With all the benefits that come with enterprise cloud computing, which include low costs and agility, even sophisticated IT departments are sometimes blindsided by the razzle-dazzle they get from cloud providers when striking a deal.
But it's important to slow down and thoroughly read that cloud contract, said Daniel Masur, a lawyer and partner specializing in IT and business at Mayer Brown LLP's Washington office.
"Whenever there's a new paradigm shift in how [IT] services can be delivered … what we have to do is look at 'What are the issues that are unique to this particular delivery model?'" Masur said.
Here are six basic issues Masur deals with on a regular basis when he reviews cloud options with his clients.
Private versus public cloud
Private cloud is typically more expensive than the public cloud, but it offers more contract protections, Masur said. Private cloud is more customizable, and a company's data won't be commingled with another company's, as it is in the public cloud.
"So, depending on which offering you're looking at, it will, to a great extent, dictate what contractual protections might be available," he said.
Masur said many of his clients have heightened concerns regarding privacy and security issues especially since the whole "NSA dust-up," referring to the controversies surrounding the National Security Agency's bulk collection of phone calls and other data records. As a result, Masur said, many companies, especially larger ones, are opting for private cloud solutions.
Another issue companies must consider is their ability to audit the cloud or, in other words, to look at statistics about the performance and security of the cloud services they are using.
"Auditability" allows companies to see that their data is being dealt with in a way that is consistent with their privacy and security obligations, Masur said.
Many cloud contracts, however, make this "extremely difficult, and often impossible … in a one-to-many cloud offering," or public cloud service.
However, cloud providers will typically have a third party conduct a service organization controls (SOC 1 or SOC 2) audit, Masur said, which reports on various organizational controls, such as finances, security, availability and privacy. But they will not allow individual customers to conduct audits.
He added that companies that require greater audit rights usually opt for private cloud solutions.
The web of subcontractors
Public cloud providers sometimes hire subcontractors, unbeknownst to the company using that cloud service.
A cloud contract "requiring that they disclose the subcontractors they're using is a major strain in the public cloud," Masur said.
But he encourages people to be tough on this point in the contract and make "sure that the terms that you get with the principal contracting party are flowed down to those subcontractors," Masur said.
Companies need to be able to search for and locate electronic data, with its original metadata intact, for legal purposes such as discovery, and that includes data stored in the cloud. "Companies are required to be able to do this. It's a critical function that people need to be sure that they have," Masur said. Yet "some cloud providers don't offer it at all."
It is important in those cases to make sure the cloud provider is able and willing to let companies connect their own tools to do electronic discovery.
When it comes to providing a detailed description of what service levels cloud providers will adhere to, contract terms can be vague -- and that's when companies should ask questions.
"Cloud service levels tend to be far less exacting than in a traditional IT relationship," Masur said. "The penalties, if any [are] available, are significantly smaller."
Masur said that public cloud providers are less willing to agree to aggressive, customized service levels and typically have a set of standard service levels for all customers. He added that public cloud providers tend to offer much smaller service level credits, due in part to their low-cost model, but also possibly because there is a lack of historical data showing that the provider is capable of achieving more stringent service level goals.
Cloud and the law
It’s no secret that companies are bound by a slew of laws related to their data, including data privacy laws and laws that prohibit data from traveling to other countries without a license. However, it remains a tricky area to navigate when it comes to contracts and the cloud.
"So, you can imagine if your data is flying all over the world dynamically, finding the least expensive place in order to sit, if you don't have controls in place, you may find out that you have inadvertently violated the export control laws because data that shouldn't have been … residing in a particular location is now there," Masur said.
In fact, some countries have said that due to their own stringent laws concerning data privacy, companies and people within those countries would never be able to use the cloud and abide by the laws at the same time.
"In Germany, they have data commissioners in various regions throughout Germany and some of them have come out and said that as far as they're concerned, there's no way that the cloud can be implemented in a way that meets the obligations that people have under the EU data privacy laws," Masur said. Though it is still unclear whether that is precisely true, "it does give you an idea that it's shaking a lot of people up in terms of privacy and security and exactly how it's going to be addressed."