Intellectual Property Magazine - Cloud Computing: What In-House Counsel Needs to Know
Intellectual Property Magazine asked me to write an article for their March 2011 issue. We discussed various topics and ultimately settled on the subject matter in the title of this Blog posting above. Our arrangement allows me to publish my work in my Blog. The graphics in the published article are really quite amazing. What follows is the text of my article minus the graphics:
Cloud Computing: What In-House Counsel Needs to Know
The only constant is change. I remember being at an Oktoberfest back in the late ‘80’s. My friends and I noticed a young man wearing a phone on his belt. We laughed and thought how self-important he must think he is. Well, I confess that today I do not leave the house without my Smart-Phone firmly attached to my belt. I can make and receive calls, send and receive emails, surf the net, and even take a picture if needed. The old adage “Change, embrace it” holds true in today’s technological environment.
It is said that the speed of processing chips doubles every 18 months. There does not seem to be an end in sight in the growth in sales for the ubiquitous mobile phones. Apple’s iPad is all the rage and the Apple stores cannot keep them on the shelves. The number of applications to be written for all mobile computing devices in the coming year is staggering. So the next phase in innovation in this burgeoning IT industry is Cloud Computing. The term “Cloud” gives the concept a rather nebulous tone. Studies show the sales in the Cloud Computing marketplace have doubled in the last few years and there is no slowdown in sight. Let’s first define exactly what Cloud Computing is in order to rid ourselves of the uncertainty and then examine its advantages and disadvantages.
Cloud Computing – What is it?
Software as a Service, also known as SaaS or On-Demand, is the term most closely associated with Cloud Computing. The key word is “Service”. SaaS acts similar to a linked network of computers, or a cluster of linked networked computers, to perform different functions. This cluster of networked computers acts as a virtual supercomputer. Each person working on his or her own laptop computer is provided with the exact application they need to work and perform the tasks on their part of a project or to perform their assigned tasks in their area of work in the corporate entity. These applications are provided to that person via the internet. The user can work remotely and the applications needed are accessed by them from the internet through their web-browser. It is a seamless delivery system and it appears to the user that the applications are installed on their lap-top. The software and the data generated are not stored on the premises or the user’s own hard drive, but rather on shared servers at the vendor’s site.
What are its advantages?
The major reason usually given for Cloud Computing is that SaaS is faster to get up and running into a productive environment when compared to a full blown enterprise wide implementation and therefore a much less expensive alternative. Hand in hand with the touted speed to productivity is the claim that the enterprise can avoid the upfront capital expenditures for additional or specialized hardware that are usually required in most Enterprise Resource Planning (“ERP”) implementations. The servers are not on premises. It is a shared server array at the software vendor’s site. Since it is a service, the pricing is based on a per seat use rate and so the millions in the initial cash outlay for the software suite are non-existent. The theory is that the enterprise pays for what one uses and no more. Depending on the application, the pricing might not be exactly pay as you go, but a hybrid. The software vendor may have a subscription based pricing for the estimated number of users or hits required over a shorter period of time. This pricing model can then be adjusted as events require. Another advantage to this delivery model is that it is easily scalable and provides flexibility as projects or the enterprise at large experiences growth. Users, storage space, and upgrades to new versions and releases to the software can all be dealt with as the needs arise.
What are its disadvantages?
Security is the paramount concern. Where’s my software? Where’s my data? We have government regulations to adhere to. There are new banking regulations and new privacy rules. What about protecting non-public personal information? How do you assure me that my data does not get mixed up with another entity’s data? And the list can go on and on.
How do we address these concerns?
Cloud Computing is inevitable. Given the centralized nature of Cloud Computing, security becomes more efficient. Instead of fighting the concept, it might be wiser to prepare for its eventual acceptance and implementation. It is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made. One way to approach this matter is to initiate trials for your personnel by creating an innovation sandbox in the cloud. Contractually, this is the time when in-house counsel needs to lean on the “techies” on the business team. Actually both sides must feel comfortable with the solutions to the security issues. Let the business teams gather all the questions and all the means to address those concerns. Then it is the contract draftsman’s job to memorialize these areas of concern and the consequences into the contract to be signed if such matters are not met.
