Last week, in discussing findings from the BT Global Services Enterprise Intelligence survey, I wrote about why cloud computing environment location matters:

“Many of the clouderati will tell you that the physical location of the cloud computing environment shouldn’t matter to adopters.  While technically and architecturally this might be true, given appropriate and reliable network connections, there are business implications of physical location.  Most notably, regulatory and compliance concerns for cloud-resident data.”

Today, via Twitter, I became aware of an Interactive Data Protection Heat Map, published by Forrester, and shared on their Infrastructure & Operations Professionals blog:

“To help you grasp the varying scope of regulatory requirements at a high level, we’ve also created an interactive privacy heat map that denotes the degree of strictness — highlighting scope of protection, affected entities, ‘adequacy’ standards met, and heavily surveilled countries — across national data protection regulation.”

The map is in Flash; go check it out.

Posted by brenda michelson at 2:31 pm in 100-days, Cloud Watch, adoption, data, regulatory

Next on my cloud computing survey list is the BT Global Services Enterprise Intelligence survey.  The survey is broader than cloud computing, covering “CIOs and their relationship with senior corporate executives and IT systems users.”  The survey report includes:

  • the relationship between corporate information and business performance
  • demand for information
  • successful collaboration
  • what the CIO needs to do in the recession
  • the challenges facing cloud services
  • security in the cloud
  • global attitudes to business success
  • the role of the CIO

As someone interested in active information and the business-IT relationship, I found interesting points throughout the report.  However, the one cloud computing finding I want to call out is cloud location. 

Many of the clouderati will tell you that the physical location of the cloud computing environment shouldn’t matter to adopters.  While technically and architecturally this might be true, given appropriate and reliable network connections, there are business implications of physical location.  Most notably, regulatory and compliance concerns for cloud-resident data.

The BTGS Survey focused on the likelihood to use cloud computing environments in another country:

“For example, the majority of CIOs (57%) and senior executives (53%) around the world are not happy to run applications and store data on servers based outside their country, for IT security reasons.

Perceptions of where servers should be based revealed a pro-European focus. For CIOs and senior executives, the UK was the most popular place in the world for servers to be based, with a quarter (25%) saying they would be extremely comfortable with servers being based there.  This was followed by North America (22%), Western Europe (20%) and Nordic Europe (18%).

Conversely, two thirds (68%) of CIOs and senior executives said they would be uncomfortable with servers being based in Africa, closely followed by Latin America (53%), Russia/Central Asia (43%) and the Middle East (40%). The reasons cited for such unease were security/political issues, service quality, distance and time zone issues and cost.  Perceived high cost was specifically mentioned in relation to North America and Nordic Europe.”

Survey methodology: “Conducted by Datamonitor Ltd. Total sample sizes were 274 CIOs and other senior corporate executives in 12 countries and 2,476 employees who use corporate IT systems in 13 countries. Fieldwork was undertaken between 1 September 2009 and 30 September 2009. The survey was carried out online.”

Posted by brenda michelson at 3:00 pm in 100-days, Cloud Watch, adoption, assurance, compliance, cyber risk, data, regulatory

In IBM’s November 2009 SOA Newsletter, Fill Bowen, Program Manager responsible for Smart SOA in IBM Software Group, discusses the relationship between SOA and Cloud Computing, and shares prerequisites for providing services in a cloud and consuming services in a cloud.

The newsletter emphasizes that SOA and Cloud Computing are complements.  SOA is an architectural style, while Cloud Computing is a deployment model.  These concepts can come together in the design of the cloud computing environment:

"‘SOA is an architectural style for building applications, loosely coupled, allowing composition,’ says Jerry Cuomo, CTO of IBM’s WebSphere business. ‘Can we build a datacenter infrastructure on SOA principles? Yes, and that’s the cloud, so it’s a service-oriented infrastructure,’ he adds. ‘It’s taking that architectural principle of SOA and applying it to an infrastructure.’" – InfoWorld, “The cloud-SOA connection”

In discussing the SOA-Cloud Computing relationship, Fill offers a helpful analogy using books and a library:

“An interesting analogy for cloud and SOA is to think of books in a library. The books represent the services that customers can access once the library acquires them, and the library building represents the cloud where people come to check out the books/services. Books are reusable, and several books might make up a series or topic. Someone writes the book once and it is reused many times.

