Risks of Cloud Computing — Part I

With the next big wave in IT — so-called "cloud computing" — starting to hit the shores of the corporate world, now is a good time to begin to grasp what cloud computing entails and how to manage the legal risks it kicks up.

Accessing Computing Resources

Today there are essentially three ways companies can access computing resources. Pretend for a moment you are the Chief Information Officer of a large organization and you need to ensure that your staff have software productivity tools — let’s focus on word processing and document management software — to be able to function and do their jobs effectively. What are your options?

You can buy computers for your staff, and so-called server computers for the organization, on which you would load up the software that you licensed. In this traditional IT scenario, the computers, the software and your resulting data (in the form of documents, databases, customer lists and the like) would all reside on physical premises (essentially your offices) in buildings that you either own or rent. Let’s call this the "buy" model.

In the buy model, you have an IT department with expertise in managing software and keeping computers humming. They also work hard to ensure the security of your computer systems and your data.

A second way to satisfy your organization’s IT requirements is for you to take most of your hardware and the software, and hand it over to an IT outsourcing company — let’s call them the supplier — and have them manage it for you. For example, you would give the supplier your server computers, who would house them at the supplier’s premises and keep them humming for you. Your staff would still have laptop and personal computers, but these would connect to the servers operated by the supplier. Let’s call this the "outsourced" model.

In the outsourced model, a good portion of your IT staff transfer to the supplier, which is responsible for ensuring the security of your computer systems and data.

In both the buy and outsourced models, you typically would pay upfront for the capital purchase of the relevant hardware and software (in addition to paying ongoing maintenance fees, and monthly service fees to the supplier in the case of outsourcing). In return, the computing equipment would be "yours," and used exclusively by you. So even in the outsourced model, you would buy a copy of your software and the supplier would operate that software solely for you (the supplier could not use your software to process anyone else’s data). Your data would also reside only on your computers (whether on your premises, in the buy model, or in the outsourced model at the supplier’s premises — but on equipment dedicated to you).

Computing Through the Cloud

Lately, a third type of computer resources procurement process has been developing. Known in the jargon-filled IT world as "cloud computing," this model is quite different from both the buy and outsourced models.

In a cloud computing arrangement, you don’t buy a licence to some word processing/document management software. Instead, a supplier buys (or simply already owns) the relevant software, and merely gives your organization’s staff access to it on a subscription basis. And the access is over the Internet, from anywhere the staff can get online (the office, at home, on the road, etc.), hence the term "cloud":  it’s as though the service is as ubiquitous as the air we breathe. As for pricing, in the typical cloud scenario, you would pay a certain dollar amount — say $50 — per year for each one of your employees who is given access to the software (as opposed to paying thousands of dollars upfront for a perpetual licence, and then essentially paying again every four years through the aggregate maintenance fees that accompany most software).

In the cloud model, the suppliers not only make available the relevant software, they store your documents and data on their computers. The suppliers who offer cloud services have huge data centres — called server farms — where gargantuan amounts of data are stored on behalf of their customers.

Cloud computing resembles the way we traditionally get electricity from the local power company. Instead of every house having a small power plant, the utility operates one big plant, and it distributes the power to each household by transmission lines. You then only pay for the amount of power you actually use.

So it is (roughly) with cloud computing. Instead of an expensive upfront capital payment for your own computing environment (complete with pricey software licence fees), you purchase access to the supplier’s service as you require it — essentially, as new employees join your organization. And in the unfortunate case that you have to lay off staff, or you divest a business, your computing costs drop because you have fewer users (whereas in the buy model, you typically do not get a partial refund of your upfront costs).

Software as a Service

Another term for cloud computing is "software as a service" (SaaS). So, rather than software being a "product" that you take possession of (specifically, of the CD on which it comes), you simply get access to the software in order to use it in return for your annual payment. And the supplier of the cloud service has to take care of all the hassles of dealing with glitches in the software, of installing updates, of buying a new program when the previous one is discontinued, and so on.

In the consumer space, we have had some good examples of cloud computing for some time — one is Hotmail. As a Hotmail user, you have an account and e-mail address with Hotmail; e-mail messages are sent to you at this address, and you retrieve these messages and send messages from it. The software operating this messaging system resides on Hotmail’s server computers, and you can access it over the Internet — all you need is an access device to connect to the Hotmail website. Google’s gmail works in much the same way. Both services are extremely popular.

In the computer world, an early pioneer of SaaS was salesforce.com, a company that makes available customer relationship management (CRM) software (the software used by sales reps to track and follow up with their prospects, etc.) on a software-as-a-service basis. So, if you want to make use of a CRM system, in the buy model you can purchase a software licence for a CRM software program — and the large, sophisticated ones can run you many hundreds of thousands of dollars. Or, if you use salesforce.com, in their cloud model you pay a yearly fee for each person on your sales staff that accesses and utilizes their system. Voila, software as a service.

The Gathering Clouds

For several years, salesforce.com was one of the few SaaS offerings that caught on with corporate users. That’s now starting to change, in a big way. Microsoft reports that by the end of this year, 90 per cent of its 40,000 software programmers will be working on cloud or cloud-related applications.

As for today, consider what the 73 lawyers (207 employees in 12 offices) of US law firm Bradford & Barthel have done to adopt a cloud computing solution to their IT needs. Instead of perpetuating the buy model, earlier this year they signed an agreement with a supplier under which they give their staff access to e-mail, calendaring, intranet, extranet, video, document, spreadsheets, presentations, and document management, all for an annual fee of $63 per employee per year.

The firm’s early assessment of the new mode of computing is that it’s cost-effective, collaborative, flexible and efficient. And just how cost-effective, you ask? At $63 per user per year, they estimate a 90 per cent savings over their traditional, previous buy model. Presumably enough to catch the attention of most law firm managers — or CIOs in the non-legal world!

So, that’s the good news about cloud computing. In the next edition of the TLQ — how to manage some of the inherent legal risks.

Authors