No single person has done more to bring the cloud down to earth than Tom Robertson. That’s because Tom is Microsoft Corporation’s leading regulatory expert on cloud computing. As Vice President and Deputy General Counsel of Microsoft Corporation in Redmond, Washington, Tom leads a legal team the size of a small law firm.
His team is in three-way discussions with governments and corporations around the globe (including Japan’s) to ensure that hundreds of millions of Microsoft customers successfully move their IT infrastructure to the cloud. It’s a challenging job made even tougher by the release by Edward J. Snowden of classified NSA documents (see recent FT article).
Beacon Reports spoke to Tom to find out the nature of those discussions, to learn what issues enterprise customers face and to determine what impact the ‘Snowden effect’ might have.
As background, Microsoft has experienced near exponential growth in its cloud business. The reason is that the cloud model is convenient and cost-efficient.
Under the cloud-based model, customers outsource their IT hardware, software, maintenance and support to Microsoft. Customer data sits remotely within Microsoft’s data centers, where it is processed and accessed by means of the Internet. Microsoft owns all the technology, charging customers a usage fee.
Tom began by describing what questions enterprise customers need to ask themselves when deciding to take the leap into cloud:
Customers first need to ask themselves, “Will the cloud service provide our company with the functionality and capacity we need to do our work?” That is, “Does the cloud service offer the required feature set and the breadth of applications and does it tie into services that we already use?”
Take a product like Word or Outlook, which a company may have been using for decades. For them, the transition from on-premises to cloud-based functionality could be seamless. Or it could be difficult because they use third-party applications, or applications they have developed themselves, that may not be available in the cloud. Firms have to assess what level of productivity experience they need and compare that to what is achievable in the cloud.
The second question they need to ask themselves is, “What is the total cost of ownership of a cloud-based experience versus an on-premises experience? Can our company get it for a sensible price?” This is important because the on-premises experience involves the firm buying the servers and the technology needed to keep the enterprise’s computing infrastructure up and running. They’re employing people who can do or will do that for them.
When firms move to the cloud, many of those infrastructure costs disappear. They may pay a bit more on a per user basis, but typically total cost of ownership is lower over time. People need to understand what those numbers look like.
Another question to ask is, “Does the entire organization need to move to the cloud or can it move in part?” For many organizations, going whole-hog up into the cloud makes good sense because there are not many differences between user groups within the firm. For other organizations, it may make less sense. These firms may want to have a hybrid environment for some time.
If customers go the whole-hog route, they have to think about, “What does migration look like and what steps does the firm need to take to transfer functionality to the cloud?”
In a hybrid environment, customers still have that first issue of migration to deal with, but they also have the ongoing issue of management of that hybrid environment. Some companies can afford to do that while others can’t. Customers need to be aware and well-informed of these kinds of decisions they will have to make.
It is important that firms take a step back and reflect on the next question: “How does the world change when one moves from on-premises to the cloud?” In an on-premises world, vendors provide customers functionality in the form of software programs and related support services. Information technology administrators spin them up and load them onto the computers within their own corporate data centers. It’s their responsibility to maintain the system and to make sure that it’s all working properly in light of the needs of the business.
The needs of the business will vary depending on the kind of business of the customer. The regulatory obligations of a bicycle repair shop, for example, are quite light. Those of a financial institution, on the other hand, are substantial.
The financial institution needs to ensure that its own systems comply with the regulations. It needs to ensure that financial regulators have the ability to audit those systems to ensure that they’re actually doing what they’re supposed to be doing.
When an enterprise moves to the cloud, those obligations remain. They’re still the customer’s obligations. The difference is there is a partnership between the enterprise and its cloud service provider. Firms, therefore, need to make sure that the provider can help meet their obligations because compliance is no longer entirely within their control. They’ve ceded control to the cloud service provider.
To address those issues, firms might look for certifications, such as ISO 27001, as an indicator that their cloud service provider meets compliance requirements. Firms might choose to use model clauses in vendor contracts, as they have in Europe. (Model clauses are standard provisions included in agreements between the cloud service provider and the enterprise customer.) Or, they might impose a whole host of other requirements.
As a first step, firms need to look at how they are currently handling certification and compliance issues. Then they need to talk to potential cloud vendors to see what steps vendors can take to ensure that their own certification and compliance obligations are met. In heavily regulated industries such as financial services, that may mean the institution and the cloud service provider both need to talk with the regulator to make sure the regulator is comfortable with the approach the partnership will take.
