What Legal Needs to Know About IT’s Move to the Cloud
Discovery Digest – Q3 2012
In December 2010, the federal government began mandating how and when agencies must move more data and services to virtual environments. While this presents many challenges for agency attorneys, it also puts tremendous pressure on their counterparts in the IT department. In order to stay ahead of emerging issues with cloud-based computing, here’s what every in-house attorney involved with eDiscovery needs to understand about the implications for IT.
The new paradigm
Starting with a memo in December 2010, the U.S. CIO laid out an ambitious agenda to start developing a “cloud first policy,” which, according to the government, “mandates that agencies increase the use of available cloud and shared services.” (see appendix, “Homework for In-House Counsel”).
Since then, a series of communications has made it clear that the federal government takes this initiative very seriously. IT and legal won’t be able to ignore it and hope it goes away. While individual agency CIOs may have concerns about how the new initiatives will work in their particular agencies, the federal government has continued to add more details and specifics about the move to the cloud, including timelines for the completion of projects.
Along with the logistics of moving data, hardware and software to a virtual environment, agency IT departments are also being asked to rethink their missions. Instead of their traditional role of providing services, IT departments are being asked to think in terms of asset management. In effect, agency IT personnel are being asked to procure IT services as a commodity. Some IT personnel may find the idea of their work as “commodity” demeaning, which attorneys may be able to relate to. It also requires a complete change in mindset, from thinking about input metrics to focusing on output metrics. For example, under the cloud first policy, IT departments won’t be thinking about buying servers. Instead, they will focus on procuring service-level agreements for virtual storage.
The move to the cloud will also affect IT budgets and staffing. The federal government has announced that it expects $20 billion in IT costs to migrate to the cloud over the next few years, which could have a significant impact on headcount. This adds even more pressure on the IT department.
Security and cloud concepts
In order to grasp the uncertainties that IT departments face, along with the potential implications for discovery, attorneys need to understand some basic security and cloud concepts. In 2011, the National Institute of Standards and Technology (NIST) released “The NIST Definition of Cloud Computing,” which lays out the different service models for cloud-based environments.
According to NIST, there are three basic service models for cloud computing:
Software as a Service (SaaS)
“The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”
Platform as a Service (PaaS)
“The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming.”
Infrastructure as a Service (IaaS)
“The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”
With these different service models, agencies have different levels of control. They will have less control over SaaS than PaaS, but more control with the IaaS model than the PaaS model. Lawyers need to understand which type of service IT is considering, and how that will affect data and its accessibility during litigation.
Working with IT
In order to meet deadlines, some IT departments have had to move some services to the cloud before all the guidelines were finalized. Some backtracking may need to take place, now that the U.S. CIO has added more specifics to the plan. But if agency attorneys have not been meeting with IT to discuss the new mandates, they need to start immediately.
The new paradigm that is driving IT procurement affects eDiscovery on a massive scale, and agency attorneys must be involved with and vet service-level agreements, NDAs and other contracts, along with familiarizing themselves with IT’s procurement processes. Attorneys need to know what types of data will be moved to the cloud, when migrations will take place, who controls the data in the cloud, how litigation holds will be managed and how the agency can access the data, among other issues.
Technology adoption is rapid, and the government is now playing catch-up to the private sector. Traditionally, the federal government has been hindered in its ability to rapidly adopt new technology. This is changing, and that should ultimately be a good thing for taxpayers. However, in the short term, attorneys will need to expand their technical knowledge in order to work with the IT department and ensure that discovery can be conducted in a timely, cost-effective and defensible manner when data resides in the cloud and not on servers down the hall.
Homework for in-house counsel
No one likes homework, but agency attorneys will find it useful to take a few minutes to familiarize themselves with key documents the U.S. CIO has released regarding moving agencies to the cloud:
- December 2010—25 Point Implementation Plan to Reform Federal Information Technology Management
- February 2011—Federal Cloud Computing Strategy
- December 2011—Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)
- February 2012—Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service
As used in this document, “Deloitte” means Deloitte Financial Services LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
While the information in this article may deal with legal issues, it does not constitute legal advice. If you have specific questions related to information discussed in this article, you are encouraged to consult an attorney who can investigate the particular circumstances of your situation.