Cloud contracts – the Devil is in the detail

Cloud computing today is no longer a buzzword associated with universities or advanced technology organisations at the bleeding edge of innovation. It is now a mainstream sourcing model that most organisations are looking to as part of their broader IT strategy.

The shift away from building customised systems specifically for organisational requirements is fast approaching. Global financial scenarios are presenting a funding challenge for IT innovation initiatives, transformation projects and ongoing support services.

One of the greatest shifts was highlighted by a US Government White House paper titled “25 Point Implementation Plan to Reform Federal Information Technology Management”, in December 2009, which included support for a “Shift to Cloud First Policy”. An important point to note is that the term “Stand-Up Contract Vehicles” was used for both secure infrastructure-as-a-service (IaaS) and commodity services. Supporting actions were required, alongside the endorsement of the strategy and the guiding “Cloud First” policy.

In all cloud discussions to date, major emphasis is placed on the service types of cloud—Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or cloud models such as Public Cloud, Private Cloud, Hybrid Cloud and Community Cloud. Very little emphasis or discussion is undertaken about the major vehicle through which these models and services will be utilised and consumed—cloud contracts.

Traditionally, contracts have been the realm of procurement, accounting, legal or sourcing functions. Technologists and (more specifically) information security professionals kept a safe distance because, quite frankly, contracts are boring. With the advent of cloud computing, however, this is changing fast.

Concerns over service levels, data security, data leakage, data access, scalability and security compliance with organisations’ policies and standards are just a few of the issues that require the attention of security and information management before cloud computing services are deployed or contracts finalised. Whilst some of these concerns are similar to those raised by outsourcing contracts of the past, there are new areas that require consideration.

Research has highlighted that cloud contracts are often governed by the Terms and Conditions (T&Cs) of how the service will be delivered. Interestingly, more often than not the T&Cs are a set of documents containing the terms that govern the relationship between the customer and the cloud service provider. These can be relatively short and simple, or lengthy, complex and split over several documents. Generally, T&Cs are made up of common documents such as Terms of Service (ToS), Service Level Agreement (SLA), Acceptable Use Policy (AUP), Privacy Policy or a mixture of these components.

But!

Once the following statements from leading cloud service providers are examined, the reason for ensuring you truly understand cloud contracts becomes clear.

Cloud Contract – Facebook

“We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.”

Cloud Contract – Amazon Web Services

“…you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.”

Cloud Contract – Amazon Web Services

“In the event of any termination by us of any Service or any set of Services, or termination of this Agreement in its entirety, other than a for cause termination under Section 3.4.1, (i) we will not take any action to intentionally erase any of your data stored on the Services for a period of thirty (30) days after the effective date of termination; and (ii) your post termination retrieval of data stored on the Services will be conditioned on your payment of Service data storage charges for the period following termination, payment in full of any other amounts due us, and your compliance with terms and conditions we may establish with respect to such data retrieval.”

Cloud Contract – SQL Azure, Microsoft

“Upon the expiration of the term or any termination or cancellation of this agreement, your rights to access or use the Services immediately cease, and you must promptly remove from the Services any data, software programs or services (if any) used in connection with your access to or use of the Services. If you do not remove such data, software programs or services from the Services, we reserve the right to remove them in accordance with our normal business practices for the Services.”

“Upon cancellation, suspension or any termination, your right to use the Services stops right away and you must immediately remove your Data and applications from the Services. You are responsible for taking the steps necessary to back up your Data. Upon any termination of this agreement, all other rights granted to you by this agreement will also automatically terminate.”

Cloud Contract – GoGrid, Microsoft

“You bear sole responsibility for any and all data used in connection with the development, operation or maintenance of any software programs or services that you use in connection with your access to or use of the Services, including without limitation taking the steps necessary to back up such data, software programs or services.”

Cloud Contract – DropBox

“Dropbox reserves the right to terminate Free Accounts at any time, with or without notice. Without limiting the generality of the foregoing, and without further notice, Dropbox may choose to delete and/or reduce: (i) any or all of Your Files if your Free Account is inactive for 90 days; and (ii) previous versions and/or prior backups of Your Files.”

The Devil is in the detail.