Microsoft is part of these discussions. It’s a three-way dialogue. Firms and regulators ask for things such as information and access that we need to understand before we can agree to it. They need to understand what we have available and our general approach so they can suitably define what they need.
Everybody is learning as we move forward into this space.
The cloud service providers are continually spinning up new services. They are constantly evolving to improve their functionality and the way in which they approach compliance issues. They learn as they evolve.
Customers are just going through this for the first time. They’re trying to understand what it means in practice to take the step into the cloud. It’s not always clear to them.
The regulators are learning too. Now that regulators have regulated entities that want to adopt cloud computing, regulators are asking themselves, “What does that mean in terms of our own responsibility to ensure compliance?” Then there are the legislators, the folks who are developing regulations. They are also grappling with the evolutionary change in the marketplace.
The top to bottom evolutionary nature of this transition requires a robust dialogue between the cloud provider, the customer, the regulator and the legislator. Everyone must understand how the transition is taking place and the various roles and responsibilities of the different participants. Having that dialogue now is important and will continue to be important over the coming years as we sort through the transition.
An example is the discussions taking place with a European bank. The bank sees the value in going to the cloud with Microsoft. But it needs to ensure that its regulator feels comfortable with the approach that we’ve taken. That means the regulator must feel comfortable with both the approach and its ability to audit that approach over time. That’s an instance where we all need to adapt: We talked to the bank. We talked to the regulator. The bank talked to the regulator. Then we all got together and asked ourselves, “OK, here’s how we’re going to approach it. Is this an approach that everyone feels comfortable with in terms of the sharing of the information, how the system works, and the audit rights of the regulator?” After some discussion, and it took a while, we were able to get everyone on the same page and ensure that the regulators felt comfortable that the banks could meet their obligations.
Next, customers always think about privacy and security of their data. Privacy is about, “What are you doing with my data that I provide you with, or that you collect, that is related to me, my employees or my customers?” Security is about, “How are you protecting that data from inadvertent breach or third-party access?”
As relates to the issue of privacy, there is a fairly well-developed set of privacy rules in jurisdictions around the world. These are continually being developed over time. Take, for instance, Europe’s Data Privacy Directive of 1995, which has set the definitive rules in Europe on privacy. The directive has been independently implemented within Europe by each member state. The implementations vary slightly. Brussels is now considering, and I think they will adopt within the next couple of years, a regulation that will have the force of primary law across the EU. We don’t know where it’s going to end up, but it will certainly change the rules related to privacy in Europe.
The issue of security is similar to that of privacy, where rules are a patchwork around the world. The rules in Japan are different from the rules in Korea, China, Australia, the US, Canada or in any given European Union member state.
That’s an issue for cloud service providers that have servers in more than one country. It’s equally an issue for multinational corporations because they need to make sure that they’re living up to the rules in all the jurisdictions in which they do business.
I think over time on both the issues of privacy and security we will begin to see norms developing around the world. But it could take decades before we see convergence on approaches. Right now, the rules can be quite different from country to country.
Governments are also taking different approaches when enforcing the obligations that they impose on cloud service providers. If I am a legislator or regulator in any given country, I want to make sure that I am protecting the interests of my companies and citizens. This raises the question, given the nature of data, “How do I do that in this cyber world where there are no borders?” For example, the data and functionality of a company offering a global service may never reside for more than a nanosecond in the computer systems in a particular country. How, then, does a government ensure that it can enforce its laws and regulations?
The initial reaction of some nations has been to require that all the data and functionality reside on servers within the physical boundaries of their own country. Regulators then know there is somebody within their jurisdiction to address any concerns they might have.
Other countries, like those within the European Union, have said, “We know there are going to be cross-border data flows, so we need mechanisms to assure that our citizens will be protected and that we will have some ability to regulate and enforce in this space.” They’re now using things like model clauses. That way the enterprise customer has explicit commitments from its cloud service provider as to how data will be managed and how privacy and security will be addressed in a manner that can be enforced in court.
Asked by Beacon Reports if corporations and governments across the world were rethinking their move to cloud in light of the alleged security breaches instigated by the NSA, Tom said, “It is too early to say what the overall impact will be on the willingness of customers to embrace cloud computing. But it is clear that customers have questions and that the disclosures have the potential to significantly undermine trust in the cloud. People won’t use technology they don’t trust.” He added, “We have very clear principles that govern how Microsoft responds to legal demands from governments. Beyond this we’ve also announced a number of measures including expanded use of encryption to increase the privacy and security of our customer data. And we’ve joined with others across the industry in outlining clear principles for reform of government practices.”