Cloud SLAs a raw deal


“This is done to overcome the apprehension potential customers may have that by moving to public cloud model they will be vulnerable to experiencing unexpected downtime,” Vincent wrote in the report.

Security was one area where cloud providers exceeded the norm in the IT industry. Vincent said most of the contracts failed to say which security standards applied. Some specifically rejected a commitment to provide security.

“The service is provided with no warranties regarding security, reliability, protection from attacks, data integrity, or data availability,” one contract stated. Other contracts required the customer to implement security measures to protect their data using encryption and maintaining backups.

However, in practice many providers followed world’s best practice. “Despite lack of specificity in most contracts, global providers offer better and more sophisticated security standards than individual companies could achieve,” Vincent said. By contrast, a recent audit review of security patches found 40 percent of government departments weren’t up to date.

The get-out clause

Traditional outsourcing agreements go into detail outlining the process of leaving a provider. By comparison Truman Hoyle found cloud computing contracts that failed to provide any framework for leaving a service. Five of the 25 contracts gave no days at all to remove data. The best case was 90 days.

If a customer had chosen to terminate an agreement it could make plans to retrieve the data before the service period expired. However, if the termination was by the provider or was inadvertent, customers could struggle to access their data.

The report noted that “virtually all” contracts surveyed allowed the vendor to terminate the agreement immediately for cause in at least some circumstances. Of these, only one specifically gave the customer the right to retrieve its data in those circumstances.

Vincent thought “there would be movement” within the terms of contracts as there was evidence of vendors competing on terms and conditions. He said he had seen press releases from vendors announcing maintenance would be undertaken on the vendor’s time, or promises of no downtime.

The transition clauses were definitely expected to improve. “Those promises the industry makes about transition out will have to get better,” Vincent said.

Cloud computing providers also gave themselves very generous terms for limiting liability. The most common scenario was to cap losses at one year of fees, Vincent said.

Exposure to liability should be reasonable based on the type of service offered, Vincent said. A highly standardised or commoditised service with known risks would likely come with tight limitations for liability. This was because a commoditised cloud computing provider would need to manage the potential risk for its customers to afford a mass-consumption service.

Vincent pointed out if a similar service was being supplied by an in-house IT department there would be no ability to claim for damages in the case of data loss or downtime. All the risk of a service failing could not be borne by the reseller.

“There will be no wholesale opening up of liability that vendors will take on. Commercial services need predictable amounts of exposure. Suppliers are not insurers,” he said.

Copyright © nextmedia Pty Ltd. All rights reserved.