
Look before you click: 10 questions to ask before agreeing to a cloud services contract

Blog post by HP Blogger

“I accept these full terms and conditions. Click to confirm.”

How many times have you subscribed to a cloud provider’s service and clicked on that box without reading what’s in the small-font legalese you just agreed to?

Don’t do it again.

If you take nothing more from this post, if you stop reading now, that’s fine. Just make certain that for any high value business service you or your employees don’t click another one of those boxes without reading the fine print and understanding what you are signing up for.

As I described in my last post, When Compliance and Cloud Computing Collide, the ease with which cloud services can be consumed has made it practical for anyone to effectively enter your company into a binding sourcing agreement with the click of a button. The problem is that if you – or worse, one of your company’s employees – blindly enter into a cloud computing contract without due diligence, you could be in for unexpected surprises.

As one DLA Piper LLP consultant noted in a presentation last year,

 “The form contracts or terms that cloud service providers typically offer (especially in online, ‘click-through’ agreements) are generally quite one-sided and contain few, if any, terms to protect their customers from potential legal risks and liabilities. Only large companies will likely have the leverage to negotiate material changes to those terms. Small companies will often be faced with a ‘take it or leave it’ situation.”

Let’s look at a few examples of how two of the better-known service providers handle some of the more sensitive topics, to get an idea of the common things to look for. But before I do, it’s only fair to start by letting you know where to find ours (http://welcome.hp.com/country/us/en/termsofuse.html) too. Happy reading!

I want to make it clear that I’m neither endorsing nor critiquing anyone’s term sheets. The point is that, unlike many users I suspect, I’ve taken the time to read them and consider the implications for my organization.

Now, depending on the nature of the service and the sensitivity of service quality and security, there are numerous issues you need to consider, especially as they relate to retaining ownership of your intellectual property. Having said that, there are a few areas that most often cause consternation among users and suppliers alike, specifically those relating to access to – and the security of – your data. Let’s take a look at both.

Security and Encryption

Are you clear on what’s “in the clear?” Most consumers today assume that their data will be stored in encrypted format, but it’s not always the case (or even a good idea). Read the fine print to ensure you’re not in breach of your compliance and governance requirements.  In the case of the Amazon Web Services agreement, clause 4.2 illustrates that the onus is clearly on the user to protect their data:

“You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.”

Termination and Transition

The whole idea of cloud services is to allow you to focus on getting value from the service, not running it, but there are times when you need to take direct control. This is especially true of transitioning your data back to you upon termination of service. It’s critical that your service provider has a clear policy for doing so. For example, check out clause 12.5 of the Salesforce.com terms of use.

12.5. Return of Your Data. Upon request by You made within 30 days after the effective date of termination of a Purchased Services subscription, We will make available to You for download a file of Your Data …

However, there’s a risk that your chosen service provider may be forced to close their business without notice. While less of an issue with large, established names, it’s a legitimate concern with smaller companies. In these cases additional precautions might be required, such as the ability to maintain your own offsite backup of the data at will – it’s worth asking for.

By looking before you click, you may find yourself reading a contract that you wouldn’t even want your worst enemy to enter into. Here are ten things to make sure your employees look for in a cloud-based services contract.

  • Who’s responsible for security?
  • Who’s responsible for regulatory compliance (privacy or reporting)?
  • Who’s responsible for ensuring performance?
  • What facilities do you have to audit the service provider’s claims?
  • Are you transferring intellectual property rights to your provider?
  • What happens to your data if the service provider closes their doors?
  • How much notice is necessary to terminate a contract?
  • How much time will it take to get your data back?
  • What format will the data be in and how will it be transported to and from the provider?


Better still, it would be so much easier to use a portal where a service broker has brought together a variety of cloud-based services under a set of terms pre-negotiated for your users by your legal team. At HP we’ve created an innovation project code-named CORAL, which is exploring new ways of thinking about the problem and takes just this approach. To give you an idea of what the world of the service broker might look like, check out the free trial (https://coral.saas.hp.com/coral/web/service-catalog/) and, while you are there, you may want to register to qualify as one of the first users of the new HP Public Cloud Service Catalog (beta)!


