To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?

December 28, 2011

As briefly as possible, let us consider the essential pros and cons of Cloud Computing, so that you can be better informed to make a decision on whether or not to join the club.  A detailed analysis on each point and its many sub-points could easily run into a multi-volume treatise.  Hence, I will try to give you enough to get the right questions asked.

ADVANTAGES (potential):

Floor Space: Of course, when you cut down on the amount of space you need for your own servers, wiring, HVAC, and individual desktops with full monitor and CPU packages, you can re-dedicate the space to other internal purposes and business units, earn revenues by sub-leasing (to the extent the landlord lets you), or move to a smaller location.  These are increasingly pertinent considerations in any cost-conscious climate.

Operational Efficiencies: Cloud providers allow clients to pay for only that amount of service that they actually use, in addition to any standby or contingent services that are retained as available for purposes of surge capacity, emergencies, or other events whether or not specified.  This allows for the streamlining of staff and functions, a slimmer I.T. department, and a clearer focus on essential, mission-critical business functions.

Capex to Opex: What would formerly have been capital expenditures for I.T. equipment, including servers, setup and administration costs, and repairs and replacements, can now be expensed as operational costs.  Even with the loss of those once available depreciation allowances, the CFO should be happier with the cleaner budget, and greater cost control through a better defined and appropriately confined predictability of outflows.  Software licensing costs do not have to be so closely monitored and temperamental legacy servers running dedicated software in-house that can or cannot be easily upgraded and updated, can be downgraded in priority, as Cloud Vendors can often accommodate a variety of Cloud subscription fee arrangements including per-seat, per use, per tier, and so forth.

Ubiquity: As defined by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”[1]  The key word here, is “ubiquitous”, with a one to many service model available anywhere, to any or all persons, and at one or all times.  Wireless and satellite Internet access, and portable hotspots where no fixed-site or sufficiently secure or reliable Internet on-ramp exists, make this all possible.  However, this ubiquity comes with costs, as I will outline under the Disadvantages, below; specifically under the Legal and Liability Issues section.

Scalability: The prudent and professional Cloud Vendor will generally maintain sufficient spare capacity to handle the surge requirements of all of its clients.  Certain industries and business models, as well as regular business events – such as for accounting and regulatory filings at the end of a month, quarter, or year – and the happening of special or otherwise distinctive events (public offerings, mergers, bankruptcies, or litigation), will generally lead to a heightened usage requirement due to the additional activities and actors that will be brought online.   That is “really” not the time, if ever, for a Cloud Vendor to say that there is no more to give, or that the capacity to handle such an expected spike was never actually considered or built-in, to the service model.  This nightmare scenario will invariably lead to side litigation on the main instigation, and nervous General Counsel calls to insurers, counterparties, and regulators.  But, we are still listing the Pros; yes?!  Always, always, discuss your actual, anticipated, and remotely potential needs, thoroughly, with the Cloud Vendor, so that “your” package fits “you”.  Besides which, savvy parties are already moving to put adequate and secure capacity in place[2], to ground the infrastructure for this promising but tricky new platform.

DISADVANTAGES (potential):

Vendor Inelasticity: Once you have decided on a particular Vendor, with its services and cost structure, it can be hard to move.  There will always be costs associated with any change in vendor, and it may take quite some time to have the same service or a comparable or better service (depending, of course, on the reason for your relocation), up and running in the successor location, including potentially significant unanticipated costs and delays.  Once you are in, then you should plan to be there for the long-haul.  This is why, one again, due diligence and a mutuality of party good faith, are essential.  In Cloud and outsourcing contracts that I have drafted, I provide for open party communication lines, detailed ADR clauses, and a means to address any failure to meet agreed SLAs.  In addition – always a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly-rigid or convoluted one, should be approached with high caution.

Access to Data: There are at least 5 (“five”) viewpoints on this issue, depending on whether you are talking about source code, backup and contingency planning, customers in the third-party, server location, or insolvency.

