Layered Cloud Basics: Awareness of Cascading Issues from Sub-clouding

Layered Clouds for Lawyers: Cascading Issues May Arise When Your Cloud Provider Sources (Sub-clouds) from Another Cloud Provider

As cloud computing continues to pose new challenges for the legal community, an additional complexity, potentially missed by many lawyers, may arise when Cloud Provider A sources (or sub-clouds) services from another cloud provider—Cloud Provider B. Issues with Cloud Provider B may cascade upwards and affect Cloud Provider A (and Cloud Provider A’s subscribers).

Understanding Cloud Computing Types: IaaS, PaaS, STaaS, and SaaS

As I have written before, one must understand the basic types of cloud services. Briefly, Storage-as-a-Service (STaaS) and Software-as-a-Service (SaaS) are high level clouds. Think of these services as complete applications, already assembled, and requiring minimal (if any) configuration. In contrast, Infrastructure-as-a-Service (IaaS) is a low level cloud and usually confined to physical hardware (servers, routers, storage) and internet connectivity. Think of IaaS like a photocopier rental–you get basic hardware, some management/service, but not much else. In between STaaS/SaaS and IaaS, Platform-as-a-Service (PaaS) usually incorporates infrastructure and a set of application development tools (APIs, modules, or software components) that the end-user configures (or more likely has a software development team configure) for the end-user’s specific needs. Think of PaaS as the Tinker Toys (R) approach or as a application kit that you must assemble to meet your needs.

Thus, cloud services in order (from an end-user perspective) from most complete to least complete:

  1. SaaS/STaaS
  2. PaaS, and
  3. IaaS.

Understanding Cloud Layers and Sub-clouding

In the simplest cases, an entity subscribes to a cloud service of some type where the provider controls and provides all the basic services to the cloud subscriber. A one-to-one relationship exists between the subscriber and provider. Most people assume that all cloud models operate in this manner.

In more complex cases, however, the cloud provider may sub-cloud (sub-lease or sub-contract) services lower on the ladder from another cloud provider. For example, Lawyer Linda contracts with SaaS cloud provider (fictitious name) for basic word processing services. Linda contracts with Sassy. But, unknown or not evident to Linda, the SasssySoftwareStuff offering is actually built on tools provided by PaaS provider PaassablePlatform. SaassySoftwareStuff is thus a layered cloud. The top layer is the software that Linda receives. Saassy has a contract with with PaassablePlatform to use Paassable’s software components to build the Saassy application. But, unless Linda carefully inquires or carefully reviews the click-through agreement, Linda may be unaware of the Saassy-Paassable relationship.

The issue can get even more complex. Paassable may sub-cloud its servers and infrastructure from IaaS cloud provider IAMIaaS. This creates yet another layer and again, Linda may be unaware of the Paassable-IAMIaaS relationship (and risk).

In summary,from Linda’s perspective, there may be two or three cloud layers:

  1. SaassySoftware,
  2. PaassablePlatform, and
  3. IAMIaaS.

As lawyers learned in basic contracts class, a potential privity and enforceability issue may arise here.

Cascading in Cloud Computing

Cascading in cloud computing arises when one day Linda cannot login to her SaassySoftware application. She soon learns (how she learns is its own topic) that Saassy is experiencing “issues” and is offline. Linda learns from online stories news stories that an IaaS (she has no reason to connect the events at this point) faced problems with a network upgrade. The IaaS named was IAMIaaS.

As Linda soon finds out, her network problem with Saassy directly derives from the IAMIaaS issue. Because IAMIaaS failed, the problem cascades to include Saassy and thus Linda.

For lawyers, the issue (at least in part) is one of remedies and recourse. The cascading in cloud computing creates potential recourse issues due to the layered clouds and sub-clouding by the cloud providers. The open question: does Linda have recourse against IAMIaaS?

Amazon EC2 Example

In April 2011, Amazon EC2 (a PaaS) experienced a notable network outage due to a network upgrade malfunction and subsequent malfunctions during attempt to correct the first malfunction. For this discussion, the salient issue was the upstream effects of the Amazon EC2 outage. Reddit and foursquare (social media services but the example applies to cloud computing as well) users experienced significant outages because those services apparently use Amazon EC2 as a PaaS.[FN1] Few end-users probably even heard of Amazon EC2 prior to the outage. According to the official Amazon EC2 report on the incident, the remedies available to the PaaS subscribers (remedies for end users affected obviously are not discussed) were limited to future credits for Amazon EC2 services.

Conclusion: Really Know Your Cloud Provider

Layered clouds and the cascading issues directly stemming from layered cloud computing loom on the near horizon. As the incidence of end-user (subscriber) adoption of cloud computing increases, so will the incidence of layered cloud conflicts. Lawyers, thus, should carefully assess not only the cloud provider’s services but should also carefully inquire into sub-clouding (sub-contracting or sub-leasing) issues. As indicated above, sub-clouding may not be readily apparent but may significantly limit remedies. Thus, a lawyer really needs to know the cloud provider.


FN1—Tony Bradley, Amazon EC2 Outage Shows Risks of Cloud, PC World (Apr. 25, 2011),

Original Publication

28 June 2011
06 July 2011-Title Revision