Cloud computing (still) needs a bill of rights

The cloud industry badly needs a common code of practice so that buyers know what exactly they ought to expect from a provider, right from the outset. Arriving at a consensus won't happen overnight, but it's high time to start making a serious effort.

Back in December, after Amazon summarily pulled the plug on WikiLeaks using its servers for alleged violations of terms and conditions, the CTO of Fujitsu Technology Solutions wrote that the action constituted a serious threat to the business of cloud computing:

"If a provider can terminate its service that easily, then it is doing exactly what skeptics expect, putting the security and availability of cloud services into question ... Many potential customers for cloud computing services will, I fear, have been paying attention and will now be forced to reconsider whether they can afford to make their IT that dependent on a third party. Cloud-computing's reputation has been damaged."

Even without the political dimension of the Wikileaks case and the powerful arguments around free speech, the principle of non-termination without notice is an important one. CloudAve's Krishnan Subramanian highlighted a wholly commercial example in which a low-cost CDN provider had its servers shut down without notice by an upstream provider (also covered at GigaOm).

These are extreme examples, but they highlight a golden truth about service level agreements: you only find out they're defective after the service fails. The cloud industry badly needs a common code of practice so that buyers know what exactly they ought to expect from a provider, right from the outset. We've had long enough to work out what all the issues are, it's time to take some action and work on publishing some specifications.

So I was glad to see's recently recruited chief scientist JP Rangaswami had posted some thoughts last week on work at the vendor to define a set of ten guiding principles for cloud computing. He writes that "this is something the company has been working on for a while now." I should flippin' well hope so, as it is now more than five years since I first blogged on this very topic of trust in service providers — and that same post was itself in response to outages at

In that post, I set out a first version of my own suggested 5-point code of practice, which I've since elaborated. Others too have come out with valuable contributions to this debate, including Ray Wang's Customer Bill of Rights for Software-as-a-Service, and the work that RightNow has done promoting better contract terms for customers. Not to mention the initiatives under way at EuroCloud, of which [disclosure] I'm a vice-president (and is a supportive member).

Looking at's 10-point list (as cross-posted at the vendor's own Cloud Blog), I do find myself a little disappointed that it's all very data-centric, focusing on privacy, security and governance of data. That's good, but accidents with the data aren't the only area of risk that enterprises have to consider when using a cloud application provider. Their business processes are highly exposed too, vulnerable to sudden disruption from unexpected outages and patches of poor performance, or at the mercy of arbitrary changes in pricing or terms of service, including those mentioned at the top of this post.

The Wikileaks story reminds us, too, that it is not just the industry and its customers that should be involved in the process of discussing and agreeing these principles. Government has to be involved too, both in providing the necessary regulatory framework (as it does for the banking and telecoms industries on similar matters), and in particular agreeing where and when there should be legal limits to its own powers (what value is your service provider's SLA, for example, if the Government itself controls an Internet 'kill switch'?).

With so many stakeholders, and so many angles to cover, arriving at a consensus over the rights and responsibilities of cloud providers, users and regulators is not something that's going to happen overnight. All the more reason, therefore, to foster the discussion now. The more these issues are surfaced, the closer we'll get to having at some common, shared understanding of how cloud providers ought to behave and what their customers should insist on in their contracts and service level agreements.