(a) The cloud vendor will be very reluctant to escrow its source code, the very essence of its competitive advantage, as we now often see touted by many a commentator.  Onlookers argue that such an escrow arrangement is essential to providing the customer with the peace of mind that their data will always be accessible, and that the service will be replicable, should any calamity befall their Cloud Vendor or a related provider in the chain.  Indeed, there is more than one way to provide peace of mind.

(b) Sensible backup and contingency planning requires multiple levels of redundancy, and the United States Securities and Exchange Commission (SEC),[3] for one, has issued guidance on the disclosure of Cybersecurity risks by issuers.  In time, this may expand to non-issuers in that and other jurisdictions.  I would advise that the customer, and the Cloud Vendor must have and share, and coordinate, their disaster management policies, plans, and procedures.  To the extent that this will require that the customers of a specific Cloud Vendor all know one another and thereby decrease their mutual security, or that a third-party “security coordinating group or consultant” intervenes to preserve some anonymity, or some other solution or suite of solutions is developed for this requirement of mutually assured security and stability, will remain to be seen.

(c) In some industries, such as healthcare in the United States,[4] and generally under the Privacy laws of Canada,[5] the patient (or data subject, as appropriate) of the Cloud Vendor’s client – and therefore who is not in direct privity of contract with the Cloud Vendor – will have a right to access, and track, and by implication correct errors in, their own personal data.  In a growing number of jurisdictions, the right of governments to access data on individuals with or without warrants, and with or without notification to the subject individual, is expanding.  Without a doubt, new legislation will be created, or existing legislation will be interpreted, to permit the accessing of this information in the hands of the Cloud Vendor, without notice to the Customer, or to the third-party customer as patient, for example.  This complicated mix of privacy, information technology, National Security, and contract, should be closely watched, bracketed and predicted and controlled by appropriate and adequate insurance and drafting, and disclosed in advance by all parties collecting or holding information on individuals, and to all parties considering the use or offering of Cloud-based or Cloud-amenable services.

(d) Server location, is a critical issue that may feed or impede point (c).  Having your data in the jurisdiction or jurisdictions that you know, will always let you more easily manage those hiccups that may occur from time to time.  Going after your data in a jurisdiction where you don’t speak the language, where you are unfamiliar with the laws, or where there is hostility to you or one or more of your Cloud Vendors or your government, will always make data recovery and re-custody, that much harder.[6]  Some commentators and practitioners in the field have alerted others to the danger of employees and contractors working with Trade Secrets and other critical information on mobile media and otherwise through the Cloud, including by backing-up devices; even going do far as to say that “no” Trade Secrets should ever be put on the Cloud, at least not yet.[7]  This is a legitimate concern, and cannot be lightly dismissed, because, as they point-out, nobody really wants to be that first test case.  However, with many industries, including the legal profession,[8] moving to the Cloud – albeit cautiously – I think the genie is already pretty much out of that lamp.

(e) Insolvency can be a very complex area with regard to a Cloud Vendor, itself in distress, or when a holder of Intellectual Property Rights (I.P.R.) or an I.P.R. licensee is in distress and a Cloud Vendor gets caught in the middle.  Under recent caselaw in the United States of America, we have seen that sometimes the court will decide that the proper venue is that where the injury is deemed to have taken place and thereby where the I.P.R. claimed to have been violated, were originally held.[9]  Where does this leave the Cloud Vendor that provides the means to access that material across jurisdictions?  Sometimes, the court will refuse to permit a foreign licensor in receivership or a similar insolvency situation, to disclaim or otherwise curtail or constrain the I.P.R. licenses granted to United States entities.[10]  Where does this leave the Cloud Vendor who can be sued by one or both sides for compliance and non-compliance alike, and for contributory infringement,[11] or as an accessory to, or as a first party in, I.P.R. infringement?[12]  Foresight, experience, broad practice area knowledge, and good drafting can address some, but not all of the potentially very serious wrinkles that might very easily arise.

