Business Cloud News
Cloud service customers should ensure they know what they've signed up to

Cloud service customers should ensure their cloud SLAs fully reflect their needs

Consumers of cloud services need to better assess the terms of their agreements with cloud service providers or risk vendor lock-in and paying higher costs for less reliable services over the long term, according to Frank Jennings, a “cloud lawyer” at DMH Stallard.

As cloud slowly moves into what Gartner Research calls the trough of disillusionment – the period after the introduction of a new technology when interest wanes after implementations fail to deliver – it’s worth looking more closely at how consumers of cloud services can ensure they are effectively managing risk when entering into relationships with cloud service providers.

“The reason why public cloud services are so cheap is because the customer bears all of the risk,” Jennings said, speaking to a group of cloud service providers and enterprise IT customers at the Cloud World Forum in London last week. “A lot of people do not understand what they are buying today, and many think that the cloud provider does everything,” he said.

That being said, enterprises on the hunt for their next cloud infrastructure service should ensure they’ve done their due diligence, which means knowing what the service will guarantee and ensuring the SLA leaves nothing ambiguous; reading the fine print on the contract and negotiating new terms where possible; and optimising the strategy for contingencies.

Be wary of Clause 11 and “as is” services

With commoditised cloud service offerings often come standard, un-negotiable agreement terms that cloud service consumers – particularly of public cloud – need to be aware of. Clause 11 is often the clause in public cloud service contracts which states that the service provider is not liable if data is lost, deleted, corrupted or otherwise mishandled.

Unfortunately, these terms cannot be changed and are often subscribed to in a “click yes to accept, click no to decline” fashion, and may limit the appetite of some enterprises to move into the public cloud domain.

Nevertheless, if public cloud is the way forward then it’s important to ensure appropriate failover and backup measures are taken – which may mean contracting with another service provider.

Know where your data sits and who has access to it

This is particularly important given the EU directive on data protection and the UK Data Protection Act specifically, which applies some restrictions on where personal data can reside and limitations on the location of the data controller and the type of personal data that can be processed by a data processor.

Cloud service consumers should ensure that their cloud service providers have local datacentres in place in order to comply with existing legislation on data residency and data processing, and ensure exceptions are clearly indicated in the contract (such as if a US affiliate of a UK company has access to personal data on a UK customer’s hosted system so that it may provide support to UK customers during certain hours of the day).

And while the data controller is primarily liable towards data subjects (cloud service customers), data controllers must select appropriate data processors and seek appropriate protections from them to ensure that data cannot be compromised along the way.

If a cloud service provider cannot clearly spell out the measures they take and the agreements they make with data processors within a contract then enterprises should either seek to have these explicitly outlined therein, or opt for cloud services through an alternative provider.

Only get into agreements you can smoothly exit 

At the moment, there is no general requirement that cloud vendors provide customers with data export facilities, or assist them with the migration to another service provider. The European Commission and European Parliament are in the process of changing this with the development of new data privacy regulations, but it will likely be at least a year until the final text is agreed and even longer in terms of practical implementation.

As many who have tried switching cloud services may have found, data transferability is not the same as data portability. In the event of terminating a contract with a cloud service provider, the provider may return all of the data – but in a proprietary, encrypted format. This could easily lead to lock-in because the exorbitant cost of decryption on such a massive scale could deter cloud service customers from leaving a service.

In order to avoid having to pay a hefty sum to have that data restored, an enterprise’s only bastion at this point is the contract. Enterprises should be especially wary of this because the format of the data returned won’t necessarily be explicit within the contract’s terms of agreement, and should either move to have this included within the service contract, or weigh the gains from using the service against the potential costs of leaving if the relationship sours or the service isn’t up to scratch.

Use common sense

Most customers move to the cloud on the promise of lower costs, but Jennings believes cloud actually tends to hit cost parity with existing managed IT services after about five years. Much of that added cost is due to the top-up services – like backup or failover – that aren’t necessarily on offer from the same service provider, and the unforeseen costs attributed to data loss and downtime cloud service customers don’t often accurately account for.

The majority of these problems can be avoided by doing the appropriate due diligence in cloud service procurement, which ultimately means knowing what you’re buying.

Moving towards a private cloud solution may help circumvent many of the abovementioned issues, as such solutions often provide more leeway for contract tailoring. The downside is that private clouds may not offer the price points and elasticity public clouds have to offer, although this is slowly changing.

Given that service credits are often the sole and exclusive mechanism for remediation in the public cloud – certainly not nearly enough to capture the level of risk some companies may take in moving to Azure, AWS and the like (to say nothing of the counter-intuitive nature of remedying bad service with more of it) – enterprises procuring those solutions need to ensure appropriate protocols for managing contingencies are in place. That, after all, is simply common sense.