The economics of cloud computing are compelling and cloud solutions offer customers the flexibility to rapidly provision and release computing elements. As a result, use of cloud services is clearly growing. However, buying cloud services is different from buying traditional outsourced services. Cloud providers are able to offer low cost, flexible solutions because they standardize their offerings for multiple customers. Accordingly, cloud providers are less likely than traditional outsource providers to adapt their solutions to the customer’s needs or negotiate contract terms to meet the customer’s requirements. The key to successful cloud computing is to find the right fit between the cloud solution and your business needs.
Approach to Cloud Services
You need to carefully select the cloud solution to meet your needs and manage the associated risks. The following are important steps in that process.
Know Your Requirements
You should start with an understanding of the attributes of the outsourced function. How critical are the outsourced services to your business? Is the data involved personal data or competitively sensitive? These attributes will drive important requirements for the cloud services.
Select the Right Cloud
You need to understand the cloud options available from your provider. Cloud solutions can be deployed in several distinct ways: private cloud, under which cloud elements are dedicated to the customer; public cloud, under which cloud elements are used for multiple customers; and hybrid solutions. Private clouds offer flexibility in terms of the solution and contract terms but come at a higher price; public clouds offer little flexibility but are available at a low cost; and hybrid clouds fall somewhere between private and public clouds in terms of cost and flexibility. A public cloud may work well where the outsourced service is not critical and the data is not sensitive, but a private cloud may be a better solution for critical services involving sensitive data.
Good Due Diligence is Essential
Given the limited ability of the provider to customize a cloud solution (in particular, in a public or hybrid environment), you must conduct thorough due diligence on the cloud solution to determine what gaps exist between your requirements and the provider’s services and whether there are workarounds to fill the gaps. This should include an understanding of the provider’s data flows, security standards and options available to address your compliance requirements, and the provider’s change process.
Key Risks and Challenges
Criticality of the Outsourced Services. Below are some of the key risks and challenges in contracting for cloud services to be considered and managed.
Continuity of Services
Customers have more risk as to continuity of services in cloud transactions than in traditional outsourcing. For example, cloud providers demand suspension rights for non-compliance with rules of use. Customers can often negotiate some protections around such suspension rights, such as limiting the suspension to the minimal extent necessary to address the violation and prompt reinstatement of services upon cure of the violation.
Provider Rights to Change Terms
Cloud contracts typically incorporate by reference other provider terms and conditions, and the provider maintains flexibility to change those terms and conditions without the customer’s approval. Some providers will agree to compromises in this area, such as a requirement that the changes not degrade the services or ease security requirements or that notice of changes be given, with a right for the customer to terminate if the changes that are unacceptable to the customer.
High Level Service Descriptions with Few Warranties
In public cloud contracts, services are often described at a high level with little detail, and providers are reluctant to give general performance warranties, which limits the customer’s ability to bring claims for damages for deficient services. Providers may agree to include core features of the services and limited performance warranties.
Cloud contracts may contain few service levels, typically with no methodology for allocating at-risk amounts across service levels. Service level credits are relatively small, and providers often demand that service level credits constitute a customer’s sole and exclusive remedies. If your company is considering using cloud services for critical functions, you should consider whether you need more protections than those offered by the provider. Providers of private clouds may agree to higher incentives and language permitting damages if another claim can be made under the agreement.
Data Privacy Compliance
As noted above, it is essential to consider the sensitivity of the data to be placed in the cloud. Cloud solutions are often designed to permit the provider to move data from location to location. However, movement of data is often at odds with the customer’s need to comply with data privacy laws and policies. For example, privacy laws require safeguards around the collection, processing, storing and transferring of customer data and that customers know where there data is located. In selecting a cloud solution, you need to understand how the solution will handle the flow of data.
Standard Security Offerings
Providers have a standard cloud security protocol to offer customers and typically will not customize the security safeguards to a customer’s particular needs. You need to understand whether those security protocols allow you to meet your obligations. Some providers may warrant that they will maintain certain certifications, such as ISO 27001, but you need to consider with which certification standards the provider complies.
Other Compliance Requirements
You need to consider compliance obligations beyond just data security. For example, will the provider be able to effect litigation holds on data in the cloud? You may be able to manage compliance risks by retaining the compliance obligations yourself as long as the solution provides the tools you need to meet those obligations.
You can successfully use cloud solutions if you make informed decisions about the solutions selected, understanding the needs of your business, the ability of the provider to meet those needs and the contractual terms that can be obtained.
This article was originally published by Inside Counsel.