Uptime and SLAs: Service Level Availability agreements run from light, through adequate, to (almost) iron-clad.  Some Cloud Vendors will want to exclude mandatory downtime for maintenance and upgrades, or for addressing user-generated issues (such as hacks and malicious code), and the customer, depending on its business model and leverage, may or may not agree or even be comfortable with this.  In addition, many Cloud Vendors will want to limit available remedies for failing to meet stated or contracted-for SLAs, to service credits, exclusively.  Hence, SLAs must always be cautiously and thoughtfully negotiated.  However, some Cloud Vendors will offer a set menu from which to choose, in which case a potential customer should choose wisely, because when things go wrong, as they well may,[13] downtime could be extensive.[14]

Legal and Liability Issues: There are an appreciable number of legal and liability grey areas that remain to be addressed by contract or legislation, and I have addressed some of these in the foregoing.  Now, the transfer of personal data between jurisdictions in North America and the Pacific Rim has also been eased by the recent establishment of the Asia-Pacific Economic Cooperation (APEC) Privacy Rules, involving 21 (“twenty-one”) nation-parties.[15]

Technical Issues: These mainly revolve around security, privacy, and e-Discovery.  The truth of the matter, actually, is that most people are already using, often heavily, some form of Cloud.  Examples include BlackBerry,[16] Google,[17] Hotmail,[18] and Gmail,[19] for a host of social media, email, regimented,[20] and telecommunications (“Smert”) applications.  2011, alone, has seen technical challenges identified for all of these 4 (“four”), some other known or knowable risks,[21] and spectacular failures to failover.[22]

In terms of privacy and security, the potential to use a Cloud service for wrongdoing[23] has heightened the awareness of the public, of legislators, and of law enforcement and national security entities and their operatives, globally,[24] as to the obvious security and privacy challenges presented by this platform.

Indeed, with the move to criminalize so much misconduct involving e-Commerce and the Internet, a test case will surely come when an as yet unknown Cloud Vendor in e-Discovery, and using a 5th Amendment argument,[25] finally and successfully refuses to turn-over discoverable records that are clearly within its possession or control – whether or not those records are ultimately its own – that may, or indeed, would, tend to incriminate it for some bad act or acts, whether in doing a thing, failing to do a thing, or having a wanton or reckless disregard for risks of harm from doing or not doing a thing.[26]

SUMMARY? (in a way, somewhat):

I say “in a way”, because this fast-moving business platform that touches so many areas of law, as I described in an earlier blog,[27] cannot be so easily summarized.  Many honest I.T. professionals will tell you that their skills can be fast outpaced by the market, very easily, if they do not work very hard to stay current and abreast of developments in the industry.  I do not think you can identify too many weather systems, if any (at least not on this planet of ours), that just stay over the same spot of geography with clouds, rain, high winds, thunder, and lightning that does not stop, waver, or let the sun in now and then.

The above, however, is still a handy checklist to have and consider when looking at the Cloud industry and its development over the coming little while.  The Cloud Vendor contracts may be or become quite complex, if you are a potential Cloud customer, and the customer demands or prerequisite requirements may be or become almost impossible to meet, if you are a prospective Cloud Vendor.  However, seasoned and knowledgeable legal counsel, properly structured insurance coverage, and due diligence coupled with stringent and zealously enforced internal controls, including Social Media usage policies, may still let some or all of those involved, sleep soundly.

Sweet dreams, then, count the sheep well, and don’t forget to set your alarm.  Happy New Year, 2012.

