Intellectual Property Magazine - Cloud Computing: What In-House Counsel Needs to Know

 


Intellectual Property Magazine asked me to write an article for their March 2011 issue. We discussed various topics and ultimately settled on the subject matter in the title of this Blog posting above. Our arrangement allows me to publish my work in my Blog. The graphics in the published article are really quite amazing. What follows is the text of my article minus the graphics:

 

Cloud Computing: What In-House Counsel Needs to Know

The only constant is change. I remember being at an Oktoberfest back in the late ‘80’s. My friends and I noticed a young man wearing a phone on his belt. We laughed and thought how self-important he must think he is. Well, I confess that today I do not leave the house without my Smart-Phone firmly attached to my belt. I can make and receive calls, send and receive emails, surf the net, and even take a picture if needed. The old adage “Change, embrace it” holds true in today’s technological environment. 

It is said that the speed of processing chips doubles every 18 months. There does not seem to be an end in sight in the growth in sales for the ubiquitous mobile phones. Apple’s iPad is all the rage and the Apple stores cannot keep them on the shelves. The number of applications to be written for all mobile computing devices in the coming year is staggering. So the next phase in innovation in this burgeoning IT industry is Cloud Computing. The term “Cloud” gives the concept a rather nebulous tone. Studies show the sales in the Cloud Computing marketplace have doubled in the last few years and there is no slowdown in sight. Let’s first define exactly what Cloud Computing is in order to rid ourselves of the uncertainty and then examine its advantages and disadvantages.

Cloud Computing – What is it?

Software as a Service, also known as SaaS or On-Demand, is the term most closely associated with Cloud Computing. The key word is “Service”. SaaS acts similarly to a linked network of computers, or a cluster of linked networked computers, to perform different functions. This cluster of networked computers acts as a virtual supercomputer. Each person working on his or her own laptop computer is provided with the exact application they need to perform the tasks on their part of a project or their assigned tasks in their area of work in the corporate entity. These applications are provided to that person via the internet. The user can work remotely, accessing the needed applications over the internet through a web browser. It is a seamless delivery system and it appears to the user that the applications are installed on their laptop. The software and the data generated are not stored on the premises or the user’s own hard drive, but rather on shared servers at the vendor’s site.

What are its advantages?

The major reason usually given for Cloud Computing is that SaaS is faster to get up and running in a productive environment when compared to a full-blown enterprise-wide implementation and is therefore a much less expensive alternative. Hand in hand with the touted speed to productivity is the claim that the enterprise can avoid the upfront capital expenditures for additional or specialized hardware that are usually required in most Enterprise Resource Planning (“ERP”) implementations. The servers are not on premises. It is a shared server array at the software vendor’s site. Since it is a service, the pricing is based on a per seat use rate and so the millions in the initial cash outlay for the software suite are non-existent. The theory is that the enterprise pays for what it uses and no more. Depending on the application, the pricing might not be exactly pay as you go, but a hybrid. The software vendor may have a subscription based pricing for the estimated number of users or hits required over a shorter period of time. This pricing model can then be adjusted as events require. Another advantage to this delivery model is that it is easily scalable and provides flexibility as projects or the enterprise at large experience growth. Users, storage space, and upgrades to new versions and releases of the software can all be dealt with as the needs arise.

What are its disadvantages?

Security is the paramount concern. Where’s my software? Where’s my data? We have government regulations to adhere to. There are new banking regulations and new privacy rules. What about protecting non-public personal information? How do you assure me that my data does not get mixed up with another entity’s data? And the list can go on and on. 

How do we address these concerns?

Cloud Computing is inevitable. Given the centralized nature of Cloud Computing, security becomes more efficient. Instead of fighting the concept, it might be wiser to prepare for its eventual acceptance and implementation. It is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made. One way to approach this matter is to initiate trials for your personnel by creating an innovation sandbox in the cloud. Contractually, this is the time when in-house counsel needs to lean on the “techies” on the business team. Both sides must feel comfortable with the solutions to the security issues. Let the business teams gather all the questions and all the means to address those concerns. Then it is the contract draftsman’s job to memorialize in the contract to be signed these areas of concern and the consequences if such matters are not met.

