Canada: Procuring Cloud Computing Services

INTRODUCTION

Cloud computing is widely recognized as one of the most important new strategic technology opportunities for business. Cloud computing enables a business to outsource its information technology ("IT") requirements to a specialist service provider who can provide the required services in a better, more efficient and more cost-effective manner. Cloud computing allows a business to focus on its core competence and leave the IT stuff to the experts. For those reasons, cloud computing can provide significant benefits, but it can also present substantial risks. Following is a summary overview of cloud computing and its potential benefits and risks, and some guidance for the procurement of cloud computing services.

BASIC DEFINITION

Cloud computing is a business/technology/service model that treats IT resources (including networks, servers, data storage and software applications) and related services (including hardware and software maintenance and technical support) as a utility or consumption-based service. The term "cloud" is a metaphor for the Internet and an abstraction for the ill-defined underlying technologies used by a cloud service provider ("CSP") to provide the service.

There are various kinds of cloud computing services, but they generally have the following characteristics:

  • Pooled resources: The cloud service infrastructure is owned/licensed and managed by the CSP (not the customer), and is used by the CSP to efficiently provide services to multiple customers.
  • Broad access: The cloud services are accessible using standard, Internet-enabled devices.
  • Elastic/Scalable: The cloud services are flexible, and can be rapidly and elastically provisioned (increased and decreased) to meet the customer's changing requirements.
  • On-demand self-service: The customer can provision the cloud services as needed and without requiring human interaction with the CSP.
  • Measured service/fees: Fees for cloud services are based on usage, which is monitored, controlled and reported to the customer using appropriate metrics.

SERVICE AND DEPLOYMENT MODELS

Cloud computing services can be provided using various service and deployment (infrastructure) models. The basic service models are as follows:

  • Infrastructure as a Service (IaaS): The CSP procures and manages the IT infrastructure (e.g. networks, servers, data storage), and the customer provides the rest (e.g. operating system, software applications and related services). For example: Amazon Elastic Compute Cloud (EC2) and IBM Smart Business Development and Test.
  • Platform as a Service (PaaS): The CSP procures and manages everything except the software applications and related services. For example: Microsoft Azure, Google App Engine and Amazon Simple Storage Solution (S3).
  • Software as a Service (SaaS): The CSP procures and manages everything, including the software applications and related services. For example: Apple's iCloud, Gmail and Postini, SharePoint, WebEx and Salesforce.com.

The basic deployment (infrastructure) models are as follows:

  • Public Cloud: The cloud service infrastructure is used by all customers.
  • Private Cloud: The cloud service infrastructure is used by a single customer.
  • Community Cloud: The cloud service infrastructure is used by several related customers with shared requirements or other common interests.
  • Hybrid Cloud: The cloud service infrastructure is a combination of different kinds of clouds (public, private, community) that exchange data and applications.

WHY IT WORKS

Cloud computing works because of new technologies (e.g. grid computing, server virtualization and super-high speed Internet) and economies of scale. Cloud computing services often use one or more geographically distributed data centres that house powerful and flexible (quickly and easily configured) IT platforms used to maximum efficiency to process and store tremendous amounts of data for multiple customers. The data centres might be owned and operated by the CSP itself, or they might be owned by a third party (such as Google, Amazon, Oracle, IBM or Cisco) and used by multiple CSPs.

Cloud computing is similar to the way in which most businesses obtain electricity. Instead of having their own small power plant (which is like the traditional IT model), most businesses buy electricity from the local electric company, which operates one or more large power plants and distributes electricity to customers that pay based upon consumption. The customers don't have to buy their own power plant or hire skilled workers to maintain it (although some businesses do have their own power plants or backup generators, just in case). But the analogy is imperfect, because electrical utilities are regulated and generally do not have custody of their customers' sensitive business information and data (including data collected from third parties).

BENEFITS AND RISKS

The risks and benefits of a cloud computing service will depend upon the particular circumstances, including: the service and deployment model; the importance of the service to the customer; the source and sensitivity of the data created, processed or stored using the service; the character, quality and experience of the CSP; the nature of the customer and its business sector; the applicable legal/regulatory rules and requirements; and the availability and practicability of alternative services.

The benefits offered by many cloud computing services can be summarized as follows:

  • Lower Cost/Financial Risk: Cloud services usually use a pay-as-you-go / pay-as-you-grow pricing model. The customer pays for the services it needs when it needs them, subject to contractual usage commitments. The customer is not required to make any up-front capital investment to acquire or maintain IT infrastructure or related resources (including personnel). Costs are operating expenses rather than capital expenses, and those expenses are better aligned with returns. There is less financial risk and better cash flow, and greater return on the IT spend.
  • Elasticity/Scalability: Cloud services are usually flexible, and can be expanded/reduced by the customer as needed for organizational changes, market demands and cyclical business models, and to respond to unexpected opportunities/challenges.
  • Agility: Cloud services can lower IT barriers to innovation, enable the customer to engage in rapid and low-cost experimentation and change, and speed up time-to-market and time-to-value. The customer does not have to procure an IT infrastructure and related resources for new or uncertain business initiatives. Cloud services provide easy, quick and low-cost access to new technologies.
  • Improved Service Quality and Customer Productivity: Cloud services are provided by a specialist service provider, which should improve the quality of the core service as well as ancillary services (e.g. security, data backups, software updates and disaster/business continuity preparedness). Cloud services usually permit the customer to remotely access the IT service from any location without specific hardware or software, which should save costs and enhance customer productivity. Cloud services allow the customer to focus on its core business, and enable the customer's IT personnel (if any) to focus on supporting the customer's business initiatives.