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice. He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1]Peter Mell and Timothy Grance.  Computer Security Resource Center of the National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology.  Published in September, 2011, at Section 2.  Available at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[2]Greg Markey.  Ottawa Business Journal.  Building data storage capacity.  Published on December 21, 2011.  Available at: http://www.obj.ca/Technology/2011-12-21/article-2844044/Building-data-storage-capacity/1

[3] Division of Corporation Finance, United States Securities and Exchange Commission (SEC). CF Disclosure Guidance: Topic No. 2 – Cybersecurity. Released October 13, 2011.  Available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

[4] Under Section 13405 of the HITECH Act, an individual has rights: in subsection (a), to restrict a Covered Entity’s disclosure of their Electronic Health Records (EHR) including Protected Health Information (PHI) and electronic Protected Health Information (ePHI) in certain cases; in subsection (c), to request and receive an accounting of all disclosures of their PHI and ePHI by a Covered Entity; in subsection (d), to be protected against the sale of their PHI and ePHI without “a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual”; and, in subsection (e), to request and receive a copy of their EHR, PHI and ePHI, or designate that said records in the hands of a HIPAA Covered Entity be sent or transmitted to “an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.”  See: Section 13405, Title XIII ELECTRONIC HEALTH RECORDS. American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5, as signed into law on February 17. 2009.

[5] As provided in 4.9, Principle 9 (Individual Access), of Canada’s federal Personal Information and Protection of Electronic Documents Act (PIPEDA): “Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.See generally PIPEDA, SCHEDULE 1 (Section 5). PRINCIPLES SET OUT IN THE NATIONAL STANDARD OF CANADA ENTITLED MODEL CODE FOR THE PROTECTION OF PERSONAL INFORMATION, CAN/CSA-Q830-96.

[6] Rob McCauley and Ming-Tao Yang.  Finnegan, Henderson, Farabow, Garrett & Dunner, LLP.  Rob McCauley and Ming Yang Discuss the Impact of Cloud, Mobile, and Social Technologies on Trade Secret Law, Podcast, released on December 5, 2011. Available at:  http://www.finnegan.com/lawyers/bio.aspx?lawyer=8a4f9668-a2be-4fc9-8700-800969d07a0&mode=podcasts

[7]Id.

[8]See, e.g. United Kingdom, Information Commissioner’s Office (ICO), Advocate’s legal files lost after unencrypted laptop theft. News release: 16 November, 2011.  Available at: http://www.ico.gov.uk/news/latest_news/2011/advocates-legal-files-lost-after-unencrypted-laptop-theft-16112011.aspx  Lawyers may well be moving to the Cloud, but even offline, significant risks remain that need to be addressed.

[9]See, generally Penguin Group (USA) Inc. v. American Buddha, 16 N.Y. 3d 295 (2011), No. 7, 2011 WL 1044581 (N.Y. Mar. 24, 2011), where the New York Court of Appeals first noted that §302(a)(3)(ii) of the New York, Civil Practice Law and Rules (C.P.L.R.) gave 3 options to determine the situs of the injury, being: “(i) any place where plaintiff does business; (ii) the principal place of business of the plaintiff; and (iii) the place where plaintiff lost business” (16 N.Y.3d at 304).  But then, the New York Court of Appeals determined that due to the ubiquity of the internet and the potential for global and near instantaneous infringement, the best choice was (ii), the principal place of business of the I.P.R. holder, for purposes of establishing personal jurisdiction in that modern-day copyright infringement case (16 N.Y.3d at 307).

[10] In the United States Bankruptcy Court for the Eastern District of Virginia, the court found that it would be against United States public policy to permit the domestic application, in America, of the result of a German insolvency proceeding that would have deprived U.S. I.P.R. licensees of the use of patents granted by a foreign entity that was no longer solvent, under German law.  See In Re Qimonda AG, 433 B.R. 547 (E.D. Va. 2010); decided on October 28, 2011.

[11] Thankfully, [t]he Supreme Court of Canada (SCC) recently ruled that linking to a libelous blog, was not, without more, sufficient to hold the linker additionally liable for “publication” of that defamation.  See Crookes v. Newton, 2011 SCC 47 (CanLII); decided on October 19, 2011.  Perhaps a Cloud Vendor so implicated under Canadian law, might find a way to avail itself of this very solid precedent; which may also one day be analogized and/or stretched to work with “like”, “friend”, and “follow”, but for obvious reasons, perhaps not with “retweets”.   Available at: http://www.canlii.org/eliisa/highlight.do?text=crookes+v+newton&language=en&searchTitle=Search+all+CanLII+Databases&path=/en/ca/scc/doc/2011/2011scc47/2011scc47.html

