An Introduction to the Technology
and Ethics of Cloud Computing
Jack Newton
Co-founder and President
Themis Solutions Inc. (Clio)
what is
software-as-a-service?
traditional computing model
The Internet
Local Area Network
cloud computing model
The Internet
Local Area Network
traditional software distribution
cloud computing distribution
why
software-as-a-service?
freedom
available from any device
security
terminology
• Secure Sockets Layer (SSL)
Industry standard protocol
for securing Internet
communications
Banks, e-commerce sites
(Amazon.com, etc.) all use
SSL for secure
communications
without ssl
Information exchanged is insecure
Please give me my bank account balance
$2,031.34
Your Computer
Your Bank’s Server
with ssl
Information exchanged is encrypted for security
01101010001010110101010100101010
11010001110
Your Computer
Your Bank’s Server
verifying ssl connections
A sealed lock icon indicates a secure connection
Internet Explorer:
Firefox:
Safari:
server security
Are third-party audits being performed?
server security
server security
privacy
privacy
• Does the SaaS provider have a published
privacy policy?
• Need to ensure you own your data
• The private client information stored with
your SaaS provider cannot be used for any
other purposes
facebook privacy policy
You hereby grant Facebook an irrevocable, perpetual, non-exclusive,
transferable,
sublicense)
fully
to
(a)
paid,
use,
worldwide
copy,
license
publish,
(with
stream,
the
right
store,
to
retain,
publicly perform or display, transmit, scan, reformat, modify, edit,
frame,
translate,
excerpt,
adapt,
create
derivative
works
and
distribute (through multiple tiers), any User Content you (i) Post
on or in connection with the Facebook Service or the promotion
thereof subject only to your privacy settings.
You may remove your User Content from the Site at any time. If you
choose to remove your User Content, the license granted above will
automatically expire, however you acknowledge that the Company may
retain archived copies of your User Content.
TRUSTe
How is sensitive information being handled?
“TRUSTe’s program requirements are based
upon the Fair Information Principles and OCED
Guidelines around notice, choice, access,
security, and redress - the core foundations of
privacy and building trust.
Sealholders are
required to undergo a rigorous review process
to assess the accuracy of privacy disclosures
and compliance with TRUSTe’s requirements in
order to obtain certification.”
data availability
internal backup policies
• How many times per day is data backed up?
• Is data backed up to multiple offsite locations?
external backup provisions
• Can you perform an export of your data?
Comma Separated Values (CSV)
Extensible Markup Language (XML)
Microsoft Excel (XLS)
business continuity
What if the SaaS provider goes out of business?
option 1: data export
Comma Separated Values (CSV)
Extensible Markup Language (XML)
Microsoft Excel (XLS)
Cross your fingers and hope you’re up to date…
newton’s first law of backups:
If it isn’t
automated
you’ll forget
to do it
option 2: data escrow
saas provider
escrow provider
saas user
terms of service /
service level agreement
terms of service
• ToS
• Outlines the conditions
under which you agree to
use the service
• Ensure you’ve reviewed and
accepted your provider’s
terms of service
service level agreement
•
•
•
•
SLA
Outlines guaranteed uptime percentages
E.g. 99.9%
Usually providers for some kind of
compensation if downtime exceeds SLA
guarantee
geography
data geography
• Where is data stored?
• Are there provisions preventing data export?
total cost of ownership
TCO
total cost of ownership
Assessment of both direct and indirect costs
associated with software and hardware solutions
traditional desktop software tco
original
software purchase
annual
software renewal
technical support
contract
traditional desktop software tco
original
hardware purchase
networking /
virtual private network
backups/
data redundancy
traditional desktop software tco
saas tco
google apps vs. exchange
cost comparison
• Discovered the business
community is largely
unaware of the costs of
running an e-mail account
• Many companies surveyed
gave guesses from $2 to
$11 per user, although a
detailed accounting showed
that the costs were often
several times that
google apps vs. exchange
cost comparison
ethics of cloud
computing
North Carolina Ethics Inquiry
• First ethics opinion in North America
specifically focused on use of cloud computing
in a law firm
• Hot off the presses – committee met April
15th
North Carolina Ethics Inquiry
Is it within the Rules of Professional
Conduct for an attorney/law firm to use
online ("cloud computing") practice
management programs (e.g., the Clio
program) as part of the practice of law?
These are instances where the software
program is accessed online with a password
and is not software installed on a computer
within the firm's office.
North Carolina Proposed Formal
Ethics Opinion
Yes, provided steps are taken effectively to
minimize the risk of inadvertent or unauthorized
disclosure of confidential client information and to
protect client property, including file information,
from risk of loss.
North Carolina Proposed Formal
Ethics Opinion
Yes, provided steps are taken effectively to
minimize the risk of inadvertent or unauthorized
disclosure of confidential client information and to
protect client property, including file information,
from risk of loss.
North Carolina Proposed Formal
Ethics Opinion
Although a lawyer has a professional obligation to protect confidential information
from unauthorized disclosure, the Ethics Committee has long held that this duty
does not compel any particular mode of handling confidential information nor
does it prohibit the employment of vendors whose services may involve the
handling of documents or data containing client information. See RPC 133 (no
requirement that firm’s waste paper be shredded if lawyer ascertains that persons or
entities responsible for the disposal employ procedures that effectively minimize the
risk that confidential information may be disclosed). Moreover, the committee has
held that, while the duty of confidentiality extends to the use of technology to
communicate, “this obligation does not require that a lawyer use only infallibly
secure methods of communication.” RPC 215. Rather, the lawyer must use
reasonable care to select a mode of communication that, in light of the
circumstances, will best protect confidential communications and the lawyer must
advise effected parties if there is reason to believe that the chosen communications
technology presents an unreasonable risk to confidentiality.
www.goclio.com | [email protected] | twitter: @goclio