18 January 2012
The drumbeat of cloud computing is getting ever louder with regular testimonials about the cost-savings and agility benefits it provides. Yet, large corporations have made only limited use of cloud computing. They have typically limited cloud services to peripheral, non-core functions, due to technical, legal, and security concerns. Today, many companies are discovering the growing number of offerings for a breed of private cloud services that deliver the benefits of public cloud computing, while providing more of the protections that large corporations seek. This growth in corporate-friendly offerings is being fueled by the goal of cloud service providers to expand their reach into the corporate market and by the desire of traditional outsourcing providers to protect their share of that market.
Private Cloud Computing Defined
The National Institute of Standards and Technology (NIST) describes the essential characteristics of cloud computing as (i) on-demand self-service, (ii) broad network access, (iii) resource pooling, (iv) rapid elasticity and (v) measured service. It further defines a “private cloud” as a cloud computing infrastructure that “is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units), [which] … may be owned, managed and operated by the organization, a third party, or some combination of them ….”
This definition covers a wide range of private cloud offerings, many of which can have very different consequences for the customer. Some private cloud offerings go a long way toward addressing the privacy, security and compliance issues that companies face, while others pose many of the same risks as public clouds. The fact that a service is a private cloud offering does not necessarily solve all these issues. Customers must carefully consider the attributes of each service and the corresponding contractual protections that they can obtain.
Contract Terms for Private Services
From a customer’s perspective, a well-constructed private cloud contract will adhere to many of the customer protections found in traditional outsourcing contracts. It will also allow the service provider the flexibility needed to achieve the structural efficiencies inherent in cloud computing. The following is a brief review of some of the key terms that customers should obtain when contracting for private cloud services to support core functions.
- Location Commitments. A key contractual term for private cloud services that support core functions is the customer’s ability to specify the locations where data will reside. This requirement arises principally from the customer’s need to comply with data privacy and security regulations enacted around the globe. This term is standard in outsourcing contracts but not in public cloud contracts, which enable the provider to change locations at will and without notice to or consent by the customer.
- Architectural Control. In contrast to traditional outsourcing arrangements, the standardized nature of the service provider’s private cloud environment means that the customer must accept some loss of architectural control. A customer can take steps to ensure that its systems are compatible with the cloud systems at the start, but this is not a complete protection, since the provider can make changes over time.
There are risks that the customer may incur uncertain costs to make modifications to its systems or that it could suffer disruption, neither of which is tenable when core functions are involved. If the customer cannot be protected against a disruptive change, the contract must at least include rights that give the customer the legal and practical ability to terminate the cloud services and provide a reasonable time to transition its functions to an alternate provider before the change takes effect. One additional provision that can help the customer to avoid burden or disruption is a requirement that the provider must give the customer advance notice of its architectural plans and ensure an opportunity to comment on those plans.
- Technology Currency and Technology Advances. In traditional outsourcing contracts, customers often require providers to keep pace with current technology and to share their advances with the customer. Cloud service providers may resist this requirement on the grounds that they must maintain consistent architecture, which for technical or strategic reasons may not be current in every respect.
The need for this protection is less compelling in cloud services, however, because the cloud provider is already motivated by competitive pressures to keep its shared environment current. Nevertheless, customers that rely heavily on cloud services for core functions may want some general commitment in this regard, particularly given the potential time and effort required to shift a core function to another provider.
- Data Security Commitments. Cloud contracts generally do not permit customers to impose their unique security requirements on the provider. This is not significantly different from traditional outsourcing arrangements, in which providers press to use their own security protocols when delivering services from their environments (e.g., a provider’s data center or call center).
The difference comes in how the potential gap is bridged. In public cloud offerings, the customer is usually obliged to satisfy itself that security protections disclosed by the provider are adequate. In private cloud arrangements, as in traditional outsourcing, the customer should have the right to require the provider to confirm that its security protections equal or exceed the customer’s standards and that it will not diminish those protections. This difference is important, since the provider is clearly better positioned than is the customer to interpret the security-related capabilities of its own systems and procedures.
