March 31st, 2009

@ Cloud Computing Expo #12 David Snead, P.C. – Virtualization & Legal Concerns

David Snead on virtualization and legal implications.  David is a practicing attorney focusing on web infrastructure concerns.  He shares that, from a legal perspective, virtualization and cloud computing are similar.

Three aspects to be considered:

Software or Operating System

Expectations – your own, that of your users, that of your customers

Contract Review

The goal of the session is to give information on how to parse legal risk.  Lawyers who say “no legal risk” are misstating the truth.

What is virtualization (and cloud computing) from a lawyer’s perspective?  An operating system or network distributing things.  (Didn’t catch that exactly.)  Virtualization can be looked at as server based, application based or desktop based.

Application virtualization is the holy grail.  This is what his clients want: they want to put applications on Salesforce.com.

Server virtualization risk areas: the virtualization software and the individual operating systems.  For example, do individual users have the ability to interfere with other users on the server?  What happens when a user brings down a shared environment?

Application virtualization brings the highest risk and reward.  Key questions to ask: who is providing the underlying application infrastructure?  Is the application part of an ecosystem?  An application ecosystem?  A platform (infrastructure) ecosystem?

Concerns: Will the infrastructure be up when required?  What happens if it isn’t?  Next, your data.  Where is it?  Is it safe?  Can you get it back?  Finally, the virtualization software.  What is the provider running?  How might that impact you from a risk perspective?

In response to a question on fiduciary responsibility, contract law is going to govern 98% of scenarios.  So, understand and comb those contracts!  Need to approach all relationships as though the provider doesn’t have your best interest at heart.  Admittedly, a lawyerly response, but important to say/hear.

Desktop virtualization concern – no surprise – is that you want to be in compliance with your Microsoft desktop license agreement.  Also need to look at the security provided beyond the application layer.

A common issue is understanding the virtualization software and whether that software will work with the type of virtualization – desktop, application or server.  Is the software appropriate for the task at hand?  Sounds simple, but he has seen issues here.  You can’t get out of a contract just because the application doesn’t work, especially if you didn’t check compatibility.

Different risks for the VMware view of the world vs. the Parallels (container) view of the universe.  In the container view, it is easier for one user to destabilize another user.  If that’s a concern, consider the VMware view.

Need to determine if your licenses will work in a virtualization environment.

Warns that anytime a human touches the system, there is a chance to break it.  Need to understand the degree of automation done by the service provider.  (Reminds me of my Joyent briefing earlier; automation is critical.)

Understand that the data doesn’t go to “the cloud”.  It goes somewhere.  Understand the cloud provider’s warranties, SLA, privacy and skin in the game.  Suggests going out to read Amazon’s terms of service.  Go to a company that drinks its own Kool-Aid.

Also want to understand potential channel conflict.  [Example I just read about in HBR (I think) is Toys-r-Us and Amazon.]  David cites Salesforce & Zoho recent litigation.

Don’t do find/replace contract changes, such as swapping another vendor’s name for your name or “dedicated host” for “cloud host”.

In response to a question: avoid CA, UT and most of the South in interpreting technology contract law.

End of day, who owns the data?  Especially critical where channel conflict might exist.  Don’t want to accidentally give your customer list to a competitor.

360 degree contract review:

Infrastructure: bandwidth, upstream, AUP (SLA)

Virtualization: type, IP protection, end user interaction

End User: customer expectations, ultimate use, expertise

Read the contracts!  Not just the data center contract.  All contracts, current and new.  Don’t forget the SLA / expectations of your ultimate end-users.

Don’t forget choice of law and regulatory issues.

Posted by brenda michelson at 4:08 pm in assurance, audit, Blog, compliance, cyber risk, regulatory, virtualization