[12] Amazon recently introduced the Cloud Drive and Cloud Player services, that permit “customers to upload music files to private, user-specific online drives (the Cloud Drive) and then listen to these files remotely using the Cloud Player”.  Questions have been raised, and linger, about issues of I.P.R. management and infringement in relation thereto.  See generally Nickolas B. Solish. The Law of Tomorrow Today.  Is Amazon’s Head in the Clouds?  Published on May 4, 2011.  Available at: http://lawoftomorrow.com/2011/05/04/is-amazon%E2%80%99s-head-in-the-clouds/

[13] On Thursday, April 21, 2011, the Amazon Web Service (AWS) suffered a significant outage as a result of an incorrectly performed capacity upgrade.  A cascading failure of attempted but incomplete re-mirroring efforts resulted in a number of Amazon Elastic Block Stores (EBS) becoming stuck and failing to receive or transmit further instructions, and an even larger impact on the Relational Database Service (RDS), which utilizes multiple EBS.  Amongst the lessons learned, Amazon stated an intention to: alter its procedures (increasing automation to reduce the chance of future human error); modify its platform (for more robust capacity planning and alarming and redundancies to better deal with large scale failures); and its processes (finding and fixing hitherto unknown bugs that causes the events to cascade to such an elevated degree of systemic severity).  See generally Amazon.comSummary of the Amazon EC2 and Amazon RDS Service Disruption in the US East Region; Undated.  Available at: http://aws.amazon.com/message/65648/

[14] From one commentator closely following that April, 2011 Amazon outage, we learn that EBS are spread across multiple Availability Zones (AZ), within each Region of operation.  The above-referenced Amazon outage was especially significant in its impact on those multiple AZ, and therefore upon clients of Amazon’s Elastic Compute Cloud (EC2) that should have been insulated from one another and from any failure in a distinct subsection of a platform that was, logically if not geographically, so widely distributed.   See Cade Metz in San Francisco.  Infrastructure.  Amazon outage spans clouds ‘insulated’ from each other – not what it says on the tin.  Published on April 21, 2011.  Available at: http://www.theregister.co.uk/2011/04/21/amazon_web_services_outages_spans_zones/print.html

See also Cade Metz in San Francisco.  Infrastructure.  Amazon cloud still on fritz after 36 hours “All hands on deck”.  Published on April 22, 2011. http://www.theregister.co.uk/2011/04/22/amazon_elastic_compute_cloud_still_experiencing_problems/print.html

[15] The United States Federal Trade Commission (FTC) announced the inauguration of the APEC Cross-Border Privacy Rules on November 14, 2011.  The 21 (“twenty-one”) APEC members, are: Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, the United States of America, and Vietnam.  Press Release available at: http://www.ftc.gov/opa/2011/11/apec.shtm  As separately implemented, developed, and enforced by each jurisdiction of application, the APEC Privacy Rules are to generally adhere to the 7 (“seven”) principles underlying the E.U. Directive on the Protection of Personal Data, being: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement.  It is interesting to note that while the emphasis is or appears to be on greater monitoring and controls on the Western side of the Atlantic, there is a tendency on the eastern side of the Atlantic to favor a more liberal model.  See e.g. Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL C-70/10; decided on November 24, 2011 (I.S.P.s cannot be obligated to implement a general monitoring or filtering policy, as it would infringe fundamental rights and Directives applicable in the E.U.)