Using our analogy of books in the library, there are two components to consider when thinking about services in a cloud environment. One is the providing of services (books) to the cloud (library). And the other is the consuming (checking out) of those services (books). Each has different requirements.”

Read the article to learn of the prerequisites for providing and consuming services in a cloud. 

 

[Disclosure: IBM is not a direct client of my firm, Elemental Links, however IBM is a founding sponsor of the SOA Consortium, which is a client.]

Posted by brenda michelson at 11:11 am in Cloud Watch, cloud computing environment (cce), fundamentals, governance, provider positions, services architecture, virtualization

This Burton Group slide floated by on Twitter this morning.  Nice illustration of who controls security.  Note how the organization always participates in control of the data.


Posted by brenda michelson at 12:46 pm in Cloud Watch, analyst positions, cyber risk, security

December 1st, 2009

More on Lawyers, Clouds & Data

The Information Law Group has an excellent 4-part series on the legal implications of cloud computing.  The series is written for lawyers, but the issues addressed — Privacy, Relationships, E-Discovery and Digital Evidence — are important for anyone considering cloud computing. 

Series Context:

“Bottom line: this is not your father’s outsourcing relationship, and trying to protect clients with contracts may be very difficult or impossible unless the cloud computing community begins to build standards and processes to create trust. This post is not for my tech/security friends, it is for the attorneys out there, especially the general counsel and transactional attorneys who draft terms for tech contracts (e.g. outsourcing contracts, ASP contracts, software licenses, etc.).

…One final note to the attorneys out there:  there is going to be incredible financial pressure on organizations to take advantage of the pricing and efficiency of cloud computing and if attorneys fail to understand the issues ahead of time there is a serious risk of getting "bulldozed" into cloud computing arrangements without time or resources to address some serious legal issues that are implicated.”

Legal Issues:

“Transborder Data Flow Triggering Legal Obligations in Multiple Jurisdictions. This sharing and transfer of data within the cloud, the inability for anybody to easily say where the data is or has been, is the key problem that creates legal issues.  An obvious problem is transborder data flow.  For example under the EU Data Protection Directive, unless they take certain steps, organizations are prohibited from transferring personal information to countries that do not provide the same level of protection with respect to personal information of EU residents (the United States is one such country).  A company that does its processing in the cloud may be violating EU law if data goes to servers outside of the EU to prohibited countries.  Unfortunately, contracts may not be too helpful because cloud providers will not be in any position to make any contractual promises to their clients because in many cases they cannot say which countries data will be transferred to or from.  So how can companies seeking the efficiency and cost savings of the cloud utilize it if, by its very nature, it leads to potential legal compliance nightmares?

"Reasonable Security" Under the Law. Then there is the issue of "reasonable security" in the cloud computing context, and potential liability arising out of security breaches in the cloud.  Generally speaking if a company outsources the handling of personal information to another company they may have some responsibility to make sure the outsourcer has some level of reasonable security to protect personal and confidential information.  What happens when the cloud is utilized? Service providers using the cloud platform essentially rely on the security of each of the cloud participants receiving personal information.  That could be name brand companies like Google who are likely to have some level of adequate security, but it could also be lesser players trying to engage in business as cheaply as possible and not implementing rigorous controls.  The bottom line again is that the organization seeking to do business in the cloud has no way to even perform a due diligence of "the cloud" to ensure that adequate security is in place.  Moreover, cloud companies and service providers that contract directly with such companies are not likely to make any contractual promises around security since they ultimately don’t control it (or even know how good or bad it is within the cloud).  Ultimately, the legal question is, what liability does a company face when there has been a security breach in the cloud that has resulted in the theft or harm of valuable or protected data?

