It started with Application Service Providers (ASP) - businesses turning over a small portion of their computing needs to third parties to handle. As that practice became more common, we dubbed it Software as a Service (SaaS). But now, the sky's the limit - or rather, the "cloud's" the limit - as businesses have begun turning over all of their computing needs to third parties. In this brave new world of so-called "cloud computing," is the forecast for sunny days ahead or scattered showers with a chance of rain?
What is cloud computing?
In the broadest sense, "cloud computing" refers to the delivery, upgrade and maintenance of information technology (IT) services over the Internet - a delivery method that eliminates the need to host such resources locally and rely on new software, hardware and license agreements to implement each addition or upgrade. The IT resources delivered include applications and services, the infrastructure on which they operate, and the support needed to keep everything running. A "private cloud" is a dedicated network or data center that supplies hosted services to a particular business or limited number of people, whereas a "public cloud" makes services available to anyone on the Internet - and usually for a fee. Private clouds dedicate servers to specific customers; public clouds do not.
a. Savings. Cloud computing requires minimal hardware and software: all that is necessary is a means to access and navigate the Internet. There is no need for extensive servers, hardware, software, upgrades or support staff. Also, businesses would only pay for the resources they actually use, thereby eliminating the need to purchase resource packages or hire IT support for unnecessary requirements.
b. Scalability. Cloud computing allows for on demand expansion and upgrade of IT resources.
c. Availability. Cloud computing makes IT resources immediately available and accessible around the clock.
d. Resiliency. Cloud computing allows for sustainable IT resources during times of disasters or extremely heavy use, and eliminates the need for internal or remote company disaster backup servers.
e. Efficiency. Cloud computing shifts IT headaches to third parties, allowing companies to devote their personnel and financial resources to marketing, delivery of products and services, and research and development.
a. Dependence on a third party provider. A business using cloud computing will not be in control of its IT resources, and will have limited control over the storage and availability of its data. This factor underscores the importance of selecting a qualified, dependable provider with a proven reputation and expertise.
b. Confidentiality. The data of a business using cloud computing is stored in a remote data center over which the business has no control. Indeed, that data could be stored in multiple locations, or possibly even outside the United States. Moreover, data center personnel and other third parties likely will have access to that data. As such, the risk of a data breach is potentially increased. While this concern applies to all businesses, it is of even greater significance to businesses that must comply with various privacy laws, such as HIPAA. Also, a business' ability to protect its data is compromised if governmental or law enforcement authorities search the business' service provider.
c. Downtime. Although all cloud computing agreements should contain provisions limiting the amount of downtime, actual control over downtime is out of the business' hands. There is always a possibility that the service provider will encounter difficulties that make the IT resources - and the business' data - unavailable for a period of time.
d. Content ownership and intellectual property rights and management. With a business' content and data in someone else's control, issues could arise as to who actually owns some or all of the content and data — particularly if the content and data is generated through the efforts of the third party. This issue often comes to a head when a business seeks to change service providers, and in response the service provider shuts down the business' web site or refuses to turn over certain data.
e. Data integrity, storage and backup. When a business gives up control over its data, there is always a risk that data could be lost, or manipulated improperly. These issues can be particularly significant where laws require appropriate audit trails and the like. Also, there could be limitations on the amount of data a business can store on a third party system. A business considering cloud computing also will need to ensure that its service provider offers adequate data back-up, including appropriate disaster recovery plans.
Cloud computing has many advantages over a traditional in-house computing model, including cost savings and simplified internal systems. On the other hand, there are a number of increased risks associated with this format, including loss of control over data and confidentiality issues. Before venturing into a cloud computing arrangement, it is very important to have an appropriate written agreement in place to minimize the above-described risks and to address appropriate protections and remedies. Other significant matters to consider are compliance with applicable laws and regulations pertaining to privacy, use and exchange of data, as well as service level commitments, and costs. Finally, finding an experienced, financially sound, and trustworthy vendor is critical to making your cloud computing participation a success. You can have your head in the clouds, but make sure you have your feet on the ground.
This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.