Three steps towards drawing up ideal cloud computing contract

March 28, 2011, by David
Grazed from Cloud Pro.  Author: Frank Jennings.

Once you’ve made the decision to move away from an IT environment that is physically located within your organisation, there’s another problem to solve.

One of the crucial elements of moving to the cloud is the type of contract that you have with the cloud provider (or a reseller of the cloud provider’s service). Get this part wrong and your business could be looking at some very serious financial consequences.

There are three main areas to concentrate on: reliability, security and liability. All customers should pay keen attention to what a cloud provider's policy is in each of these three areas.

If we take reliability first, this is simply about the technical performance of the cloud provider’s service. Do their servers break down? What mirroring options do they have in place? What monitoring systems do they have in place? Customers should be prepared to carry out due diligence on the cloud companies and assess their performance. Look at the company’s past performance – does it have a good reputation?

On the other hand, cloud companies will point out that having an IT infrastructure in-house does not necessarily mean that the servers or network are more reliable. Cloud providers will say that managing data centres is their core business and they will claim that they’re much more reliable in managing this infrastructure than user organisations will be.

However, while it’s true that cloud providers will tend to have more robust and better managed infrastructures, the customer needs more reassurance than that. It’s vital that all the fine details are built into the service. And the type of cloud provider is important here – one factor to bear in mind is that buying a standard package from a larger operator will leave very little room to manoeuvre, while customising an offering from a smaller reseller could offer a much more tailored experience.

When it comes to security, there are a couple of factors to consider. Financial companies will have the Financial Services Act to conform to and all companies will have to consider the Data Protection Act and the scrutiny of the Information Commissioner. And offending organisations can be hit by big fines – for example, the FSA fined HSBC £3m for losing data.

To be blunt: the liability for any breaches of security or privacy lies with the cloud customer – so customers are going to be very concerned about the consequences of handing over information to a third party. It's very important for companies to ensure that the cloud companies are taking proper steps to protect data. Are they keeping it inside the EU, where there is adequate protection for data, rather than sending it over to the USA or India? We hear of companies who insist that UK data is housed in the UK – that's not legally necessary, but it does give added peace of mind.

Although the customer is ultimately liable, there are steps that can be taken. The customer should specify in the contract where the data is held and who it can be released to. There should be an indemnity clause meaning that the cloud provider takes all possible precautions to avoid breaches and takes legal responsibility for any losses.

Ultimately however, market forces will come into play. If a company loses data, then its reputation will suffer – cloud companies are going to stand or fall by their reliability and a few security breaches will quickly destroy that.

The third factor to look at is liability – what happens when things go wrong?

Again, levels of compensation need to be placed in the contract, but all the money will be of little satisfaction to a company that has gone bust.

The annoying aspect of this is that some cloud providers try to exclude liability, rather in the same way that insurance companies will look not to pay out on their policies – although the customer could get around this problem by taking out an insurance product of his own.

One other option is that cloud providers will offer some sort of protection but this will involve paying a higher fee for a Gold or Platinum type service. This approach could mean that the cloud company will be offering a more robust service, based on a high quality data centre, with better monitoring facilities. Or it could be based on the fact that the cloud company is prepared to pay more if things go wrong.

All the discussion so far has been about a simple relationship between customer and cloud provider, but there's another factor to bear in mind. The cloud service could be provided by a reseller, and that could introduce another level of complication. The customer will be signing on the reseller's terms, but there could well be a clash with the cloud hosting company's own terms. For example, the cloud company could be providing a bronze level of service while the reseller is offering a gold one – that's a bit of a disconnect.

One way of getting round this is by signing a pass-through contract where the reseller supplies service from a named supplier such as Amazon or Microsoft.

There’s no doubt that the market will consolidate over the next few years as the poorer providers are found out and smaller cloud companies will be taken over. While that’s happening, one of the things that a cloud customer could do is sign up with an accredited cloud provider, a company that has been endorsed by the Cloud Industry Forum or ISO for example.

Certainly, all the work needs to be carried out up-front – there is little opportunity for comeback after a system problem, whether it’s a security breach or a cloud.