How to balance risk in cloud contracts by adopting best practice

The first of a two-parter that looks at how to minimise risk when moving to cloud

Enthusiasm for cloud computing is undiminished with survey after survey showing that cloud adoption is significant.  But, in their rush to embrace cloud, are customers taking on greater risks than they need to?  And are cloud service providers seeking to exclude all risks when providing services?

The allocation of risk between a cloud service provider and its customer is done through the contract.  A Cloud Industry Forum survey earlier this year indicated that 45 percent of customers were not offered the opportunity to negotiate contracts suggesting that cloud service providers are using standard contracts and click-through arrangements.  Also, a third of customers reported that their cloud service providers could change the contract by simply posting a new version online.  In some ways, the more revealing statistics are that many customers did not try to negotiate their contractual position and simply did not know what their contractual exposure was.

That is changing.  Clearly, where customers are looking for a standardised or cheap cloud service there will not be much opportunity for them to discuss the allocation of risk with their cloud service provider, nor should they expect to.  But as cloud services mature, with more service providers and channel resellers offering products, customers will have the ability to shop around for the best protection.

Not surprisingly, in a crowded market, cloud service providers and resellers are looking for ways to stand out.  This includes joining industry bodies, such as the Cloud Industry Forum, which offers an accreditation scheme against a code of practice.

Providers can also adopt best practice in their contracts.  In conjunction with the Cloud Industry Forum, earlier this year we published a whitepaper providing guidance to customers and cloud service providers on best practice in cloud contracts.

Best practice recommendations include:

Local law for local customers
A cloud service provider that offers a standardised public cloud service with data centres in the cheapest location will not wish to be drawn into negotiations at all, let alone agree to be governed by the customer's local law.  But where a service provider offers a bespoke or private cloud solution, it might be willing to adopt the customer's local law, or to concede on other issues instead.  Not surprisingly, data location and security are key concerns for customers, and if the data centre is local to the customer then choosing local law is probably not that difficult.

Identifying location of data centres
Overall, 75 percent of customers said it was important that their cloud service provider stores their data in the UK or the EU, rising to 80 percent within the SMB sector and 82 percent in the public sector.  The EU-wide data protection laws are possibly a contributory factor here, but clearly a cloud service provider stands more chance of winning business in the UK or the EU if its data centre is in the UK or EU.  Disclosing where the data centre is located is crucial to this.  If the service provider offers a secondary facility from a non-UK/EU data centre, such as a back-up or failover service, it should state this too, since a copy of the customer's data will then be held there.  It goes without saying that all cloud service providers will need to put in place adequate measures to ensure data security and avoid data leakage or loss.

Documented management systems, processes and resources
Not all cloud service providers are alike.  Although there is not yet an international standard that applies specifically to cloud solutions, there are other standards which might be useful and which the customer should investigate.  For example, does the provider comply with ISO 9001, ISO 27001 or SAS 70?  Does the provider adhere to an industry code of practice, such as the one run by the Cloud Industry Forum?  Has the provider documented its management systems, processes and resources?  Is the provider willing for the customer to review these (under an obligation of confidentiality or otherwise)?  A certificate alone says little about the scope of what was assessed, so the customer should ask which services and locations the certification or audit report actually covers.

The full set of best practice recommendations covered across both parts of this article is:

  • Local law for local customers 
  • Identifying location of data centres 
  • Documented management systems, processes and resources 
  • Clear SLAs showing average availability times
  • Clear statements of what losses a cloud service provider will cover
  • Changing and terminating the contract
  • Adequate opportunity for customers to retrieve their data 
  • Migration assistance to a replacement provider
