There is another paradigm shift happening in business, and in some ways it is very similar to the early days of virtualization. Senior leadership didn't trust virtualization with mission-critical applications until it was reassured that the technology provided the security, stability, and performance it had come to expect on a conventionally provisioned server. The same holds true for cloud service providers. In all likelihood, your IT executives are going to be comfortable with the perceived risks of moving an application to an external provider for the economic gains.
There are several aspects of cloud contracts that you should consider when working with a cloud service provider to move an application away from servers physically located within your datacenter. The contract with a cloud service provider is vital. The National Outsourcing Association (NOA) points out that cloud computing contracts are not like normal outsourcing contracts: cloud service provider contracts tend to be far less rigorous than those of traditional outsourcing partners.
Many cloud services providers reserve the right to change all, or part of, the agreement once it is signed.
Public cloud services, especially when used for fundamental parts of your business, can leave a lot to be desired with regard to service level agreements (SLAs), which have been a staple of traditional outsourcing contracts. It is important to appreciate the need for due diligence up front when analyzing a cloud contract; there is little room to renegotiate after a problem or security breach.
Here are some important considerations on cloud contracts from Gartner:
"Where possible, negotiate that the cloud services provider should identify where the data is being held and should at least notify the customer if there are changes to that location. Ideally, the customer should have to approve changes in location of the data, but we see this as very difficult to negotiate in the current market.
The customer should ensure that, if the cloud services provider is using any third parties, any clauses negotiated would equally apply to any third party, and that the cloud services provider is ultimately responsible for any breach of contract, even when the third party is at fault."
"Gartner recommends negotiating SLAs for security, especially for security breaches, and has seen some cloud services providers agree to this. We would suggest immediate notification of any security or privacy breach, as soon as the provider is aware of it. Ideally, we would recommend that you be informed if any cloud services provider technology or process fails and when any customer data is compromised, even if the provider has no reason to believe that your data was compromised.
Remember, you are ultimately responsible for your data and for alerting your customers, partners and employees of any breach, so it is particularly critical for companies to determine what mechanisms are in place to alert customers if any security breaches occur, and to establish SLAs determining the time frame for the cloud services provider alerting you of any breach."
"Negotiate that the cloud services provider should identify where the data is being held and should at least notify the customer if there are changes to that location.
Contractually require the cloud services provider to inform you when law enforcement authorities request personal information that you have put in the cloud. You should be notified regarding what information is shared when and with whom."
"Ensure that you have documented that all data must be returned to you in a predefined format within 30 days of termination. In some instances, organizations have terminated their cloud services agreements and have struggled to get their data back, because the lack of any future payments meant that the cloud services provider had scant motivation to assist. Some contracts also state that if a company has not transferred the data within 30 days, the cloud services provider has no obligation to provide security or backup of the data. Sixty to 90 days is more realistic, and is negotiated in better contracts."
Clauses Preventing Contract Terms Diminishing
"Understand the complete structure of the cloud contract, including the terms that are detailed outside the main contract. Ensure that these terms cannot diminish for the period of the contract and, ideally, for at least the first renewal term. Ensure that you get the details of what types of information can be shared with subcontracted companies. You should also read and approve any subcontractor agreements, if possible."
A few other items you should consider are:
- Uptime Guarantees
- Service Level Agreement Penalties
- SLA Penalty Exclusions
- Suspension of Service
ITWorld shows that when statements from leading cloud service providers are examined, the reason for ensuring you truly understand cloud contracts becomes clear.
Cloud Contract - Amazon Web Services
"...you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."
Cloud Contract - Amazon Web Services
"In the event of any termination by us of any Service or any set of Services, or termination of this Agreement in its entirety, other than a for cause termination under Section 3.4.1, (i) we will not take any action to intentionally erase any of your data stored on the Services for a period of thirty (30) days after the effective date of termination; and (ii) your post termination retrieval of data stored on the Services will be conditioned on your payment of Service data storage charges for the period following termination, payment in full of any other amounts due us, and your compliance with terms and conditions we may establish with respect to such data retrieval."
Cloud Contract - SQL Azure, Microsoft
"Upon the expiration of the term or any termination or cancellation of this agreement, your rights to access or use the Services immediately cease, and you must promptly remove from the Services any data, software programs or services (if any) used in connection with your access to or use of the Services. If you do not remove such data, software programs or services from the Services, we reserve the right to remove them in accordance with our normal business practices for the Services."
"Upon cancellation, suspension or any termination, your right to use the Services stops right away and you must immediately remove your Data and applications from the Services. You are responsible for taking the steps necessary to back up your Data. Upon any termination of this agreement, all other rights granted to you by this agreement will also automatically terminate."
Cloud Contract - GoGrid, Microsoft
"You bear sole responsibility for any and all data used in connection with the development, operation or maintenance of any software programs or services that you use in connection with your access to or use of the Services, including without limitation taking the steps necessary to back up such data, software programs or services."
If you need help designing a cloud contract strategy, I would highly recommend seeking out a cloud reseller that specializes in corporate cloud strategies.