Insight

Cloud Computing: An Exercise in Architecting Trust

Rather than the cloud being a thing, it is actually a process.

Cloud Computing
Kelly L. Frey Sr.

Kelly L. Frey Sr.

December 19, 2017 02:16 PM

Cloud computing is a misnomer of arcane origin. Originally the “cloud” was literally just a technology doodle (beyond the then-available lexicon or the plastic templates of systems architects 40 years ago).1 The billowing shape was used in system schematics to represent something beyond the computationally and conversationally stunted devices of the time (reminiscent of the ancient cartographers’ “terra incognita”). But over time, and especially with the dawning of the gigabyte era, the image/term has been co-opted to visually/linguistically represent what NIST has defined as “a model for enabling ubiquitous access to shared pools of configurable resources (such as computer networks, servers, storage, applications, and services).”2

Rather than the cloud being a thing, it is actually a process.

So how do you cloud compute? You enlist the aid of applications, platforms, and resources owned and controlled by third parties, when and as needed. Whether infrastructure as a service (IaaS), platform as a service (PaaS), and/or software as a service (SaaS), you (the consumer of cloud services) hand over management and control of critical information technology infrastructure to third-party vendors (who legally become your agent[s]). From a legal perspective, that means you delegate responsibility for performance to your agent, by contract (whether negotiated, click-through, or any variation in between). However, despite such delegation of performance you (as principle) still retain primary legal liability for anything that your agent does during such performance. It is important, therefore, that the contract with the agent/vendor adequately and equitably allocates the risks you retain as principle. And that is where most legal issues occur: as a failure to adequately address or allocate such risks.

Part of the risk concerns come from most cloud vendors’ perspective that since they are providing a standardized suite of services to all customers, the contract for such services should also be standardized (i.e., a form contract). These form contracts always seem to disproportionately favor the vendor (and if the cloud vendor has market power, it can force such unfavorable terms across its customer base). What this form-based contracting ignores is that risk is most efficiently allocated in an open marketplace to the party that has control. In the cloud environment, the vendor by definition has control (of the activity), but the form contract avoids and minimizes shifting the risks related to this control, thereby negating the actual monetary consequence of whatever choices the vendor may have made in architecting or operating its cloud. This can be done in the form agreement via:

  • limitations of liability and/or caps on liability (that, while proportionate to the value to the vendor of the contract-for-service, have no relationship to the absolute risk of and costs to the cloud customer);
  • limited indemnification provisions (leaving the principle exposed to disproportionate third-party risks, even if covered for the customer’s own first-party risks); and/or
  • disclaimers of the true equitable and/or monetary damages the customer may experience from a vendor’s activities in favor of service credits (that represent only a fractional or variable cost to the vendor, with little proportionality to the actual customer risks and damages).

However, even when contracts for cloud services are negotiated, attorneys sometimes forget that these negotiations must be mapped against their client’s enterprise vulnerability, which must account for both the probability of disruption or liability and the severity of the consequences.3

Intentional risks grab headlines (and disproportionate mindshare in cloud contracts).

Certainlythe nefarious activities of hackers involved in cybercrimes and security breaches are problematic, require contract allocation of risks, and are prime candidates for risk-sharing with insurance underwriters of cyber insurance.

But cyberterrorism and cyberwarfare are now equally an issue of risk allocation.4 Similarly, the intentional acts of the vendor in architecting, implementing, and/or operating its cloud infrastructure based around appropriate standards (and certification and residual auditing around such standards) need to be addressed in negotiations (and run the gamut from the esoteric to the more mundane aspects of cloud operation, such as employee background checks and the physical security of locked doors and drawers).

Negligent risks are more familiar territory for attorneys. Such risks begin with a duty, such that the first issues in cloud contracting are to properly and adequately define the vendor’s duty in the agreement (and make such duty both legally and practically enforceable). Once such duty is articulated in the contract, then the task turns to not only allocating the risks of loss from failure to adhere to that defined duty, but also monitoring for lapses of that duty over the term of the contract. So, for example, shifting uptime responsibility to a vendor and allocating the monetary losses from a breach of such duty is essential in the contract. But however necessary that may be, it is insufficient unless there is appropriate responsibility for monitoring in place of the contract to compensate against a breach of such uptime duty (i.e., the vendor has a much better ability to assess when its infrastructure is working than the customer, so it is legally appropriate to place an affirmative obligation on the vendor to monitor, report, and automatically credit for downtime rather than requiring the customer to either notice and/or report downtime).

Trust is the extent to which one party relinquishes control to another party on the belief that it will fulfill tasks and responsibilities the grantor values. In the cloud, our clients relinquish control. Unfortunately, the cloud was never architected for trust; it is completely agnostic, in that each bit is valued the same as every other bit. So much of what attorneys must do in the cloud environment is architect such trust between the client and a cloud vendor. And this must be done with the sole tool available: appropriate contract language that requires an alignment between the cloud vendor’s values and the client’s values (as set out in the tasks and responsibilities a vendor must assume, by contract, to implement such client values).

----------------------------

1 See www.retroist.com/2009/01/11/ibm-flowcharting-template/ for example of an early plastic template used for system analysis.

