ODMOB Law

ODMOB LAWYERS

5/1/2015

Edition 2015 Issue 1

Cloud Computing
Is it more than a fad?

Next Issue

From a business perspective

capacity than they require

there has been a substantial

internally and so they have

amount of uptake in cloud

decided to commercialise this

computing. The concept of a

capacity to other organisations

The next newsletter will

cloud environment has moved

on a shared basis.

cover cyber-insurance and

over the last few years from

hype-ware to sound business
subject

matter.

Literally

With the accelerated uptake of

1 August

its effectiveness.

cloud

computing,

The November Issue will

organisations

that

cover Penetration Testing

are

why it is necessary from a

The basic premise behind cloud computing is that

legal perspective

some large IT based organisations have far

greater IT resource capacity than they require

internally and so they have decided to

commercialise that capacity to other
organisations on a shared basis.

billions of dollars are being

investigating moving to the

expended

on

cloud should first undertake a

structures.

due diligence to ensure that

Further, commercial entities

what is being offered actually

both large and small are taking

meets its needs.

building

advantage

annually
cloud

of

the

benefits

afforded by cloud providers.

According
Governments

to

the

USA

National

The basic premise behind

Institute of Standards and

cloud computing is that some

Technology cloud computing

large IT based organisations

can be characterized as either:

have far greater IT resource

IaaS: Infrastructure as a
Service involves the
availability of hardware
components only. This
offering allows the
Client to load and
manage
its
own
platform,
operating
system,
security
environment and all
software.
PaaS: Platform as a
Service involves the
availability
of
the
hardware and platform
infrastructure.
This
allows the Client to load
and manage all software
that it may desire to use
in
its
business

1|Page

operations. PaaS is of
particular importance to
software development
organisations, as it
allows them to redirect
their
funds
to
operational
expenses
instead
of
capital
expenditure. That is,
they pay for their
platform needs without
expending on capital
hardware components.
Even though software
development
companies have in
general a great deal of IT
expertise, they rarely
have
sufficient
IT
security capability nor
for
that
matter
configuration expertise.
The management of IT
infrastructure
is
a
specialist
area
that
includes
the
implementation
and
management of security
frameworks, which is
best left to organisations
that have dedicated
resources
such
as
reputable
cloud
providers.
SaaS: Software as a
Service involves the
availability of particular
software that a business
desires to use it is
business
operations.
Such services include
MS
Office
365,
Salesforce CRM and
many others.

In addition to the three types

Cloud Provisions

of cloud environments, cloud

Elasticity of the Service is a

offerings are either:

fundamental aspect of cloud

Public Cloud: This

includes
Facebook,
Twitter and MS Office
365 and involves the
ability for the general
public to utilise a
particular
software
service;
Private Cloud: This
involves an entitys
exclusive use of cloud
infrastructure
and
services located at the
providers premises.
Community
Cloud:
This involves a private
cloud that is shared by
several
organisations
with similar security
requirements and a
need to store or process
data
of
similar
sensitivity.
Hybrid Cloud:
This
involves a combination
of cloud models noted
above.

services;

that

continuous

is,

the

expansion

and

contraction of the available

service.

The

variation

provision needs to be carefully

considered. Some provisions
allow

for

adjustments

automatic
without

any

human intervention. If this is

acceptable

then

it

is

not

uncommon for there to be a

minimum service utilization
(Take and Pay) together with
an

arrears

anything

payment

greater

than

for
the

minimum utilization.
Security and Privacy is an
important aspect. All modern
organisations are dependent
upon information technology
and

in

particular

information records.

their
Such

Once a client has decided the

records will include employee

type

required

records, customer records and

whether IaaS, PaaS or SaaS

may even include personal

and whether Public, Private,

identifiable information (PII).

of

cloud

Hybrid or Community, the

legal aspects come into play.

The

Australian

Privacy

Principles (APP) as detailed in

Client needs to keep in mind

the Privacy Act (1998) Cth

that a service is being provided

provides for a number issues

which requires a different set

dealing with security and

of

would

protection of information. Of

normally be expected in a

particular importance is that

computing environment.

PII must not be relocated

provisions

than

external to Australia unless the

2|Page

destination
similar

jurisdiction
legal

has

protective

measures in place.

This is

provided under APP 8.

arrangements. Of particular

accelerate

importance are the following:

timeframe.

To cover cloud structures ISO

27018

now

covers

the

protection of PII. The Cloud

provider should warrant that
their service complies with
ISO 27108.
Warranties

are

always

contentious issue as the cloud

provider will want to give as
little as possible whereas the
client

desires

certainty

of

service. This is where a wellstructured

Service

Level

Agreement (SLA) comes into

play.

The

European

Commission

recently

published a standard SLA

which

has

specifically

been

designed

for

cloud

Response times should

an issue arise. Issues are
usually categorized as
follows:
Critical;
Highly Important;
Medium Importance
Low Importance.

the

Termination is the last issue

that will need careful attention.
Since the offering is a service
delivery

structure

that they have prompt access

to their data in a format that is
quickly

time to resolve issues as they

alternate provider.

table.
who

This table will detail

should

be

contacted

the

customer should make sure

Aligned with the response

arise is the escalation of issues

resolution

migrated

to

an

Conclusion
Cloud

offering

differ

depending of the time elapsed

substantially

since the issue was identified

providers. Care needs to be

and the categorization of the

taken in contracting and in the

issue. For critical issue if the

end there can be substantial

issue is not resolved within the

financial benefits in utilising a

contracted time frame then the

cloud service but the contract

issue may be escalated to

needs to cover the clients

higher management so as

needs.

between

Adrian McCullagh
ODMOB LAWYERS
Ajmccullagh57@gmail.com
Mob: 0401 646 486
SKYPE: admac57

PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue
then they should seek appropriate legal advice. The author makes no warranty as to
correctness of anything contained in this paper. This paper is the sole opinion of the
author and must not be relied upon as legal advice. Every situation is different and as
such proper analysis must be undertaken when seeking a legal opinion.
Consequently, the author takes no responsibility for any errors that may exist in this
paper and certainly takes no responsibility if any reader takes any actions based on
what is (expressly or by implication) contained in this paper. All readers take full
responsibility for anything they may do in reliance of anything contained in this paper.
3|Page