Cloud Adoption: Managing the Legals Richard Kemp and Deirdre - PowerPoint PPT Presentation

Breakfast seminar Cloud Adoption: Managing the Legals Richard Kemp and Deirdre Moynihan 27 June 2018

Agenda 09.00-09.05: Welcome, Richard 09.05 - 09.15: Context: the cloud at scale – legal and regulatory issues, Richard 09.15 - 09.40: Current cloud contracting issues, Deirdre 09.40 – 09.55: Coffee/networking 09.55 – 10.20: Towards a legal checklist for cloud contracting, Richard 10.20 – 10.30: Q&A/discussion

Context: Enterprise IT – Segment Projections (2017-2026, $bn) $1,600 Public Cloud - SaaS $1,400 Enterprise Cloud Public Cloud - IaaS $1,200 Public Cloud - PaaS (10% in 2017, Private Cloud Enterprise Operational IT Staff Projected 45% in 2026) $1,000 $800 Traditional Application Software & Support $600 Traditional Infrastructure Services ‘Traditional’ Enterprise IT $400 (90% in 2017, Traditional Hardware (+ Software & Support) $200 Projected 55% in 2026) $0 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 Source: Wikibon

Context: enterprise cloud service continuum Traditional enterprise Private/public cloud

Context: security of data in the cloud – the key issue • As IT workloads migrate to the cloud, the benefits must be weighed and managed against the risks • The security of data in the cloud remains the central preoccupation of both cloud service providers (CSPs) and their customers • NCSC – cyber threat to UK business, 2017-2018 report (10 April 2018): “Only 40% of all data stored in the cloud is access secured, although the majority of companies report they are concerned about encryption and security of data in the cloud. As more organisations decide to move data to the cloud (including confidential or sensitive information) it will become a tempting target for a range of cyber criminals. They will take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored” • IDC’s Data Age 2025 White Paper (2017) – the role of data and the cloud will intensify: “All this data from new sources open up new vulnerabilities to private and sensitive information. There is a significant gap between the amount of data being produced today that requires security and the amount of data that is actually being secured, and this gap will widen — a reality of our data-driven world. By 2025, almost 90% of all data created in the global datasphere will require some level of security, but less than half will be secured.”

Context: a structured approach to managing cloud security risks Cloud/data security: the legal, technical, Context: cloud security – legal and regulatory aspects 5 Applicable operational and governance controls that an cloud duties organisation puts in place to ensure desired security outcomes 4. Cloud/data governance framework … more than just papering … 3. Cloud security principles Structured approach: 2. Other CSP documents 1. CSP contract Ts & Cs 2. Other CSP documents 1. CSP 3. Cloud security best practices and principles Contract Ts&Cs 4. Cloud/data governance framework 5. Applicable cloud security duties

Current Cloud Contracting Issues Access Access Rights/Scope of Rights/Scope of License License Performance Performance Standards & Warranties & Pricing Pricing & Liability Compliance Compliance Issues Issues Due Diligence/Pre- Contractual CSP Legal Terms Considerations Remedies if Data Security & Step- Data Security things go wrong Integrity In/Escrow/Exit (ATOMs) CSP Relationships Relationships with suppliers with Suppliers and customers

Current Cloud Contracting Issues – Considerations when moving from on-premise Advantages scalable, durable – modern/state of the easier to deal with art assets underpin spikes in processing the cloud power/data storage infrastructure costs generally cheaper are lower if opting than on premise Disadvantages for a multi-tenant solution solution concerns about what loss of control over concerns about data happens if things go underlying integrity and wrong or if the CSP more agile – easier infrastructure/assets security fails to move suppliers analytics services and data (?) limited/no input into inability to control service design and updates/upgrades offering, beholden to CSP’s terms