[16] There was a service outage in the BlackBerry service of Research In Motion (RIM), in October, 2011.  See e.g. Research In Motion. BlackBerry Service Update; visited on December 27, 2011.  Available at: http://www.rim.com/newsroom/service-update.shtml.  See also Charles Arthur.  guardian.co.uk. BlackBerry outage: RIM boss’s YouTube apology in full, with transcript.  Published on Thursday, October 13, 2011.  Available at: http://www.guardian.co.uk/technology/2011/oct/13/blackberry-outage-rim-apology-youtube

[17] There was a service outage at Google on September 7, 2011, where again, as with Amazon, an attempted upgrade exposed a hitherto unforeseen technical issue.  See e.g. Official Google Enterprise Blog. What Happened to Google Docs on Wednesday.  Published on Friday, September 9, 2011. Available at: http://googleenterprise.blogspot.com/2011/09/what-happened-wednesday.html

[18] There was a service outage at Microsoft’s hotmail service on December 31, 2010, where user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a glitch in system test procedures, and left undetected for a length of time due to a subsequent failing in the customer issue management matrix.  See generally  Mike Schackwitz.  Inside Windows Live.  What happened in the recent Hotmail outage.  Published on January 6, 2011.  Available at: http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/01/06/what-happened-in-the-recent-hotmail-outage.aspx

[19] There had been an earlier service outage involving Gmail and Google Apps on February 27, 2011.  Again, as with the Hotmail outage, user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a bug “inadvertently introduced in a Gmail storage software update.” See e.g. Google Apps Masters.  Google Apps Tips.  Google Gmail Outage – February 27, 2011 – What happened to my E-mail?  Published on March 10, 2011.  Available at: http://blog.gappsmasters.com/2011/03/google-gmail-outage-february-27-2011-what-happened-to-my-e-mail/

[20] Social Media can be used for a variety of things, including networking, play, jobsearch, and actual work.  Whether one works from home, virtually, on the road, or in a bricks and mortar establishment, there will always be some boundaries, caveats, deliverables, and regulations.  This is why I use the term “regimented”, here, to mean something that has a structure, or some boundaries and rules.  It therefore covers whatever is left of the work-space.

[21] On June 22, 2011, Microsoft’s Business Productivity Online Suite (BPOS), a cloud service, suffered an outage that one commentator described as its “fourth in two months”; wherein users could not use the Exchange email servers or use the Online Web Access (OWA) browser client.  The same commentator reports that Microsoft alluded to the cause being a hardware issue.  See. The Microsoft Update. Julie Bort.  Networkworld.  Microsoft confirms BPOS cloud outage.  Published, on Wednesday, June 22, 2011.  Available at: http://www.networkworld.com/community/blog/microsoft-confirms-bpos-cloud-outage

Later, on August 17, 2011, Microsoft’s Office 365 and Skydrive, additional cloud offerings and with Office 365 having been designed, launched on June 28, 2011, and marketed as a more robust successor to BPOS, suffered service outages.  Once again, access to email and calendars was disrupted, and this time Microsoft declined to give a reason or the cause for the outage.  The company did, however, issue a letter of apology and offer a credit to its customers.  See generally  Mary Jo Foley.  All About Microsoft.  Microsoft: Here’s what caused our cloud outage this week. Published on August 19, 2011.  Available at: http://www.zdnet.com/blog/microsoft/microsoft-heres-what-caused-our-cloud-outage-this-week/10381

[22] The Cloud Foundry outage of April 25, 2011, was initially traced by the company, in total candor and transparency, to a partial loss of the power supply for a systems storage cabinet.  Then, in what was supposed to be a dry-run, tabletop exercise to establish an improved protocol for dealing with the types of events caused by that first outage, someone touched their keyboard, in unmistakable human error, leading to a second outage of April 26, 2011; and as again explained by the company in total candor and transparency.  See Dekel Tankel. Cloud Foundry Forums.  Analysis of April 25 and 26, 2011 Downtime.  Published on April 29, 2011.  Available at: http://support.cloudfoundry.com/entries/20067876-analysis-of-april-25-and-26-2011-downtime

Still on the subject of power supplies, a utility company outage in Dublin, Ireland, on August 7, 2011, first caused a service disruption in the cloud offerings of both Amazon and Microsoft, which have established significant data center facilities in that jurisdiction.  Ordinarily, backup generators would have taken-over and immediately started to supply power.  However, due to the strange nature of the outage – which a number of parties including both Microsoft and Amazon had originally and erroneously blamed on a lightning strike – their emergency backup system failed.  See Rich Miller. Data Center Knowledge. Dublin Utility: Power Outage Not caused by Lightning Strike.  Published on August 10, 2011.  Available at: http://www.datacenterknowledge.com/archives/2011/08/10/dublin-utility-power-outage-not-caused-by-lightning-strike/

