With the major standards bodies working out identity management and security and portability in the cloud, the industry has turned its attention to another matter: cloud computing law and order -- in particular, the lack of jurisprudence as to who pays for what when an outage occurs.
"Providers can build the best clouds out there, with high availability, performance and price; but every cloud provider goes down," said Drue Reeves, director of research at Burton Group in Midvale, Utah. "When that happens, who owns the liability? The consumer, the provider? We don't have enough jurisprudence to decide who pays for that." Public clouds service the mass market with standard service-level agreements (SLA) rather than individual agreements. Most of them will pay for time lost during a service interruption, but not for valuable business lost, he said.
And with the rapid adoption of cloud services, there's not much incentive for public cloud providers to change their business models, according to Reeves. "Cloud vendors are happy with their offerings," he said. "They need to be pushed by the market to offer more enterprise capability." And with no cloud computing law to speak of, contract negotiations are the order of the day for CIOs.
When -- not if -- the cloud goes down
As an independent consultant in Chicago, Raymond Gloor has been a vocal prophet about uptime in the cloud. "Everyone is betting heavily that the Internet will always be available," he said. "Client connections are very problematic. Most will fail at some time or another." Yet, is that the provider's fault?
On a recent cloud webcast with Verizon Communications Inc., Gloor asked what a client could do to ensure that cloud connectivity was maintained, he says. "The vendor said, 'We have had 100% uptime for seven years.' Wow," Gloor said. "The obvious next question is what does [the vendor] mean by uptime?"
Any remote server is going to have latency, Gloor explained; the online experience is colored by the expectation that there will be some waiting. If an instantaneous response is required, an active proxy server with website caching should be employed, he advised. Companies who really depend on databases should have a local private cloud (a server farm) acting as a primary or secondary application server and database backup, ready to step in when the connection is lost.
Money-backed guarantees of uptime
Plenty of jurisprudence exists to protect enterprises that invest in traditional software deployments. "A lot of that goes out the window" in the public cloud environment, said Mike Grandinetti, managing director of Southboro Capital LLC, a venture consultancy in Concord, Mass., and a moderator at industry events. "It's different in the cloud because the vendor is provisioning a service, as opposed to the enterprise being responsible for uptime after installation," he said.
Although no cloud computing law exists to govern liability for service interruptions, such large cloud providers as Salesforce.com Inc. and Google Inc. nevertheless are winning customers through transparency, Grandinetti said. Both companies offer uptime guarantees of 99.9%, as well as portals that let customers compare performance with their SLAs, and that notify them of maintenance and other planned events. The numbers speak volumes: Salesforce.com has 64,000 customer entities, with 2 million subscribers, and hosts 200 million transactions a day; Google has 34,000 customer entities, with 2 million subscribers, and is adding 3,000 a day, thanks to large contracts with the city of Los Angeles and Motorola Inc. The search company also has a contract in the pipeline with the U.S. General Services Administration, a federal agency with 15 million employee accounts, according to Grandinetti. "All of this to me conveys a high level of confidence," he said.
Amazon.com's cloud platform, on the other hand, is growing and maturing. "Amazon is the world's largest retail organization, and long ago staked out a position as the low-cost provider," Grandinetti said.
Meanwhile, some Software-as-a-Service providers, such as Taleo Corp., are offering uptime backed by financial rebates, Grandinetti said. "If you've got thousands of customers, that's potentially thousands of checks, and you know they're incented to live up to the SLA."
Negotiate liability for downtime
Despite such promises, "I'm not buying 100% or 99.9999% uptime," Gloor said. A cloud provider's Web servers may be available, but infrastructure will fail. Encryption certificates will expire (usually on a major holiday). Firewalls and intrusion-prevention devices will lose power or get changed (perhaps by another third party) without proper change control, halting Web traffic. Cloud providers could terminate their services, he said.
What's a CIO to do? Reexamine contracts, Gloor advised. Is the provider guaranteeing things it cannot control? Are connectivity assumptions being made? How sturdy and redundant is the client infrastructure? What would happen if connectivity was lost for various time frames? Would the downtime penalties at the provider drive it out of business in a serious outage? What if the Internet becomes prohibitively latent or unavailable? When the provider's servers are not available, penalties must be clear and enforceable.
In any negotiation for uptime, it's important to understand where the lines of responsibility are drawn, Grandinetti advised. "Be very clear. Understand what they're guaranteeing on a given day, what their uptime is over a month or a year; what their response time is and procedures are in the event that a service goes down," he said. Above all, "Have an exit strategy when entering into a business relationship," he added. "Plan for the worst: How will I get my data back? How long will it take?"
Before entering a contract with a cloud provider, customers should analyze their risk as if it were a business continuity decision. "Which it most certainly is," Gloor said. "The result of this analysis should be, 'What would happen if . . .?' And here is where potential clients should really use their imagination."
Let us know what you think about the story; email Laura Smith, Features Writer.