Cloud computing (still) needs a bill of rights
Summary: The cloud industry badly needs a common code of practice so that buyers know what exactly they ought to expect from a provider, right from the outset. Arriving at a consensus won't happen overnight, but it's high time to start making a serious effort.
Back in December, after Amazon summarily pulled the plug on WikiLeaks using its servers for alleged violations of terms and conditions, the CTO of Fujitsu Technology Solutions wrote that the action constituted a serious threat to the business of cloud computing:
"If a provider can terminate its service that easily, then it is doing exactly what skeptics expect, putting the security and availability of cloud services into question ... Many potential customers for cloud computing services will, I fear, have been paying attention and will now be forced to reconsider whether they can afford to make their IT that dependent on a third party. Cloud-computing's reputation has been damaged."
Even without the political dimension of the Wikileaks case and the powerful arguments around free speech, the principle of non-termination without notice is an important one. CloudAve's Krishnan Subramanian highlighted a wholly commercial example in which a low-cost CDN provider had its servers shut down without notice by an upstream provider (also covered at GigaOm).
These are extreme examples, but they highlight a golden truth about service level agreements: you only find out they're defective after the service fails. The cloud industry badly needs a common code of practice so that buyers know what exactly they ought to expect from a provider, right from the outset. We've had long enough to work out what all the issues are, it's time to take some action and work on publishing some specifications.
So I was glad to see Salesforce.com's recently recruited chief scientist JP Rangaswami had posted some thoughts last week on work at the vendor to define a set of ten guiding principles for cloud computing. He writes that "this is something the company has been working on for a while now." I should flippin' well hope so, as it is now more than five years since I first blogged on this very topic of trust in service providers — and that same post was itself in response to outages at Salesforce.com.
In that post, I set out a first version of my own suggested 5-point code of practice, which I've since elaborated. Others too have come out with valuable contributions to this debate, including Ray Wang's Customer Bill of Rights for Software-as-a-Service, and the work that RightNow has done promoting better contract terms for customers. Not to mention the initiatives under way at EuroCloud, of which [disclosure] I'm a vice-president (and Salesforce.com is a supportive member).
Looking at Salesforce.com's 10-point list (as cross-posted at the vendor's own Cloud Blog), I do find myself a little disappointed that it's all very data-centric, focusing on privacy, security and governance of data. That's good, but accidents with the data aren't the only area of risk that enterprises have to consider when using a cloud application provider. Their business processes are highly exposed too, vulnerable to sudden disruption from unexpected outages and patches of poor performance, or at the mercy of arbitrary changes in pricing or terms of service, including those mentioned at the top of this post.
The Wikileaks story reminds us, too, that it is not just the industry and its customers that should be involved in the process of discussing and agreeing these principles. Government has to be involved too, both in providing the necessary regulatory framework (as it does for the banking and telecoms industries on similar matters), and in particular agreeing where and when there should be legal limits to its own powers (what value is your service provider's SLA, for example, if the Government itself controls an Internet 'kill switch'?).
With so many stakeholders, and so many angles to cover, arriving at a consensus over the rights and responsibilities of cloud providers, users and regulators is not something that's going to happen overnight. All the more reason, therefore, to foster the discussion now. The more these issues are surfaced, the closer we'll get to having at some common, shared understanding of how cloud providers ought to behave and what their customers should insist on in their contracts and service level agreements.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
21st Century technology meets 19th Century legal system
- there are layers of contract terms and conditions
- parties are subject to many different types of legal sanctions (subpoenas, seizures, court orders)
- tolerance of weasel-words in Terms and Conditions
Cloud computing adds some additional problems on top of the already nasty brew because of opacity. As a risk manager, you *don't know* where your data or service resides and what hazards that exist. And if you expect the service provider to "make things right", READ YOUR CONTRACT. Half of them don't promise that the company will even return your phone call.
RE: Cloud computing (still) needs a bill of rights
I had a site called www.sirs.org and www.sirs.co.nz which exposed boiler rooms selling fake shares to people around the world. At its peak, the site was preventing about $120,000 of securities fraud a day. However, being so effective caused the boiler room operators to hire hackers to do DDOS attacks of which the first successfully took down the whole country of New Zealand for 12 hours. The second attack took it down for only 90 minutes. At which point the government asked me to kindly move the server to somewhere where they could handle the DDOS attacks better. I moved it over to one of the largest hosting providers in the US and told them in advance the issue I was experiencing. After two more DDOS attacks which took down their datacentre, they had to shutdown the site. Although SIRS would be arguably considered a benefit to society and Wikileaks is not as clearly seen that way by all, both site attract a certain amount of hacking and cyber-sabotage attempts. The Cloud Provider needs to protect their business and think about the great good of all their customers.
I accepted that no matter where I hosted the server now, it would impact other business at the same datacentre, and so therefore, after 5 years of preventing securities fraud, i let the site close down. The crooks had won purely by being able to do cyber-sabotage. I am sure for Amazon, host Wikileaks caused nothing but similar problems. Of which a bill of rights which you suggest would neither solve nor be viable in these cases.
There is more to the Wikileaks issue at Amazon than what the press is trying to sensationalize on and using that to jump on the bandwagon of insisting for a bill of rights, means you haven't thought through the issue before you wrote the article.
RE: Cloud computing (still) needs a bill of rights
- Data retention (after termination the data must be available for up to X days)
- Termination notice (Where permissible by law of the operating juristdiction we will provide up to 72 hours of warning)
In the end, all things are "imposed" by the government
RE: Cloud computing (still) needs a bill of rights
Yes, it's better to built a private cloud. More security and peace of mind. With the right software such as ThinServer, it need NOT be expensive or complicated
http://www.aikotech.com/thinserver.htm
RE: Cloud computing (still) needs a bill of rights
But I'm not yet convinced the world needs cloud computing.
RE: Cloud computing (still) needs a bill of rights
Private cloud considered harmful
http://www.zdnet.com/blog/saas/private-cloud-discredited-part-1/1204
InfoLawGroup's Cloud Customer Bill of Rights
Cloud Failure in 2011
http://bit.ly/dScUsh
Michele Hudnall @HudnallsHuddle
mhudnall@novell.com
www.BusinessServiceManagementHub.com @BSMHub
RE: Cloud computing (still) needs a bill of rights
...this is not exclusively a Cloud computing problem