By Christine Enemark
To some customers of computing storage, processing and online services, the “cloud” seems no different from the traditional information technology services they have used for years. Amazon’s cloud computing outage last week, and the associated downtime and data loss suffered by a number of Internet web sites, highlights how public cloud computing services are different – and how the contracts for those services are different, too. Here are just three ways that typical cloud contracts may not be adequate to protect a customer’s interests in the cloud.
No Quality of Service Commitment. Cloud computing is becoming a commoditized service, provided like a public utility. Contracts for public cloud services are often presented to customers as non-negotiable, take-it-or-leave-it agreements. For many customers, the cost benefits of cloud services may seem to outweigh the legal costs associated with negotiating a specific service agreement. But typically, cloud service contracts include no commitments regarding quality of service, uptime, security, or other key factors that customers have come to expect from traditional IT providers. In the case of an outage, then, customers may have no contractual recourse against the cloud provider, even for catastrophic data loss.
No Security and Back-Up Services. Most IT contracts include detailed provisions, with an allocation of responsibility, for data protection and data back-up and disaster recovery. Not so in most cloud computing contracts. In the cloud, the customer is usually ultimately responsible for basic security, such as encryption, to protect critical data. Yet cloud customers may not realize that certain services they use are in the cloud, and that the data provided in these services is unprotected. Similarly, customers do not necessarily get commitments from cloud providers on data back-up to protect critical information and systems in the event of a network outage or other service failure. The cloud may be an easy resource for customers who need to provide their own redundancy – so a customer can use one service provider as a primary service, and one for data back-up. (Of course, this only works if one service provider is not simply reselling cloud services provided by the other – due diligence is important.) But in general, each customer is ultimately responsible for protecting its own critical data. It cannot blindly assume the cloud provider is securing, or protecting, its data.
No Audit Rights. The cloud, and its inherent efficiencies for data storage and processing, makes any audit to evaluate and verify system operations difficult. The cloud allocates spare processing and data capacity to wherever it is needed, whenever it is needed. This elasticity creates the impression that computing resources are infinite, and infinitely available. But a customer will not know at any particular time where its data is actually physically located. Certainly, this creates regulatory risk of which any customer using the cloud to store and process sensitive data (personally identifiable information, credit card information, health information) must be aware. But separately, the very benefits of the cloud make it difficult for customers to examine whether the service they have purchased is really working the way it ought to be working.
At a minimum, last week’s Amazon outage should encourage cloud customers to reexamine the commercial terms on which they purchase cloud services, and to rethink what terms they can live with in the cloud.