Cloud Computing: Brought down to Earth 6 October 2016


Page 1: Cloud computing: Brought down to Earth

Cloud Computing: Brought down to Earth

6 October 2016

Page 2: Cloud computing: Brought down to Earth

Cloud Com·put·ing

• noun
• cloud computing; plural noun: cloud computings
• the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.

Page 3: Cloud computing: Brought down to Earth

In the Media

Clips from Google

Page 4: Cloud computing: Brought down to Earth

“Cloud-related technology is real and useful now. Practically every developer I know is either using or looking at cloud infrastructure in either private or public clouds.”

– Alex Miller

Page 5: Cloud computing: Brought down to Earth

In the Media

Article: https://cartt.ca – 29/09/2016

Page 6: Cloud computing: Brought down to Earth

“I’m pretty liberal in my view on cloud; really, in a sense, the whole industry is becoming cloud computing. It’s hard to differentiate today the software industry and cloud computing.”

– Geva Perry, Independent cloud strategist

Page 7: Cloud computing: Brought down to Earth

In the Media

Clips from Google

Page 8: Cloud computing: Brought down to Earth

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do.”

– Richard Stallman

Page 9: Cloud computing: Brought down to Earth

In the Media

$400 Million

The estimated financial loss from 70 million compromised records shows the real importance of managing data breach risks.

– Conducted by Verizon with contributions from 70 organizations from around the world

Page 10: Cloud computing: Brought down to Earth

“In the post-Snowden world, you need to enable others to build their own cloud and have mobility of applications. That’s both because of the physicality of computing – where the speed of light still matters – and because of geopolitics.”

– Satya Nadella

Page 11: Cloud computing: Brought down to Earth

Cloud Computing: Brought down to Earth

Page 12: Cloud computing: Brought down to Earth

Speakers

• Craig McDougall, Partner, Dentons
• Rhys Morgan, Associate Partner, Ernst & Young LLP
• Tom Sides, Partner, Dentons
• Calvin Engen, Director of I.T., F12

Page 13: Cloud computing: Brought down to Earth

Calvin Engen, F12

Intro to the Cloud

Page 14: Cloud computing: Brought down to Earth


What kind of clouds are there?

Page 15: Cloud computing: Brought down to Earth


What kind of clouds are there?

Page 16: Cloud computing: Brought down to Earth


Cloud - Why you need it!

Page 17: Cloud computing: Brought down to Earth

Benefits of the Cloud

• Efficiency – Lower Hardware and IT Costs
• Agility – Performance and storage on demand
• Flexibility – Pay for what you need
• Redundancy
• Reduced Maintenance
• Defer Risk

Page 18: Cloud computing: Brought down to Earth


Which Cloud Provider?

Page 19: Cloud computing: Brought down to Earth


Certification – Where it really matters…

Page 20: Cloud computing: Brought down to Earth


Questions to Ask…

• What certifications do they have? How often do they maintain their certifications?

• What is your single point of failure? Internet?

• What is your service level agreement (SLA) for uptime? What are the steps for remediation?

• Where do the servers, processes, and data physically reside?

• Client References…

• It’s not me, it’s you. How do you get your data back?

Page 21: Cloud computing: Brought down to Earth

Thank you

Calvin Engen
D +780.444.8661 x3123

Page 22: Cloud computing: Brought down to Earth

Rhys Morgan, EY

Point of View

Page 23: Cloud computing: Brought down to Earth

Cloud Computing

Point of View – Rhys Morgan, EY

October 2016

Page 24: Cloud computing: Brought down to Earth

Emergence of Cloud Computing

► In the last 7-8 years, cloud services rapidly gained a foothold in the technology industry.

► With the publication of cloud security standards and reference architectures by NIST, ISO, SOC, CSA and the DoD (among others), companies have begun to adopt cloud strategies at an increasing rate.

► By 2020, cloud adoption will dominate IT and become the new norm.

Page 25: Cloud computing: Brought down to Earth


Milk…..and why is it relevant?

Public Cloud Global Market value estimated to be worth over $200 billion by end of 2016

Estimated to be growing 20% year on year

This is more than Global Market value of Milk…..and Chocolate

So why does ‘Cloud Aspiration’ significantly outpace ‘Cloud Adoption’?

Page 26: Cloud computing: Brought down to Earth

Why so slow? What’s driving the reluctance to move to Cloud when the market is in rapid growth?

The trinity of evil? Who’s driving?

• Fear
• Uncertainty
• Procurement

Page 27: Cloud computing: Brought down to Earth

Is Cloud right for you? Why not just stay with status quo?

• Security concerns with existing environment – DR/BCP issues?
• Inability to provision IT resources when needed – slow go-to-market
• Difficulty managing archaic legacy environments
• Costly ongoing capital and operational expenses
• Lack of technical expertise and access to talent

Most industry sectors and Government have been slow to adopt and implement an enterprise cloud strategy. However, due to limitations encountered with traditional architectures, organizations are developing a cloud migration program at an increasing rate.

[Diagram labels: IAAS, PAAS, SAAS]

Page 28: Cloud computing: Brought down to Earth

What next?

Page 29: Cloud computing: Brought down to Earth

• Stealthy Cloud – Decide and just do it

• Strategize, decide and educate – Assess benefits for your organization, decide and educate stakeholders on benefits and overcome concerns.

