Insight

Cloud Computing: An Exercise in Architecting Trust

Rather than the cloud being a thing, it is actually a process.

Cloud Computing
Kelly L. Frey Sr.

Kelly L. Frey Sr.

December 19, 2017 02:16 PM

Cloud computing is a misnomer of arcane origin. Originally the “cloud” was literally just a technology doodle (beyond the then-available lexicon or the plastic templates of systems architects 40 years ago).1 The billowing shape was used in system schematics to represent something beyond the computationally and conversationally stunted devices of the time (reminiscent of the ancient cartographers’ “terra incognita”). But over time, and especially with the dawning of the gigabyte era, the image/term has been co-opted to visually/linguistically represent what NIST has defined as “a model for enabling ubiquitous access to shared pools of configurable resources (such as computer networks, servers, storage, applications, and services).”2

Rather than the cloud being a thing, it is actually a process.

So how do you cloud compute? You enlist the aid of applications, platforms, and resources owned and controlled by third parties, when and as needed. Whether infrastructure as a service (IaaS), platform as a service (PaaS), and/or software as a service (SaaS), you (the consumer of cloud services) hand over management and control of critical information technology infrastructure to third-party vendors (who legally become your agent[s]). From a legal perspective, that means you delegate responsibility for performance to your agent, by contract (whether negotiated, click-through, or any variation in between). However, despite such delegation of performance you (as principle) still retain primary legal liability for anything that your agent does during such performance. It is important, therefore, that the contract with the agent/vendor adequately and equitably allocates the risks you retain as principle. And that is where most legal issues occur: as a failure to adequately address or allocate such risks.

Part of the risk concerns come from most cloud vendors’ perspective that since they are providing a standardized suite of services to all customers, the contract for such services should also be standardized (i.e., a form contract). These form contracts always seem to disproportionately favor the vendor (and if the cloud vendor has market power, it can force such unfavorable terms across its customer base). What this form-based contracting ignores is that risk is most efficiently allocated in an open marketplace to the party that has control. In the cloud environment, the vendor by definition has control (of the activity), but the form contract avoids and minimizes shifting the risks related to this control, thereby negating the actual monetary consequence of whatever choices the vendor may have made in architecting or operating its cloud. This can be done in the form agreement via:

  • limitations of liability and/or caps on liability (that, while proportionate to the value to the vendor of the contract-for-service, have no relationship to the absolute risk of and costs to the cloud customer);
  • limited indemnification provisions (leaving the principle exposed to disproportionate third-party risks, even if covered for the customer’s own first-party risks); and/or
  • disclaimers of the true equitable and/or monetary damages the customer may experience from a vendor’s activities in favor of service credits (that represent only a fractional or variable cost to the vendor, with little proportionality to the actual customer risks and damages).

However, even when contracts for cloud services are negotiated, attorneys sometimes forget that these negotiations must be mapped against their client’s enterprise vulnerability, which must account for both the probability of disruption or liability and the severity of the consequences.3

Intentional risks grab headlines (and disproportionate mindshare in cloud contracts).

Certainlythe nefarious activities of hackers involved in cybercrimes and security breaches are problematic, require contract allocation of risks, and are prime candidates for risk-sharing with insurance underwriters of cyber insurance.

But cyberterrorism and cyberwarfare are now equally an issue of risk allocation.4 Similarly, the intentional acts of the vendor in architecting, implementing, and/or operating its cloud infrastructure based around appropriate standards (and certification and residual auditing around such standards) need to be addressed in negotiations (and run the gamut from the esoteric to the more mundane aspects of cloud operation, such as employee background checks and the physical security of locked doors and drawers).

Negligent risks are more familiar territory for attorneys. Such risks begin with a duty, such that the first issues in cloud contracting are to properly and adequately define the vendor’s duty in the agreement (and make such duty both legally and practically enforceable). Once such duty is articulated in the contract, then the task turns to not only allocating the risks of loss from failure to adhere to that defined duty, but also monitoring for lapses of that duty over the term of the contract. So, for example, shifting uptime responsibility to a vendor and allocating the monetary losses from a breach of such duty is essential in the contract. But however necessary that may be, it is insufficient unless there is appropriate responsibility for monitoring in place of the contract to compensate against a breach of such uptime duty (i.e., the vendor has a much better ability to assess when its infrastructure is working than the customer, so it is legally appropriate to place an affirmative obligation on the vendor to monitor, report, and automatically credit for downtime rather than requiring the customer to either notice and/or report downtime).

Trust is the extent to which one party relinquishes control to another party on the belief that it will fulfill tasks and responsibilities the grantor values. In the cloud, our clients relinquish control. Unfortunately, the cloud was never architected for trust; it is completely agnostic, in that each bit is valued the same as every other bit. So much of what attorneys must do in the cloud environment is architect such trust between the client and a cloud vendor. And this must be done with the sole tool available: appropriate contract language that requires an alignment between the cloud vendor’s values and the client’s values (as set out in the tasks and responsibilities a vendor must assume, by contract, to implement such client values).