[23]Dan Goodin.  Security.  Researcher cracks Wi-Fi passwords with Amazon cloud.  Return of the Caveman attack.  Published on January 11, 2011.  Available at: http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/print.html

[24] An after-hours raid by the United States Federal Bureau of Investigation (FBI) on a Reston, Virginia data centre, and targeting the Lulz Security group, on Tuesday, June 21, 2011, managed to disrupt services for multiple and non-targeted, innocent users.  Where one serves many, a raid on a few can still inconvenience more than the one, as discomfort is passed along.  Whether a warrant was used, I cannot say.  However, it was fortunate that the gag and delay orders on warrantless and warranted searches under antiterrorism and other laws, were not.  Otherwise, the data center operator would not have been able to explain to the client what happened when the client called from Switzerland, or explain where the missing servers had gone, when someone was sent to physically determine why the services that they hosted were all down.  A report of a theft, an insurance claim, or a call to the police, would have had somewhat interesting consequences with regard to jurisdiction issues, and investigating the “disappearance”.  Would that make a false claim or report, one filed on incomplete information, or both?  For an account of that Lulz Security raid, see Verne G. Kopytoff.  NYTimes bitsblogs. F.B.I. Seizes Web Servers, Knocking Sites Offline.  Published on June 21, 2011.  Available at: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

[25] The Fifth Amendment to the Constitution of the United States of America provides, inter alia, that a person charged with a criminal offence under U.S. law shall not suffer compulsory self-incrimination.  To date, no corporate entity has been permitted to use this “individual” right.

However, as the proliferation of rich clients and thin clients means that Electronically Stored Information (ESI) that may be relevant to the litigation is in the custody or control of multiple, third-party data custodians, including Cloud Vendors and their associates in multiple jurisdictions, who will strenuously argue that they have absolutely nothing to do with what happens on their servers, within their social media, or otherwise, in using them as an innocent conduit, this right may very well be extended at some point; absent some legislative and global, or regional cooperative guarantees, protections, and both specific and generalized immunities, that go far beyond the simple “hold harmless, defend, and indemnify“, found in their contracts.

The United States’ Stop Online Piracy Act (SOPA) that threatens to knock websites offline, which may well include the rights of Cloud Vendors and their affiliates to “vend cloud services”, very much bespeaks caution, and is a portent of some very trying and litigious times to come for that business model, and indeed also for any and all online providers of a “one to many” service, or solution, or suite.

Indeed, the recently publicized Model Electronic Discovery Order adopted by the [t]he Advisory Council for the United States Court of Appeals for the Federal Circuit, may also fall far short in the number of records custodians permitted to be listed and ordered to produce.  See generally website of the United States Court of Appeals for the Federal Circuit.  Available at: http://www.cafc.uscourts.gov/the-court/advisory-council.html; with the actual order available on that same site at: http://www.cafc.uscourts.gov/images/stories/the-court/Ediscovery_Model_Order.pdf

[26] To its credit and in demonstration of its leadership role in the field, Amazon has published and updated a whitepaper on suggested cloud best practices.  See  Jinesh Varia, Architecting for the Cloud: Best Practices Whitepaper.  Version first released by Amazon Web Services (AWS) in January, 2010, and last updated on January, 2011.  Available at:  http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf

[27]Ekundayo George.  Ogalaws. Well-seeding “the Cloud”: Some basic caveats and pointers in “Cloud-sourcing”.  Published in this Blog, on December 1, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/outsourcing-and-cloud-computing/

2 Responses to “To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?”


  1. […] [17] See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on ogalaws.wordpress.com. December 28, 2011.  Online:>https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-p…< […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: