Cloud Computing for Lawyers: Understanding the Difference Between Private and Public Clouds
Not All Clouds Are Alike—Cloud Computing Architectures May Influence Lawyer Duties and Obligations
Cloud computing may pose challenges for the Pennsylvania legal community just as cloud computing poses challenges for any highly regulated profession. “Normal” businesses might be able to jump into cloud computing. For lawyers, however, cloud computing must be carefully analyzed within the context of a lawyers special, regulated duties—especially competence and confidentiality. General purpose cloud computing “solutions” might not recognize or understand the special challenges that lawyers face—and the lawyer, not the cloud computing vendor, pays the penalty for failing to fulfill the duties.
Since I have written before about cloud computing, I will dispense with definitions. See my articles at http://www.shannonbrownlaw.com/cms/?s=cloud for background information—especially Cloud Computing 101 for Lawyers, At Issue 8-9, 10 (Spring 2011) . Instead, this article emphasizes a less-obvious distinction between basic cloud computing architectures.
The Error of the Homogenous View of Cloud Computing
Cloud computing exists in three, general architectural types:
- public clouds,
- private clouds, and
- hybrid clouds.
Thus, one-size-fits-all rules for cloud computing, especially as related to the legal community, may inaccurately skew the ethical and business considerations related to cloud computing. Instead, appropriate rules for cloud computing properly distinguish between public and private clouds.
Public Cloud Computing
When most laypeople and lawyers mention cloud computing, the focus usually falls on public cloud computing. Think of public cloud computing as a building of office suites leased by each individual company. The building owner (lessor) is the cloud provider. The individual suite lessees are cloud users.
Similarly, in public cloud computing, cloud users share a common cloud computing resource. While each user has a slice or dedicated account in the cloud, the cloud is by definition shared with others. Multi-tenancy describes this form of cloud computing. The user typically has no ownership interest in the cloud application, the infrastructure (servers and network), the system policies, or the other common tenants of the cloud application. By inference, the user has little control over the location of the data, access to the data, or system backups.
Most of the popular cloud computing applications typically function in the public cloud model. DropBox, SpiderOak, Clio, Mozy, Office 365, Google Docs, RocketMatter, and SalesForce.com, to mention a few, all exhibit public cloud computing architectures. The public cloud quintessentially illustrates the purported (and heavily marketed) “benefits” of cloud computing:
- low cost of entry (usually only a monthly fee),
- universal accessibility (mobile access, office access, home access),
- minimal system maintenance requirements,
- “always upgraded” status (minimal upgrade requirements), and
- outsourced support needs.
The user simply uses the system—at least according to the marketing.
Private Cloud Computing
In contrast, think of private cloud computing as owning your own office building where you allocate office spaces to your staff, contractors, and business associates. Private clouds are usually deployed by a single organization and that organization controls the cloud application—rather than relying on a third party cloud provider. In both function and from the perspective of an end-user, a private cloud shares many of the purported advantages of the public cloud:
- universal accessibility (mobile access, office access, home access),
- minimal system maintenance requirements, and
- “always upgraded” status (minimal upgrade requirements).
But, unlike the public cloud, the owner has more control over upgrades, policies, access, backups, and deployment strategies. Granted, the private cloud owner also spends more on deployment, maintenance, and administration because these functions are likely in-house rather than shared (as is the case with public clouds). But, those “additional” expenditures are simply the price of maintaining control—and may cost less than one believes when one also considers the cost of loss of control.
Hybrid Cloud Computing
Frankly, so-called hybrid clouds defy simple definition. In essence, hybrid clouds combine parts of private clouds with parts of public clouds—thus creating a “hybrid” solution. In other words, part of the cloud might be hosted in a public cloud and part hosted in a private cloud—creating a multi-level deployment architecture. For example, a business might create a private cloud system running on top of a public cloud (PaaS or IaaS) provider (e.g., Amazon EC3 or RackSpace). I discussed some of the implications of “layered clouds” and “sub-clouding” before—see my article entitled Layered Cloud Basics for Lawyers: Awareness of Cascading Issues from Sub-clouding for a basic overview of multi-layer cloud implementations.
Why Is Distinguishing Cloud Architectures Necessary for Lawyers?
When evaluating cloud computing providers, whether for firm use or arising in a legal matter, the architecture may provide important insights into the lawyer’s duties and obligations. For example, a Pennsylvania lawyer might need to take reasonable action to assure that client information is not “lost” in the cloud. If a public cloud, the lawyer might need to get reasonable assurances from the cloud provider regarding backups and supervise compliance. But, if a private cloud owned by the lawyer’s firm is involved, the lawyer might need to internally investigate and internally supervise the backup process. Thus, the type of architecture may inform the lawyer on:
- who to ask about cloud-related issues,
- who the lawyer must supervise,
- where data resides,
- how the integrity of the data is maintained,
- what types of assurances are necessary (and remedies for non-compliance).
For pure public or pure private clouds, the modes of inquiry are fairly straight-forward. But, as I have written before, if a hybrid cloud is involved, the issues may become far more complex as the lawyer might need to investigate layered clouds and sub-clouding issues.
A private cloud may provide far more control over the data, administration, access, and deployment.The additional control comes at a price because the private cloud does not benefit from the shared cost structure of a public cloud. Cost alone should not obviate private deployments since cloud computing is about more than just perceived “cost savings.” For example, mobile access and collaboration benefits of cloud deployments are increasingly a compelling selling point for private clouds (although, similar benefits have long been available via VPNs).
The public cloud seems ideal especially to smaller law firms or solos—promising reduced costs of ownership, ready access, and low or no maintenance headaches. But, the public cloud comes at its own price—loss of control, critical dependence on a third party (probably non-lawyers), and shared security models. When using the public cloud, the duties of COMPETENT inquiry by a lawyer are perhaps “heightened” because of the inherent disclosures to a third party (the cloud provider) and because of the nature of the information disclosed (potentially client property and client confidential information). Competent inquiry might include not only being able to completely and knowledgeably assess responses from the provider but knowing what questions to ask in the first place.
While the issues are similar between private and public clouds, knowing the difference might help a Pennsylvania lawyer to properly inquire about a cloud solution and understand that not all clouds are the same.
Original Publication: 29 August 2011