Choices when choosing cloud services
Nowadays it is possible to do everything in the cloud; you just need a computer with an internet connection. All you have to do is log in and all the heavy computing is done in the cloud. Once you enter the world of cloud services you will come across a number of different types of services with catchy names like IaaS, PaaS and SaaS. These types are like different animals and they all have their own advantages and disadvantages. In this article I will discuss the differences between on-premise, IaaS, PaaS and SaaS and then explain the legal implications.
A general advantage of as a Service (aaS) products is that you don't have to buy and manage the servers yourself. This allows you to install more capacity much faster and you don't need to reserve extra physical space to put servers down. On the other hand, for all aaS services you are dependent on both the provider of the service and a stable internet connection. This may not be a problem for some businesses but can be unacceptable for others.
Software as a Service (SaaS)
The first type is the SaaS. A SaaS is like a goldfish: as long as you keep paying, the service keeps working. You only have to do the minimum amount of maintenance and you don't have to fix most problems yourself. An example of a SaaS is Google Drive. You can store your files in it, but only as Google sees fit.
The advantage of a SaaS solution is that as a user you are not responsible for keeping the product running. The provider takes care of the security, the servers and the maintenance. This makes a SaaS solution the most accessible type of aaS of the three.
The advantage of the SaaS can also be a weakness. As a user, you have (almost) no ability to add new features and also little control over how the service works behind the scenes. For example, as a user it is not possible to force Google to store your files within the EU.
Platform as a Service (PaaS)
A PaaS is more open than a SaaS. You can compare a PaaS to a dog: you have work to do on it. With a PaaS you get space on which you can run other programs. An example of this is a remote desktop. You can run all sorts of programs on it, but the provider determines which operating system is installed and when updates are performed.
With a PaaS, you as a user have more control. You can install and develop programs yourself and add new functionality as a result. The provider still takes care of the fundamental security of the servers and the operating system and also ensures that the necessary updates are carried out.
The disadvantage of the PaaS is that as a user you get more responsibility. You have to be sure that all the programs you install are secure and that you don't make mistakes when developing new programs.
Infrastructure as a Service (IaaS)
An IaaS offers the most freedom you can have without owning servers. It's like having a litter of puppies: you get to, and have to, raise them yourself. You can choose your own operating system, how you set everything up, what programs you use and what happens. Amazon Web Services (AWS) is an example of this.
The advantage of an IaaS is that you have the benefits of controlling servers without having to buy or maintain them yourself. You get an empty shell that you can set up yourself and if you need to, you can make 100 copies of it in minutes.
The disadvantage of an IaaS is that it requires more knowledge and skill. This is because you are responsible for everything except the physical server and the internet connection. So for this you need to know how to keep your operating system secure, how to make sure all the programs are set up and more.
If you want to take care of everything yourself then you can purchase the software and run it on your own servers. This is a household with three children, but without a school or day-care. You have to do everything yourself and are responsible for everything. On the other hand, you are in control and therefore have the freedom to set everything up the way you want. This is what Google, Amazon and Microsoft do. They only use their own servers.
The table at the top of this article provides an overview of which party is responsible for what. Basically, as a customer, you should be able to expect that the part which the service provider takes care of will work properly. If not, then your service provider should be liable for the downtime within the contractual limits. For example, AWS is supposed to be available 24 hours a day. Amazon guarantees that AWS is available 99.99% of the time. That means AWS can have 0.144 minutes of downtime every day. If the downtime is more than this, Amazon will give clients back some of their spent credits.
The two big choices to make when deciding which aaS is for you are the amount of control you want as a user and the amount of responsibility.
The more control you have (or want) over the service, the better you can control what happens. This can be important in relation to the GDPR and also if you perform services for others and have a duty of confidentiality. More control also means that you have more options and can therefore develop your own services. You will not be able to sell a SaaS you buy as a SaaS to others, but you can build your own SaaS on a PaaS. With an on-premise solution you have all the reins in your own hands.
If you accept more responsibility, with an IaaS and a PaaS or on-premise hosting, you can also make more mistakes. You cannot hold the provider liable for these mistakes, because their responsibility decreases. If data is deleted by a program you installed, you will have to solve that yourself and your provider will not be able to do much about it. If you host on-premise, then you also have all the responsibility for all physical problems like internet connection and maintenance of servers.
In terms of data protection, the type of aaS makes a difference when assessing whether the service provider is a processor or a data controller. The person who determines how personal data is processed is almost always one of the data controllers, so with SaaS it may well be that the service provider and the customer are joint data controllers. In all other solutions, the service provider has no say in how personal data is processed and so here the customer will be the data controller and the service provider a processor.
The different aaS forms each have their advantages and disadvantages, also legally. How much responsibility and risk are you willing to accept? Does this fit with the corporate/professional liability insurance you have?
questions on this subject, please contact Jos van der Wijst (firstname.lastname@example.org).
Robin Verhoef and Jos van der Wijst.