DECIDE is a project funded under the EU’s Horizon 2020 programme that will stimulate the creation and deployment of multi-cloud native applications through the use of the DECIDE tools. Multi-cloud native applications are applications designed so that they can distribute their constituent components over heterogeneous cloud resources, sometimes provided by different cloud service providers (hereafter: CSPs), while still holding all the functional, business and non-functional properties declared in their Service Level Agreements (hereafter: SLA).
Examples are given in what follows. time.lex’s role in DECIDE consists of providing legal assistance throughout the implementation of the project, focussing i.a. on aspects of applicable law, data protection and contractual implications of a multi-cloud structure.
In this blog post, time.lex will present the DECIDE project, the benefits of the multi-cloud approach it utilises, and point out some of the legal challenges involved.
DECIDE stands for “DevOps for trusted, portable and interoperable Multi-Cloud applications towards the Digital Single Market” and is a project funded under the EU’s Horizon 2020 programme. Within DECIDE, multi-cloud refers to the use of different cloud resources at multiple cloud layers (e.g. IaaS or PaaS) or cloud nodes in order to run a single application.
An example identified within the project of an application suited for such a multi-cloud approach would be online games with high demands in terms of computing power. In order to deal with usage peaks and prevent failure, the provider of the game could use the DECIDE tools to run as many redundant game servers across different cloud platforms as necessary. This also reduces the dependency of the game provider on any one CSP. Consequently, issues with one CSP do not lead to the game being unavailable.
Another example would be an application processing medical data in a multi-country scenario. Say that the application developer is from country X and wants to run the application on servers from a certain CSP in country Z, but the application contains health data from data subjects from countries X, Y and Z. Also assume that legislation in countries X and Y requires that health data is stored locally, within the borders of their own territory. The multi-cloud approach proposed by DECIDE would allow the application developer to store the health data relating to data subjects from countries X and Y locally in the respective countries, while still deploying the remainder of the application in country Z, through the use of different cloud resources provided by different CSPs.
In essence, the DECIDE project aims to provide a new multi-cloud service-based software framework for the design, development and dynamic (re-)deployment of such multi-cloud aware applications. But DECIDE aims to do more. Once such an application has been designed, the developer or user of that application will need to choose which cloud resources to use in order to launch the application. Moreover, if after the launch certain cloud resources do not provide the optimal result, the user has to have the option to re-launch, using different cloud resources, probably from different CSPs. In order to facilitate this, DECIDE will create a tool that shows a broad offer (not only from the most well-known CSPs) of the reliable, interoperable, and legally compliant cloud services available and stimulates discovery, negotiation and use.
In order to reach all the foregoing objectives, DECIDE will make several tools available. First, DECIDE will provide a set of architectural patterns and the needed tools to develop and operate applications, following the DevOps approach, which are suited for multi-cloud.
DECIDE will also have a tool to discover and assess cloud services for deployment in a multi-cloud aware application, facilitating the final decision to use a certain combination of cloud services.
There will also be a deployment simulation tool, showing the operation of the application in question with the chosen heterogeneous cloud resources, and a continuous deployment supporting tool, used for (semi-)automatically re-deploying certain applications, i.e. adapting the combination of cloud resources used to run the application, based on issues with one of the resources, and selecting the new optimal combination of cloud resources.
time.lex is working on this project as a legal partner to a consortium of partners with technical expertise in cloud solutions, ICT and project management.
The reason for adopting a multi-cloud approach is that the digital transformation mandates a more flexible IT infrastructure. While the cloud as such partially addresses this need, it also typically creates a great dependency on external partners, and often on (a) specific partner(s), which may lead to vendor lock-in.
Moreover, using a heterogeneous structure of various cloud offerings might lead to increased efficiency in terms of reliability, profitability and costs, sharing of cloud risk amongst different cloud service providers, performance, security and legal or even ecological aspects, depending on the specific needs of the application and the cloud user.
A good example of a legal benefit of the multi-cloud approach relates to data location. In certain situations, national rules will restrict the movement and determine the location of (personal) data. This is very important in the health sector, given that personal data relating to health is subject to specific rules on data location in many countries. As already touched upon earlier, multi-cloud makes it possible in principle to store this information locally through appropriate cloud resources for the data affected by the legislation, while running other parts of the application in question in another country. Of course, data protection legislation has to be complied with in a multi-cloud context as well. Therefore, cross-border processing of personal information such as that described above has to comply with the relevant rules in force.
The applications that would benefit the most from a multi-cloud approach are those that are critical to the business in question and that need to respond efficiently to the user’s needs in terms of performance, reliability and security, as well as complex applications whose components need to be distributed over different cloud providers due to their specific needs and requirements. Examples include network management in multi-country scenarios with differentiated cloud layers, online videogames, the online services of Public Administrations, and online travel or ticket agencies’ applications.
Throughout the project, time.lex will be addressing all legal challenges that pop up relating to DECIDE’s multi-cloud approach. However, even at this initial stage of the project, some issues can be identified.
First of all, multi-cloud will suffer from many of the same legal pains as cloud computing in general does. Legal issues in the cloud are common and may relate, i.a., to security, data protection, interoperability, jurisdiction, applicable law, ownership of data, control and accountability, etc. Given the absence of any specific legislation on the issue, many of these issues remain unresolved. Cloud computing also faces some contractual challenges, relating e.g. to a lack of uniform terminology or borderline abusive standard clauses for customers without considerable bargaining power.
Issues relating to security, data protection, interoperability, jurisdiction, applicable law, ownership of data, control and accountability, etc. plague the multi-cloud approach as well, potentially even more given that the multi-cloud approach has to deal with an additional layer of complexity, namely the multiplicity of different cloud resources used for running a single application, often provided by different cloud service providers.
Moreover, the multi-cloud deployment method raises the question of how to deal with the different SLAs involved and their enforcement. In essence, SLAs are combined into a composite SLA on the application level, which has to fit the requirements and preferences of the user.
Another question in the DECIDE approach is to what extent it is possible to automate the conclusion and termination of contracts, in order to enable smooth (semi-)automatic redeployment of certain cloud resources through the DECIDE tools. Some of the major cloud service providers have a call-off type of offering, which invites any interested party to purchase their services in a very flexible manner. Up-scaling and downscaling, contract conclusion and termination are very easy. You need as little as a credit card to get started. However, many of the cloud offerings which could greatly enrich the multi-cloud approach are provided by smaller cloud service providers, which often work in a less automated manner. The multi-cloud approach in DECIDE has to take this into account as well.
The DECIDE project is aimed at making the benefits of multi-cloud accessible to a variety of users, through the creation of easy to use and affordable software tools that enable users to discover, assess and choose cloud resources, simulate the envisioned solution on application level, and continuously deploy, adapt and re-deploy their application using the DECIDE multi-cloud solution.
Legal challenges for cloud computing in general are numerous, and multi-cloud presents an additional layer of complexity that does not simplify matters. Nonetheless, time.lex is confident that it will be able to successfully address all legal challenges, together with the consortium of partners involved in the DECIDE project.
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 731533. Read more: http://www.decide-h2020.eu/