Four risk areas CIOs must consider when contracting cloud services

CIOs should be aware of four main risks when contracting for cloud services, says analyst firm Gartner.

Cloud service providers should also address these structural shortcomings to achieve wider acceptance of their standard contracts, according to Frank Ridder, research vice-president at Gartner.

"CIOs and sourcing executives have a duty to understand key areas of risk for their organisations," he said.

Gartner's four risk areas:

1. Terms and conditions not mature in all markets

Cloud service contracts from traditional service providers tend to include generally acceptable terms and conditions for their private clouds. But many cloud-sourcing contracts lack descriptions of cloud service providers' responsibilities and do not meet the general legal, regulatory and commercial contracting requirements of most enterprise organisations.

Areas such as data-handling policies and procedures can have a negative impact on the business case (for example, additional backup procedures or a fee for data access after cancellation). This may create compliancy issues and cost increases.

2. Arrangements not partnerships

Cloud service contracts do not lend themselves to the partnership-style arrangements seen in outsourcing relationships, mainly because of the high degree of contract standardisation - where terms are consistent for every customer and service is typically delivered remotely rather than locally.

Buying organisations need to be clear about what they can accept and what is negotiable. Contracts for cloud services tend to be written in standardised terms and organisations should understand they are one of many customers. For many cloud providers customisation breaks their models of industrialised service delivery.

3. Contracts are opaque and easily changed

Contracts from cloud service providers tend to be short and contain clauses that lack detail. This means that clauses can change over time; often without prior notice.

Organisations need to ensure that they understand the complete structure of their cloud sourcing contract, including the terms that are detailed outside of the main contract. They need to be sure these terms cannot change for the period of the contract. It is also critical to understand what parts of the contracts can be changed and when the change will take place.

4. Lack of service commitments

As the cloud services market matures, increasing numbers of cloud providers are including online service level agreements referenced in their contracts and, in fewer cases, in the contract itself. Things are improving, but service commitments remain vague.

When deciding whether to invest in cloud offerings, buyers should understand what they can do, if the service fails or performs badly. They should understand whether the SLAs are acceptable and if the credit mechanisms will lead to a change in the providers' behaviour; if not, they should negotiate terms that meet their requirements - or not engage.