The teams must agree on the specifications of how the data is to be isolated and protected. Include language that allows and mandates that the customer’s data is retrievable in a format that is desirable and safe. The ability to retrieve your data in the right format should be part of any Disaster Recovery language and the policies and procedures discussed and inserted into the contract. Your data should be backed up on a regular basis and copies of the back-ups should be stored off-site at another secure facility. Support levels and upgrades are part of the selling feature of any SaaS initiative and so these must be clearly spelled out in the contract, usually via a separate Support Schedule attached to the terms and conditions and incorporated by reference. In addition to clearly defining what is included in Support, make sure to have your team develop in conjunction with in-house counsel and the vendor’s team a Software Support Response Schedule for inclusion into the contract. Such a Response Schedule should have up-time availability percentages for the Productive System and a sufficient penalty if these availability percentages are not met. Do not be afraid to include tough penalties for failure to achieve the agreed upon up-time availability to adequately incentivize the On-Demand vendor to meet their promised availability times. These penalties usually are a dollar percentage credit to the customer’s monthly or quarterly use fees. The teams should work on clearly defining different levels of priority and the times to respond to such calls for support (e.g. Level 1 is Very High Priority due to Productive System Shutdown. Response time after reported is 1 hour). The contract must clearly state that the vendor is SAS 70 certified and such certificate must be made available to the customer upon signing of the contract.

It should go without saying, but have a team from the customer verify all of the promises made by an on-site visit to the vendor’s facilities. The on-site visit should be able to confirm all the physical security claims and the policies and procedures discussed in the contract negotiations. Once the promised savings materialize due to reduced costs on maintenance and upfront costs for specialized hardware, the enterprise can use these funds and direct its efforts to more innovative ways of running the business.

Is complete surrender the only alternative?

Depending on the type of business your company is engaged in and the nature of the data to be processed, the concerns over security when considering the move to Cloud Computing might be just too high a hurdle to overcome. The new Privacy Laws and computer hacking and new government regulations sometimes present an insurmountable obstacle. Another approach is to perform a cost benefit analysis of just certain parts of your business and the results might make the transition to Cloud Computing more palatable. On-demand service providers, another name for SaaS software vendors, are coming up with hybrid delivery approaches to Cloud Computing. If the enterprise has a myriad of smaller customer interfacing transactions at a multitude of sites, why not make use of the Cloud with all its advantages of scalability and pricing based on use while leaving the more sensitive data processed and stored on premises in a single tenancy traditional approach? This allows the enterprise to take advantage of the cost savings of using Cloud Computing while still maintaining the integrity of the more sensitive data stored on premises.

Where do we go from here?

The worldwide recession has kept the lid on software vendors raising prices. But this economic downturn cannot last forever. During this time, there has been a consolidation of software developers in the ERP industry. In April 2009 Oracle purchased Sun Microsystems. This purchase alone gave Oracle, one of the prime players in the ERP market space, access to not only Sun’s premiere hardware capabilities, but also the keys to some of Sun’s stalwart software applications, most importantly the Java programming language. Along with Oracle’s purchase of Sun came the Solaris operating system asset as well. With all the assets of the Sun Microsystems purchase, including both the software and hardware, Oracle has placed itself in a position to provide the foundation to build its SaaS and Cloud Computing services. 

SAP, which has been partnering with IBM since the late 90’s, plans on developing along with IBM a product that will facilitate the creation of an in-house cloud. The aim of SAP’s new endeavor, the “Reservoir” cloud computing project, is to spread the utilization of requested applications across the enterprise’s servers, thus addressing underutilization and spikes in usage.

Intel, the world’s prime chip manufacturer, purchased McAfee, a leader in the network security industry. With this purchase Intel hopes to integrate security directly into the architecture of its chip. If this is accomplished, Intel’s potential to enter such new markets as network security, smart phones, and PC tablets is boundless.

Google, purveyor of the prime search engine of choice, has recreated itself into a vendor of mobile devices, operating systems, and Cloud Computing. Other big IT players such as CISCO, IBM, and HP, now flush with cash and seeing the impending paradigm shift in the industry, have gone on a shopping spree purchasing unified communications vendors, and network security companies, and business intelligence vendors. Oddly enough all of these companies apparently are perceived as being outside of the acquirer’s original area of expertise.  

With this consolidation in the market many of the potential ERP customers’ choices will be eroded as only a handful of ERP vendors will remain. It’s a fair assumption that prices will be on the rise. Your IT budgeters should expect the need to request increases in funding for the usual items that accompany an ERP Business Suite purchase such as increased costs for support, higher rates for users, and the ever burdensome costs of a full-blown enterprise-wide implementation with all its foibles and miscues. One way to counteract the consolidation in the ERP market space is to examine the alternative methods for deployment of the needed IT services. Cloud Computing, Software as a Service, a hybrid approach, or Managed Services are options your IT department should be considering. As I have discussed, the insurmountable hurdles to Cloud Computing can be overcome. With the right contracting model, adequate assurances and protections, along with sufficient penalties to incentivize adherence to agreed upon terms of protection, Cloud Computing can be the viable alternative for your IT department. Change is coming. Embrace it.

