5 ways to take the opaqueness out of cloud contracts

Summary:If your data goes down, who's responsible? Not the cloud provider. But there are ways to strengthen an enterprise's negotiating position

Eight out of 10 enterprise Software-as-a-Service buyers will not be happy with the contracts they sign. And there's good reason for that.

Cloud-May 2013-photo by Joe McKendrick
Photo credit: Joe McKendrick

That's the prediction from Gartner analyst Alexa Bona, who chides the current state of contracts, which all too often "have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident."

Bona outlines three options enterprise cloud buyers need to exercise every time they cut a cloud agreement:

Bring in third-party verification. SaaS contracts should "allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure," Bona advises.

Insist on standardized assessments. "Ask a provider to respond to the findings of assessment tools," says Bona. "The Cloud Security Alliance (CSA), for example, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing."

Include adequate service levels for security and recovery, including recovery time objectives, recovery point objectives, and data integrity measures. “Whatever term is used to describe the specifics of the service-level agreement, IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations,” says Bona.

Along with Gartner's recommendations, there are other pro-active steps cloud consumers can take to ensure that their vendors fulfill their roles as partners:

Get involved with a user group or advisory committee associated with the vendor. This helps provide clout, as well as build personal relationships with managers on the vendor side. 

Maintain relationships with mutiple providers, including the option of going back to your own data center. Nothing delivers more favorable terms in business than competition.

More food for thought: in an issue of Stanford Technology Law Review earlier this year, researchers affiliated with the QMUL Cloud Legal Project at the University of London reported on conversations with cloud providers and consumers, identifying the major points of discussion — or contention — that have been coming up in negotiations for cloud engagements. 

Major areas of disagreement include the following, as outlioned in the article:

  • Who’s liable for damages from interruptions in service? (Cloud providers won't accept liability for issues.) ,
  • Number of perfromance indicators within service level agreements. (The more you pay, the more you get. Smaller customers tend to get 5-10 key performance metrics.)
  • Data availability and data loss. (Many cloud porviders won't assume liability for data loss.)
  • Physical location of data. (A big issue for European enterprises, since data must reside with the bounds of the EU. However, many providers are opaque about the whereabouts of data centers.)
  • Vendor lock-in. (Vendors try to get long-term contracts, with onerous automatic renewal policies. But at the same time, that won't stop vendors from changing their service terms)
  • Compliance data, return of data upon contract termination. (Vendors won't provide this voluntarily.)
  • Intellectual property rights. (Right now, a very murky area. What happens when cloud providers make changes to data and applications?)

 

Topics: Cloud, Enterprise Software, IT Priorities

About

Joe McKendrick is an author and independent analyst who tracks the impact of information technology on management and markets. Joe is co-author, along with 16 leading industry leaders and thinkers, of the SOA Manifesto, which outlines the values and guiding principles of service orientation. He speaks frequently on cloud, SOA, data, and... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.