Mastering the cloud contract tug of war I
By Carol Ko 03-Jul-2012
Industry experts say cloud computing is a technology. Analysts say it is an IT force or megatrend. Some suggest cloud computing is just a mode of service delivery defined by the service level agreement (SLA) in a cloud service contract. Whether you are from the vendor's or the customer's side, there is a range of issues in a cloud service contract that is worth taking a close look at.
In an interview with Asia Cloud Forum's Carol Ko, Thomas Shaw, attorney at law and CEO of CloudRisk Asia, exposes the possible conflicting interests between cloud service vendors and customers: How is cloud computing different from outsourcing and managed services, and what is its implication on service level? Why and how far are public cloud service contracts "non-negotiable"?
What four items can a cloud service customer perform off-site? Why should a cloud service customer demand knowledge of any cloud subcontractors used? And how problematic is it to define "service downtime"? Find out below how the interests of both the cloud service vendors and customers are represented and defended in a cloud service contract.
Asia Cloud Forum: Cloud computing is often alluded to as managed services and outsourcing. How does a cloud service provider differentiate a cloud service contract from a managed services or outsourcing contract?
Thomas Shaw: Cloud computing, except for a private cloud hosted internally, is a form of outsourcing. Cloud computing can be a form of managed services, as there should always be some sort of quality of service guarantee, but some may not consider an IaaS (infrastructure-as-a-service) offering to be a managed service, as the customer will be doing much of the "managing." The legal agreement will then reflect those varying service offerings.
For example, if the cloud service provider (CSP) is offering a SaaS (software-as-a-service) application, then the CSP will need to determine if it is providing the application with just online help or if it is also providing live person (e.g., help desk) support to customers, which will be reflected in how the contract or SLA (service level agreement) is written.
Asia Cloud Forum: Are the issues of liability and data location the most important factors in evaluating a CSP agreement for a cloud consumer?
Shaw: It is not really possible to know which factor is most important in each situation without knowing the individual circumstances. The key factors from the perspective of the cloud consumer and the CSP may be different. Where they clearly intersect is on issues such as legal liability.
Both parties will want to give as much liability to the other party as possible. For the CSP, their stated liability limits are likely something they won't vary, due to the large number of other customers, their insurance coverage, and the financial implications. So cloud consumers should instead focus on whether there are certain situations where they want to have different limits. One such situation for consideration is in the case of a data breach.
Data mobility in the cloud potentially implicates numerous legal regimes and potential legal exposure. So both the CSP and the cloud consumer will want to have drawn a box around that legal exposure. The CSP will do it by having appropriate agreements with subcontractors but the cloud consumer can only do this by limiting the locations where their data is distributed.
Once data is located in a country, then the cloud consumer can become subject to that country's legal regime. But it is not really that simple, as for example some countries' laws are enforced on data about their citizens, regardless of where the data is hosted or the CSP is incorporated. This issue must be resolved in advance by cloud consumers in the CSP agreement and should not be left to technical workload balancing or backup considerations.
Asia Cloud Forum: Does the use by public CSPs of standard service contracts mean that they are "non-negotiable"?
Shaw: No, but as with any issue in negotiation, a cloud consumer's negotiating strength comes from a variety of factors. Consider it from the CSP's perspective. They have invested the time and money to create a standardized agreement, so why would they change it if you are their 1000th customer bringing only 1/1000th of their revenue?
While it is best to consider any "standard" contract as a starting point (a well-written agreement is always a good starting point, even if unfavorable), don't expect maximum flexibility in such an agreement. The contract will reflect the CSP's standardizing of their service offerings, their financial commitments and expectations, and the organizational acceptance of risk. It would be unrealistic to think that they would re-do all of that for a single customer. With that said, it is important to believe that there will be at least a few key points that any cloud consumer must obtain in negotiation. CSPs know this and to some extent have started offering these as options.