Editor: There has been a continuing increase in interest in cloud computing since we talked with you in February .
Thimot: Given the significant benefits of using cloud-based software applications versus buying, installing and maintaining on-premise software applications, I am not surprised at the amount of interest or coverage. What is surprising is that a significant amount of the media coverage of cloud computing treats it as a homogenous concept, when nothing could be further from the truth.
Editor: Please explain.
Thimot: First, there is no such thing as "the cloud" other than as a high-level metaphor for the Internet. Here is a definition of "cloud computing" from the National Institute of Standards and Technology, or NIST as many know it, that provides a useful framework for discussion: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." The full NIST definition is available here: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
One of the issues I perceive is that there are many different types of clouds for many different purposes. The most well known and well used are for consumers: online banking, Internet retailing and online airline reservations, to name a few. These types of applications are typically very different from cloud-based business applications or services consumed directly by businesses.
Businesses need different types of cloud services, which typically fall into three service models: Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud Infrastructure as a Service (IaaS). Each of these three service models has a different value proposition to the business user, who is often IT, as opposed to Legal.
When it comes to cloud-based eDiscovery and litigation support, we are really talking about delivering a software application and services via the Internet such as on-demand preservation, review, analysis and production, to both legal and IT users. This is commonly known as Software as a Service, or SaaS. However, depending upon the service provider, the actual data center supporting the cloud-based eDiscovery software delivery may be an enterprise-class one with disaster recovery that is better than your own data center or it may be a "data closet" down the hall from the water cooler. One size does not fit all, and understanding the next level of detail of what issues are relevant to your situation is the next important step.
Editor: There have been some recent high-profile cases in the news about cloud computing. How do they relate to eDiscovery or do they?
Thimot: There have been a few newsworthy cloud computing reports recently, but one in particular, Eli Lilly and AWS, while not about eDiscovery, provides some instructive lessons in what to look for when considering or negotiating with a cloud provider.
According to Jo Maitland, executive editor for SearchCloudComputing.com, pharmaceutical giant Eli Lilly has pulled back from AWS due to an inability to come to terms on legal liability and indemnity issues. Essentially, according to SearchCloudComputing. com, Amazon was unwilling to negotiate terms beyond its standard take-it-or-leave-it contract language for AWS. Christine Van Marter, corporate communications advisor at Eli Lilly, confirmed this report in a blog posting by Jo Maitland on August 3 of this year.
Eli Lilly had already been using Amazon's cloud for processing and number crunching on small research products - this would be Cloud Platform as a Service (PaaS) or Cloud Infrastructure as a Service (IaaS) - and had apparently been looking to increase usage with larger and more sensitive projects. But for Eli Lilly, these projects and associated data are too sensitive for the standard contract agreement. According to SearchCloudComputing.com, Amazon was unwilling to budge.
The standard Amazon Web Services Customer Agreement clearly states:
We and our licensors do not warrant that the service offerings will function as described, will be uninterrupted or error free, or free of harmful components, or that the data you store within the service offerings will be secure or not otherwise lost or damaged.
This language offers no shared accountability or partial recompense for failures and data breaches. In fact, this language seemingly takes no responsibility at all. Of course any number of occurrences (i.e., hacking, natural disaster, power outage) may cause an Internet outage that would disrupt service and be well outside of Amazon's power to control, but this language seemingly does not take into consideration matters that are, in fact, within Amazon's control.
How does this relate to eDiscovery? What is needed here is real assurance in the form of service level agreements (SLAs) backed by limits of liability. The more mature purpose-built cloud applications already provide SLAs for a Recovery Point Objective (RPO), Recovery Time Objective (RTO), Disaster Recovery and more. More importantly, the SLA is a means of redress if those SLAs are not met. All cloud providers are not created equal. Net, net, caveat emptor.
Editor: Does this mean eDiscovery cannot benefit from the cloud?
