Insight

Cloud Computing: An Exercise in Architecting Trust

Rather than the cloud being a thing, it is actually a process.

Cloud Computing
Kelly L. Frey Sr.

Kelly L. Frey Sr.

December 19, 2017 02:16 PM

Cloud computing is a misnomer of arcane origin. Originally the “cloud” was literally just a technology doodle (beyond the then-available lexicon or the plastic templates of systems architects 40 years ago).1 The billowing shape was used in system schematics to represent something beyond the computationally and conversationally stunted devices of the time (reminiscent of the ancient cartographers’ “terra incognita”). But over time, and especially with the dawning of the gigabyte era, the image/term has been co-opted to visually/linguistically represent what NIST has defined as “a model for enabling ubiquitous access to shared pools of configurable resources (such as computer networks, servers, storage, applications, and services).”2

Rather than the cloud being a thing, it is actually a process.

So how do you cloud compute? You enlist the aid of applications, platforms, and resources owned and controlled by third parties, when and as needed. Whether infrastructure as a service (IaaS), platform as a service (PaaS), and/or software as a service (SaaS), you (the consumer of cloud services) hand over management and control of critical information technology infrastructure to third-party vendors (who legally become your agent[s]). From a legal perspective, that means you delegate responsibility for performance to your agent, by contract (whether negotiated, click-through, or any variation in between). However, despite such delegation of performance you (as principle) still retain primary legal liability for anything that your agent does during such performance. It is important, therefore, that the contract with the agent/vendor adequately and equitably allocates the risks you retain as principle. And that is where most legal issues occur: as a failure to adequately address or allocate such risks.

Part of the risk concerns come from most cloud vendors’ perspective that since they are providing a standardized suite of services to all customers, the contract for such services should also be standardized (i.e., a form contract). These form contracts always seem to disproportionately favor the vendor (and if the cloud vendor has market power, it can force such unfavorable terms across its customer base). What this form-based contracting ignores is that risk is most efficiently allocated in an open marketplace to the party that has control. In the cloud environment, the vendor by definition has control (of the activity), but the form contract avoids and minimizes shifting the risks related to this control, thereby negating the actual monetary consequence of whatever choices the vendor may have made in architecting or operating its cloud. This can be done in the form agreement via:

  • limitations of liability and/or caps on liability (that, while proportionate to the value to the vendor of the contract-for-service, have no relationship to the absolute risk of and costs to the cloud customer);
  • limited indemnification provisions (leaving the principle exposed to disproportionate third-party risks, even if covered for the customer’s own first-party risks); and/or
  • disclaimers of the true equitable and/or monetary damages the customer may experience from a vendor’s activities in favor of service credits (that represent only a fractional or variable cost to the vendor, with little proportionality to the actual customer risks and damages).

However, even when contracts for cloud services are negotiated, attorneys sometimes forget that these negotiations must be mapped against their client’s enterprise vulnerability, which must account for both the probability of disruption or liability and the severity of the consequences.3

Intentional risks grab headlines (and disproportionate mindshare in cloud contracts).

Certainlythe nefarious activities of hackers involved in cybercrimes and security breaches are problematic, require contract allocation of risks, and are prime candidates for risk-sharing with insurance underwriters of cyber insurance.

But cyberterrorism and cyberwarfare are now equally an issue of risk allocation.4 Similarly, the intentional acts of the vendor in architecting, implementing, and/or operating its cloud infrastructure based around appropriate standards (and certification and residual auditing around such standards) need to be addressed in negotiations (and run the gamut from the esoteric to the more mundane aspects of cloud operation, such as employee background checks and the physical security of locked doors and drawers).

Negligent risks are more familiar territory for attorneys. Such risks begin with a duty, such that the first issues in cloud contracting are to properly and adequately define the vendor’s duty in the agreement (and make such duty both legally and practically enforceable). Once such duty is articulated in the contract, then the task turns to not only allocating the risks of loss from failure to adhere to that defined duty, but also monitoring for lapses of that duty over the term of the contract. So, for example, shifting uptime responsibility to a vendor and allocating the monetary losses from a breach of such duty is essential in the contract. But however necessary that may be, it is insufficient unless there is appropriate responsibility for monitoring in place of the contract to compensate against a breach of such uptime duty (i.e., the vendor has a much better ability to assess when its infrastructure is working than the customer, so it is legally appropriate to place an affirmative obligation on the vendor to monitor, report, and automatically credit for downtime rather than requiring the customer to either notice and/or report downtime).

Trust is the extent to which one party relinquishes control to another party on the belief that it will fulfill tasks and responsibilities the grantor values. In the cloud, our clients relinquish control. Unfortunately, the cloud was never architected for trust; it is completely agnostic, in that each bit is valued the same as every other bit. So much of what attorneys must do in the cloud environment is architect such trust between the client and a cloud vendor. And this must be done with the sole tool available: appropriate contract language that requires an alignment between the cloud vendor’s values and the client’s values (as set out in the tasks and responsibilities a vendor must assume, by contract, to implement such client values).

----------------------------

1 See www.retroist.com/2009/01/11/ibm-flowcharting-template/ for example of an early plastic template used for system analysis.