Current Cloud Contracting Issues – Considerations when moving from on-premise license to a SAAS solution Set-up Costs & Costs of Use Cases and Scope of Security & Data Risk/Liability Running Cloud and On- License Integrity Prem in parallel • 2x fees during • nature of user rights • data transformation • may be more reliant transition? needs to be the same and transfer – on CSP/SAAS provider as those available on migration tools for support & • is SAAS better value prem maintenance for money longer • data security (during term? • no perpetual rights to transfer and once in • what happens if use software/service the cloud) – ATOMS, CSP/SAAS provider offered by CSP certification, policies fails to perform? Step- and CSP’s liability in and Exit rights? • license/access rights typically cease on • duration and cost • CSP/SAAS provider will termination – can lead generally seek to cap • responsibility/liability to lock-in/reluctance all liability (outside of for loss/damage to switch providers what can’t legally be • back-up excluded and liability under its IPR indemnity

Current Cloud Contracting Issues – Considerations when moving from on-premise license to a SAAS solution • Legacy Agreements • Existing core terms and conditions with some cloud SAAS providers (e.g. Microsoft, Oracle, SAP) may be in place for 10+ years • Originally drafted for on premise offerings, not SAAS • Need to consider whether legacy Ts&Cs are appropriate for SAAS or whether a move to a new set of Ts&Cs is appropriate - this may lead to re-negotiation of existing agreements/terms Worldwide Perpetual Irrevocable

Current Cloud Contracting Issues – Key Terms Overview • Access Rights • Performance Warranties, Compliance Issues & Audits Authorised/Named User Access Generally SLAs are linked to availability only • • Access Hierarchies – different users can have different rights Limited warranties given by CSPs • • and permissions (e.g., read, write) CSPs generally resist customer drafted audit provisions • • Cloud Platform accessed via the Internet “anytime” and “anywhere” Liability • Scope of License & Pricing Generally capped at a percentage of fees • • 100% - 150% is usual • • License typically non-exclusive & terminates on termination • Liability for data loss/damage, privacy/GDPR issues typically Authorised/Named User Charge subject to monetary cap • Data Storage Charges • Software Package Fees Exit • • Process Charges (e.g., for performing calculations or for • communications from the cloud to other systems/software) • Post-termination assistance is unusual CSPs generally allow a short period post-termination for • Data Security & ATOMS customers to download data • CSPs offer standardised approach to security and apply the Escrow • • same ATOMs to all customers Standards & certification increasingly common and usually Typically not offered by CSP • • required by customers Can be used as a way to audit security •

Current Cloud Contracting Issues – Customer Mandated Terms Equality & Anti- Audit Confidentia Modern Equal GDPR HR InfoSec TUPE bribery Rights lity Slavery Treatment SAAS Provider standard terms v. Customer’s required terms • limited scope/ability to negotiate with SAAS Provider • SAAS Provider [somewhat] beholden to data centres’/hosting providers’ underlying terms • GDPR • Controller v Processor • Article 28(3) clauses • Data Transfers • Policy Wars – last shot prevails? Or, say yes now and sort out any issues later? •

Current Cloud Contracting Issues – Data Security & Integrity ATOMs (Appropriate Technical & Organisational Measures) • Customers want transparency, detailed information about security and ATOMs, a data law compliant solution, • remedies for breach CSPs will: • “implement reasonable and appropriate measures designed to help you secure Your Content against accidental • or unlawful loss, access or disclosure” (AWS Ts&Cs) “maintain appropriate technical and organizational measures, internal controls, and data security routines • intended to protect Customer Data against accidental loss or change, unauthorized disclosure or access, or unlawful destruction” (Microsoft Azure Ts&Cs) What are “appropriate” TOMs and who decides? • Due Diligence Key – security assessments, detailed description of ATOMs should be made available by CSP, pen • testing, BC/DR policies, standards & certification

Current Cloud Contracting Issues – Avoiding Lock-In Fixed Price + Fixed Fee Increases (by reference to CPI/RPI) Access Rights Performance Warranties/SLAs Termination Rights Step-In Rights Exit Rights Data Return

Current Cloud Contracting Issues – Standards Standards & Audits • ISO27000 family - information security • management systems NIST Standards • SSAE 16 SOC Type 2 audit • ISAE3402 audit • GDPR audits? •