• Allocate ownership and identify candidates based on business drivers – Identify candidate components, allocate organizational ownership, assess readiness, plan for deployment and execution.

• Execute, validate and repeat (if you want) – Execute the project, assess effectiveness, validate benefits, document lessons learned and repeat (or not).

‘Light up’ the current environment

Do these things anyway

• Information Classification
• Infrastructure Virtualization
• Application Rationalization

Page 30: Cloud computing: Brought down to Earth

Cloud Computing

Point of View – Rhys Morgan, EY

October 2016

Page 31: Cloud computing: Brought down to Earth

Thank you

Rhys Morgan, Associate Partner, Ernst & Young LLP

Page 32: Cloud computing: Brought down to Earth

Tom Sides, Dentons

Understanding and Mitigating Legal Risks

Page 33: Cloud computing: Brought down to Earth

CLOUD COMPUTING: Understanding and Mitigating Legal Risks

Tom A. Sides

Dentons Canada LLP

October 6, 2016

Page 34: Cloud computing: Brought down to Earth

Outline

Legal Risks in the Cloud

• Privacy Law and Legislative Framework
• Data Security Stds: Remedies
• Director/Officer Liability

Cloud-Based Agreements

• Cloud/Cyber Due Diligence
• Key Contractual Terms – Business & Legal
• Jurisdictional Issues
• Risk Allocation

Page 35: Cloud computing: Brought down to Earth

Legal Risks in the Cloud

Legislative Framework: Data Privacy and Security

Private Sector Legislation

• Personal Information Protection Electronic Documents Act (Canada) (“PIPEDA”)
• Personal Information Protection Act (Alberta) (“PIPA”)

Public Sector Legislation

• Freedom of Information Protection of Privacy Act (Alberta)
• Health Information Act (Alberta)
• Privacy Act (Canada)
• Access to Information Act (Canada)
• Canadian Security and Intelligence Service Act (Canada)

Individual Rights to Protect Information VS. Organizational Need to Collect, Disclose and Use Information

Page 36: Cloud computing: Brought down to Earth

Data Security Standards

Statutory and Common Law

PIPA (AB)

s. 34 An organization must protect personal information that is in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.

• Importantly, extends to service providers … CSP’s
• Similar provisions under most other public/private sector privacy acts: HIA, PIPEDA and FOIPP … but not Privacy Act (Canada)
• A reasonable person would use higher security arrangements to protect more sensitive data
• Common Law: industry recognized standards – ISO/IEC 27018 (Standard for Privacy on the Cloud) … and others
• Establish standard of care – negligence claims?

Page 37: Cloud computing: Brought down to Earth

Data Security

Breach: Complaint filed - OIPC

Complaints under PIPA (AB) and PIPEDA:

• Organization that suffers security breach that poses a real risk of significant harm to individuals must notify the Privacy Commissioner
• Commissioner may require org’n to notify affected individuals

Privacy Commissioner may order org’n to:

• Comply with a request for information
• Pay damages to affected individuals that suffered loss or injury due to breach
• Perform its obligations under PIPA
• Destroy personal information collected

Page 38: Cloud computing: Brought down to Earth

Legal Risks in the Cloud

Breach: right of action

• Private right of action
• Common law right of action – Alberta
• Under PIPA only once Privacy Commissioner issues a final order (without further right of appeal) can ind’l commence action against org
• Statutory right of action – BC, Manitoba, Saskatchewan and Newfoundland and Labrador
• Ind’l Org’n CSP
• Invasion of privacy lawsuits in infancy in Canada
• Class action lawsuits, i.e. Ashley Madison

Page 39: Cloud computing: Brought down to Earth

Cloud/Cybersecurity

Due Diligence

• Telling your own story: sensitive/non-sensitive PI, data flows, regulatory requirements, deployment/service model required
• Results from DD: develop comprehensive RFP
• Opportunity to level playing field with CSP’s … especially large ones
• Important contractual terms in RFP
• Importance of Cybersecurity homework on M&A target: Verizon’s acquisition of Yahoo

Page 40: Cloud computing: Brought down to Earth

Cloud-Based Agreements

Key Business Terms

• Confidentiality
• Data Privacy

Page 41: Cloud computing: Brought down to Earth

Cloud-Based Agreements

Most Significant Legal Considerations

• Governing Law
• Confidentiality
• LOL
• Transition Services
• Data Ownership
• Dispute Resolution
• Privacy & Data Security

Page 42: Cloud computing: Brought down to Earth

Cloud-Based Agreements

Jurisdictional Issues

• Choice of Law
• Jurisdiction
• Where data stored?
• Employee Obligations
• 3rd Party Obligations

Page 43: Cloud computing: Brought down to Earth

Cloud-Based Agreements

Risk Allocation

• Rep’s & warranties
• Audit CSP
• LOL
• Service Level Credits
• Cybersecurity Insurance
• Indemnities

Page 44: Cloud computing: Brought down to Earth

Thank you

Tom Sides
D +780.423.7138

Page 45: Cloud computing: Brought down to Earth

Coffee Break! See you in 5 minutes

Page 46: Cloud computing: Brought down to Earth

Cloud Computing: Brought down to Earth

Panel Discussion

Page 47: Cloud computing: Brought down to Earth

Speakers

• Craig McDougall, Partner, Dentons
• Rhys Morgan, Associate Partner, Ernst & Young LLP
• Tom Sides, Partner, Dentons
• Calvin Engen, Director of I.T., F12