2 SP 800-145, The NIST Definition of Cloud Computing, at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.

3 See generally, Sheffi, The Resilient Enterprise, MIT Press, 2005.

4 See Frey, Cyber-warfare, cyber-terrorism, and cyber-crime, Financier Worldwide, April, 2013; www.financierworldwide.com/cyber-warfare-cyber-terrorism-and-cyber-crime/#.WgnxjMJPqUk.

Related Articles

Bringing Cloud Liability Down to Earth


by Jim Steinberg and Lance McCord

Unlike most traditionally licensed software, cloud solutions also put the customer at risk by transmitting, storing, and processing the customer’s data outside of the customer’s networks.

Cloud Liability

Into the Breach


by John Ettorre

Data breaches have become inevitable. Here’s what you can do to respond.

Data Breaches

How Does Your Firm Measure Up?


by Best Lawyers

BL Intelligence provides your firm with valuable industry data.

Best Lawyers 27th Edition Stats

2019 Women in the Law at a Glance


by Best Lawyers

2019 "Women in the Law" by the numbers.

What Practices Grew the Most in 2019?

My Data My Rules: An Overview of Data Protection in Brazil


by Fábio Pereira

My Data My Rules

Are You Equipped to Manage the Internet of Things?


by Morgan Gebhardt

Are IoT technologies nice-to-have “apps” or necessary business components?

Manage the Internet of Things

Trending Articles

Announcing the 2022 Best Lawyers® in the United States


by Best Lawyers

The results include an elite field of top lawyers listed in the 28th Edition of The Best Lawyers in America® and in the 2nd Edition of Best Lawyers: Ones to Watch in America for 2022.

2022 Best Lawyers Listings for United States

Announcing the 2023 The Best Lawyers in America Honorees


by Best Lawyers

Only the top 5.3% of all practicing lawyers in the U.S. were selected by their peers for inclusion in the 29th edition of The Best Lawyers in America®.

Gold strings and dots connecting to form US map

2021 Best Lawyers: The Global Issue


by Best Lawyers

The 2021 Global Issue features top legal talent from the most recent editions of Best Lawyers and Best Lawyers: Ones to Watch worldwide.

2021 Best Lawyers: The Global Issue

The U.S. Best Lawyers Voting Season Is Open


by Best Lawyers

The voting season for the 31st edition of The Best Lawyers in America® and the 5th edition of Best Lawyers: Ones to Watch® in America is officially underway, and we are offering some helpful advice to this year’s voters.

Golden figures of people standing on blue surface connected by white lines

How To Find A Pro Bono Lawyer


by Best Lawyers

Best Lawyers dives into the vital role pro bono lawyers play in ensuring access to justice for all and the transformative impact they have on communities.

Hands joined around a table with phone, paper, pen and glasses

The Best Lawyers in Australia™ 2024 Launch


by Best Lawyers

Best Lawyers is excited to announce The Best Lawyers in Australia™ for 2023, including the top lawyers and law firms from Australia.

Australian Parliament beside water at sunset

How Palworld Is Testing the Limits of Nintendo’s Legal Power


by Gregory Sirico

Many are calling the new game Palworld “Pokémon GO with guns,” noting the games striking similarities. Experts speculate how Nintendo could take legal action.

Animated figures with guns stand on top of creatures

Inflation Escalation


by Ashley S. Wagner

Inflation and rising costs are at the forefront of everyone’s mind as we enter 2023. The current volatile market makes it more important than ever to understand the rent escalation clauses in current and future commercial lease agreements.

Suited figure in front of rising market and inflated balloon

What the Courts Say About Recording in the Classroom


by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?

The Upcycle Conundrum


by Karen Kreider Gaunt

Laudable or litigious? What you need to know about potential copyright and trademark infringement when repurposing products.

Repurposed Products and Copyright Infringemen

Best Lawyers: Ones to Watch in America for 2023


by Best Lawyers

The third edition of Best Lawyers: Ones to Watch in America™ highlights the legal talent of lawyers who have been in practice less than 10 years.

Three arrows made of lines and dots on blue background

A Celebration of Excellence: The Best Lawyers in Canada 2024 Awards


by Best Lawyers

As we embark on the 18th edition of The Best Lawyers in Canada™, we are excited to highlight excellence and top legal talent across the country.

Abstract image of red and white Canada flag in triangles

Wage and Overtime Laws for Truck Drivers


by Greg Mansell

For truck drivers nationwide, underpayment and overtime violations are just the beginning of a long list of problems. Below we explore the wages you are entitled to but may not be receiving.

Truck Driver Wage and Overtime Laws in the US

Choosing a Title Company: What a Seller Should Expect


by Roy D. Oppenheim

When it comes to choosing a title company, how much power exactly does a seller have?

Choosing the Title Company As Seller

IN PARTNERSHIP

Bentley & More LLP: Beacon of Hope


by Bentley & More

With a unique blend of expertise in trial advocacy and workers’ compensation, Bentley & More LLP has established itself as a beacon of hope for injured workers.

Bentley & More LLP: Beacon of Hope for Injured Employees

8 Different Types of Criminal Defenses in Law


by Best Lawyers

Learn about the different types of criminal defenses available in law, including innocence, self-defense, insanity and more. Protect your rights today.

Silver handcuffs laying on finger printed papers