Organizations looking to put any portion of their IT operations in the public cloud need to sign a cloud service...
agreement with a cloud service provider. This pact determines what services the provider is responsible for and what it will do in case of problems such as an outage.
The Cloud Standards Customer Council, which aims to establish standards for the cloud computing industry, released this month an updated guide on understanding and negotiating cloud service agreements. The first version was published in 2013.
"The market has evolved, and there is a certain number of cloud service providers, or CSPs, that have entered and that changes the lay of the land," since then, said the CSCC's Claude Baudoin in a Thursday webinar presenting the guide.
The increasing use of blended IT environments often called "hybrid IT" -- on-premises data centers mingling with an assortment of cloud services -- spurred the need for an update. The dissolution of the EU-U.S. data transfer pact known as Safe Harbor in October 2015 did, too. "Now service agreements need to say something about how data is protected against access by the wrong jurisdiction or country," Baudoin said.
A cloud service agreement typically consists of several documents, Baudoin said: a sign-at-the bottom customer agreement, an acceptable use policy laying out what the customer should and shouldn't do, and a service-level agreement that details what services the provider is promising and what it will do if problems arise and services go offline. Then there are privacy policies that establish what the provider can do with personal information of its cloud customer's customers.
The guide lays out 10 steps for organizations to take when evaluating cloud service contracts -- from understanding who is responsible for what, to evaluating data privacy policies to exiting the contract. Baudoin summed up its most important points; I've summed up his:
Don't sign cloud service agreements without reading them -- carefully. The terms of the agreement are usually scattered throughout the constituent parts, and often the language in the documents doesn't mirror the provider's initial proposal, Baudoin said. "That's why you cannot just close your eyes and sign on the bottom line. You have to scrutinize this language."
Not all negotiations are equal. Cloud providers expect to give you "one-size-fits-all terms," Baudoin said. But large organizations can often use their sway to get better terms. Smaller ones can sometimes get what they want -- if they pay extra. "Sometimes it's worth considering depending on the impact on your business," Baudoin said.
Have a starting point for evaluating service. Assess the service you have in-house before being wowed by, say, vendor claims of 99.9% uptime. It might not matter, Baudoin said. "If your own availability in-house has been 99.5%, maybe that fourth decimal is not as important as the third one -- so have a baseline about your current practice." (Besides, those "classic" claims of 99.9% availability, said Mike Edwards, who works on cloud computing standards at IBM and spoke in the webinar, are difficult to verify.)
Understand how service levels are measured. That typically means how the cloud provider calculates cloud service downtime, when IT operations go offline and thus compensation for that downtime. In one agreement the CSCC examined for its guide, the downtime must be longer than five minutes before the provider logs it.
Have a worst-case-scenario plan. Understand what the provider will do in case of a data breach or natural disaster -- and plan accordingly. For example, most cloud service agreements don't provide adequate guarantees in case of a service outage after, say, an earthquake, the guide says. In fact, most focus on limiting what the cloud provider is liable for. So customers must make their own disaster recovery plans.
Own your data governance. Organizations are putting essential applications -- ones that support day-to-day operations -- in the cloud. But cloud service agreements today contain few provisions on management and communication processes. That puts data governance squarely on you, the customer. "Don't abdicate your own responsibilities," Baudoin said. "Continue to have strong governance in-house."
Find out about new cloud standards that aim to make cloud service agreements easier to understand.
Cloud contracts: Negotiating tips for CIOs
A lawyer sounds off on cloud contracts
Develop a cloud service agreement with your provider