Thimot: Not at all! Consider why Eli Lilly chose to use cloud-based services in the first place. Eli Lilly's Dave Powers told InformationWeek in 2009, "The deployment time is really what impressed us. It's just shy of instantaneous." According to Powers, server deployment went from 7 weeks to 3 minutes.
The primary benefits of using cloud computing versus deploying on-premise software include:
Scalability - Servers, disk space and users can be added or removed elastically.
Cost efficiency - Cloud applications and services transfer the cost and support of the hardware and software to the provider, who passes economy of scale savings back to users.
Collaboration - Cloud services are available everywhere the Internet is available with no modifications required to your corporate or law firm network infrastructure.
For eDiscovery the value of these three benefits becomes even more apparent:
Scalability - Litigation is unpredictable. Cases, users and data storage ramp up rapidly and can contract just as quickly, with little warning. IT departments are constantly at odds to provision, deploy and retire resources to support eDiscovery's unpredictable requirements. Real cloud-based eDiscovery providers can absorb expansion and contraction elastically, without leaving expensive hardware purchases on your accounting books.
Cost efficiency - For the Fortune 500, litigation costs have grown to an estimated one-third of profits, according to an eLawForum study. In any economy saving money is everyone's job, including the general counsel's office. Reducing eDiscovery costs is a big trend for 2010, and technology is one of the key enablers. Moving the large capital expenditures, IT and administrative costs off the ledger frees significant budget. Additionally, the "pay as you go" model of SaaS and cloud computing offers predictability where there often is none.
Collaboration - To paraphrase the old cliché, it takes a village to manage eDiscovery. From collections by IT to early case analysis and preparations for production by outside counsel, collaboration among all parties is key. And the collaborators need access from a multitude of locations, some inside the corporation's network and some outside. Cloud services and applications by their nature are ubiquitous and can promise secure access to authorized parties anywhere.
Editor: You talked about Amazon with us before when you discussed what the differences between Public and Private Clouds means for eDiscovery.
Thimot: Public clouds like Amazon EC2, AWS and Google Apps use shared hardware, software and applications, and are very effective when used for consumer applications or business applications that do not have the same security and access control requirements or the level of legal and regulatory scrutiny as eDiscovery.
In contrast, private clouds, whether deployed by a company behind the firewall (aka "internal cloud") or deployed by a provider, use hardware, software and applications dedicated to subscribing users and geared toward specific tasks.
One of the potential issues of using a public cloud for eDiscovery is the physical location of your data. Public clouds typically use virtualization technology, meaning that your data may be located on a physical server in another state or country, which in turn can introduce unexpected liabilities of differing or more stringent regulatory or privacy laws. For a trade secret case the data may even call into question national security regulations regarding the transmission of data offshore. And when it comes time to retire a case, certification of data destruction can be pivotal. For legal reasons, clearly the location of the data is important.
And the apparent lack of appetite of public cloud providers to offer SLAs can be troubling for those looking to use the cloud for eDiscovery.
Editor: What more is needed?
Thimot: There remains a requirement for better standards around cloud computing, and several organizations are beginning to address this need. CaseCentral is a member of the Cloud Security Alliance, an organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and providing education on the uses of Cloud Computing to help secure all other forms of computing. The Alliance has just released the Certification of Cloud Security Knowledge (CCSK) to ensure a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.
Across the pond, the European Union's response to security, the European Network and Information Security Agency (ENISA), released the Cloud Computing Information Assurance Framework, a guide to assessing the risk of adopting cloud services and a framework for evaluating cloud providers.
Similarly CaseCentral has released the Blueprint for Cloud-Based eDiscovery . This blueprint provides corporations and law firms with an evaluation framework for eDiscovery security, privacy, control, risk and cost practices when considering cloud-services and applications specifically for eDiscovery.
Companies and law firms looking to benefit from the cloud for eDiscovery have the great advantage of several proven, purpose-built solutions already on the market. The more mature of these eDiscovery cloud application providers have years of experience with small and large clients and what it takes to deliver an enterprise-class, secure software application and service.
Published August 30, 2010.