Oh, but don’t forget to read the terms of service first!


Discussion
robweis
Rob Weis 0 Points | Thu, 04/21/2011 - 21:44

Great article. I'll have to keep this handy for future agreements! Thanks for putting this together.

ptm
2028 Points | Sun, 04/24/2011 - 21:58

Thanks Rob - have you had any experience with your users consuming cloud services without checking in with IT first?

(or if you prefer to plead the Fifth, friends of friends who've had the problem? ;-) 

jdodge
John Dodge 1400 Points | Wed, 04/20/2011 - 15:00

Tell me why we have lawyers again (I ask even though my wonderful son is in law school)? It's ironic the URL to HP's legalese begins with "welcome." -:)

But your cautionary advice is spot on...and I think security, data ownership and some of the other considerations you mention are why enterprises need their own internal cloud platform. What is the cloud churn rate, i.e. enterprises switching cloud vendors? I suspect many of these relationships are long term. Maybe the cloud is too new to have spawned long term relationships.

That said, provisions for getting your data back are akin to a landlord getting the keys back from departing tenants. What did IT departments do in the days of timesharing? I imagine ADP customers figured this out long ago. Are there parallels?


ptm
2028 Points | Sun, 04/24/2011 - 21:56

And it's exactly the difference between ADP, time sharing and Cloud services that makes this so different and yet so similar.

If you're seasoned enough to remember ADP, then you'll also remember the only people empowered to sign up the contracts were officers of the company or their appointees (and a cadre of legal and procurement folks). 

The precise difference with cloud services is that they can be so readily consumed by well intentioned business folks. Folks who've spent little to no time understanding what they might be getting themselves AND THEIR COMPANY into.

Having said that, nobody wants to be locked out of tapping the huge pool of innovative services that are being created and combined every single day - the challenge is finding a governable model that offers the best of both worlds.

The closest business parallels I know of are the idea of "approved supplier" models where procurement did the hard work of vetting and getting a supplier on the list which later evolved into online, internal procurement tools such as Ariba.

Project Coral in essence offers something similar for Cloud services.

jdodge
John Dodge 1400 Points | Mon, 04/25/2011 - 03:13

What impact do you think the Amazon outage will have on CIOs looking at cloud services? Certainly, your points about contractual safeguards would seem even more relevant and essential given such cloud failures. And contracting for richer and more robust cloud services with backup would seem to be another lesson.

PaulM
Paul Muller 119 Points | Tue, 04/26/2011 - 23:48

The first thing it should remind every CIO is that even the most well thought through data center design or distributed application can be impacted by outages.

In other words, what is your disaster recovery plan in the event an SLA cannot be met?

The great thing about Hybrid Delivery is that you CAN burst/bridge capacity back onto your own premises or onto a third party's.

To make that a reality, you must architect and plan for failure - build in redundancy and make sure that your application is designed to fail over gracefully (which means your DATA and your apps can fail over - so yes, JD, backup!)

jdodge
John Dodge 1400 Points | Tue, 04/26/2011 - 23:55

I do backup!

PaulM
Paul Muller 119 Points | Thu, 04/28/2011 - 09:03

While we're on the topic of backup and cloud, I recommend Peter Krogh's great 3-2-1 rule for backup (here: http://www.dpbestflow.org/backup/backup-overview#321)

You should keep three backups, on at least two different media types and at least one "off site" (yes, even in the cloud).

I've been (mostly) using it for two years now and it's saved me more than once!

jdodge
John Dodge 1400 Points | Thu, 04/28/2011 - 13:22
Great advice...here's the essence of 3-2-1...
  • We recommend keeping 3 copies of any important file (a primary and two backups)
  • We recommend having the files on 2 different media types (such as hard drive and optical media), to protect against different types of hazards.*
  • 1 copy should be stored offsite (or at least offline).