Electronic evidence/e-discovery. Utilizing the cloud can be problematic in the litigation context.  First off, when litigation ensues and a litigation hold is initiated, the organization will have to deal with a third party cloud provider in order to get at the information relevant to the litigation.  It may not be easy for that provider to actually preserve the data that is needed for several reasons.  For example, an organization may be using a third party software provider that itself utilizes a cloud platform.  The data subject to the litigation hold therefore may actually reside in the cloud and may not be readily accessible/preserved by the software provider.  This could complicate gathering electronic evidence and responding to e-Discovery requests.  Moreover, it could lead to spoliation of evidence.  In addition, considering that multiple copies of data may be created, stored, recompiled, dispersed, reassembled and reused, the idea of what constitutes a "record" or a "document" for evidentiary purposes may be difficult to grapple with in the cloud.”

Series Posts:

Legal Implications of Cloud Computing — Part One (the Basics and Framing the Issues)

Privacy and the Cloud

Relationships in the Cloud

E-Discovery & Electronic Evidence

Posted by brenda michelson at 2:48 pm in Cloud Watch, adoption, assurance, customer-provider agreements, legal

Bessemer Venture Partners published a winter release of their 10 Laws of Cloud Computing and SaaS.  These laws are written for cloud computing providers – potential investees.  However, the laws are also interesting to anyone interested in the cloud computing marketplace. 

As I was reading the full whitepaper (pdf), I found one law to be pertinent for potential cloud computing customers.  Law #8: Leverage and Monetize the data asset. (emphasis is mine)

“BESSEMER CLOUD COMPUTING LAW #8: Leverage and monetize the data asset. While Cloud Computing is about providing a subscription service to your customers, one of the happy consequences is that you end up hosting their data. This becomes a critical asset that you can monetize by increasing the value of your offering; by leveraging it across your customer base in the form of benchmarks; or for specific businesses, by using the data to generate leads (within the contracted obligations). In these difficult economic times, where prices are under pressure and customers are tightening their budgets, data can be a difference maker.

As a Cloud Computing service, your company captures a lot of business information on each individual customer, information that is typically peripheral to the delivery of your service, but could be very interesting for your customer’s executives. This information can generally be packaged and synthesized into a set of management dashboards that you can provide to your customers, potentially for an incremental subscription fee, or as a way to expand usage and increase product stickiness. Within our own portfolio, successful examples include the “CMO dashboard” (Eloqua), “Merchandising Dashboard” (Retail Solutions), “CFO Dashboard” (Intacct), and “HR Dashboard” (Cornerstone OnDemand).

A second way to monetize your data is to identify the key performance indicators that you can derive from them – typically the ones that you have identified for your executive dashboards – and develop benchmarks across your customer base. These benchmarks can be customized along several dimensions (e.g., by company size, sector, geography) and be provided separately to your customers and even included in the executive dashboard. One of the early companies to sell benchmarks was Concur, the leading public company in the expense management space. With Concur reports, customers can compare their travel costs and business expenses against their peer group and track the evolution over time. We believe this “data-as-a-service” model has a lot of potential and will become more prominent as companies mature and need to find additional revenue streams.

Finally, another way to take advantage of your data is to use it to generate leads. While we recognize that this may not be possible for many of the B2B businesses for obvious reasons, this practice has proven to be successful for the lower end of the market, including small businesses and consumers. A company like Mint for example (now part of Intuit), even based its business model around it. Mint launched a SaaS financial application for consumers, competing against Quicken, but while the Quicken and Quicken Online business models used a license or a subscription fee, Mint was free and generated revenue by using its consumer insights to generate leads that were sold to service providers. For example, if Mint identified that your savings account had a 2% rate, it would notify you by email that another bank could offer you 2.5% and sell your click (or whatever action you would perform if interested) to a provider. Mint was so successful in this customer acquisition model that it ended up being acquired by Intuit in 2009 and will now replace the Quicken Online product.”

Certainly, there is no malice or wrongdoing here, as the above Law explicitly states “within the contracted obligations”.  And, there can be great value to your organization in receiving benchmark, trend, lead or other aggregated data.  However, the use of your hosted data must correspond with your organization’s privacy and IP practices.  Therefore, it’s critical to understand, and if necessary, negotiate any data usage components of your service contracts.

Posted by brenda michelson at 6:15 pm in Cloud Watch, SaaS, compliance, customer-provider agreements