- Termination Charges and Residual Costs. Given the standardized nature of the cloud infrastructure and the deployment of that infrastructure to support multiple customers, contracts for private cloud services should not require the customer to pay termination charges for stranded systems costs. There may be termination costs in some cases, particularly if the customer has required the provider to assist with transition of the customer’s systems to the cloud environment (i.e., data conversion, transfer and testing) without full, up-front compensation for those services. Flexibility is one of the inherent benefits of cloud computing, however, so any provider request for termination charges should be carefully scrutinized.
- Post-Termination Rights to Technology. One of the protections that customers often obtain in traditional outsourcing agreements is the right to acquire equipment and software used by the provider to support the customer. This protection is not available in private cloud arrangements for the obvious reason that the supplier cannot hand over part of its cloud infrastructure. As a result, it is important that customers of private cloud services include contract protections, similar in terms to traditional outsourcing contracts, that ensure the customer will have the time and information necessary to in-source or re-source the services when necessary, regardless of the reason for termination.
- Post-Termination Rights to Personnel. In traditional outsourcing contracts, the customer often has the right to hire provider personnel who are substantially dedicated to the customer’s account. This helps ensure transfer of knowledge relevant to the supported function.
Because private cloud services, by definition, do not rely on personnel dedicated to the customer, this protection is not available to customers of those services. The absence of this protection further underscores the importance to customers of exit planning and associated contract rights.
- Limitations on Key Personnel. Contractual assurances relating to the quality and continuity of key provider personnel are mainstays of traditional outsourcing contracts. The success of an outsourcing relationship depends heavily on effective governance of the relationship. While private cloud services rely less on individual management, the reality is that even in those arrangements, there is need for effective governance to answer questions, advise on strategy and resolve problems.
Building customer confidence in using private clouds to support critical functions will, no doubt, require a strong connection to the provider organization. Consequently, many of the same key personnel protections found in traditional outsourcing contracts should apply, as well, to private cloud arrangements.
- Audit Rights. Customers in traditional outsourcing arrangements typically have broad audit rights, while customers in public cloud arrangements have few, if any. Audit rights in private cloud contracts generally fall somewhere in between.
Since private cloud services utilize leveraged systems, private cloud providers want to limit a customer’s operational audit rights to protect the security and the integrity of those systems. This may limit the extent of a customer’s right to directly access the provider’s systems and may well prevent the customer from being able to test the integrity of those systems. Nevertheless, private cloud customers should have the right to obtain all the information and data they need to satisfy their control requirements. In addition, customers should require SSAE 16 or equivalent audit reports for the provider’s systems and processes used to support the customer.
- Change in Volumes. Pricing structures under traditional outsourcing contracts often contain volume ranges beyond which unit pricing must be renegotiated. This constraint is based on the changing proportion of the provider’s fixed and variable costs that comes with volume changes.
An essential characteristic of cloud computing is price elasticity, which results from broad leveraging of the cloud systems across multiple customers. Volume pricing discounts may still be used by cloud providers wishing to encourage broader use of their systems.
Another factor that may influence variable pricing, at least for some initial period, is cost recovery. This becomes especially relevant when a provider incurs up-front costs in assisting the customer to initially transition to a cloud environment.
Many of the benefits of private cloud services come from the provider’s standardization of its services across multiple customers, including standardization of its architecture, currency, security controls and quality measures. Standardization in this context requires certain customer compromises and risks that must be carefully managed, particularly when the private cloud is used to support core customer functions.
The transition of large corporations to widespread use of cloud services for core functions is likely to be slow and evolutionary because of these risks and compromises. However, the persistent cost pressures and agility demands on companies and their need to remain competitive, together with competitive pressures among service providers, make this evolution inevitable.
Lawyers representing these companies must find contract solutions that balance customer needs against the essential features of cloud computing. They must also aim to develop outsourcing contracts that not only keep pace with changing customer issues, but that also advance the evolution of the cloud computing industry.