Epilogue : My editor asked me to develop a “To Do” list for the readers. The graphics in the published piece consist of a yellow legal pad with the following bullet points:

To-do-list

·         When implementing cloud computing, it is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made. 

·         In addition to clearly defining what is included in support, make sure to have your team develop in conjunction with in-house counsel and the vendor’s team a software support response schedule for inclusion into the contract.

·         The contract must clearly state that the vendor is SAS 70 certified and such certificate must be made available to the customer upon signing of the contract.

·         Make use of the cloud with its advantages of scalability and pricing based on use while leaving the more sensitive data processed and stored on premises in a single tenancy traditional approach. 

 

Recommended Strategies for the CIO Considering Cloud Computing

 

As many of you know, SandHill.com is the online resource created for enterprise software executives. Kamesh Pemmaraju heads cloud research for the SandHill Group and writes a weekly report on the latest happenings influencing the cloud computing community. His latest report, entitled Top 5 Cloud Strategies for CIOs, is based on a survey of 511 software executives. The survey deals with these executives’ perceptions of cloud computing, their initiatives, implementation issues, and any perceived benefits. His report presents the top 5 strategies CIOs should follow when considering cloud computing. I will present a brief synopsis of those findings here as follows:

1.       Treat this decision like any other business decision:  Pemmaraju simply means to look at all the alternatives and do a traditional compare and contrast analysis. Look at the ROI and weigh the risks.

2.       The cloud is coming – Embrace it: Pemmaraju quotes one executive, “The cloud will come - it's happening now even if it is coming with a lot of hype and a lot of buzzwords. It's a very logical transition - like we are going from individual car craftsmanship into the era of the industrialization of IT services.” A large number of the survey respondents have already started trials and pilot projects to jump start the learning curve for their personnel.

3.       A sandbox spurs innovation: Create an innovation sandbox in the cloud. The drag on spending due to maintenance is lifted. This new found freedom allows IT departments to redirect efforts from infrastructure constraints to more creative ways to run the business model.

4.       Cloud computing is a furtherance of the outsourcing trend: With this in mind, Pemmaraju presents a short checklist to use when evaluating whether to move in this direction:

a.       Perform your due diligence and pick a good cloud computing vendor.

b.      Confirm that support levels are adequate.

c.       Obtain copies of vendor certifications (i.e. SAS 70 etc.)

d.      Is your data retrievable in your desired format?

e.      How is your data isolated and protected from others?

5.       Retrain your IT staff: As one CIO respondent succinctly stated, “The jobs of people who sit there patching thousands of servers each time there is a change—those jobs are going away.” The focus will turn from infrastructure to vendor management, and program management, and business analysis.

Pemmaraju concludes his report with an analysis of the impact open source is having on cloud computing. He states that proprietary licenses are lagging in their offerings for cloud computing and so many cloud platforms are run on top of open source stacks. This will have an effect on hardware sales as most companies will be trying to avoid the big expenditures on infrastructure.

 

 

SaaS Customer: A Checklist of What You Need to Know Before Selecting the Vendor

 

Bahan Sadegh, CEO and co-founder of NETtime Solutions and a veteran of the on-demand software industry, has written an article with the SMB Customer in mind.  Sadegh has created a list of questions for the SMB to consider before choosing its SaaS Vendor entitled 10 Questions To Ask A Potential SaaS Vendor.  His list is very informative and it would be wise to keep handy when considering which SaaS Vendor to select.  I cannot attest to the fact that this is an inclusive list, but I will tell you that his discussion of the points he has identified gives the reader enough information to perform their due diligence and ask more questions and there really are more than 10 points to know if one includes all the “sub-points” Sadegh includes.  I will try to provide a brief synopsis of his 10 Questions below:

1.     Billing should be pay-as-you-go: We all know there is a business cycle and your invoice should reflect this cycle.  Also, there should never be any maintenance fee on your invoice.

 

2.     Security:  Sadegh has a very good list of questions to ask in this very important area.  Instead of trying to paraphrase his words, I think it best to directly quote him on this matter:

“Ask your potential SaaS vendor:

-       Does the data center that is housing the servers have physical security 24/7?