The basic characteristics of cloud computing that provide tremendous benefits can also present significant risks. Cloud computing can enable the customer to outsource the procurement and management of IT services, but the customer remains responsible and liable for regulatory compliance and performance of its legal obligations to investors, employees, customers, and business partners. In addition, the customer is often dependent and vulnerable, because the CSP usually has complete control over the quality and availability of the service and custody of the customer's sensitive business data (including data collected from third parties). Those circumstances can present potentially significant business and legal risks, which may be summarized as follows:

  • Business Continuity: The customer must rely on the CSP's willingness and ability to provide the cloud service in a manner that meets the customer's needs, and to comply with the CSP's contractual and legal obligations. If a cloud service is mission critical for the customer's business operations, deficient service may result in significant business disruption and resulting financial loss to the customer. The customer might not be able to easily or quickly implement a substitute service.
  • Confidentiality: Cloud services often store the customer's confidential business information in geographically distributed data centres operated by the CSP or its subcontractors. The customer must rely on the CSP to maintain the security of the information and protect it against unauthorized access, use and disclosure. In addition, information stored in foreign data centres may be subject to search and seizure by foreign governments and law enforcement and disclosure in foreign legal proceedings.
  • Regulatory/Privacy Compliance: Deficient cloud services may expose the customer and its directors/officers to penalties for failure to comply with applicable laws. A significant concern for many customers is compliance with statutory information security and privacy obligations (including laws regarding personally identifiable information, personal health information and financial information). In some circumstances, the use of a cloud service that stores data outside Canada can be a breach of applicable law. In addition, the customer may require the CSP's assistance to comply with other statutory or legal obligations, such as litigation document preservation and disclosure obligations, regulatory audits and responding to security breaches.
  • Liability/Reputation: Deficient cloud computing services may expose the customer and its directors/officers to claims and liabilities to the customer's investors, employees, customers and business partners, and may tarnish the customer's reputation.

THE PROCUREMENT CHALLENGE

Cloud computing is a form of outsourcing, but the procurement process is usually significantly different from traditional outsourcing transactions. Traditional outsourcing usually involves a formal procurement process and extensive negotiations over technical, business and legal issues and risk allocation. In contrast, for a variety of reasons (including the high-volume, low-value transaction business model typical of many cloud services), CSPs are often exceedingly reluctant to accept significant risk, and typically use standard form, take-it-or-leave-it contracts that are one-sided and do not reasonably address the customer's most important business needs and legal requirements. The challenge for businesses is to procure cloud computing services in a way that facilitates a reasonable assessment of the potential benefits and countervailing risks, and allows the business to effectively manage those risks. In some circumstances, the potential benefits of a cloud computing service will not justify the risks.

Following is a summary of some of the most important issues customers should consider when procuring cloud computing services.

  1. Due Diligence: The customer should conduct appropriate (documented) due diligence investigations of the CSP and its services, so that the customer can make an informed decision to establish a dependency/reliance relationship with the CSP. Where appropriate, the customer's senior officers and directors should review the due diligence process and its results.
  2. Regulatory Restrictions/Compliance: The customer should consider whether its use of the cloud service is permissible under laws of general application and laws specific to the customer or its industry, and what each of the customer and CSP must do to ensure compliance with those laws.
  3. Value Proposition: The customer should assess the total cost of the cloud service (including the basic service as well as required ancillary services), and obtain appropriate contractual price protection promises from the CSP.
  4. Standard Form Contracts: The customer should determine at the outset whether the CSP is willing to negotiate changes to its standard form contract. Many standard form contracts fail to adequately address the customer's most important business needs and legal requirements, but CSPs are often reluctant to negotiate changes. In some circumstances, this might be a showstopper for the customer.
  5. Service Availability/Quality: The customer should assess the CSP's contractual promises regarding the availability and quality of the cloud service (both basic service and ancillary services), and the customer's remedies if the service is deficient. Service availability/quality guarantees (often called "SLAs" or "service level agreements") may be of little value if they are ambiguous or difficult to monitor and measure, or if the customer does not have meaningful, cost-effective, practical remedies for deficient service.
  6. Business Continuity/Disengagement: The customer should assess its ability to effectively transition to a substitute service if necessary (e.g. if there is a temporary service disruption or service termination), and consider planning and preparing for those events. The customer should attempt to avoid or minimize the risk of technology lock-in, and obtain appropriate contractual promises from the CSP to provide disengagement/transition services.
  7. Risk Allocation/Insurance: The customer should assess the contractual allocation of risk (including the CSP's liability for the customer's own losses and responsibility to protect/indemnify the customer against third party claims/liabilities). CSPs are notoriously reluctant to accept risk for the potentially significant losses/liabilities a customer might suffer as a result of deficient service or other misconduct by the CSP. The customer also should consider whether its own insurance coverage is adequate for the nature and magnitude of the risks presented by using the cloud service.
  8. Security/Confidentiality/Privacy: The customer should assess the CSP's contractual promises regarding internal and external security measures, the security and confidentiality of the customer's data/information, and the protection of sensitive third party data/information (e.g. personal information, financial information, and health information).
  9. Ownership/Proprietary Rights: The customer should obtain appropriate contractual promises and effective remedies regarding the customer's ownership of its data and other materials (including software) processed, created or stored using the cloud service, and the customer's right to access its data and materials (before and after service termination) and to continue to use the CSP's specialized software applications during disengagement.
  10. Governance/Oversight/Enforcement: The customer should obtain appropriate contractual promises to allow the customer to monitor the service and the CSP's performance and compliance with its obligations, to facilitate compliance audits and regulatory inspections, and to effectively enforce the CSP's timely performance of key obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