The teams must agree on the specifications of how the data is to be isolated and protected. Include language that allows and mandates that the customer’s data is retrievable in a format that is desirable and safe. The ability to retrieve your data in the right format should be part of any Disaster Recovery language and the policies and procedures discussed and inserted into the contract. Your data should be backed-up periodically on a regular basis and copies of the back-ups should be stored off-site at another secure facility. Support levels and upgrades are part of the selling feature of any SaaS initiative and so these must be clearly spelled out in the contract, usually via a separate Support Schedule attached to the terms and conditions and incorporated by reference. In addition to clearly defining what is included in Support, make sure to have your team develop in conjunction with in-house counsel and the vendor’s team a Software Support Response Schedule for inclusion into the contract. Such a Response Schedule should have up-time availability percentages for the Productive System and a sufficient penalty if these availability percentages are not met. Do not be afraid to include tough penalties for failure to achieve the agreed upon up-time availability to adequately incentivize the On-Demand vendor to meet their promised availability times. These penalties usually are a dollar percentage credit to the customer’s monthly or quarterly use fees. The teams should work on clearly defining different levels of priority and the times to respond to such calls for support (e.g. Level 1 is Very High Priority due to Productive System Shutdown. Response time after reported is 1 hour). The contract must clearly state that the vendor is SAS 70 certified and such certificate must be made available to the customer upon signing of the contract. It should go without saying, but verify that all of the promises made have been confirmed by a team from the customer by an on-site visit to the vendor’s facilities. The on-site visit should be able to confirm all the physical security claims and the policies and procedures discussed in the contract negotiations. Once the promised savings materialize due to reduced costs on maintenance and upfront costs for specialized hardware, the enterprise can use these funds and direct its efforts to more innovative ways of running the business.
Is complete surrender the only alternative?
Depending on the type of business your company is engaged in, considering the move to Cloud Computing and the nature of the data to be processed, the concerns over security might be just too high a hurdle to overcome. The new Privacy Laws and computer hacking and new government regulations sometimes present an insurmountable obstacle. Another approach is to perform a cost benefit analysis of just certain parts of your business and the results might make the transition to Cloud Computing more palatable. On-demand service providers, another name of SaaS software vendors, are coming up with hybrid delivery approaches to Cloud Computing. If the enterprise has a myriad of smaller customer interfacing transactions at a multitude of cites, why not make use of the Cloud with all its advantages of scalability and pricing based on use while leaving the more sensitive data processed and stored on premises in a single tenancy traditional approach. This allows the enterprise to take advantage of the cost savings of using Cloud Computing while still maintaining the integrity of the more sensitive data stored on premises.
Where do we go from here?
The worldwide recession has kept the lid on software vendors raising prices. But this economic downturn cannot last forever. During this time, there has been a consolidation of software developers in the ERP industry. In April 2009 Oracle purchased Sun Microsystems. This purchase alone gave Oracle, one of the prime players in the ERP market space, access to not only Sun’s premiere hardware capabilities, but also the keys to some of Sun’s stalwart software applications, most importantly the Java programming language. Along with Oracle’s purchase of Sun came the Solaris operating system asset as well. With all the assets of the Sun Microsystems purchase, including both the software and hardware, Oracle has placed itself in a position to provide the foundation to build its SaaS and Cloud Computing services.
SAP, who has been partnering with IBM since the late 90’s, plans on developing along with IBM a product that will facilitate the creation of an in-house cloud. SAP’s new endeavor, the “Reservoir” cloud computing project’s aim is to spread the utilization of requested applications across the enterprise’s servers thus addressing under utilization and spikes in usage.
Intel, the world’s prime chip manufacturer, purchased McAfee, a leader in network security industry. With this purchase Intel hopes to integrate security directly into the architecture of its chip. If this is accomplished, Intel’s potential to enter such new markets as network security, smart phones, and PC tablets is boundless.
Google, purveyor of the prime search engine of choice, has recreated itself into a vendor of mobile devices, operating systems, and Cloud Computing. Other big IT players such as CISCO, IBM, and HP, now flush with cash and seeing the impending paradigm shift in the industry, have gone on a shopping spree purchasing unified communications vendors, and network security companies, and business intelligence vendors. Oddly enough all of these companies apparently are perceived as being outside of the acquirer’s original area of expertise.
With this consolidation in the market many of the potential ERP customer’s choices will be eroded as only a handful of ERP vendors will remain. It’s a fair assumption that prices will be on the rise. Your IT budgeters should expect the need to request increases in funding for the usual items that accompany an ERP Business Suite purchase such as increased costs for support, higher rates for users, and the ever burdensome costs of a full blown enterprise wide implementation with all its foibles and miscues. One way to counteract the consolidation in the ERP market space is to examine the alternative methods for deployment of the needed IT services. Cloud Computing, Software as a Service, a hybrid approach, or Managed Services are options your IT department should be considering. As I have discussed the insurmountable hurdles to Cloud Computing can be overcome. With the right contracting model, adequate assurances and protections, along with sufficient penalties to incentivize adherence to agreed upon terms of protection, Cloud Computing can be the viable alternative for your IT department. Change is coming. Embrace it.
Epilogue : My editor asked me to develop a “To Do” list for the readers. The graphics in the published piece consist of a yellow legal pad with the following bullet points:
To-do-list
· When implementing cloud computing, it is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made.
· In addition to clearly defining what is included in support, make sure to have your team develop in conjunction with in-house counsel and the vendor’s team a software support response schedule for inclusion into the contract.
· The contract must clearly state that the vendor is SAS 70 certified and such certificate must be made available to the customer upon signing of the contract.
· Make use of the cloud with its advantages of scalability and pricing based on use while leaving the more sensitive data processed and stored on premises in a single tenancy traditional approach.