The recent announcement of pending closure for Nirvanix,[1] a CSP, highlights a number of points that I have often stressed as critical in data assessment prior to cloud usage, cloud vendor assessment, cloud contracting specifically, and data protection and retention in general.  These are:

1. “In addition – always (have) a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly-rigid or convoluted one, should be approached with high caution.”[2]

2. “If you have critical functionalities that have moved completely or almost completely to a cloud-based solution… then it is highly-advisable to have a backup cloud.”[3]

3. Protect and backup your data as per your assessment of the V5 Interplay…the mix of data volume, velocity, variety, value, and vulnerability that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.[4]

4. Mature cloud users should be in a state where “Legal counsel sufficiently aware of the Cloud’s advantages and disadvantages to advise you, can draft or review your Cloud Services Agreements, or negotiate them from the outset, if the latter option is actually made available to you by the Vendor.”[5]

To now learn that many large and systemically significant entities in a host of industries have massive amounts of data with this one provider that they are now rushing to remove before the pending shutdown,[6] is quite worrying in terms of Cybersecurity, Cloud best practices, and attendant potential legal liability.

OPTIONS:

Of course, any speculation is pure speculation, as I have no personal knowledge of their arrangements, whether or not these exits are orderly, or if they will be concluded in good time.  However, one would expect that:

(i) for the most critical data in that V5 interplay;

(ii) multiple CSPs should have been used;

(iii) offsite backup should not have been automatically discontinued;

(iv) a detailed exit protocol (“cloud emigration”) would have been contractually agreed-upon in advance, with access to the key or contracted staff – including migration/emigration as a service providers or other such specialists;

(v) guaranteed continued availability of staff and data as was already specified in the original SLA; and

(vi) either CSP insurance (as with employment practices insurance, business interruption or business continuity insurance, or some such), a portion of the client fees segregated in advance by lockbox arrangement to pre-fund an orderly exit, or any host of other arrangements to cover those exit costs, would have been specified as preconditions for entering into a cloud services agreement in the first instance, laid-out in detail, mutually agreed, practiced and reviewed for updates from time to time, and enacted as and when needed.

CONCLUSIONS:

This case is quite instructive, and many cloud users will, doubtless, take note and a few pointers for their own contracts (whether as promptly amended or when next renewed), so as to avoid future problems when this kind of situation replicates, or any other foreseeable or unforeseen eventuality causes a similar rumble of thunder to ripple across the Cloud-sphere.  They must be able to promptly, securely, and in an organized fashion, “rein-in” and “reel-back” their uploaded data from the cloud, without having their own clients and data subjects rain thunder and lightning down on them, for any failure to so do.[7]  If their data gets stuck in CSP insolvency wranglings, then a whole host of new twists and turns will develop.

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects), and has sector experience in healthcare, communications, financial services, real estate, international trade, eCommerce, Cloud, and Outsourcing.

 

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, high stakes, strategic projects (investigations, procurements, and consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.

 


[1] Isha Suri.  Nirvanix Closing Down, Gives Two Weeks’ Notice of Service Shutdown.  Published on siliconangle.com, September 24, 2013.  Web: http://siliconangle.com/blog/2013/09/24/nirvanix-closing-down-gives-two-weeks-notice-of-service-shutdown/

[2] Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  (at “Disadvantages potential – Vendor Inelasticity”).  Published on ogalaws.wordpress.com, December 28, 2011.  Web: https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/

[3] Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right (at “1. Backup Cloud”).  Published on ogalaws.wordpress.com, March 11, 2013.  Web: https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/

[4] Id. (at “4. Traditional off-Cloud Backup”, and at footnote 13).

[5] Ekundayo George.  In whose pocket is your data packet? – International Data Governance (at “d”).  Published February 6, 2013.  Web: https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/

[6] Jeffrey Schwartz.  Cloud Storage Provider Nirvanix Goes Belly-Up, Customers Panic To Move Data.  Published on virtualizationreview.com, September 19, 2013.  Web: http://virtualizationreview.com/blogs/the-schwartz-cloud-report/2013/09/nirvanix-goes-belly-up.aspx?goback=.gde_1864210_member_275308263#!

[7] “Risk Management” (such as in preventing to the extent possible, planning for, and effectively prevailing with regard to this type of snafu) and “Stakeholder Management” (calming and reassuring those division heads and business unit leaders whose core and critical functions are residing, and hopefully resiliently so, in the Cloud, during any time of crisis), have been identified as the new and added “need to have” softer business skills for IT professionals who plan to survive and thrive in the rapidly evolving (and reputedly short-skilled) Cloud space.  See Steve Ranger.  Big data, cloud computing experts hard to hire, bosses admit.  Published on techrepublic.com, September 23, 2013.  Web: http://www.techrepublic.com/blog/european-technology/big-data-cloud-computing-experts-hard-to-hire-bosses-admit/?tag=nl.e077&s_cid=e077&ttag=e077&ftag=TRE9ae7a1a.  For a broader overview of the changing nature of IT skills with regard to changing technologies, such as Cloud Computing, see Ekundayo George.  Why “will” IT jobs persist through changing technology, and why “must” IT initial education and ongoing training be both constant, and consistent?  Published on ogalaws.wordpress.com, June 5, 2013.  Web: https://ogalaws.wordpress.com/2013/06/05/why-will-it-jobs-persist-through-changing-technology-and-why-must-it-initial-education-and-ongoing-training-be-both-constant-and-consistent/

Some people have said that IT careers and IT jobs will disappear due to the advent and mainstreaming of Cloud applications, as well as IT commoditization and outsourcing that will close data centers en masse.  Indeed, one author in 2012 directly predicted a coming re-imagination or demise, of 4 (“four”) specific IT roles and career paths, namely: (i) Programming; (ii) Datacenter; (iii) Data Technology; and (iv) Security.[1]  My detailed thinking on these predictions is more specifically laid-out below, in the “Analysis” section.

Will IT Jobs Disappear?

Such projections are in error, at best!  Consider this statement regarding current IT role disruptions:

“The more interesting lesson is the tectonic shift in computing away from the device and software residing on the device, to data and applications access on a variety of form factors and connected operating systems”.[2]

In-house, traditional data centers are there to ensure that data and applications can be accessed from devices near and far; cloud computing data centers are there to ensure that data and applications can be accessed from devices near and far; IT staff are needed in both cases to troubleshoot, ensure that those devices and/or the servers are configured to “play nicely” with each other, and otherwise act when the system cannot itself, or its subsystems will not themselves, fail-over, add or reduce capacity, self-diagnose, grant access to technicians and tours to top brass, run out with backup tapes or portable hard drives when all else “really” fails, things fall apart, and the (data) center cannot hold,[3] and so on.  Even when printing money and coins (stamps are less used in the West nowadays, due to the rapidity of mobility, and courier efficiencies), human eyes are still needed for that final quality control function.  Indeed, the case is also and stringently made that there is in fact an accelerating skills shortage in IT.[4]

What then, has changed to make the human factor suddenly obsolete?

I would say nothing, because the more things change, outwardly, the more they stay the same, behind the scenes, as IT jobs and IT professionals will always be needed; albeit with skills-sets that are both more diverse and more specialized at one and the same time, due to an increasing complexity of things.

“We estimate that by 2016 approximately 106,000 ICT jobs will need to be filled in Canada with demand for critical jobs far exceeding the supply. This figure will be further compounded if we account for the new emerging ICT sectors.  Canada is also competing in an increasingly tight labour market, emerging global economies such as Brazil, Russia, India, China and South-Africa (BRICS) are achieving unprecedented economic growth using new energy, telecommunications and information technologies”.[5]

Let us look, then, at 7 (“seven”) specific area examples to help demonstrate how and why this must be.

7 Examples as Proof of IT’s Adaptability, Persistence, and Traction (APT).

1. Cloud applications.

Late last year, there came the headline story – “Almost 1.7 Million Cloud-Related Jobs Went Unfilled in 2012: Estimate“.[6]  That’s a lot of jobs!  However, what is the Cloud and what might those jobs be, some doubtless asked?  In the 6 (“six”) months since the article was published, many of those who asked may now know a little more about the Cloud.  For others, however, an overview may help give perspective.

What is Cloud Computing (“Cloud”)?

According to data from the United States’ National Institute of Standards and Technology (NIST):

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.  This cloud model promotes availability and is composed of five essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured Service); three service models (Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS), Cloud Infrastructure as a Service (IaaS)); and, four deployment models (Private cloud, Community cloud, Public cloud, Hybrid cloud). Key enabling technologies include: (1) fast wide-area networks, (2) powerful, inexpensive server computers, and (3) high-performance virtualization for commodity hardware”. [7]

Unfortunately, this NIST data is already behind the market as the Cloud is advancing so fast.  There are now no less than 7 (“seven”) well-identified Cloud service models, being: Software as a Service (SaaS),[8] Security as a Service (SecaaS),[9] Platform as a Service (PaaS),[10] Infrastructure as a Service (IaaS),[11] Networking as a Service (NaaS),[12] Data as a Service (DaaS),[13] and Migration as a Service (MaaS).[14]

Which are the Cloud Jobs?

An October, 2012 article identified the following 10 (“ten”) IT jobs as in-demand Cloud careers;[15] being:

(I) Cloud Architect; (II) Cloud Software Engineer; (III) Cloud Sales; (IV) Cloud Engineer; (V) Cloud Services Developer; (VI) Cloud Systems Administrator; (VII) Cloud Consultant; (VIII) Cloud Systems Engineer; (IX) Cloud Network Engineer; and (X) Cloud Product Manager.

The takeaway, is that “professionals who are experts in cloud computing, software as a service and virtualization are in high demand, but those with combined skills in server, software and networking are the most sought after in the current IT job market”.[16] Add to this, another recent survey that concludes: “[c]loud related skills represent virtually all the growth opportunities in IT employment worldwide as demand for cloud-related positions grows.”[17]  Together, these findings put to rest any assertion that datacenter jobs will disappear, because servers are housed in data centers and data farms, and the need for them as well as the IT staff to tend to and manage them, is increasing with time and Cloud uptake.

Where is Cloud Heading – Long term?

In response to the PWC/Digital IQ Report that presented this year’s top 10 technology trends for business, I pondered this year’s top 5 technology trends for consumers;[18] one of which was EULA3.  This term co-represents: (i) End-User Legal Authority (free rein to develop and customize screen savers, fonts, skins, and avatars to their liking, after download from developers with the IP rights therein); (ii) End-User License Autonomy (lawful unlocking of devices and to remove geographic restrictions, freedom from multi-year service contracts, number portability, rights to opt-out of geo-tracking, receiving ongoing service or functionality updates, and in the EU, a right to be free from pre-sale, bundled OEM-ware); and (iii) End-User Leveraged Ability (massively enhanced remote and mobile collaboration and empowerment tools and technologies, in “online groups, archives, fora, encyclopedias, and societies”).[19]

My focus here, is on the leveraged ability, that allows for more creativity, collaboration, commentary, commerce, connections, and cloud applications.[20]  Within and as a result of this leveraged ability, I see the coming offering of Economies as a Service/Elasticity as a Service (EaaS).  This will go beyond the mere discrete, standalone offerings of storage, ERP, and data analytics, to offer specific enterprise-level function and service suites that are customizable to users of various sizes, and that help customers to cut-down on their overhead in a still very tight global economic climate.

I can think of 10 (“ten”) such scalable suites right now, being: (1) Administration; (2) Compliance; (3) Efficiencies (requirements analyses, efficiency audits, business process reengineering, and big data analytics with recommendations and action on same, all from one vendor – essentially, management consultant services on demand, with M2M delivery in eFormat); (4) Facilities management (electronic and sensory, in M2M/SCADA); (5) General Counsel (as outsourced to on-call, geographically distributed providers through a Cloud contact point); (6) Human Resources; (7) Operations and Development; (8) Research and Development; (9) Sales (as tasked to geographically distributed operatives, on-call in the requisite locations – little travel needed); and (10) Treasury (audit, bookkeeping, and capital markets).[21]

Which Cloud sub-sectors will likely lead?

In a 2012 report for the EU, IDC predicted that the market for public cloud services in Europe would grow at a compound, annualized, 35% (“thirty-five percent”) from 2011 to 2014, despite structural challenges (security, infrastructure, standardization), and the continued tight economic climate.[22]  IDC further posits that “[…] the diffusion of cloud computing is expected to generate substantial direct and indirect impacts on economic and employment growth in the EU, thanks to the migration to a new IT paradigm enabling greater innovation and productivity”.[23]  Admitting that jobs will both be lost and created, “the cloud market is expected to be a driver of net creation of employment in the medium term”, regarding the European economy through 2020; with their estimate of the number of European cloud industry jobs then existing, ranging from 1.3 million to 3.8 million.[24]

Globally, IDC’s results from an Infosys-sponsored July, 2012 survey of 326 large companies across the US, Germany, France, and the U.K. found that, 2 out of 3 were adopting the cloud, with private cloud more popular than public or hybrid cloud.[25]  While cloud strategy in Europe is more developed, it is standalone and needs to be integrated into a larger “whole of IT” approach; U.S. cloud adoption lags behind, but this is due to its being part of a “whole of IT” planning process with many stakeholders.[26]  According to IDC, many survey respondents across the board were reportedly dabbling in “public cloud for some specific areas, but when it comes to the core IT environments, they are starting out with private cloud. Connecting the two into a hybrid model is gaining momentum”.[27]

Why use the Cloud?

In essence, “cloud computing simply capitalizes on the need of a business to manage costs, stick to its core competencies and outsource the rest”.[28]  Services and servers formerly managed in house with capital expenditures, can now be managed by vendors as operational cost items, and expensed.  “Companies want to escape IT equipment and support costs, but there are also certain applications and data that large enterprises especially are unlikely to ever let out of their sight and perimeters, King said. That is why the hybrid model works pretty well for many companies right now”.[29]


2. Mobility.

“Digitization—the mass adoption of connected digital services by consumers, enterprises, and governments— is far more than a disruptive wave washing over isolated industries.  We have long since recognized that reality.  Digitization is a fundamental driver of economic growth and job creation the world over- in both developed and emerging markets”.[30]

Within the home and other fixed locations, this digitization has permitted the visual TV broadcast format to shift in many locales to High Definition, allowing for clearer pictures, denser colours and images, and added content and utilities.  In addition, ubiquitous computing is now the default mode, with digitization and packetization, and smartphones and tablets fast-nearing the raw computing power of earlier laptops; if not surpassing them in both that, and storage capacity, through the availability of add-on storage and memory card capacity. Customer-facing cloud applications (online photo storage, social media profile pages, and available-anywhere office productivity and document processing or management service offerings), all benefit from the spread of digitization and the ongoing drop in memory and hardware costs.  Taken together, these developments have enabled location independence, geo-tagging, behavioural marketing, and social business on a hitherto unprecedented scale.

“IT” with regard to mobility ranges from applications, through form factors, to networking, diagnostics, and data analytics.  Similarly, “convergence” in general, means that the field of mobile computing is already broad and deep,[31] and continues to grow with the expanding market for existing form factors (laptop, tablet, smartphone), and ever more innovative offerings to come. Even though some employers eschew creating and implementing BYOD policies for their increasingly mobile workforces (a dangerous oversight, in my opinion), while others re-think or seek to restrict aspects of the whole “mobility” dimension of work,[32] I really cannot envisage IT’s mobility-enabling skills-sets facing any realistic danger of impending obsolescence.

3. Operational and ongoing improvements.

In the words of the American Society for Quality (ASQ): “[c]ontinuous improvement is an ongoing effort to improve products, services or processes.  These efforts can seek “incremental” improvement over time or “breakthrough” improvement all at once”.[33] Of course, improving the individual (skills and abilities), can also lead to improving the product, service, or process – including of business processes and in separate business cost centres.  Aside from the plethora of quality measures and quality improvement models, perhaps the simplest offering suggested by ASQ, is the P-D-C-A cycle, which stands for:

(i) Plan (identify opportunities and strategize for their exploitation);

(ii) Do (roll-out a pilot or beta of the change as planned);

(iii) Check (analyze the results and determine whether the desired result was achieved);

(iv) Act (Proceed on a larger scale if successful, or revise if not, with ongoing assessment in both cases).[34]

In the current and evolving IT environment, the need for operational and ongoing improvements is driven by a desire for post-merger, acquisition, or restructuring economies of scale; improved efficiencies in a very tight global economy and hyper-competitive climate; and to increase security in the face of heightened governance, risk, and regulatory compliance (GRC) requirements, and Cybersecurity exposures and events. Automated systems (after human programming), can gather and crunch a vast quantity of data in terms of Enterprise Resource Planning (ERP), Privacy Impact Analysis (PIA), Security and Risk Analysis (SRA), and Threat Risk Assessment (TRA).  However, in the three common, broad stages of all these activities (identification, assessment, mitigation), human input is indispensable to catch the nuances, round-out the corners, and otherwise right-size and customize both process and result.  IT professionals will always be needed to plan, to do, to check and double-check, and to act.

4. Networking.

Networking has come very far since it was merely a question of connecting desktops to servers, and making sure that different servers or server versions and their operating systems (usually all in the same place or distributed corporate space or ecosystem), all meshed well together.  Now, we network across availability zones in region, time zones, and definitely different ecosystems.  With the speed at which technology is currently advancing and generations of IT are maturing,[35] there will always be “legacy” systems in the mix, and this will require the presence of professionals who know and are familiar enough with the idiosyncrasies of these legacy systems to service and maintain them.  As with the Basic, Fortran, and Pascal programming languages (which are still used, in some places), someone somewhere, will always be needed into the foreseeable future.  This peculiarity will come into the clearest focus when data must be migrated from these legacy systems, and it can only be done the hard way.  Networking also gains importance with the mainstreaming of Supervisory Control and Data Acquisition (SCADA), the Internet of Things (IoT) or Machine to Machine (M2M) communication[36] – as enabled and enhanced by MEMs[37], Software-Defined Networking (SDN), and of course, Cloud Computing.  These, in their turn, further fuel the “apolitical” socialization of business, living, and leisure.

5. Virtualization.

“The term virtualization is commonly used to refer to the creation of multiple virtual servers that operate on one physical computer. Virtualization uses fewer physical resources to do an increased amount of work in a virtual environment, cuts the costs of purchasing expensive hardware for computers, uses less physical storage space and reduces costs to power and cool physical computers”.[38]

As stated, virtualization has many benefits; including heightened productivity and cost savings.  However, the need for real human beings will persist.  Additional solutions enabled by virtualization include advanced gamification (both single user and multi-user), eLearning, and social business with real time product and service demonstrations, serious streaming and graphics, and simultaneous screen-in-screen separate software instances for multitaneous collaboration, creativity, and other connections.  Content is key, so there will always be a need for IT professionals across the 15 (“fifteen”) phases of the following, proposed new “horseshoe waterfall” software development process (up from the classic 6):

1. Requirements Analysis phase (PIA, ERP, SRA, TRA, and Objective-oriented Risk Identification);

2. Programming & Development phase (design, documentation, IP, cross-disciplinary “play-in/pet-in”[39]);

3. Vendor Development Testing phase (Quality, Usability, Interfaces, Performance, Stability – “QUIPS1”);

4. Application Security Testing (by subsystem, including to regulatory standard/industry metrics);

5. Contract Modeler/Tweaker phase (add-ons, P3 standalone software, and software for hardware);

6. P3 Development Testing phase (Quality, Usability, Interfaces, Performance, Stability – “QUIPS2”);

7. Vendor Integration phase (collective work of all subsystems & add-ons; documentation & IP updates);

8. Application Security testing (complete system by Vendor, and by user panel on late-stage beta);

9. White Hat phase (QUIPS3; with penetration testing, and to regulatory standard/industry metrics);

10. Feedback Integration phase (rectifications, new requirements, ruggedizing for special orders);

11. Deployment phase (with customer training, static testing, and onsite and remote debugging);

12. Implementation Validation phase (QUIPS4 ; with training, operational testing, and debugging);

13. Maintenance and Support phase (updates, patches, customer service, technical support);

14. Customer and Industry Feedback Analysis phase (knowledgebase, data analytics, planning);

15. Re-start at phase 1, 2, or 5: (next generation solution, fully new iteration, or market re-focus).

The falls are shaped like a horseshoe because the water can fall from several places or points at once, because the phases can easily overlap, and because the constant cycle of water never stops; so nobody can peer into the resulting product whirlpool and determine from where, or when, something fell-in.

6. Innovations.

The predictable thing about change, is that it will be constant.  Whether or not you define it as progress, technology innovations will generally have knock-on effects that include additional innovations.  This is a given, as items and areas rendered obsolete will be replaced, and those that wish to resist obsolescence, will make speedy and aggressive moves to adapt to that “new normal”.  From mainframes, through PCs, laptops, smartphones, tablets, and wearable IT[40] and other solutions, innovation feeds upon itself, and knowledgeable IT personnel will always be needed to make things work, adapt, and counter-adapt with concatenating advances in miniaturization[41] and processing power spurring “chipification”[42] of ever more discrete utilities and ecosystems to enable higher functions, remote diagnostics, and interoperation.  Current and developing form factors including wearables (heartrate monitors), scannables (QR codes and RFID), flyables (drones), drivables (smart cars and next generation autopilot), and as enabled by current (Gesticuloperation – i.e. operation by voice, clap, and hand signals in the likes of Microsoft Kinect, Sony Wii, interior lighting, and otherwise by voice or eyesight recognition), or Google Glass, and future tech., will likewise still demand contributions from multifaceted IT personnel.

7. Predictive Analytics.

Big Data is here to stay, due to the proliferation of ways in which it is collected, and the depth and detail with which it is being concatenated.  Businesses will need ever-more powerful and intuitive ways to crunch and package its content, whether for ERP, CRM, or other predictive data analytics.[43]  We already see automated resume sorting, but the human eye and brain will still be needed to develop and tweak the software, perform quality checks, and deal with data input delays (illegible writing that won’t scan, jammed paper in scanner input feeds, and machine maintenance and downtime for whatever reason).

ANALYSIS:

Rightly Forecast to Stay.

While the 2012 ICTC briefing identified 3 (“three”) specific areas of greatest need and growth potential in the prevailing IT skills shortage: Mobile Computing, Cloud Computing, and creative online content (Social Business),[44] IBM’s study of the global IT picture found a fourth: Business Analytics.[45]  Looking at the above 7 areas, Cloud computing touches (at least), 1, 5, 6, and 7; Business Analytics, touches (at least), 3, 4, 6, and 7; Mobile Computing, touches (at least), 2, 4, 6, and 5; and Social Business, touches (at most), 1 through 7.  I see no way that IT jobs or career paths can disappear any time soon.  The health of that sector may well ebb and flow, with economic growth and job prospects fluctuating back and forth; but IT’s adaptability, persistence, and traction (APT), give it true staying-power as a criss-crossing, sub-factor of production supporting that new factor of production, “information” – both of which now span mere land, labor, and capital,[46] and thusly remain indispensable bedrocks of modern and future society.

Wrongly Forecast to Go.

Similarly, regarding the 4 (“four”) specific IT roles identified for re-imagination or extinction,[47] vis-à-vis the above 7 areas: Programming; Datacenter; Data Technology; and Security.  With regard to programming, the author states that the popular or most common computer languages will change.  I agree, but the older languages will not die-out, due to the reasons I gave above.  Similarly, with regard to data technology, the author states that the new and evolving paradigms will require IT professionals who are both more multifunctional and more capable of multitasking across different cost centres in the organization (IT, data analytics, PR, R&D).  With this, I also agree, because up-skilling should be a constant when the going is good, and retraining should remain an option should the paradigm shift.

My disagreements arise with regard to the author’s predictions for IT’s datacenter functions[48] and IT’s security functions,[49] which will supposedly be forever and irretrievably changed by Unified Communications (UC) protocols, outsourced to third-parties, and otherwise surpassed or subsumed by and within the ambit of, a variety of Cloud Services Providers (CSPs).

                Datacenter, specifically.

With regard to datacenter functions, machines still cannot fully administer themselves, whether it is an airliner on autopilot, a nuclear power station, the switching center of a railway system, or a conveyor belt – which is supposed to stop by itself when something clogs the mechanism, but still has an emergency stop mechanism for the occasional “human” intervention.  I think that any prediction of the demise of these jobs and functions is premature or wishful thinking at best, and ill-advised at worst.

                Security, specifically.

With regard to security functions, it is worthwhile to note that evolving data protection and privacy standards set out by legislation, as well as industry best practices across several fields, are severely limiting the extent to which an entity can outsource the “responsibility” that it does and must hold in-house for the ultimate security of customer or client data; especially with regard to Personally Identifiable Information (PII), including within the financial services industry, and Personal Health Information (PHI), including within the healthcare sector.  This fact, alone, will mandate the persistence of the need for in-house skill sets in “security standardization, procedures, and auditing”,[50] due to the necessity of verifying: (i) that third-party providers can and do perform as promised and required by law; (ii) that breach notification is timely and properly conducted, and that third-parties are aware of their contractual and legal responsibilities, as applicable; and (iii) that loss prevention, IT, managerial, and legal personnel are all on the same page with regard to ERP, outsourcing, risk mitigation, and regulatory compliance across the entire IT ecosystem – whether in-house physical, in-house virtual, outsourced (including Cloud and offshoring), BYOD, or otherwise.  This security matrix must be complete, as omitted input will lead to omitted considerations, and avoidable losses that could rise to be in the extreme.

Even the much maligned practice of offshoring can have a net benefit to the outsourcing economy by pushing those it leaves behind into higher, more skilled, and managerial roles that are needed locally.

“Outsourcing can help create opportunities that didn’t exist before,” […].  Recruiting more bodies in another country can “upskill” Canadian IT workers, boosting them into higher level managerial positions,[…].  “The jobs are slightly different than what they may have been before, but it actually is an economic addition, not necessarily a detractor from the economy and from the employment landscape.”[51]

CONCLUSION:

For the final word on this issue, I think Stephen C. Ehrman summarized it best when he wrote that:

Each predictable doubling of chip power enables the development of surprising new tools for thinking, analyzing, studying, creating, and communicating in the world. Products and professions erupt, altering the content of some discipline, creating new fields, and compelling new forms of interdisciplinary collaboration in the wider world. The level of education required for many jobs is increasing as well. So technological change in the wider world both increases the number of people who need an education and changes what it is they need to learn as well.[52]

I think that should do it!

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in New York, New Jersey, and Washington, D.C.  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law & Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Kerry Doyle, MBA.  IT Roles Facing Extinction.  Published on globalknowledge.com by Global Knowledge Training LLC, 2012.  Online: >http://images.globalknowledge.com/wwwimages/pdfs/SR_IT_Roles_Facing_Extinction.pdf<

[2] Patrick Gray.  HP and BlackBerry abandon in-house tablet ecosystems.  Published in “Tablets in the Enterprise”, on techrepublic.com, May 24, 2013.  Online: >http://www.techrepublic.com/blog/tablets/hp-and-blackberry-abandon-in-house-tablet-ecosystems/3428?tag=nl.e101&s_cid=e101&ttag=e101<

[3] Tribute to the late Professor Albert Chinualumogu (Chinua) Achebe, (1930-2013), author of the timeless classic “Things Fall Apart” (first published in A.D. 1958).

[4] A sometimes heated debate persists on whether or not the United States is currently experiencing a skills shortage in graduates of Science, Technology, Engineering and Mathematics (STEM).  See e.g. (severe shortage exists): Society for Human Resource Management (SHRM).  The Ongoing Impact of the Recession – Recruiting and Skills Gap.  Published on shrm.org, March 12, 2013.  Online: >http://www.shrm.org/Research/SurveyFindings/Articles/Pages/SHRM-Recession-Recruiting-Skill-Gaps-Technology.aspx<; see contra (no shortage found): Economic Policy Institute (EPI).  Hal Salzman, Daniel Kuehn, and B. Lindsay Lowell.  Guestworkers in the high-skill U.S. labor market: An analysis of supply, employment, and wage trends.  Published in “Immigration”, on epi.org, April 24, 2013.  Online: >http://www.epi.org/publication/bp359-guestworkers-high-skill-labor-market-analysis/<

[5] In Canada, however, the skills shortage issue appears better settled – it exists!  See e.g. Namir Anani, President and CEO of the Information and Communications Technology Council (ICTC).  Briefing – HUMA – Fixing The Skills Gap and Understanding the Labour Shortages, at page 2.  Mr. Anani delivered this briefing in Ottawa, Canada, on April 4, 2012, before the Parliamentary Standing Committee on Human Resources, Skills and Social Development and the Status of Persons with Disabilities.  Published on ictc-ctic.ca.  Online: >http://www.ictc-ctic.ca/wp-content/uploads/2012/06/ICTC_HUMAPresentation_EN_04-12.pdf<

[6] Joe McKendrick.  Almost 1.7 Million Cloud-Related Jobs Went Unfilled in 2012: Estimate.  Published in “Tech”, on forbes.com, December 21, 2012.  Online: >http://www.forbes.com/sites/joemckendrick/2012/12/21/almost-1-7-million-cloud-related-jobs-went-unfilled-in-2012-estimate/<

[7] National Institute of Standards and Technology (NIST).  NIST Cloud Computing Program.  Online: >http://www.nist.gov/itl/cloud/index.cfm<

[8] PCI Security Standards Council: Cloud Special Interest Group.  PCI Data Security Standard (PCI DSS), Version 2.0 – Information Supplement: PCI DSS Cloud Computing Guidelines, at 4.  Released March, 2013.  Online: >https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf< Software as a Service (SaaS), is there defined by PCI SSC as: “[c]apability for clients to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface”.  See also Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 1.  Published on ogalaws.wordpress.com, March 11, 2013.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/< SaaS offerings generally include tools for processing, analysis, accounting, CRM, and back-office functions, as delivered on a “pay by use or increment” basis.

[9] Michael Hafner, Mukhtiar Memon, and Ruth Breu.  SeAAS – A Reference Architecture for Security Services in SOA.  Published 1.9.09 in the Journal of Universal Computer Science (JUCS), vol. 15, no. 15 (2009), 2916-2936, at 2924. Online: >http://www.jucs.org/jucs_15_15/seaas_a_reference_architecture/jucs_15_15_2916_2936_hafner.pdf<

Security as a Service (SecaaS), is there defined by the authors, as:

“[…] the delivery of security functionality over infrastructure components in a service-oriented manner. For SOA, this means that security services are accessed through common Web services technologies and standards”.

As stated in that publication, SecaaS offerings generally encompass services for: authentication, authorization, security compliance, security interoperability, cryptography and message processing, protocol-based security, and security monitoring and auditing.

[10] PCI Security Standards Council: Cloud Special Interest Group.  PCI Data Security Standard (PCI DSS), Version 2.0 – Information Supplement: PCI DSS Cloud Computing Guidelines, at 4.  Released March, 2013.  Online: >https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf< Platform as a Service (PaaS), is there defined by PCI SSC as: “[c]apability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider”.  See also Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 2.  Published on ogalaws.wordpress.com, March 11, 2013.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/< PaaS offerings generally include tools for email, online backup, or desktops on demand, as well as middleware and raw development platforms.

[11] PCI Security Standards Council: Cloud Special Interest Group.  PCI Data Security Standard (PCI DSS), Version 2.0 – Information Supplement: PCI DSS Cloud Computing Guidelines, at 4.  Released March, 2013.  Online: >https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf<  Infrastructure as a Service (IaaS), is there defined by PCI SSC as: “[c]apability for clients to utilize the provider’s processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure”.  See also Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 3.  Published on ogalaws.wordpress.com, March 11, 2013.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/< IaaS offerings generally include tools for collaboration, integration, and visualization, in scalable storage and server capacity on demand.

[12] Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 4.  Published on ogalaws.wordpress.com, March 11, 2013.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/<  Network as a Service (NaaS), generally includes advanced virtualization tools such as bandwidth-on-demand for multiple VPNs-on-demand, and for cloud-to-cloud networking on-demand.

[13] Data as a Service (DaaS), generally includes the hosting and delivery-on-call of data that is both form factor independent and software independent, as its storage (static) and delivery (formatted) states will differ, and the data will only be transformed from one to the other as and when needed, and as optimized to form factor or use.  Increasing data analytics and in-house ownership of the crunched result, will spur growth in this DaaS (author).

[14] Migration as a Service (MaaS), refers to the transmission or translocation of clientele (users of blogs, wikis, chats, or other collaborative portals), data and databases (documents, files, spreadsheets and folders), capital operations and office suites (applications, business processes, or operating systems from version to version, or from server to server on premise), or services (emails and VOIP/voicemails); whether from one platform or service provider, to another (on-premise to cloud transforming capital expenditures to operating expenses, or cloud to cloud).  This can be done on a self-serve basis, or through a vendor.  The volume of data that many companies now command otherwise makes migrations quite expensive, and implies that MaaS will remain a growth area (author).

[15] Christine Burns, Network World.  Cloud careers: It’s a seller’s market.  Published on networkworld.com, October 8, 2012.  Online: >http://www.networkworld.com/supp/2012/enterprise5/100812-ecs-cloud-careers-262741.html<

[16] Id.

[17] Joe McKendrick.  Almost 1.7 Million Cloud-Related Jobs Went Unfilled in 2012: Estimate.  Published in “Tech”, on forbes.com, December 21, 2012.  Online: >http://www.forbes.com/sites/joemckendrick/2012/12/21/almost-1-7-million-cloud-related-jobs-went-unfilled-in-2012-estimate/<

[18] See Ekundayo George.  Ctrl-Shift-Del: 2013’s Top 5 Technology Trends for Consumers.  Published on ogalaws.wordpress.com, March 16, 2013.  Online: >https://ogalaws.wordpress.com/2013/03/16/ctrl-shift-del-2013s-top-5-technology-trends-for-consumers/<

[19] Id.

[20] See e.g. Ekundayo George.  Social Media Policies: Why have them, and what should they cover?  Published on ogalaws.wordpress.com, May 29, 2013.  Online: >https://ogalaws.wordpress.com/2013/05/29/social-media-policies-why-have-them-and-what-should-they-cover/<

[21] I see these enabling, at the very least: (i) “eNUB” (email, number, and URL banking); and (ii) “Work-Shifting”.

(i) eNUB will be the response of entities and employers to salesforce BYOD, now better able to take existing contacts, prospects, vendors, and sales peers with them, due to all knowing that contact number by heart.  Hence, even if that person’s entire eRolodex gets remote-wiped, they can still be reached by their now “good old friends”. So, with growing number portability and VOIP, employers will own and manage banks of mobile contact numbers (in addition to the URLs and emails they already tag-onto/under domain names), to prevent salesforce lead-bleed.

(ii) The growing ability, through advancing mobile device management (MDM) technologies to stop and start the delivery of emails, and to route and unroute calls to BYOD-enabled workers so that they are not troubled (into working costly overtime), outside the standard workday, will enable employers to more easily juggle the workflow between permanent and contract employees in different time-zones through disclosed/undisclosed jobsharing arrangements. Hence, less downtime in a new, cloud-enabled world of work-shifting, as opposed to shift-work.

See Tom Kaneshige, CIO.  Which Workers Are the Best Fit for BYOD?  Published on cio.com, May 14, 2013.  Online: >http://www.cio.com/article/733399/Which_Workers_Are_the_Best_Fit_for_BYOD_?taxonomyId=600007<

[22] IDC.  Quantitative Estimates of the Demand for Cloud Computing in Europe and the Likely Barriers to Up-take. SMART 2011/0045.  D4 – Final Report, at 30.  Published on ec.europa.eu, July 13, 2012.  Online: >http://ec.europa.eu/information_society/activities/cloudcomputing/docs/quantitative_estimates.pdf<

[23] Id. at 9.

[24] Id. at 9.

[25] Marianne Kolding.  IDC White Paper.  Adoption of Cloud: Private Cloud is Current Flavour but Hybrid Cloud is Fast Becoming a Reality, at 1-2.  Published on Infosys.com, September, 2012.  Online: >http://www.infosys.com/cloud/features-opinions/Documents/hybrid-cloud-becoming-reality.pdf<

[26] Id. at 2.

[27] Id. at 3.

[28] Peter Brown and Leonard T. Nuara, Co-chairs.  Cloud Computing 2011: Cut Through the Fluff & Tackle the Critical Stuff.  Intellectual Property Course Handbook Series.  Number G-1055, at 49.  Published in 2011 by the Practicing Law Institute, New York (PLI).

[29] TechRepublic.  Executive’s Guide to Best practices in SAAS and the Cloud, at 14.  Published in “Whitepapers”, on ZDNet.com, March 2013.  Online: >http://www.zdnet.com/executive-guide-to-best-practices-in-saas-and-the-cloud-free-ebook-7000012032/< The author quotes Charles King, principal analyst at Pund-IT.

[30] World Economic Forum and INSEAD.  The Global Information Technology Report 2013: Growth and Jobs in a Hyperconnected World.  Foreword by Cesare Mainardi, Chief Executive Officer, Booz and Company, at vii.  Published on weforum.org, 2013.  Online: >http://www3.weforum.org/docs/WEF_GITR_Report_2013.pdf<

The author takes care to point-out that while digitization brings benefits in both productivity and employment growth, there “may well come” a point of disequilibrium.  Similarly, there is a delicate balance to be found for the 3 (“three”) roles on the input matrix, being the roles of financier, facilitator, and direct developer.  Where and when the ratio is off, the national cake will not rise to meet the demand, or otherwise respond on command.

[31] See e.g. Guarav Kumar, Ph.D., Assistant Professor, Department of Computer Applications, Chitkara University, Rajpura, Punjab.  Career Guide: Career in Mobile Computing and Wireless Technology.  Published in Employment News Weekly, 25 May – 31 May, 2013, issue (No. 08), on employmentnews.gov.in.  Online: >http://www.employmentnews.gov.in/career_in_mobile.asp< This article and the sheer diversity of the career streams here listed provide a very clear idea of just how vast the mobile field now is, and promises to become.

[32] See e.g. Kara Swisher.  “Physically Together”: Here’s the Internal Yahoo No-Work-From-Home Memo for Remote Workers and Maybe More.  Published on allthingsd.com, February 22, 2013.  Online: >http://allthingsd.com/20130222/physically-together-heres-the-internal-yahoo-no-work-from-home-memo-which-extends-beyond-remote-workers/<

[33] American Society for Quality (ASQ).  Continuous Improvement.  Published on asq.org, at Continuous Improvement Model – Learning Resources.  Online: >http://asq.org/learn-about-quality/continuous-improvement/overview/overview.html<

[34] Id.

[35] Jonathan Huebner, Ph.D.  A possible declining trend for worldwide innovation.  Published 2005, in Technological Forecasting & Social Change 72 (2005) 980-986, at 981, on sciencedirect.com.  Online: >http://accelerating.org/articles/InnovationHuebnerTFSC2005.pdf<

There is a general consensus that technology is advancing exponentially, and that this advance will continue into the distant future. The basic assumption behind this view is that either there is no limit to technological advance, or if there is a limit, then we are far from reaching it.

[36] See Infra, note 41.

[37] Visa.  The Future of Technology and Payments report: More of the Same (2nd edition, printable version), at pp. 10-11.  Published by Visa, on visaeurope.com, April 24, 2013.  Online: >http://www.visaeurope.com/en/about_us/industry_insights/tech_trends.aspx<

“We therefore expect to see the progressive deployment of so-called Microelectromechanical systems (MEMs).  These minute devices, generally smaller than a square-millimetre, typically comprise of a microprocessor plus a sensor or actuator. Already, they are common components within consumer devices acting, for example, as accelerometers or gyroscopes. (…)”.

“For the future, the use of MEMs seems destined to become more widespread. More exotic sensors will become available (capable, for example, of checking blood pressure or glucose levels). Their proliferation could therefore enable the so-called “internet of things” (…). And, in the coming years, IBM holds out the prospect of a trillion connected devices (…) – that equates to one hundred smart objects for every person on our planet”.

[38] Megan M. Kearney, Esq.  Faster Than the Speed of Law: Technological Advancements Generate a Host of Novel Legal Concerns.  Originally published in The Philadelphia Lawyer, Winter 2011, “Intellectual property law”, pepperlaw.com.  Online: >http://www.pepperlaw.com/pdfs/PhilaLawyer_Kearney.pdf<

[39] See e.g. Lucas Mearian, Computerworld.  The Time is Right for an ‘IT Petting Zoo’.  Published on cio.com, June 5, 2013.  Online: >http://www.cio.com/article/734452/The_Time_is_Right_for_an_IT_Petting_Zoo_?taxonomyId=600007<

[40] Canadian Manufacturing Daily Staff.  Ontario firm gets federal funding for wearable lithium-ion pack.  Published on canadianmanufacturing.com, April 23, 2013.  Online: >http://www.canadianmanufacturing.com/general/ontario-firm-gets-federal-funding-for-wearable-lithium-ion-pack-101574<

[41] Fundación de la Innovación, Bankinter, and Accenture.  Future Trends Forum (FTF) Series, Number 15: The Internet of Things – In a Connected World of Smart Objects.  Chapter 3, at page 37.  Published on fundacionbankinter.org, in 2011.  Online: >http://www.fundacionbankinter.org/system/documents/8189/original/XV_FTF_Interneto_of_things.pdf<

“More than half a century on from the days of mainframe computers that took up whole rooms, components are becoming smaller and smaller, enabling faster and more powerful computers to be developed. This physical layer occupies less space, making it easier to connect practically anything, anywhere, anytime. What we are seeing is the phenomenon of miniaturization”.

[42] Supra note 37.

[43] Toni Bowers.  IT needs to understand the move from BI to data analytics.  Published in “Tech Decision Maker”, on techrepublic.com, May 28, 2013.  Online: >http://www.techrepublic.com/blog/tech-manager/it-needs-to-understand-the-move-from-bi-to-data-analytics/8277?tag=nl.e099&s_cid=e099&ttag=e099<

[44] Namir Anani, President and CEO of the Information and Communications Technology Council (ICTC).  Briefing – HUMA – Fixing The Skills Gap and Understanding the Labour Shortages.  Mr. Anani delivered this briefing in Ottawa, Canada, on April 4, 2012, before the Parliamentary Standing Committee on Human Resources, Skills and Social Development and the Status of Persons with Disabilities.  Published on ictc-ctic.ca.  Online: >http://www.ictc-ctic.ca/wp-content/uploads/2012/06/ICTC_HUMAPresentation_EN_04-12.pdf<

[45] See IBM.  Fast Track to the Future: The 2012 IBM Tech Trends Report.  Published by the IBM Center for Applied Insights, on ibm.com, December, 2012.  Online: >https://www.ibm.com/developerworks/community/blogs/techtrends/?lang=en<

[46] Supra note 41, at 18.  “Just as in an agricultural economy, the factors of production were land and labor, and in an industrial economy they were capital and labor, information has become the production factor of the twenty-first century”.

[47] Kerry Doyle, MBA.  IT Roles Facing Extinction.  Published on globalknowledge.com by Global Knowledge Training LLC, 2012.  Online: >http://images.globalknowledge.com/wwwimages/pdfs/SR_IT_Roles_Facing_Extinction.pdf<

[48] Id. at 3.  “Gone are the service technicians responsible for rewiring and maintenance.  UC makes those skills unnecessary.  In the future, one or two systems analysts will centrally handle communication implementation and flow from within the datacenter”.

[49] Id. at 4.  “Within organizations, gone are the traditional back-up and recovery skill sets which will be relegated to third-party providers”. (…)  “Gone are the technicians who relied on security standardization, procedures, and auditing”.

[50] Id. at 4.

[51] Brian Bloom.  IDC: Offshoring IT keeps Canadian firms competitive.  Published for Computing Canada in itworldcanada.com, June 14, 2012. The quotation is from Jason Trussell, senior vice-president and Canadian regional manager at iGate Inc.  Online: >http://www.itworldcanada.com/news/idc-offshoring-it-keeps-canadian-firms-competitive/145611<

[52] Stephen C. Ehrman, Ph.D.  Technology and Revolution in Education: Ending the Cycle of Failure.  Published in Liberal Education, Fall (2000) 40-49, at “Double Double Toil and Trouble: Moore’s Law”.  This penultimate draft of the final article is available through The TLT Group (Teaching, Learning, and Technology), on tltgroup.org.  Online: >http://www.tltgroup.org/resources/V_Cycle_of_Failure.html<

Comment in the discussion chain: Data Centers and Disaster Recovery in Nigeria.

Started by moderator Christopher Odutola of the LinkedIn group: Cloud Computing, Virtualization and Disaster Recovery in Nigeria.

Online: http://www.linkedin.com/groups/Data-Centers-Disaster-Recovery-in-3785575.S.43550562?view=&srchtype=discussedNews&gid=3785575&item=43550562&type=member&trk=eml-anet_dig-b_pd-pmt-cn&ut=1tsF8girXdkBI1

**********

Thank you all for your highly knowledgeable and astute comments in this discussion so far.  We all know that as Nijas, we have the talent and we have the skills to get things done – as you all show.  However … na conditions!!  I think 6 factors need to be addressed to some extent before the cloud can gain more credibility and traction in Nigeria, and even in Africa, and become “e-Solid”.

“E”nergy is number one.  Data centers need cooling (especially below the equator), and drives need energy to spin, access memory, and provide those virtual instances.  The idea of generators in series has merit, but I would say turbines are better – with all the natural gas we have flaring.  I always wonder why none of our unemployed Engineers have built scalable and modular mini-refineries that can be used in the Niger Delta instead of all these open air burns; as used to feed or as combined with, modular and scalable mini-power stations.  We do have the labour, craftsmen, engineers, and natural resources.  Perhaps some of your banking and industrial contacts can be interested in seed funding.  Such machines will get plenty of interest in similarly challenged parts of the world.  It will take quite an effort to string functioning power lines everywhere, or bury them where there are already more people than spare ground.  I think localized modularity is the way to go, as opposed to regional and national power grids.

“S”ecurity has many facets.  On the one hand, it is the day to day matter of traveling to work while avoiding roadblocks, armed robbers, militants or les beaucoup-harmers, and drivers of trucks with no brakes, or of buses full of people and tankers full of petroleum or chemicals, who are not in their right minds due to some substance or other.  The 24/7 nature of IT will require people to travel back and forth at odd times, unless you are there on 7-12 day on, and 7-12 day off shifts, or something like that.  Even then, you will have to switch-out at some point, and face the travel hazards.  The other facet of security is data security.  Are the sys-admins selling off data sniffed in transit; is the data entirely managed within Nigeria or are portions of the cloud external and therefore subjecting the data to the laws and sniffing of other jurisdictions; are Nigerians adequately protected from identity theft and loss of funds in the case of financial data transfers through the cloud?  These are all areas where Nigerian laws are pretty far behind, due to other priorities of our dear leaders – state and federal, and legislators.

“O”versight is also highly important.  There are a plethora of regulatory bodies, associations, commissions, and parastatals in Nigeria that have overlapping and complementary functions.  When people in position wake and realize that there is money to be made from taxing, regulating, and licensing the cloud, there will be a rush to assert jurisdiction.  Will it be from NCC (due to communications), CBN (due to financial transactions in the cloud), FRSC (due to data transportation on the information highway), NIMASA for the undersea telecommunications cables, each and every state government (due to data center location), EFCC (due to the potential problems within their competence), or any combination of the security agencies, due to the potential national security implications?  How easily can the Corporate Affairs Commission define which of the above types of business the CSP/CSV is engaging in, and how many lawsuits, pleas to the President, and examples of public rudeness and misbehavior at the highest levels will Nigerians have to endure from those many competing regulatory interests?  I think a massive rationalization and realignment of Nigeria’s regulatory landscape is long overdue, but it may not happen while there are so many who benefit from the current alphabet soup of a conjoint twin octopus at a grand buffet, still eating to their heart’s content.  Other countries have established central fora, fusion centers, and similar councils where many bodies work together for the same goal.  In our case, that may take some time to achieve.

“L”egal is the logical follow-on, here.  There can be a self-regulatory body established for cloud service providers that enforces standards amongst peers, coordinates training and best practices, and works to lobby the government where and when needed.  Or, providers in the space can continue to work independently and accept whatever laws and regulations – no matter how contradictory, policy-somersault-laden, or otherwise non-conducive to sane and sustained business – are handed down from above.  Tips can be taken from what transpires with regard to the cloud outside Nigeria, but we should not be so fast to adopt things full force, that might not quite fit with our unique context.  We have seen many examples of this, as well as cases where countries accepted Constitutions and laws drafted by outsiders that were just plain wrong.

For example, the Warsaw Convention limits liability to air carriers in the case of lost luggage, persons, or goods.  The Hamburg Rules perform a similar function with regard to carriage of goods by sea.  Those work well and are generally accepted for important service industries, when coupled with insurance.  Obviously, some lawyers can always be found to sue, despite the caps!  Attitudes change, however, when the protection is given to specialized industries and interests.  You have for example the Nuclear Liability Act in Canada, and the Price-Anderson Nuclear Industries Indemnity Act, in the United States – both limiting the liability of civilian nuclear installations for any incidents.  Most recently, on top of the refusal or inability of the United States Food and Drug Administration to force the labeling of genetically modified foods and food ingredients, President Obama still signed a Monsanto Protection Act on March 28, 2013 – http://rt.com/usa/monsanto-bill-blunt-agriculture-006/.

A time may well come when the cloud industry becomes so large and all-pervasive that it will merit similar protections for all the data breaches and failings we see with it in the western world – the first adopters.  However, if this happens in Nigeria before deposit insurance is taken and managed seriously (towards fewer vanishing premiums), a national identity system is firmly in place (towards fewer unusually expensive ghost workers), and business insurance and industry best practices are firmly adhered to, someone may pull a Cyprus without the government involvement.  The supposedly un-hackable Bitcoin was recently pilfered, and government should not help itself to personal bank accounts just because someone tells it to.  If the industry itself is protected, but the protection is not there or woefully inadequate for customers/consumers, some major problems could very well result.

“I”nfrastructure also needs a lot of work – whether roads and rails, buildings within which mobiles may or may not function, encryption and security of data in transit against SQL injection and other malware exploits, and a lot more attention to such basic security as keeping programs and systems patched and up to date.  BYOD can mean both bring your own device and bring your own destruction, depending on what the device owner is knowingly or unknowingly carrying within it, or something to which the device attaches.  It is no secret that many government websites in Africa (not just Nigeria) are Trojan-laden.  This needs to be fixed, before Nations are cut-off from the outside and just go dark, due to the increasingly powerful antivirus and anti-malware programs that just block access to swathes of e-Estate, due to the real or alleged vulnerabilities that they represent.  Come on, guys and gals, we need to be able to reach you …. and there is no guarantee that VOIP will remain unaffected.  I cannot count the number of times that my system has refused to go somewhere – somewhere legitimate thank you – and then, I had to decide whether or not to disable the meguard and go there anyway.  This trend is already well-underway.  Even with all or most of the cell towers up, there should be backups in hard lines and satellites, because towers can still be taken down.  We need to get our act together and put in the kind of backup and redundancy of critical infrastructure that gives people a greater sense of confidence that things will work and continue to work when they are needed most.  With the near total absence of landlines, what happens to emergency calls when the cloud-based cellular service goes down?
Our infrastructure needs some serious work if we are to have the necessary bandwidth for greater cloud uptake (by SMBEs and conglomerates), deployment (in SaaS, PaaS, and IaaS configurations), and uptake (by the public and the powers that be); along with the other deficiencies here identified.

“D”isaster prevention, planning, response, and recovery is an obviously-ignored competence at the higher levels in Nigeria, due to the abundance of buildings and homes in flood plains – recurrently lost; the lack of an organized, national ambulance and air and water ambulance service – let alone fully-equipped, staffed, and functioning medical and dental facilities and pharmacies; poor attention to building standards, and road and rail traffic, maritime, and aviation vessel quality and facility maintenance; and the preponderant fire brigade approach with promises and prayers when things go horribly wrong.  Even where the cloud is proprietary, such as the example of your own VM instance on campus or at work, commonsense and best practices still advise the use in any combination, of off-cloud backup (such as having your digital photos both in the cloud and on a physical USB stick that can create a mirror collection with rapid and relative ease – so long as not corrupted or lost), a substitute or backup cloud (such as also storing them in another location and with another vendor,  perhaps as sent email attachments due to the current almost unlimited email storage capacity), offsite backup (on a portable hard drive at a second physical location), and perhaps physical hardcopy prints that can be laboriously scanned and uploaded, again, if and when all else fails.  Multiple redundancies are keys to data availability, reliability, and replicability, and all of the above need to be addressed before that can be more fully guaranteed with the appropriate high-uptime SLAs.

 

SUMMARY:

In summary, unless the Nigerian cloud industry members, vendors, and workers want to be misled by the kind of absentee and not quite technically competent as it is supposed to be or claims to be leadership that has characterized so much of our experience in recent memory, they (and other like-minded professional bodies tired of waiting to be disappointed, yet again), will step-up to take the lead in their own best professional and practical interests, and the interests of all Nigerians at home, abroad, and as yet unborn, to organize, strategize, and familiarize themselves with global best practices, apply only what makes most sense with regard to local idiosyncrasies, and work to build local workarounds and custom solutions to the Nigerian situation that can waylay & workaround the kind of Bigman and Bigwoman jealousy, grandstanding, and other examples of feferity and insincerity that I alluded to above; better insulating their businesses from marauders to make them e-Solid.

That’s my N 100;

I hope it helps.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

I would say there are essentially 7 (“seven”) stages in this trajectory, being:

(i) SaaP;

(ii) SaaS;

(iii) SaaR;

(iv) S3aUR;

(v) PCSS;

(vi) SaEE/SaEA;

(vii) PC3S.

Kindly allow me to explain.

SaaP – Software as a Product:

(i) Software was originally a product, although many in the younger generations may have little to no recollection of those days.  It was separately shrink-wrapped and sold first in hard copy format, on disks (you might recall the almost never-ending deluge in your snail mail of all those free and unsolicited AOL, Earthlink, and MSN discs of yore), amongst others; and then, it moved online, with click-wrap licensing.

SaaS – Software as a Service:

(ii) Software as a Service developed with the outsourcing trend, and it has actually been with us for at least a good decade.  Value was added through offshoring, near-shoring, and contracting-out for the design of software to run CAD and CAM applications (as well as the machines on which to run them), all after first hiring the outside management consultants to advise on how to better streamline and align critical line and staff functions to increase ROI, boost productivity, and maximize shareholder value.

SaaR – Software as a Right:

(iii) Although many don’t quite see it – due to the fact that Stage 4 is already taking the limelight ahead of its time – Stage 3 is when we start to see Software as a Right (SaaR).  Software is becoming a right because cost-cutting has led to several European and North American governments cutting funds for hardcopy libraries, both public and at educational institutions.  As this happens, older collections are being shredded to save space and funds (sometimes with and sometimes without ensuring that they are first put to the expensive process of scanning and digitization, and very often without any public disclosure, comment, or opportunity for interested parties and departments to offer to raise the funds or find the space to preserve them).  As more and more knowledge goes online and becomes accessible only for a fee (see the recent moves of certain providers of news and commentary to dispense with the printed versions of their publications); and as more and more public government services (information, forms, e-filing, e-refunds) and even private sector services (banking, customer service, event and school registration and RSVP) move online, then software becomes a right, to the extent that people need it for access to these essentials of daily living.

S3aUR – Software and Systemic Security at Undue Risk:

(iv) We are now seeing multiple, concatenating, and overlapping tangible and virtual instances of Software and Systemic Security at Undue Risk in multiple Availability Zones (AZ), due to hacking and malware, Advanced Persistent Threats (APT), insider fraud and disgruntled employees,[1] apparent personal grudges,[2] blatant BYOD misuse, and just bad design, mismatched configuration, or absent/inactive management.  There are climatic and other intervening “exigent events”.  However, the argument will always be made that these (including climate change), were predictable, and could therefore have been better planned for and their effects, controlled.

PCSS – Persistent Cloud Security Systems:

(v) As a result of Stage 4, discussions have already commenced and are well underway,[3] on how to best structure,[4] roll-out, and govern a Persistent Cloud Security System (PCSS) that (a) works in real-time, (b) is networked to involve end-users, private sector providers, and public sector actors of various profiles, and (c) is truly multinational and achieves massive regulator and government buy-in to work consistently and predictably with common rules or principles to drill down on, rein-in, and prosecute actors in the under-most belly, of the Deep Web.[5]  Monitoring as a Service, Alerts as a Service, and like offerings will not, alone, suffice to stem Stage 4’s insecurity tsunami.

SaEE/SaEA – Software as Embedded Enabler or Enhancement/Appendage or Augmentation:

(vi) Of course, being a non-Wizard, I cannot say what term precisely, will be used.  It is possible, just as is the current case with the Phase 2 SaaS variants, that different terms will be used by different providers and commentators, unless and until some sort of standardization is agreed-upon.  The need for constant updates, patches, and other communications with the thin, thick, and virtual clients running all of this massively-dispersed computing power, whether by pull-down or push-out from the update source, will eventually start to fall too far behind the developing threats and vulnerabilities presented.  At that point, one or more governments may “force” this Stage 6.

There are already “some” people experimenting with themselves by embedding RFID chips, and the agriculture industry has lots of experience on their use with farm animals.  Anecdotal stories on the internet about additional experimentation by early-adopters with pets, children, and the elderly, are yet to be proven for the most part …. I think?!  A number of nations are reportedly also spending copious amounts of declared and undeclared moneys on brain-mapping, brainwave scanning, and methods to understand, predict, and control human brainwaves and human behavior without being detected.

Whatever the case, once the critical point of the implantation quotient is achieved or nearly-achieved, there may come a time when governments “mandate” that people embed or append the software through a chip implantation of some sort.  This will be resisted on a number of fronts and may cause unrest in several jurisdictions.  However, judging by the way some governments can tend to proceed with their plans despite the protests of millions, the effects on their citizens, and the horror of other nations, things may still get pretty ugly.

As we have already seen in the case of consumer products (from smokeables, through manufactured goods and automobiles, to even fresh food), not all dangers in end-use and the potential side-effects that could and should have been disclosed, were disclosed.  Let us therefore hope that these “implants” do not create a globe of rabid zombies under the remote control of whoever can hack the system best, or hostages to brain-frying hacktivists.

PC3S – Pure Collectivized Communications Culture System:

(vii) Then, once everyone who counts or wants to count, is wired-up (or at least, all who want to be able to eat & drink, fully & freely exercise inalienable rights, or buy & sell in a fully-tracked, value-stacked, government-backed, and supposedly hard-to-crack, pay as you go system with monthly user fees and transaction levies (ePayment only in a cashless society, with interest-bearing pay-day-loans preferred so as to keep everyone happily hard at work for their own self-serving purposes) that by definition includes all but the “obvious terrorists”), we will have that Stage 7, in a Pure Collectivized Communications Culture System.  If software becomes embedded to get around hacking, then who is to say that a person’s brain will actually be able to remain free and clear of the hackers; or that interested parties with the access (such as corrupt insiders), will resist the temptation to hack someone’s brain for profit, or to create a “robot on demand”, with credible and provable amnesia?  A number of 20th and 21st Century books and movies may quickly come to mind.[6]

SUMMARY:

Of course, all of this is a work of fiction and can never happen in this modern world …. except of course, for those stages in these above 7, that have already taken place, or that are …. “something of a work in progress, by someone, somewhere, for some specific purpose, and at the behest and request of some sort of sponsor”!  It is said that being fore-warned is to be fore-armed, but nobody really remembers things they read on the internet, unless there is some sensual stimulant or celebrity endorsement, right?

************************************************************************



[1] See e.g. Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published on ogalaws.wordpress.com, January 17, 2013.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[2] See Adam Edelman/New York Daily News.  Cyberbunker hosting site said to be dropping virtual ‘nuclear bomb’ on Internet with massive, global denial of service attack.  Published Wednesday, March 27, 2013 on nydailynews.com.  Online: >http://www.nydailynews.com/news/national/internet-nuked-massive-ongoing-cyber-attack-experts-article-1.1300372 <  It is “alleged” that a private dispute of some sort between Cyberbunker (a Dutch internet hosting business that will take all-comers, “except child porn and anything related to terrorism”), and The Spamhaus Project (a non-profit centred in London and Geneva, but with operating nodes in ten nations, that “works to help email providers filter out spam”), has led to the largest DDOS in history with a data stream attack magnitude of 300 billion bits per second, when 50 billion bits would suffice to bring-down the online service of many significant online businesses, including major banks.  The fact that most people have seen no significantly noticeable disruptions due to this “attack”, just goes to show the added resilience built into the system since this kind of attack was first noticed, understood, and responded to by industry and regulators. Personally, I saw some emails come through on device group “A”, but they were delayed on others – thankfully, nothing time-sensitive, and I was aware of them due to my own system of redundancies in having those multiple email access points and service providers.  Microsoft also just switched a “massive” few more users over to Outlook, so that may have also played a part in my own delayed email receipt.  In any case, investigations are ongoing into the source of the current and sustained attacks, but as with others, the true perpetrators may remain hidden.  See Infra, note 5.  See also The Spamhaus Project homepage.  Online: > http://www.spamhaus.org/organization/<; The Cyberbunker Data Centers homepage.  
Online:  >http://www.cyberbunker.com< (the Cyberbunker website was verified by this author as unreachable online, at the time this SaaS Visioning-out article posted).

[3] See e.g.  Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 17.  Posted March 11, 2013, on ogalaws.com.  Online:> https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/<

[4] See e.g. Mikael Ricknäs, IDG News Service.  AWS takes aim at security conscious enterprises with new appliance.  Published on itworld.com, March 27, 2013.  Online: >http://www.itworld.com/cloud-computing/349894/aws-takes-aim-security-conscious-enterprises-new-appliance?goback=.gde_1864210_member_226976359<  Amazon Web Services has introduced a standalone, secondary cloud-based system to manage cryptographic keys that will be used in the cloud, with limited AWS access through “strict” separation of administrative and operational duties between the vendor and the client, and segregation and limitation of access according to business need.  SOD best practices are thus clearly translated into the cloudsphere.

[5] See Gil David.  The Dark Side of the Internet.  Published on israeldefence.com, December 1, 2012.  Online: >http://www.israeldefense.com/?CategoryID=483&ArticleID=1756<  This article provides a fairly good overview of what we are all dealing with on a daily basis, with regard to the Deep Web.  I will post at a later date, regarding some of my thoughts on how this might spur and/or impact upon, that promised “Internet of Things” to come.

[6] I think I will also have to post at a later date on what might constitute “work”, when machines do so much of one type of work, and many of the other types are outsourced to someone, somewhere else.  As automation really took hold on a massive scale in the industrial west (Japan, Europe, North America, South Korea) in the 1960s and 1970s, much was said about the coming leisure society as machines did so much, that people would have more time on their hands to relax and actually enjoy life.  Now, the “massively unemployed, migrating mass populations” in almost all geographic zones and nations, mean something clearly went very wrong.  We are a few steps away from chaos; one that may well start in the European Union –or with one or more of its “pending former” members.  Should this happen and spread as political leaders continue making very bad calls, Anonymous, Environmentalists, Occupy, and the Anti-Globalization folks will look like child’s play, even when first combined and then multiplied.

Much attention is focused on the “Triple A” of Cloud services, namely: Availability all the time (Service Level Agreements and uptime claims); Appropriate access controls (passwords and authentication); and Alteration protection and audit trails, which is especially critical in terms of eDiscovery, and responsibility in ensuring the entity’s ability to effectively backup, recover, and archive its data on a regular basis, and to restore its data on-site or off-site after the fact of a contingency event.

Whether you are thinking of a far-flung transnational operator or a small business, the following are 8 (“eight”) factors to constantly revisit in getting it right when considering or indulging in cloud services.

1.   Backup Cloud: If you have critical functionalities that have moved completely or almost completely to a cloud-based solution (SaaS,[1] PaaS,[2] IaaS,[3] NaaS[4]),[5] then it is highly-advisable to have a backup cloud.  Whether this is done as a failover provision (not always easy to coordinate the two providers), or the running of parallel instances (such as accessing a standalone data archive with staggered replication between those two or more remote access nodes, so permitting them to jointly recover the entire data set should access to the central archive suddenly cease), is ultimately the consumer’s decision.  It is important to remember in the former scenario, however, that if it is not working or suddenly stops working, then it might not be able to failover on its own, without external intervention.  This is especially true if the stoppage is due to a utility outage, climatic event, or human action (terrorism, error, criminality, or hacktivism).

2.   Effective Version Controls: Backup, recovery, and replication processes can be configured in a variety of ways, from the guarantee that a single newer version replaces a single older one, to cases where multiple older versions are retained and disposed-of in sequence as new ones are stored.  Mishaps or mis-alignments in this process can lead to sometimes irretrievable loss of valuable data, which must be avoided.  It may well be true that short of walking hard drives and zip drives, many modern “losses” may still be recoverable.  However, with the increasing complexity and sensitivity of the back-end tools, and the difficulty and active management required to get them to work well together (within promised SLA parameters) for enough of the time, the costs can be prohibitive.  Doing it right the first time, should always be the goal.

3.   Security Consciousness:  There is significant current media and government focus (here in North America and Canada) on the topic of hacking and data exploitation.  One report,[6] indicates that while 54% and 20% respectively of all 2012 breaches were in the accommodation and food services industries, and the retail trade industry,[7] external threats accounted for 95% of all breaches.[8]  With regard to the actors, 83% of breaches against all organizations reporting, were by organized criminal groups,[9] and the descending-order ranking of breach motivation for exploits at large organizations, was: financial or personal gain (71%); disagreement or protest (25%); fun, curiosity, or pride (23%); and grudge or personal offence (2%).[10]  The disgruntled current or former employee with a grudge, is apparently less of a threat than the current employee in deep financial distress, who himself or herself is also apparently less of a threat than the totally unknown but well-financed and staffed criminal organization or state actor that wants access at almost any cost, to the treasure-chest of information on your servers or on the servers of your Cloud Services Provider (CSP).  However, “apparently” is just that, because the reality is joint or co-opted action.  In stating that 65% of internal agent breaches were through a cashier, teller, or waiter, the report also found that “[t]hese individuals, often solicited by external organized gangs, regularly skim customer payment cards on handheld devices designed to capture magnetic stripe data.  The data is then passed up the chain to criminals who use magnetic stripe encoders to fabricate duplicate cards”.[11]  The threat landscape is deep, diverse, and dynamic.  
Forewarned with this knowledge, you should have no choice but to be security conscious, spurring you on to craft strategies appropriate to your industry, entity, and V5,[12] to protect your client and other critical data, systems, and processes against compromise, criminality, and a completely unrecoverable disaster.

4.   Traditional (off-Cloud) Backup: Whether the cloud package is offsite, uses in-house accessories, or is a hybrid solution, off-cloud backup may still be an option – whether in addition to or as an alternative for, a backup cloud.  An offline backup sequence that occurs weekly, daily, or several times during the day depending on the interplay (V5)[13] of data Volume (sheer amount), Velocity (speed of its change), Variety (by operating division, product line, client, transaction, trade or other event, analytical element or matrix of elements in the case of big data, and so forth), Value (its criticality to the core functionality, as well as its full replicability on short-order), and Vulnerability (susceptibility to internal, external, and developing threats), with tapes transported, maintained, and regularly tested for their usability, offsite, is a highly-advisable redundancy.  In the event that the primary workspace is compromised and cloud connectivity interrupted, a well-prepared and practiced entity may – far more swiftly and smoothly than the competition – be able to recover from an initial adverse event or sequence of same, and resume operations in an alternate location using the backup tapes, staff able to reach that location if telecommuting remains unavailable, and either pre-positioned or called-in equipment; as available through an expanding group of contingent offsite emergency recovery solution/outcome providers.

5.   Data Retention Policies: Be aware of, and attune your operations to, applicable data retention policies.  Courts in the United States have, to date, proven more eager than Canadian courts to sanction parties for failing to preserve, protect, and produce data that they should have kept by law, and didn’t, or data that they could have had to present at a court or regulatory proceeding, but couldn’t, due to its initial non-retention.  There may be specific rules pertinent to your industry (such as food, or financial services and the PCI-DSS), your activity (such as Intellectual Property filing/prosecution, and healthcare), or your jurisdiction (differing in Canada and the European Union, for example).

6.   Advisable (and accelerating) Best Practices: Having your data resident (whether by bald custody or actual control, in accordance with your Cloud Services Agreement) in the pocket of a third-party, has its obvious risks.  There are also several more subtle ones, which I have canvassed at some length elsewhere in my several blogs on the cloud and outsourcing in general.  It used to be the fact that: (i) the lawmakers would write a law either creating a new regulator or authorizing an existing regulator to act; (ii) proposed regulations would be published for comment; (iii) final regulations would issue; and (iv) tests in court would help to better define and refine them.  Now, everything is in reverse.  An event leads to tests in court, the regulator makes a knee-jerk reaction to try and restore sanity in the interim, there is a public outcry (either here, or earlier in this reversed process), and then a law is passed; which may start the entire sequence again if the law is too broad, not broad enough, or has some adverse effect on a specified/protected group or interest.  “Best Practices in the Cloud” must for now, remain a still-evolving paradigm, so watch your prose (know what you draft and sign), listen to those-in-the-know (pay attention to ongoing doings, debates, and developments), and stay on your toes (be nimble and adaptive, and keep an open mind in this rapidly-changing service space).

7.   Transferring Risks: Insure thyself!  The costs of privacy practices, data breach liability, and similar lines of insurance have come down due to a modicum of standardization, and increased prevalence and awareness of their value from breach announcements occurring in several industries and jurisdictions; despite apparent best efforts.  Business interruption insurance has long been an option, and now, there are contingent event recovery services that can provide pre-packaged, tailored recovery solutions for a fixed monthly price; which is akin to insurance.  Risks can be transferred (insurance), shared (pooling), accounted for (planning), and limited (due diligence and best practices).  However, they can never be fully eliminated.  Be prepared, practice and game a variety of disaster and other contingency scenarios within your organization on a regular basis – whether actually or as tabletop exercises,[14] and expect the unexpected!  Utilities fail; climatic events don’t discriminate; and irrational actors, opportunists, state actors, hacktivists, and criminals all remain predictable in one respect: they will act!

8.   Alert and Notification Protocols: There is really no substitute for a solid system of internal controls. Pre-employment background checks, segregation of duties, authentication and access logging, counterparty due diligence, and strictly enforced policies, are all critically important.  Only 2% of 2012 breaches for misuse were as a result of inappropriate web or internet usage (surfing the wrong type of site, for example), whilst 43% were the result of abusing system access or privileges, and 50% were the result of using unapproved hardware or devices on work systems[15] (whether with BYOD, or as a workaround on strict network controls or prohibitions).  Having, properly configuring, and diligently checking logs is key to risk management.  However, the report also notes the rising challenge to proper data protection and retention from Anti-forensics[16] – especially when someone else is handling functions, now outsourced on a Cloud, that were formerly done in-house.  Cloud Security and Cybersecurity will, for now, remain as moving targets; even with current calls in the United States for laws empowering private actors to jointly take immediate steps (preserving evidence, curtailing breaches, or tracking sources, deeper structures, and sponsors of security events),[17] while regulators and Law Enforcement and National Security (LENS) actors either get up-to-speed, or use their own customized tools for some parallel or complementary actions.[18]
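
Factor 2 warns that a mis-aligned version rotation can dispose of data irretrievably, and factor 4 that backups should be regularly tested for usability. The Python sketch below is an added illustration, not part of the original article: it contrasts a plain keep-the-newest-N rotation with one that will not dispose of the newest version known to restore. The `Version` record, its `verified` flag, the `keep` parameter, and the sample dates are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Version:
    """One stored backup version (hypothetical record for this example)."""
    taken: date
    verified: bool  # True if a test restore of this version succeeded


def naive_prune(versions, keep):
    """Keep the `keep` newest versions and dispose of the rest, blindly."""
    ordered = sorted(versions, key=lambda v: v.taken, reverse=True)
    return ordered[:keep], ordered[keep:]


def safe_prune(versions, keep):
    """Keep the `keep` newest versions plus, if needed, the newest verified one.

    Returns (kept, disposed). When none of the versions inside the retention
    window has passed a test restore, the newest verified version outside the
    window is pinned. When no version is verified at all, nothing is disposed of.
    """
    ordered = sorted(versions, key=lambda v: v.taken, reverse=True)
    kept, disposed = ordered[:keep], ordered[keep:]
    if any(v.verified for v in kept):
        return kept, disposed
    good = next((v for v in disposed if v.verified), None)
    if good is None:
        return ordered, []
    return kept + [good], [v for v in disposed if v is not good]


def restorable(kept):
    """True if at least one retained version is known to restore."""
    return any(v.verified for v in kept)


# Constructed sample: seven daily versions; test restores stopped
# succeeding after 4 March (for instance, silent corruption at the source).
SAMPLE = [Version(date(2013, 3, d), verified=(d <= 4)) for d in range(1, 8)]

if __name__ == "__main__":
    for prune in (naive_prune, safe_prune):
        kept, disposed = prune(SAMPLE, keep=3)
        print(prune.__name__,
              "kept:", [v.taken.isoformat() for v in kept],
              "restorable:", restorable(kept))
```

With the constructed sample, the plain rotation retains three versions of which none is known to restore, while the guarded rotation retains a fourth, older version that is.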

 

CONCLUSION:

We all know the adage that asks why re-invent the wheel?  I think the Payment Cards Industry Standards Council has already done a very good job in establishing the framework for its members to follow in their data protection and retention efforts as they “process, transmit, or store” that data;[19] which with “access” – presupposed by those first three options, also constitute the majority, if not the totality, of functions that can currently be performed in/via the Cloud.

I also think that the 6 categorical elements of that PCI-DSS Standard,[20] are broadly applicable in other industries; especially with cloud-based or cloud-dependent entities and service models.  To allow for proper tailoring, the 12 sub-elements can of course remain customizable within each of the SaaS, PaaS, IaaS, and NaaS sub-spaces.

There are many avenues that CSPs can pursue in efforts to self-regulate before something, perhaps more draconian than they had wanted, comes down firmly from the lawmakers and/or regulators above; whether with or without the precursor hue & cry following an adverse incident.

Perhaps they may find something in the above that is worthy of trying.[21]

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Software as a Service (SaaS), including “tools for processing, analysis, accounting, CRM, and back-office functions”.

[2] Platform as a Service (PaaS), including tools “for email, online backup, or desktops-on-demand”.

[3] Infrastructure as a Service (IaaS), including “tools for collaboration, integration, and visualization”.

[4] Network as a Service (NaaS), including advanced virtualization tools, such as bandwidth-on-demand for multiple Virtual Private Networks (VPN)-on-demand, and for cloud-to-cloud networking on demand.

[5] See generally, Ekundayo George, at (f).  In whose pocket is your data packet? – International Data Governance.

Published February 6, 2013 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/<

[6] Verizon.  2012 Data Breach Investigations Report (DBIR).  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.  The report also discloses an error rate of +/- 4 percent.

[7] Id. at 11.

[8] Id. at 18.

[9] Id. at 20.

[10] Id. at 19.

[11] Id. at 21-2.

[12] Infra, note 13.

[13] The V5 interplay, is the mix of data volume, velocity, variety, value, and vulnerability that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.

[14] I have proposed a number of permanent executive positions for the C-Suite in modern business, including a Chief Contingency policies, plans, and practices Officer (CCO) with line and staff responsibility for all-hazards contingency affairs.  See e.g. Ekundayo George, at (i).  10/4: the “C–Suite” in 2013 and beyond; who should really be there?  Published November 21, 2012 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2012/11/21/104-the-c-suite-in-2013-and-beyond-who-should-really-be-there/<

[15] Verizon.  2012 Data Breach Investigations Report (DBIR), at 35.  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.

[16] Id. at 55.

[17] American Bar Association (ABA).  National Security Experts Discuss Options for ‘Active’ Cyber Defense.  Published February 11, 2013, by ABA Division for Communications & Media Relations, on abanow.org.  (Link to full podcast is available at bottom of page).  Online: >http://www.abanow.org/2013/02/national-security-experts-discuss-options-for-active-cyber-defense/<

[18] Supra note 15, at 52.  Fully 59% of breaches at all organizations in 2012 (10% for large organizations), were “only” discovered by the target when it was notified of the breach, by an arm of law enforcement/national security.  Notification by third-party as a result of that third-party’s fraud detection measures came next, at 26% and 8% respectively.

[19] PCI Security Standards Council.  PCI DSS Quick Reference Guide – Understanding the Payment Card Industry.  Data Security Standard version 2.0. For merchants and entities that store, process or transmit cardholder data.  Published 2010 on pcisecuritystandards.org, by PCI security Standards Council LLC.  Online:  >https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf<

[20] Id. at 8.  These six categorical elements of the PCI Data Security Standard (DSS), are: (i) Build and maintain a secure network; (ii) Protect cardholder data; (iii) Maintain a vulnerability management program; (iv) Implement strong access control measures; (v) Regularly monitor and test networks; (vi) Maintain an information security policy.

[21] Supra note 15, at 58.  With regard to PCI DSS in the context of the 2012 Data Breach Investigation Report (DBIR), we read:

“Overall, the standard attempts to set a bar of essential practices for securing cardholder data.  Nearly every case that we have seen thus far has attributes of its breach that could have been prevented if the control requirements had been properly implemented.  Of course, there is no way to be certain that new and different tactics could not have been used by the perpetrators to circumvent a compliant entity’s controls”.

Having practiced law in the United States and still keeping a discerning eye on the occasional changes in U.S. National Security and other laws, I wrote, quite some time ago,[1] that it was important for anyone and everyone migrating to a cloud platform or not even “thinking” they used one, to be aware of such things as where their data stood, slept, or transited.  Now, it seems that more Canadians are aware of the need for this, with a recent article in the Ottawa Citizen newspaper drawing attention to the “near-open-access” to any and all data on U.S. servers,[2] no matter who the owner is, or where in the world they physically sit,[3] or are legally domiciled.[4]  If something is already comfortably in your own pocket where you can sense it and hear it jingle-jangle as you walk and talk, then only in the most extraordinary circumstances will someone ask you not to adjust it or look at it at your leisure, and actually have you comply.

I still believe that the Cloud “is” a positive development and that it “can” be a productive platform – especially in terms of backup and redundancy, or in disasters and emergency situations, as was recently proposed in New Jersey.[5]  However, this worthy end-state can only be reached, when:

(a)    Properly governed by the appropriate regulators in a more globally cooperative fashion;[6]

(b)   Used with eyes wide open by both vendors and clients, and with proper regard to their rights and duties regarding third parties;

(c)    Balanced with enterprise, agency, and personal best practices, and insurance coverage appropriate to the data, users, risks[7] and regulations, and custodians;

(d)   Legal counsel sufficiently aware of the Cloud’s advantages and disadvantages to advise you, can draft or review your Cloud Services Agreements, or negotiate them from the outset, if the latter option is actually made available to you by the Vendor;

(e)    Industry Vendors agree to some degree of stabilization and standardization, and a modicum of synchronization in exigent situations that adequately respects local laws;

(f)    Companies in that space, begin – in addition to the current rules on breach disclosure, notification, and remediation – to be more open in educating the public on some of the potential Cloud hazards, as well as on the potential benefits of the many and evolving cloud-based offerings now available, including: SaaS ~ Software as a Service (tools for processing, analysis, accounting, CRM, and back-office functions); UaaS ~ Utilities as a Service (providing video, audio, and gaming on demand); PaaS ~ Platforms as a Service (for email, online backup, or desktops-on-demand); and IaaS ~ Infrastructure as a Service (tools for collaboration, integration, and visualization).

As a work in progress the Cloud space is not a perfect thing, but it “is” a growing and increasingly popular and pervasive one, and it should now be obvious that those who do not even “think” they need to know about the Cloud, should actually be paying the most attention to its growth and diffusion into more and more facets of their work, lives, and free- or down-time.

************************************************************************


[1] See Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons? Text at points (c) and (d) under “Disadvantages (potential)”.  Published on ogalaws.com, December 28, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/<

[2] Ian Macleod, The Ottawa Citizen.  Cloud computing law puts Canadian users at risk of snooping by American spies.  Published on ottawacitizen.com, February 2, 2013.  Online: >http://www.ottawacitizen.com/business/Cloud+computing+puts+Canadian+users+risk+snooping+American/7907562/story.html<

[3] The Telegraph.  US authorities can spy on the iCloud without a warrant.  Published on telegraph.com, January 30, 2013.  Online: >http://www.telegraph.co.uk/technology/news/9836715/US-authorities-can-spy-on-the-iCloud-without-a-warrant.html<

[4] Of course, some people have proclaimed that increasing encryption is the answer to protecting one’s privacy online.  However, considering the facts that: (i) the United States (although not the only place where they are made) puts severe restrictions on the export of certain technologies including those for encryption; (ii) it is commonly known in the security and technology fields that certain nations have an ability to “pre-etch” backdoors into their chips; (iii) external attacks may be targeted at specific hardware, software, or “usage/speech” by means of little known vulnerabilities, through the growing family of tools that now includes Stuxnet, Duqu, Flame, and Gauss, as well as the “Anonymous” entity, and others now in existence or still as yet unknown; and (iv) certain promoters of greater encryption have tended to receive greater regulatory attention …. this may be a little hard.

[5] Katie Eder.  Experts consider how to address communications challenges ahead of next Sandy.  Published on njbiz.com, February 5, 2013.  Online:  >http://www.njbiz.com/article/20130205/NJBIZ01/130209911/Experts-consider-how-to-address-communications-challenges-ahead-of-next-Sandy<

[6] David Kravets.  Internet Safe From Globalized Censorship as UN Treaty Fails.  Published on wired.com, December 14, 2012.  Online: >http://www.wired.com/threatlevel/2012/12/united-nations-internet/< Many naysayers had predicted that the goal of this conference was UN-domination of the internet, but its failure might have actually been due to the reluctance or outright refusal of certain nations, to submit to limits on extraterritorial surveillance.

[7] Terry Collins and Anne D’Innocenzio, The Associated Press.  Twitter hackers nab data on 250,000 accounts.  Published on ottawacitizen.com, February 2, 2013.  Online: >http://www.ottawacitizen.com/business/Twitter+hackers+data+accounts/7911027/story.html<

As briefly as possible, let us consider the essential pros and cons of Cloud Computing, so that you can be better informed to make a decision on whether or not to join the club.  A detailed analysis on each point and its many sub-points could easily run into a multi-volume treatise.  Hence, I will try to give you enough to get the right questions asked.

ADVANTAGES (potential):

Floor Space: Of course, when you cut down on the amount of space you need for your own servers, wiring, HVAC, and individual desktops with full monitor and CPU packages, you can re-dedicate the space to other internal purposes and business units, earn revenues by sub-leasing (to the extent the landlord lets you), or move to a smaller location.  These are increasingly pertinent considerations in any cost-conscious climate.

Operational Efficiencies: Cloud providers allow clients to pay for only that amount of service that they actually use, in addition to any standby or contingent services that are retained as available for purposes of surge capacity, emergencies, or other events whether or not specified.  This allows for the streamlining of staff and functions, a slimmer I.T. department, and a clearer focus on essential, mission-critical business functions.

Capex to Opex: What would formerly have been capital expenditures for I.T. equipment, including servers, setup and administration costs, and repairs and replacements, can now be expensed as operational costs.  Even with the loss of those once available depreciation allowances, the CFO should be happier with the cleaner budget, and greater cost control through a better defined and appropriately confined predictability of outflows.  Software licensing costs do not have to be so closely monitored and temperamental legacy servers running dedicated software in-house that can or cannot be easily upgraded and updated, can be downgraded in priority, as Cloud Vendors can often accommodate a variety of Cloud subscription fee arrangements including per-seat, per use, per tier, and so forth.

Ubiquity: As defined by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”[1]  The key word here, is “ubiquitous”, with a one to many service model available anywhere, to any or all persons, and at one or all times.  Wireless and satellite Internet access, and portable hotspots where no fixed-site or sufficiently secure or reliable Internet on-ramp exists, make this all possible.  However, this ubiquity comes with costs, as I will outline under the Disadvantages, below; specifically under the Legal and Liability Issues section.

Scalability: The prudent and professional Cloud Vendor will generally maintain sufficient spare capacity to handle the surge requirements of all of its clients.  Certain industries and business models, as well as regular business events – such as for accounting and regulatory filings at the end of a month, quarter, or year – and the happening of special or otherwise distinctive events (public offerings, mergers, bankruptcies, or litigation), will generally lead to a heightened usage requirement due to the additional activities and actors that will be brought online.   That is “really” not the time, if ever, for a Cloud Vendor to say that there is no more to give, or that the capacity to handle such an expected spike was never actually considered or built-in, to the service model.  This nightmare scenario will invariably lead to side litigation on the main instigation, and nervous General Counsel calls to insurers, counterparties, and regulators.  But, we are still listing the Pros; yes?!  Always, always, discuss your actual, anticipated, and remotely potential needs, thoroughly, with the Cloud Vendor, so that “your” package fits “you”.  Besides which, savvy parties are already moving to put adequate and secure capacity in place[2], to ground the infrastructure for this promising but tricky new platform.

DISADVANTAGES (potential):

Vendor Inelasticity: Once you have decided on a particular Vendor, with its services and cost structure, it can be hard to move.  There will always be costs associated with any change in vendor, and it may take quite some time to have the same service or a comparable or better service (depending, of course, on the reason for your relocation), up and running in the successor location, including potentially significant unanticipated costs and delays.  Once you are in, then you should plan to be there for the long-haul.  This is why, once again, due diligence and a mutuality of party good faith, are essential.  In Cloud and outsourcing contracts that I have drafted, I provide for open party communication lines, detailed ADR clauses, and a means to address any failure to meet agreed SLAs.  In addition – always a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly-rigid or convoluted one, should be approached with high caution.

Access to Data: There are at least 5 (“five”) viewpoints on this issue, depending on whether you are talking about source code, backup and contingency planning, customers in the third-party, server location, or insolvency.

(a) The cloud vendor will be very reluctant to escrow its source code, the very essence of its competitive advantage, as we now often see touted by many a commentator.  Onlookers argue that such an escrow arrangement is essential to providing the customer with the peace of mind that their data will always be accessible, and that the service will be replicable, should any calamity befall their Cloud Vendor or a related provider in the chain.  Indeed, there is more than one way to provide peace of mind.

(b) Sensible backup and contingency planning requires multiple levels of redundancy, and the United States Securities and Exchange Commission (SEC),[3] for one, has issued guidance on the disclosure of Cybersecurity risks by issuers.  In time, this may expand to non-issuers in that and other jurisdictions.  I would advise that the customer, and the Cloud Vendor must have and share, and coordinate, their disaster management policies, plans, and procedures.  To the extent that this will require that the customers of a specific Cloud Vendor all know one another and thereby decrease their mutual security, or that a third-party “security coordinating group or consultant” intervenes to preserve some anonymity, or some other solution or suite of solutions is developed for this requirement of mutually assured security and stability, will remain to be seen.

(c) In some industries, such as healthcare in the United States,[4] and generally under the Privacy laws of Canada,[5] the patient (or data subject, as appropriate) of the Cloud Vendor’s client – and therefore who is not in direct privity of contract with the Cloud Vendor – will have a right to access, and track, and by implication correct errors in, their own personal data.  In a growing number of jurisdictions, the right of governments to access data on individuals with or without warrants, and with or without notification to the subject individual, is expanding.  Without a doubt, new legislation will be created, or existing legislation will be interpreted, to permit the accessing of this information in the hands of the Cloud Vendor, without notice to the Customer, or to the third-party customer as patient, for example.  This complicated mix of privacy, information technology, National Security, and contract, should be closely watched, bracketed and predicted and controlled by appropriate and adequate insurance and drafting, and disclosed in advance by all parties collecting or holding information on individuals, and to all parties considering the use or offering of Cloud-based or Cloud-amenable services.

(d) Server location is a critical issue that may feed or impede point (c).  Having your data in the jurisdiction or jurisdictions that you know, will always let you more easily manage those hiccups that may occur from time to time.  Going after your data in a jurisdiction where you don’t speak the language, where you are unfamiliar with the laws, or where there is hostility to you or one or more of your Cloud Vendors or your government, will always make data recovery and re-custody, that much harder.[6]  Some commentators and practitioners in the field have alerted others to the danger of employees and contractors working with Trade Secrets and other critical information on mobile media and otherwise through the Cloud, including by backing-up devices; even going so far as to say that “no” Trade Secrets should ever be put on the Cloud, at least not yet.[7]  This is a legitimate concern, and cannot be lightly dismissed, because, as they point out, nobody really wants to be that first test case.  However, with many industries, including the legal profession,[8] moving to the Cloud – albeit cautiously – I think the genie is already pretty much out of that lamp.

(e) Insolvency can be a very complex area with regard to a Cloud Vendor, itself in distress, or when a holder of Intellectual Property Rights (I.P.R.) or an I.P.R. licensee is in distress and a Cloud Vendor gets caught in the middle.  Under recent caselaw in the United States of America, we have seen that sometimes the court will decide that the proper venue is that where the injury is deemed to have taken place and thereby where the I.P.R. claimed to have been violated, were originally held.[9]  Where does this leave the Cloud Vendor that provides the means to access that material across jurisdictions?  Sometimes, the court will refuse to permit a foreign licensor in receivership or a similar insolvency situation, to disclaim or otherwise curtail or constrain the I.P.R. licenses granted to United States entities.[10]  Where does this leave the Cloud Vendor who can be sued by one or both sides for compliance and non-compliance alike, and for contributory infringement,[11] or as an accessory to, or as a first party in, I.P.R. infringement?[12]  Foresight, experience, broad practice area knowledge, and good drafting can address some, but not all of the potentially very serious wrinkles that might very easily arise.

Uptime and SLAs: Service Level Availability agreements run from light, through adequate, to (almost) iron-clad.  Some Cloud Vendors will want to exclude mandatory downtime for maintenance and upgrades, or for addressing user-generated issues (such as hacks and malicious code), and the customer, depending on its business model and leverage, may or may not agree or even be comfortable with this.  In addition, many Cloud Vendors will want to limit available remedies for failing to meet stated or contracted-for SLAs, to service credits, exclusively.  Hence, SLAs must always be cautiously and thoughtfully negotiated.  However, some Cloud Vendors will offer a set menu from which to choose, in which case a potential customer should choose wisely, because when things go wrong, as they well may,[13] downtime could be extensive.[14]

Legal and Liability Issues: There are an appreciable number of legal and liability grey areas that remain to be addressed by contract or legislation, and I have addressed some of these in the foregoing.  Now, the transfer of personal data between jurisdictions in North America and the Pacific Rim has also been eased by the recent establishment of the Asia-Pacific Economic Cooperation (APEC) Privacy Rules, involving 21 (“twenty-one”) nation-parties.[15]

Technical Issues: These mainly revolve around security, privacy, and e-Discovery.  The truth of the matter, actually, is that most people are already using, often heavily, some form of Cloud.  Examples include BlackBerry,[16] Google,[17] Hotmail,[18] and Gmail,[19] for a host of social media, email, regimented,[20] and telecommunications (“Smert”) applications.  2011, alone, has seen technical challenges identified for all of these 4 (“four”), some other known or knowable risks,[21] and spectacular failures to failover.[22]

In terms of privacy and security, the potential to use a Cloud service for wrongdoing[23] has heightened the awareness of the public, of legislators, and of law enforcement and national security entities and their operatives, globally,[24] as to the obvious security and privacy challenges presented by this platform.

Indeed, with the move to criminalize so much misconduct involving e-Commerce and the Internet, a test case will surely come when an as yet unknown Cloud Vendor in e-Discovery, and using a 5th Amendment argument,[25] finally and successfully refuses to turn-over discoverable records that are clearly within its possession or control – whether or not those records are ultimately its own – that may, or indeed, would, tend to incriminate it for some bad act or acts, whether in doing a thing, failing to do a thing, or having a wanton or reckless disregard for risks of harm from doing or not doing a thing.[26]

SUMMARY? (in a way, somewhat):

I say “in a way”, because this fast-moving business platform that touches so many areas of law, as I described in an earlier blog,[27] cannot be so easily summarized.  Many honest I.T. professionals will tell you that their skills can be fast outpaced by the market, very easily, if they do not work very hard to stay current and abreast of developments in the industry.  I do not think you can identify too many weather systems, if any (at least not on this planet of ours), that just stay over the same spot of geography with clouds, rain, high winds, thunder, and lightning that does not stop, waver, or let the sun in now and then.

The above, however, is still a handy checklist to have and consider when looking at the Cloud industry and its development over the coming little while.  The Cloud Vendor contracts may be or become quite complex, if you are a potential Cloud customer, and the customer demands or prerequisite requirements may be or become almost impossible to meet, if you are a prospective Cloud Vendor.  However, seasoned and knowledgeable legal counsel, properly structured insurance coverage, and due diligence coupled with stringent and zealously enforced internal controls, including Social Media usage policies, may still let some or all of those involved, sleep soundly.

Sweet dreams, then, count the sheep well, and don’t forget to set your alarm.  Happy New Year, 2012.

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice. He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Peter Mell and Timothy Grance.  Computer Security Resource Center of the National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology.  Published in September, 2011, at Section 2.  Available at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[2] Greg Markey.  Ottawa Business Journal.  Building data storage capacity.  Published on December 21, 2011.  Available at: http://www.obj.ca/Technology/2011-12-21/article-2844044/Building-data-storage-capacity/1

[3] Division of Corporation Finance, United States Securities and Exchange Commission (SEC). CF Disclosure Guidance: Topic No. 2 – Cybersecurity. Released October 13, 2011.  Available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

[4] Under Section 13405 of the HITECH Act, an individual has rights: in subsection (a), to restrict a Covered Entity’s disclosure of their Electronic Health Records (EHR) including Protected Health Information (PHI) and electronic Protected Health Information (ePHI) in certain cases; in subsection (c), to request and receive an accounting of all disclosures of their PHI and ePHI by a Covered Entity; in subsection (d), to be protected against the sale of their PHI and ePHI without “a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual”; and, in subsection (e), to request and receive a copy of their EHR, PHI and ePHI, or designate that said records in the hands of a HIPAA Covered Entity be sent or transmitted to “an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.”  See: Section 13405, Title XIII ELECTRONIC HEALTH RECORDS. American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5, as signed into law on February 17, 2009.

[5] As provided in 4.9, Principle 9 (Individual Access), of Canada’s federal Personal Information and Protection of Electronic Documents Act (PIPEDA): “Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.”  See generally PIPEDA, SCHEDULE 1 (Section 5). PRINCIPLES SET OUT IN THE NATIONAL STANDARD OF CANADA ENTITLED MODEL CODE FOR THE PROTECTION OF PERSONAL INFORMATION, CAN/CSA-Q830-96.

[6] Rob McCauley and Ming-Tao Yang.  Finnegan, Henderson, Farabow, Garrett & Dunner, LLP.  Rob McCauley and Ming Yang Discuss the Impact of Cloud, Mobile, and Social Technologies on Trade Secret Law, Podcast, released on December 5, 2011. Available at:  http://www.finnegan.com/lawyers/bio.aspx?lawyer=8a4f9668-a2be-4fc9-8700-800969d07a0&mode=podcasts

[7] Id.

[8] See, e.g. United Kingdom, Information Commissioner’s Office (ICO), Advocate’s legal files lost after unencrypted laptop theft. News release: 16 November, 2011.  Available at: http://www.ico.gov.uk/news/latest_news/2011/advocates-legal-files-lost-after-unencrypted-laptop-theft-16112011.aspx  Lawyers may well be moving to the Cloud, but even offline, significant risks remain that need to be addressed.

[9] See, generally Penguin Group (USA) Inc. v. American Buddha, 16 N.Y. 3d 295 (2011), No. 7, 2011 WL 1044581 (N.Y. Mar. 24, 2011), where the New York Court of Appeals first noted that §302(a)(3)(ii) of the New York, Civil Practice Law and Rules (C.P.L.R.) gave 3 options to determine the situs of the injury, being: “(i) any place where plaintiff does business; (ii) the principal place of business of the plaintiff; and (iii) the place where plaintiff lost business” (16 N.Y.3d at 304).  But then, the New York Court of Appeals determined that due to the ubiquity of the internet and the potential for global and near instantaneous infringement, the best choice was (ii), the principal place of business of the I.P.R. holder, for purposes of establishing personal jurisdiction in that modern-day copyright infringement case (16 N.Y.3d at 307).

[10] In the United States Bankruptcy Court for the Eastern District of Virginia, the court found that it would be against United States public policy to permit the domestic application, in America, of the result of a German insolvency proceeding that would have deprived U.S. I.P.R. licensees of the use of patents granted by a foreign entity that was no longer solvent, under German law.  See In Re Qimonda AG, 433 B.R. 547 (E.D. Va. 2010); decided on October 28, 2011.

[11] Thankfully, [t]he Supreme Court of Canada (SCC) recently ruled that linking to a libelous blog, was not, without more, sufficient to hold the linker additionally liable for “publication” of that defamation.  See Crookes v. Newton, 2011 SCC 47 (CanLII); decided on October 19, 2011.  Perhaps a Cloud Vendor so implicated under Canadian law, might find a way to avail itself of this very solid precedent; which may also one day be analogized and/or stretched to work with “like”, “friend”, and “follow”, but for obvious reasons, perhaps not with “retweets”.   Available at: http://www.canlii.org/eliisa/highlight.do?text=crookes+v+newton&language=en&searchTitle=Search+all+CanLII+Databases&path=/en/ca/scc/doc/2011/2011scc47/2011scc47.html

[12] Amazon recently introduced the Cloud Drive and Cloud Player services, that permit “customers to upload music files to private, user-specific online drives (the Cloud Drive) and then listen to these files remotely using the Cloud Player”.  Questions have been raised, and linger, about issues of I.P.R. management and infringement in relation thereto.  See generally Nickolas B. Solish. The Law of Tomorrow Today.  Is Amazon’s Head in the Clouds?  Published on May 4, 2011.  Available at: http://lawoftomorrow.com/2011/05/04/is-amazon%E2%80%99s-head-in-the-clouds/

[13] On Thursday, April 21, 2011, the Amazon Web Service (AWS) suffered a significant outage as a result of an incorrectly performed capacity upgrade.  A cascading failure of attempted but incomplete re-mirroring efforts resulted in a number of Amazon Elastic Block Stores (EBS) becoming stuck and failing to receive or transmit further instructions, and an even larger impact on the Relational Database Service (RDS), which utilizes multiple EBS.  Amongst the lessons learned, Amazon stated an intention to: alter its procedures (increasing automation to reduce the chance of future human error); modify its platform (for more robust capacity planning and alarming and redundancies to better deal with large scale failures); and its processes (finding and fixing hitherto unknown bugs that caused the events to cascade to such an elevated degree of systemic severity).  See generally Amazon.com.  Summary of the Amazon EC2 and Amazon RDS Service Disruption in the US East Region; Undated.  Available at: http://aws.amazon.com/message/65648/

[14] From one commentator closely following that April, 2011 Amazon outage, we learn that EBS are spread across multiple Availability Zones (AZ), within each Region of operation.  The above-referenced Amazon outage was especially significant in its impact on those multiple AZ, and therefore upon clients of Amazon’s Elastic Compute Cloud (EC2) that should have been insulated from one another and from any failure in a distinct subsection of a platform that was, logically if not geographically, so widely distributed.   See Cade Metz in San Francisco.  Infrastructure.  Amazon outage spans clouds ‘insulated’ from each other – not what it says on the tin.  Published on April 21, 2011.  Available at: http://www.theregister.co.uk/2011/04/21/amazon_web_services_outages_spans_zones/print.html

See also Cade Metz in San Francisco.  Infrastructure.  Amazon cloud still on fritz after 36 hours “All hands on deck”.  Published on April 22, 2011. http://www.theregister.co.uk/2011/04/22/amazon_elastic_compute_cloud_still_experiencing_problems/print.html

[15] The United States Federal Trade Commission (FTC) announced the inauguration of the APEC Cross-Border Privacy Rules on November 14, 2011.  The 21 (“twenty-one”) APEC members, are: Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, the United States of America, and Vietnam.  Press Release available at: http://www.ftc.gov/opa/2011/11/apec.shtm  As separately implemented, developed, and enforced by each jurisdiction of application, the APEC Privacy Rules are to generally adhere to the 7 (“seven”) principles underlying the E.U. Directive on the Protection of Personal Data, being: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement.  It is interesting to note that while the emphasis is or appears to be on greater monitoring and controls on the Western side of the Atlantic, there is a tendency on the eastern side of the Atlantic to favor a more liberal model.  See e.g. Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL C-70/10; decided on November 24, 2011 (I.S.P.s cannot be obligated to implement a general monitoring or filtering policy, as it would infringe fundamental rights and Directives applicable in the E.U.)

[16] There was a service outage in the BlackBerry service of Research In Motion (RIM), in October, 2011.  See e.g. Research In Motion. BlackBerry Service Update; visited on December 27, 2011.  Available at: http://www.rim.com/newsroom/service-update.shtml.  See also Charles Arthur.  guardian.co.uk. BlackBerry outage: RIM boss’s YouTube apology in full, with transcript.  Published on Thursday, October 13, 2011.  Available at: http://www.guardian.co.uk/technology/2011/oct/13/blackberry-outage-rim-apology-youtube

[17] There was a service outage at Google on September 7, 2011, where again, as with Amazon, an attempted upgrade exposed a hitherto unforeseen technical issue.  See e.g. Official Google Enterprise Blog. What Happened to Google Docs on Wednesday.  Published on Friday, September 9, 2011. Available at: http://googleenterprise.blogspot.com/2011/09/what-happened-wednesday.html

[18] There was a service outage at Microsoft’s Hotmail service on December 31, 2010, where user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a glitch in system test procedures, and left undetected for a length of time due to a subsequent failing in the customer issue management matrix.  See generally Mike Schackwitz.  Inside Windows Live.  What happened in the recent Hotmail outage.  Published on January 6, 2011.  Available at: http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/01/06/what-happened-in-the-recent-hotmail-outage.aspx

[19] There had been an earlier service outage involving Gmail and Google Apps on February 27, 2011.  Again, as with the Hotmail outage, user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a bug “inadvertently introduced in a Gmail storage software update.” See e.g. Google Apps Masters.  Google Apps Tips.  Google Gmail Outage – February 27, 2011 – What happened to my E-mail?  Published on March 10, 2011.  Available at: http://blog.gappsmasters.com/2011/03/google-gmail-outage-february-27-2011-what-happened-to-my-e-mail/

[20] Social Media can be used for a variety of things, including networking, play, jobsearch, and actual work.  Whether one works from home, virtually, on the road, or in a bricks and mortar establishment, there will always be some boundaries, caveats, deliverables, and regulations.  This is why I use the term “regimented”, here, to mean something that has a structure, or some boundaries and rules.  It therefore covers whatever is left of the work-space.

[21] On June 22, 2011, Microsoft’s Business Productivity Online Suite (BPOS), a cloud service, suffered an outage that one commentator described as its “fourth in two months”; wherein users could not use the Exchange email servers or use the Online Web Access (OWA) browser client.  The same commentator reports that Microsoft alluded to the cause being a hardware issue.  See The Microsoft Update.  Julie Bort.  Networkworld.  Microsoft confirms BPOS cloud outage.  Published on Wednesday, June 22, 2011.  Available at: http://www.networkworld.com/community/blog/microsoft-confirms-bpos-cloud-outage

Later, on August 17, 2011, Microsoft’s Office 365 and Skydrive, additional cloud offerings and with Office 365 having been designed, launched on June 28, 2011, and marketed as a more robust successor to BPOS, suffered service outages.  Once again, access to email and calendars was disrupted, and this time Microsoft declined to give a reason or the cause for the outage.  The company did, however, issue a letter of apology and offer a credit to its customers.  See generally  Mary Jo Foley.  All About Microsoft.  Microsoft: Here’s what caused our cloud outage this week. Published on August 19, 2011.  Available at: http://www.zdnet.com/blog/microsoft/microsoft-heres-what-caused-our-cloud-outage-this-week/10381

[22] The Cloud Foundry outage of April 25, 2011, was initially traced by the company, in total candor and transparency, to a partial loss of the power supply for a systems storage cabinet.  Then, in what was supposed to be a dry-run, tabletop exercise to establish an improved protocol for dealing with the types of events caused by that first outage, someone touched their keyboard, in unmistakable human error, leading to a second outage of April 26, 2011; and as again explained by the company in total candor and transparency.  See Dekel Tankel. Cloud Foundry Forums.  Analysis of April 25 and 26, 2011 Downtime.  Published on April 29, 2011.  Available at: http://support.cloudfoundry.com/entries/20067876-analysis-of-april-25-and-26-2011-downtime

Still on the subject of power supplies, a utility company outage in Dublin, Ireland, on August 7, 2011, first caused a service disruption in the cloud offerings of both Amazon and Microsoft, which have established significant data center facilities in that jurisdiction.  Ordinarily, backup generators would have taken-over and immediately started to supply power.  However, due to the strange nature of the outage – which a number of parties including both Microsoft and Amazon had originally and erroneously blamed on a lightning strike – their emergency backup system failed.  See Rich Miller. Data Center Knowledge. Dublin Utility: Power Outage Not caused by Lightning Strike.  Published on August 10, 2011.  Available at: http://www.datacenterknowledge.com/archives/2011/08/10/dublin-utility-power-outage-not-caused-by-lightning-strike/

[23] Dan Goodin.  Security.  Researcher cracks Wi-Fi passwords with Amazon cloud.  Return of the Caveman attack.  Published on January 11, 2011.  Available at: http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/print.html

[24] An after-hours raid by the United States Federal Bureau of Investigation (FBI) on a Reston, Virginia data centre, and targeting the Lulz Security group, on Tuesday, June 21, 2011, managed to disrupt services for multiple and non-targeted, innocent users.  Where one serves many, a raid on a few can still inconvenience more than the one, as discomfort is passed along.  Whether a warrant was used, I cannot say.  However, it was fortunate that the gag and delay orders on warrantless and warranted searches under antiterrorism and other laws, were not.  Otherwise, the data center operator would not have been able to explain to the client what happened when the client called from Switzerland, or explain where the missing servers had gone, when someone was sent to physically determine why the services that they hosted were all down.  A report of a theft, an insurance claim, or a call to the police, would have had somewhat interesting consequences with regard to jurisdiction issues, and investigating the “disappearance”.  Would that make a false claim or report, one filed on incomplete information, or both?  For an account of that Lulz Security raid, see Verne G. Kopytoff.  NYTimes bitsblogs. F.B.I. Seizes Web Servers, Knocking Sites Offline.  Published on June 21, 2011.  Available at: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

[25] The Fifth Amendment to the Constitution of the United States of America provides, inter alia, that a person charged with a criminal offence under U.S. law shall not suffer compulsory self-incrimination.  To date, no corporate entity has been permitted to use this “individual” right.

However, as the proliferation of rich clients and thin clients means that Electronically Stored Information (ESI) that may be relevant to the litigation is in the custody or control of multiple, third-party data custodians, including Cloud Vendors and their associates in multiple jurisdictions, who will strenuously argue that they have absolutely nothing to do with what happens on their servers, within their social media, or otherwise, in using them as an innocent conduit, this right may very well be extended at some point; absent some legislative and global, or regional cooperative guarantees, protections, and both specific and generalized immunities, that go far beyond the simple “hold harmless, defend, and indemnify”, found in their contracts.

The United States’ Stop Online Piracy Act (SOPA) that threatens to knock websites offline, which may well include the rights of Cloud Vendors and their affiliates to “vend cloud services”, very much bespeaks caution, and is a portent of some very trying and litigious times to come for that business model, and indeed also for any and all online providers of a “one to many” service, or solution, or suite.

Indeed, the recently publicized Model Electronic Discovery Order adopted by the Advisory Council for the United States Court of Appeals for the Federal Circuit, may also fall far short in the number of records custodians permitted to be listed and ordered to produce.  See generally website of the United States Court of Appeals for the Federal Circuit.  Available at: http://www.cafc.uscourts.gov/the-court/advisory-council.html; with the actual order available on that same site at: http://www.cafc.uscourts.gov/images/stories/the-court/Ediscovery_Model_Order.pdf

[26] To its credit and in demonstration of its leadership role in the field, Amazon has published and updated a whitepaper on suggested cloud best practices.  See  Jinesh Varia, Architecting for the Cloud: Best Practices Whitepaper.  Version first released by Amazon Web Services (AWS) in January, 2010, and last updated on January, 2011.  Available at:  http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf

[27] Ekundayo George.  Ogalaws. Well-seeding “the Cloud”: Some basic caveats and pointers in “Cloud-sourcing”.  Published in this Blog, on December 1, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/outsourcing-and-cloud-computing/

The advent of the cloud has, indeed, changed outsourcing and litigation, inter alia. For now, all who think they may one day be or become subject to discovery and e-discovery requests in relation to I.T. outsourcing, or cloud-sourcing, or both of these, (as well as those who think it can never happen to them, especially General Counsels), may wish to consider, at a minimum, the following, as gleaned from my knowledge and work in the field and review of assorted arrangements, agreements, laws and developments.

Vendors (“Cloudmasters”):

For Vendors, especially the Master Vendors, or “Cloudmasters”, 3 (“three”) critical and indispensable components of the ecosystem (short for “e-commerce system”) and cloud business model, are the “Air”; the “Water”; and the “Seeds.”

1. AIR: The air is, of course, the environment within which one does business.  Bad air can lead to acid rain.  I think this has been well-enough established in the field of environmental law.  In and comprising the air, there is law, there are regulations, and there is company policy.  It is not impossible for a Cloudmaster to be in compliance with law, and have lax internal controls and policies at the same time.  All the air must be good, or else something will suffer.  Certain jurisdictions have strong privacy laws, and others do not.  Certain jurisdictions and types of activity call for the application of heightened regulatory oversight, and this must be respected.  The Cloudmaster choosing the law of one jurisdiction as the preferred location for any “rain” must also be and remain aware and relatively up to date regarding the laws of certain other jurisdictions through or by or from which some or all of the cloud Residents are governed, whether as individuals or as businesses, and whether as parties to the contract, or third-parties in interest.  Many laws may be national, but the air knows no borders!  National and sub-national governments may also go in many and conflicting directions at once in terms of cybersecurity,[1] for example, and until things settle, the Cloudmaster must follow the storm and sail in the direction of every conflicting wind at the same time.  Helping shape a uniformity in the direction of these winds is just one of the many ways in which lobbyists “can” be useful.

2. WATER: Water, also, knows no borders.  Considering the vast array of chemicals that are toxic, carcinogenic, and persistent organic pollutants, and also water-soluble, and considering also, the richness of microscopic life that can be found in the waters of this glorious planet, I think an analogy of data as water, is quite apt.  You never really know what is in it, until it is in your system and has had a chance to … relax, look around, and spread its wings to feel right at home.  Water that gets into the wrong place of a critical system can cause rust, fry circuits, and give some nasty shocks to anyone in contact with or in the vicinity of, that system.  Bearing all of this in mind, it becomes rather important, in a one-to-many service offering such as with the offering of a Cloud Utility, for the Cloudmaster to “most stringently enforce” some shared responsibilities on the Residents for the good of all, and to credibly and demonstrably promote best practices in safeguarding the resilience of critical processes.  What this means is that “Your” water, as a Resident, gets nowhere near the bigger body, unless you can show that, at a bare minimum, some very basic things are in place, such as procedures for enforcing internal controls, employee integrity, and system security; and taken seriously.

Consider this: (i) many reputable antivirus programs will not even install, until after they have performed a basic scan; (ii) a number of educational institutions will not let a user onto their wireless network unless and until the presence of a “current and functioning” antiviral program on that potential user’s system, has been detected; and (iii) it is always advisable to at least take a tour of a new neighborhood before you move-in, unless you are in the habit of buying “sight unseen” and without any clue as to what you might be getting into.  Checking the credentials or credit of an applicant or prospective resident, or asking about the standard operating procedures and policies of a landlord, employer, or prospective host, are really not new or alien practices.

Some Cloudmasters will accept all comers in order to grow fast and bulk-up ahead of the competition.  When the indiscriminate taking-on of water catches up with them and becomes too much for the emergency pumps, the market will surely assign them their just rewards.  Know your water source before it gets to your water course, to the extent possible, and ensure that all Residents have, in advance or within a reasonable time after joining, information security, infrastructural security, best practices, acceptable and defined compliance and internal governance programs, and self-certification or third-party certification in the form of a warrant and representation, a covenant and undertaking, or both of these; and always with indemnification.

3. SEEDS: Bad seeds will either not grow, or they will grow into the wrong and unanticipated, and unexpected plant.  Remember, a weed, an insect eating plant, and a cactus, are all still plants – at least to my non-botanist self.  Your seeds are your Residents.  A bad seed may be a rotter on the water, or just not care for the air.  Cloudmasters can ill afford to follow suit, and must be prepared when called for, to give a bad seed the boot, before it really takes root and creates a bad breed that cannot be easily or cheaply removed from the system.  Prevention is always better than the cure; and it is also much cheaper, in most if not all cases.

But, what of those Residents?  Should they not look-upon and treat their Cloudmasters with equal, if not greater suspicion?  Of course, why not!

Customers (Cloud “Residents”):

For cloud Residents, the primary 4 (“four”) critical questions they should consider, begin with: “Who?”; “Where?”; “What?”, and “Why?”

a. WHO: Know your primary cloud vending entity (“Cloudmaster”), draft your agreements defensively, and protect against both changes in control (theirs and yours) and changes in liquidity as a going concern (again, both theirs and yours).

b. WHERE: Be sure to extract an iron-clad guarantee from the Cloudmaster that your data will be kept “solely and entirely” in the appropriate country (such as Canada or the United States), or another jurisdiction acceptable to you, such as the European Union (EU); or the European Economic Area (EEA) to further include Norway, Iceland, and Liechtenstein; or the European Free Trade Area (EFTA) to further include Switzerland, as appropriate.  If the Cloudmaster cannot definitively tell someone where their data will be hosted, or if they just do not know, then the end-result of any decision to continue doing business with such a Cloudmaster, will be solely and completely for the one so deciding to continue.

Everyone who has been paying attention to the news in this area will know that data breaches and the costs of these data breaches in reputation, fines, settlements, and regulatory enforcement actions and investigations and sanctions, have been mounting at a fierce pace.  In addition to your undoubtedly stringent precautions in the above and otherwise, it is not irrational to try to deal with as few privacy regulators as possible, should a breach occur that forces you to make the appropriate disclosures to clients and the proper authorities.  More jurisdictions of operation means more potential discovery and e-discovery obligations; most definitely a greater level of costs for ongoing compliance; and, more than likely, significantly greater costs of remediation in credit counseling and monitoring, changes to and replacement of compromised documents and credentials, and the various and assorted court and regulatory proceedings to monitor and report on the progress of same.  Some courts are becoming rather aggressive in striking-down arbitration clause provisions that specified arbitration (and imposing outright litigation in its stead), or that specified a particular forum (and imposing their own idea of what is or should be, the appropriate forum, which is, invariably, the court striking down that carefully-drafted contract clause).

Just as the cloud has expanded access to hitherto unheard of computing capacity and lowered its costs, it may also lead to either: (a) greater insularity and a lower level of “real” cross-border trades, because of the almost unlimited potential liabilities; or (b) new laws and/or regulations on a regional bloc-basis or on an international or near-international level, in order to control for some of these risks and to put both the market and the consumers more at ease.  Privacy Insurance has already taken a firm hold in a number of jurisdictions; albeit not yet too uniform as to underwriting standards, coverage options, and policy limits.

c. WHAT: In addition to the above, you would be well-advised to develop an in-depth understanding of the Cloudmaster’s security, data retention, and other policies, and also those in the links and structures of the cloud; as well as the who, where, and what of the other cloud participants, sub-vendors, and sub-contractors to the extent that they are disclosed and distinct or otherwise discoverable by due diligence, in order to prevent your being inadvertently caught in a “chain of rain” that brings far more pain than the originally anticipated gain.

d. WHY: Of course, you also need to know what and how often the Cloudmaster does purge or intends to purge, and what logs, if any, they keep and can provide to you without breaching their obligations to other cloud users and deemed cloud residents, whether permanent, or occasional as needed, or transient and otherwise fleeting (each and all deemed and defined herein as “Residents”).

Over-partitioning the data of different Residents, where and as available, adds costs, of course, but it may well also add serious peace of mind in enabling ease of recovery and e-Discovery, and decreasing the risk of inadvertent disclosures and/or cross-contamination when discovery does come-a-calling.  That is a trade-off computation that must be done and presented to a company’s management for their own good Business Judgment, then the appropriate sign-off can be waved as a shield – once properly discovered – against that judicial Sword of Damocles.  Whether Sarbanes-Oxley requires legal counsel, accountants, or auditors to protest more loudly and publicly where and when a publicly-listed entity is unwilling or unable to pay that extra cost and then fails to disclose this in the MDA or otherwise in accordance with law, such as with the current and growing push by the United States Federal Trade Commission (FTC) for greater disclosure of cybersecurity risks by issuers, is significantly beyond the scope of this little missive.

Let the Cloudmaster know what, how, and how much of that “purgeable content” and other data content you want: (a) not purged and kept in place; (b) not purged and delivered to you in backup format on a periodic basis; (c) purged but similarly delivered to you on a periodic basis; or (d) otherwise dealt with.  A Cloudmaster is not responsible for meeting anyone’s preservation or discovery or e-discovery obligations but its own, except if contractually so bound to comply or assist in the same and appropriately motivated by consideration in cash and contract and consequences of complying-not.  In the case of a Platform-as-a-Service (PaaS) or an Infrastructure-as-a-Service (IaaS) Cloudmaster providing a flow-through Utility, appropriate Digital Millennium Copyright Act (DMCA) safeguards and the like, may further so endeavor to hold that Cloudmaster harmless, and potentially also adequately defended and indemnified against an assortment of potential claims.

SUMMARY:  To the exclusion of any particular industry of Resident focus or Cloudmaster competence, which would be additional, we should all be mindful that cloud computing touches over two dozen practice areas and is therefore extremely complex, by nature.  Anyone who cannot appreciate this fact from the outset, is not setting-out well, at the very least.  Some cloud-touching and cloud-touched practice areas that I have identified, so far, include those listed below, and in no particular order:

Contracts;

Criminal law;

Antitrust law;

Competition law;

Information Technology (I.T.);

Insurance;

Outsourcing;

Class Actions;

Labor and employment law;

Bankruptcy and insolvency policies;

Securities regulation;

Corporate governance;

International trade law;

Choice and conflicts of laws;

Interstate and interprovincial trade;

E-discovery;

E-commerce;

Banking and secured transactions;

Litigation (including forum selection);

Intellectual Property Rights (I.P.R.);

Libel and Defamation;

Alternative Dispute Resolution (A.D.R.);

Constitutional law and National Sovereignty;

Law Enforcement and National Security (LENS);

Media, privacy, new and social media, and moral rights.

The Cloud is still quite new, as was aviation before it, once upon a time.  The aviation industry built-upon the foundations of shipping, which has been in place for a very long time, and the cloud will build upon the lessons, disasters, and opportunities of both of these same – that are themselves, still evolving (in shipping, such as with the Laws of the Sea re: territorial limits, ocean dumping, and piracy; and in aviation such as with GHG emissions, Air Marshalls, Space law and space tourism, and passenger bills of rights when stuck on the ground between the terminal and the flight plan).  Alas, things move significantly faster over the Internet and through the Cloud – especially those things to which significant liability can and does attach, and so these older, tried and tested concepts may need to be speeded-up, re-mixed, re-constituted and re-configured, just to keep pace with the speed of this our human race.

We should also add Taxation to the above listing of practice areas, as the United States and other jurisdictions, are looking with increasing favour and fervor at a tax on internet-based or internet-enabled commerce as a way to boost falling (and flat) government revenues.[2]  Following the earlier lead of the E.U. in this effort,[3] the questions of who is taxable and why, and of what transactions from where and to where, are taxable at what rate or rates, will most certainly keep practitioners in conflicts of laws, constitutional law and national sovereignty, and the other above-listed practice areas, rather busy, then.

For now, watch the weather forecast, but always take your own precautions, scan the horizon, mind the air, the water and the seeds, and keep a reinforced umbrella handy.

Anyone telling you that the Cloud is a simple thing to seed or read, is, I think, mistaken.

Author:

Ekundayo George is a Lawyer and Strategic Consultant.  He is a published author in Environmental Law and Policy; licensed to practice law in multiple states of the United States of America, as well as Ontario, Canada; and has over a decade of solid legal experience in business law and counseling, diverse litigation, and regulatory practice.

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Colin J. Zick, Esq.  More Consumer Data Security and Privacy Legislation Introduced. Posted on September 12, 2011, in a blog entitled “Security, Privacy and the Law”, published by Foley Hoag LLP; (visited on November 28, 2011).  Available at: http://www.securityprivacyandthelaw.com/2011/09/articles/data-breach-1/more-consumer-data-security-and-privacy-legislation-introduced/

[2] ecommercejunkie. Congress Eyes Federal Sales Tax Bill. Posted on August 1, 2011 in a blog entitled “E-Commerce News”, for e-commerce news from around the web; (visited on November 28, 2011).  Available at: http://ecommercejunkie.com/2011/08/01/congress-eyes-federal-sales-tax-bill/

[3] Martin A. Weiss, Analyst in International Trade and Finance, Foreign Affairs, Defense, and Trade Division; Nonna A. Noto, Specialist in Public Finance, Government and Finance Division. CRS Report for Congress: EU Tax on Digitally Delivered E-Commerce. Updated on April 7, 2005, (visited on November 28, 2011).  Available at: http://ipmall.info/hosted_resources/crs/RS21596_050407.pdf