 

-       Is the perimeter of the data center secured (do guards walk the perimeter at least once per 24 hours)?

 

-       Who has permission to access these servers (only internal employees or do contractors also have access)?

 

-       Is there a log that captures who came in and when they left? If so then how often are those logs audited?

 

-       Does the application use industry standard 128-bit encryption?

 

-       If multiple customers are housed on the same server then are they logically/physically separated to ensure your data is not viewed by unauthorized eyes?

 

-       Has the staff of the SaaS vendor who has access to your data gone through a criminal background check? It’s important to know whether or not convicted felons have access to your sensitive personal data.

 

-       Does the vendor have a formal BCP (Business Continuity Plan)? Is the vendor willing to share it with you and does it satisfy your concerns?”

 

 

3.     Solution must be web based:  There should be no requirement to install an application on any computer.     Also any SaaS application should be able to run on any platform and any browser.  In the event of a computer crash, you must have access to your application.

 

4.     An experienced vendor:  Make sure the vendor has experience in hosting.  A vendor experienced in hosting has already addressed such issues as scalability and security and is not merely repackaging their application as SaaS. (NOTE:  See point 8 below regarding MSP’s).

 

5.     Upgrades should be automatic:  You want to be on the latest version and have the most current functionality.  There should be no need to retrain your users.  The upgrades should be seamless.

 

6.     Integration:  You should have the ability to transfer between the web based applications and any on-premise applications.

 

7.     Data must be backed up regularly:  Nightly onsite back-ups and weekly offsite back-ups should be the minimum.  Does the vendor test how to restore their database?

 

8.     Who is hosting the solution:  Is this an in-house hosting arrangement or has the SaaS vendor contracted out with a Managed Service Provider (“MSP”)?  Get a SAS 70 report and verify that in the data center every system has at least one independent backup to ensure availability in the event of system failure; this is known as N+1 configuration.

 

9.     Scalability:  Can the SaaS vendor grow as your company grows?  Ask about their largest customer and ask them about their plans for growth.

 

10.  Is the SaaS system monitored:  An easily overlooked question.  Do they have monitoring software and do they test their firewalls?

 

Sadegh concludes his checklist by suggesting that the SaaS Customer perform a bi-annual review of their service with the above checklist in mind.

 

 

SaaS Vendors: A Legal Checklist

 

Due to the differences between traditional “on premise” software licensing and the newer software as a service (“SaaS”) offering, there were bound to be required adjustments on how the software customer contracted for these services.  We owe a debt of gratitude to Gene Landy with the law firm of Ruberto, Israel & Weiner, P.C. in Boston, MA.   Landy has put together a list of 8 items in his article 8 Legal Tips for SaaS Vendors that should be considered by the SaaS Vendor while developing their SaaS offering.  Including some or all of these tips in your contract may be a smart decision.  Here is a brief summary of those legal tips:

1.     Look for restrictions in your own software licenses:  As you develop your offering, do your licenses prohibit use as a service bureau, or are there restrictions on remote access or use as an Application Service Provider?  You wouldn’t want your SaaS application to be in violation of any of these restrictions.

 

2.     Has your contract model evolved:  Initially the SaaS offering came in a 2 part form - first a software license and then a hosting agreement.  Today the more common contract model is to view this as a subscription and not mention licensing in the agreement.

 

3.     The Tax Man:  Your customers may be interested to know that most states do not levy a tax on services as they do for the sale of a license.

 

4.     Trials:  The SaaS Vendor could include a trial period bundled into the subscription agreement.

 

5.     Required upgrades limit the SaaS vendor’s maintenance costs:  Require customers to upgrade and eliminate having to maintain prior releases.

 

6.     Security:  It is fine to tout your security measures, but never promise 100% guaranteed data protection.  This is IT after all and you are using the internet.

 

7.     Consider SAS 70 as a selling feature:  You can provide your customers with an extra level of comfort and some of your customers may actually require a SAS 70 certification.  This is a certification performed by an outside accounting firm which attests to the accuracy and security a vendor provides.  The certification states that the controls are adequate.

 

8.     Data Breach Notification:  In the event of a data breach most states require a notification be sent out to the subjects of such a breach.  Make sure that your customers do not attempt to place such obligation upon you.  The costs could be prohibitive.

This is by no means an inclusive list, but Landy has hit some key issues. I found it very informative and helpful.