptime, or the equivalent of five minutes' downtime per year. This is the Holy Grail of cloud computing but achieving it requires multi million-dollar investments in redundant infrastructure.
Before you go “TO THE CLOUD!” Where does your data reside? • EU Data Privacy Concerns • Which laws apply, country of origin or country where data resides?
Essential Power Contracts to Retain • Realtime feed from data intrusion detection systems to permit monitoring of the security systems performance. • Performance standards mandating maximum downtime and platform stability. • Auditing rights – access to monitoring dashboard to see metrics on function of the system. Also onsite visits to provider. • Remediation power – including monetary penalties for downtime, termination in the event of security violations and notice of any breach.
Essential Contract Powers to Retain • Freedom to Move – contract must make it clear that the data owner retains all ownership of the data as well as access to the data. There should be a defined time frame for giving back all the data once request has been made as well as definition of the format for the data if it is to be moved or returned to the client to avoid any additional cost to reformat data to be moved to a new provider. • Preservation of metadata – what metadata will be maintained and any impact of the system upon that metadata. • Access to information for e-discovery – how accessible the data will be including time to extract.
Questions? Rakesh Madhava rmadhava@nextpoint.com Paul Starkman pestarkman@pedersenhoupt.com Heidi Fessler heidi.fessler@merrillcorp.com Martin Tully martin.tully@kattenlaw.com Keith Chval kchval@protekintl.com