Cloud service contracts are often rushed through, which leads to costly blunders and serious risks. According to a recent Techaisle estimate, small and medium businesses are reviewing and signing about $11 billion worth of cloud service contracts in 2011 alone.
Whenever an enterprise is planning to enter into a cloud computing contract, it should consider four areas of risk identified by the technology research firm Gartner Inc.:
- Cloud sourcing contracts are not mature for all markets. When taking a look at cloud sourcing contracts, it’s often quite obvious whether they were written for mature corporations or for the consumer market. Contracts often lack descriptions of the cloud service provider’s responsibilities. It is not unusual to find contracts that fail to meet the general legal, regulatory and commercial contracting requirements of most enterprise organizations.
- Contract terms generally favor the vendor. Cloud services generally don’t lend themselves to partnership-style relationships between companies, due to the high degree of contract standardization, and services that are delivered remotely, instead of locally. Customers of cloud services are one of many. This multiple-customer model breaks the norms of most industrialized service delivery. As the majority of contracts are written in general, standardized terms, potential customers must be extremely clear on what is acceptable and what is negotiable.
- Contracts are opaque and easily changed. Most contracts from cloud service providers are not very long or detailed; it’s common to find URL links providing additional information, or even the terms and conditions themselves. The missing details are essential: the quality of service and the price for uptime or performance; service and support terms; and the description of the core functionality of the product. It’s common for clauses on these additional pages to change without notice to the client.
- Contracts do not have clear service commitments. Increasing numbers of cloud service providers are including SLAs in URL documents that are referenced in their contracts. Providers will limit their area of responsibility to their own network and many commitments remain vague.
According to Frank Ridder, Gartner’s research vice president:
“Cloud service providers will need to address these structural shortcomings to achieve wider acceptance of their standard contracts and to benefit from the economies of scale that come with that acceptance. CIOs and sourcing executives have a duty to understand key areas of risk for their organizations.”
Cloud Contract Reviews
A sound cloud contract review is crucial before jumping into a service contract with a vendor. While it’s useful to have legal counsel on contract matters, it can be helpful to have some in-house knowledge in order to develop an effective vendor selection process, diminish fears around migrating to the cloud and ensure successful results from doing so.
A contract review should prioritize three key areas:
- Service Availability
- Service Level
- Data Security
It’s important to review the vendor’s definition of planned or permitted downtime, which is different from unexpected outages. Look at the reasons behind the downtime, and how and when the vendor schedules it.
Another thing to consider is that cloud-based systems often undergo frequent updates and improvements. If an enterprise’s key applications are moved to the cloud, it’s crucial to have a clear contractual understanding of what maintenance and upgrades are included, as well as the costs involved.
Finally, data availability and security are big reasons preventing businesses from moving critical functions to the cloud. In the event of unexpected downtime, enterprises should always have some means to access their data. They should also strive to retain as much power over their data as possible in the vendor contracts. Another issue that arises is termination of a contract. In such situations, what happens to the data?
A Flexible Cloud Service Agreement?
In early 2010, RightNow Technologies introduced its flexible cloud service agreement, which it boasted would give clients far greater flexibility in negotiating contracts for its SaaS applications. Unique aspects of the service agreement included annual usage agreements that can be adjusted up or down, allowing customers to change the number of seats or subscriptions based on business requirements. Other software purchase contracts require customers to buy more seats than they need in order to lock in long-term pricing.
RightNow also offers “annual pools of capacity,” which let customers adjust the number of seats they use over a 12-month period to accommodate fluctuations. Most SaaS contracts lock customers into purchasing enough seats to accommodate peak potential usage over the course of a year.
Currently, RightNow only requires customers to commit to a service contract for a year. Most other software purchase contracts have customers buy a fixed number of seats or copies of an application, without the option to end the agreement early, at least not without incurring heavy penalties.
This article looks at the risks inherent to cloud service agreements, as well as the key components involved in conducting a thorough contract review. The four risks involved with cloud service agreements are: cloud sourcing contracts are not mature for all markets; contract terms generally favor the vendor; contracts are opaque and easily changed; and contracts do not have clear service commitments. The article goes on to describe how organizations can mitigate these risks while migrating critical functions to the cloud. The notion of a flexible cloud service agreement, as offered by RightNow Technologies, is briefly introduced at the end of this article.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Contractual security requirements (Domain 2)
- Contract enforceability (Domain 3)
- Lock-in risk mitigation techniques (Domain 6)
- Provider selection (Domain 8)
- Key management best practices and standards (Domain 11)