----------------------------

1 See www.retroist.com/2009/01/11/ibm-flowcharting-template/ for example of an early plastic template used for system analysis.

2 SP 800-145, The NIST Definition of Cloud Computing, at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.

3 See generally, Sheffi, The Resilient Enterprise, MIT Press, 2005.

4 See Frey, Cyber-warfare, cyber-terrorism, and cyber-crime, Financier Worldwide, April, 2013; www.financierworldwide.com/cyber-warfare-cyber-terrorism-and-cyber-crime/#.WgnxjMJPqUk.

Related Articles

Bringing Cloud Liability Down to Earth


by Jim Steinberg and Lance McCord

Unlike most traditionally licensed software, cloud solutions also put the customer at risk by transmitting, storing, and processing the customer’s data outside of the customer’s networks.

Cloud Liability

Into the Breach


by John Ettorre

Data breaches have become inevitable. Here’s what you can do to respond.

Data Breaches

How Does Your Firm Measure Up?


by Best Lawyers

BL Intelligence provides your firm with valuable industry data.

Best Lawyers 27th Edition Stats

2019 Women in the Law at a Glance


by Best Lawyers

2019 "Women in the Law" by the numbers.

What Practices Grew the Most in 2019?

My Data My Rules: An Overview of Data Protection in Brazil


by Fábio Pereira

My Data My Rules

Are You Equipped to Manage the Internet of Things?


by Morgan Gebhardt

Are IoT technologies nice-to-have “apps” or necessary business components?

Manage the Internet of Things

Trending Articles

The Best Lawyers in South Africa™ 2023


by Best Lawyers

Best Lawyers proudly announces lawyers recognized in South Africa for 2023.

South African flag

Announcing the 2023 The Best Lawyers in America Honorees


by Best Lawyers

Only the top 5.3% of all practicing lawyers in the U.S. were selected by their peers for inclusion in the 29th edition of The Best Lawyers in America®.

Gold strings and dots connecting to form US map

Best Lawyers Voting Is Now Open


by Best Lawyers

Voting has begun in several countries across the globe, including the United States, the United Kingdom and Europe. Below we offer dates, details and answers to voting-related questions to assist with the voting process.

Hands holding smartphone with five stars above phone

Best Lawyers: Ones to Watch in America for 2023


by Best Lawyers

The third edition of Best Lawyers: Ones to Watch in America™ highlights the legal talent of lawyers who have been in practice less than 10 years.

Three arrows made of lines and dots on blue background

Rising Transfer Taxes


by Angus C. Beverly

Transfer taxes in California are becoming a statewide trend with potentially national implications. Here is a breakdown of the effects in several cities.

State of California in orange with city in backdrop

Announcing The Best Lawyers in Australia™ 2023


by Best Lawyers

The results include an elite field of top lawyers and firms from Australia.

The Best Lawyers in Australia™ 2023

Announcing the 2023 The Best Lawyers in Canada Honorees


by Best Lawyers

The Best Lawyers in Canada™ is entering its 17th edition for 2023. We highlight the elite lawyers awarded this year.

Red map of Canada with white lines and dots

Could Reign Supreme End with the Queen?


by Sara Collin

Canada is revisiting the notion of abolishing the monarchy after Queen Elizabeth II’s passing, but many Canadians and lawmakers are questioning if Canada could, should and would follow through.

Teacup on saucer over image of Queen's eye

Famous Songs Unprotected by Copyright Could Mean Royalties for Some


by Michael B. Fein

A guide to navigating copyright claims on famous songs.

Can I Sing "Happy Birthday" in Public?

What the Courts Say About Recording in the Classroom


by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?

The Upcycle Conundrum


by Karen Kreider Gaunt

Laudable or litigious? What you need to know about potential copyright and trademark infringement when repurposing products.

Repurposed Products and Copyright Infringemen

Caffeine Overload and DUI Tests


by Daniel Taylor

While it might come as a surprise, the over-consumption of caffeine could trigger a false positive on a breathalyzer test.

Can Caffeine Cause You to Fail DUI Test?

Wage and Overtime Laws for Truck Drivers


by Greg Mansell

For truck drivers nationwide, underpayment and overtime violations are just the beginning of a long list of problems. Below we explore the wages you are entitled to but may not be receiving.

Truck Driver Wage and Overtime Laws in the US

Best Law Firms® Research Has Begun


by Best Lawyers

Best Law Firms® rankings are annually produced awards recognizing the top law firms across the United States. We are here to offer insight into the submission process for all eligible firms.

Black background with colorful squares and faces

Choosing a Title Company: What a Seller Should Expect


by Roy D. Oppenheim

When it comes to choosing a title company, how much power exactly does a seller have?

Choosing the Title Company As Seller

Thirteen Years of Excellence


by Best Lawyers

For the 13th consecutive year, “Best Law Firms” has awarded the most elite and talented law firms across the country through a thorough and trusted data review process.

Red, white and blue pipes and writing on black background