2 SP 800-145, The NIST Definition of Cloud Computing, at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.

3 See generally, Sheffi, The Resilient Enterprise, MIT Press, 2005.

4 See Frey, Cyber-warfare, cyber-terrorism, and cyber-crime, Financier Worldwide, April, 2013; www.financierworldwide.com/cyber-warfare-cyber-terrorism-and-cyber-crime/#.WgnxjMJPqUk.

Related Articles

Bringing Cloud Liability Down to Earth


by Jim Steinberg and Lance McCord

Unlike most traditionally licensed software, cloud solutions also put the customer at risk by transmitting, storing, and processing the customer’s data outside of the customer’s networks.

Cloud Liability

Into the Breach


by John Ettorre

Data breaches have become inevitable. Here’s what you can do to respond.

Data Breaches

How Does Your Firm Measure Up?


by Best Lawyers

BL Intelligence provides your firm with valuable industry data.

Best Lawyers 27th Edition Stats

2019 Women in the Law at a Glance


by Best Lawyers

2019 "Women in the Law" by the numbers.

What Practices Grew the Most in 2019?

My Data My Rules: An Overview of Data Protection in Brazil


by Fábio Pereira

My Data My Rules

Are You Equipped to Manage the Internet of Things?


by Morgan Gebhardt

Are IoT technologies nice-to-have “apps” or necessary business components?

Manage the Internet of Things

Trending Articles

2025 Best Lawyers Awards Announced: Honoring Outstanding Legal Professionals Across the U.S.


by Jennifer Verta

Introducing the 31st edition of The Best Lawyers in America and the fifth edition of Best Lawyers: Ones to Watch in America.

Digital map of the United States illuminated by numerous bright lights.

Unveiling the 2025 Best Lawyers Awards Canada: Celebrating Legal Excellence


by Jennifer Verta

Presenting the 19th edition of The Best Lawyers in Canada and the 4th edition of Best Lawyers: Ones to Watch in Canada.

Digital map of Canadathis on illuminated by numerous bright lights

Discover The Best Lawyers in Spain 2025 Edition


by Jennifer Verta

Highlighting Spain’s leading legal professionals and rising talents.

Flags of Spain, representing Best Lawyers country

Unveiling the 2025 Best Lawyers Editions in Brazil, Mexico, Portugal and South Africa


by Jennifer Verta

Best Lawyers celebrates the finest in law, reaffirming its commitment to the global legal community.

Flags of Brazil, Mexico, Portugal and South Africa, representing Best Lawyers countries

Presenting the 2025 Best Lawyers Editions in Chile, Colombia, Peru and Puerto Rico


by Jennifer Verta

Celebrating top legal professionals in South America and the Caribbean.

Flags of Puerto Rico, Chile, Colombia, and Peru, representing countries featured in the Best Lawyers

Prop 36 California 2024: California’s Path to Stricter Sentencing and Criminal Justice Reform


by Jennifer Verta

Explore how Prop 36 could shape California's sentencing laws and justice reform.

Illustrated Hands Breaking Chains Against a Bright Red Background

Tampa Appeals Court ‘Sends Clear Message,” Ensuring School Tax Referendum Stays on Ballot


by Gregory Sirico

Hillsborough County's tax referendum is back on the 2024 ballot, promising $177 million for schools and empowering residents to decide the future of education.

Graduation cap in air surrounded by pencils and money

Find the Best Lawyers for Your Needs


by Jennifer Verta

Discover how Best Lawyers simplifies the attorney search process.

A focused woman with dark hair wearing a green top and beige blazer, working on a tablet in a dimly

Paramount Hit With NY Class Action Lawsuit Over Mass Layoffs


by Gregory Sirico

Paramount Global faces a class action lawsuit for allegedly violating New York's WARN Act after laying off 300+ employees without proper notice in September.

Animated man in suit being erased with Paramount logo in background

The Human Cost


by Justin Smulison

2 new EU laws aim to reshape global business by enforcing ethical supply chains, focusing on human rights and sustainability

Worker wearing hat stands in field carrying equipment

Introduction to Demand Generation for Law Firms


by Jennifer Verta

Learn the essentials of demand gen for law firms and how these strategies can drive client acquisition, retention, and long-term success.

Illustration of a hand holding a magnet, attracting icons representing individuals towards a central

Social Media for Law Firms: The Essential Beginner’s Guide to Digital Success


by Jennifer Verta

Maximize your law firm’s online impact with social media.

3D pixelated thumbs-up icon in red and orange on a blue and purple background.

ERISA Reaches Its Turning Point


by Bryan Driscoll

ERISA litigation and the laws surrounding are rapidly changing, with companies fundamentally rewriting their business practices.

Beach chair and hat in front of large magnify glass

How Client Testimonials Fuel Client Acquisition for Law Firms


by Nancy Lippincott

Learn how client testimonials boost client acquisition for law firms. Enhance credibility, engage clients and stand out in a competitive legal market.

Woman holding blurb of online reviews

Critical Period


by Armelle Royer and Maryne Gouhier

How the green-energy raw materials chase is rewriting geopolitics

Overhead shot of mineral extraction plant

Best Lawyers Expands With New Artificial Intelligence Practice Area


by Best Lawyers

Best Lawyers introduces Artificial Intelligence Law to recognize attorneys leading the way in AI-related legal issues and innovation.

AI network expanding in front of bookshelf