CIF urges users follow procurement best practice after 2e2 closure

The high-profile closure of 2e2 should serve as a lesson in best practice for businesses contracting cloud or managed service providers, says CIF

The high-profile closure of datacentre service provider 2e2 should serve as a lesson in best practice for businesses contracting a cloud or IT managed service provider, cloud consortium Cloud Industry Forum (CIF) has said.

While 2e2 was not a cloud service, businesses must learn from its closure that service providers are not insurers of a customer’s business, CIF warned.

2e2 administrators asked customers for nearly £1m funding for uninterrupted services and access to datacentre facilities when the company folded.

If customers did not pay, “We will be unable to maintain the datacentre infrastructure and we will have no alternative, other than to cease all operations without any managed wind-down of those operations,” the administrators warned. Some of 2e2’s high-profile customers affected included NHS Trusts, Vodafone and O2 among others.

IT professionals must not enter into services agreement without being fully aware of each other’s responsibilities, or without clarification as to how a relationship ends at a practical level, regardless of cause, CIF warned.

2e2 operated as an outsourced/managed service business, which has similarities with a cloud service provider (CSP) model. Businesses must learn cloud procurement lessons from 2e2’s sudden and very public failure, CIF’s chairman Andy Burton said.  

“As a matter of principle, cloud users should always plan rationally upfront and seek contractual clarity and reassurance from CSPs in order to understand how the service would be delivered, who is accountable and liable for which aspects of service continuity, and ultimately what is the process and timescale to disengage and move data in a planned or forced termination,” Burton advised.

Using best practice around contingency planning, contracts and cloud certification will help enterprises prepare for all eventualities and mitigate the risks associated with the failure of their cloud or managed services suppliers, he added.

“Remedies under a contract may form part of, but should not be considered to be an entire, risk mitigation strategy,” he continued.

The industry body called on enterprise IT to maintain overall governance of how IT is delivered. CIF said businesses should always assume responsibility for the decisions they make, either on-premise or in terms of adopting cloud services.

Businesses must maintain ultimate responsibility with regards to three main areas of focus: contracting, contingency and certification, it said.

While entering into a contract, IT executives must review how contract and SLAs are drafted and be able to take measures to mitigate risks and losses in an unforeseen event. IT must understand how the service is delivered and who is accountable and liable for service delivery, including post-termination timescales and how to recover data when the service provider ends the business, CIF advised.

As for contingency, whilst a cloud service provider can be held accountable for a breach of contract or a service failure, the user still needs to be clear on what their remediation plan is, Burton said.

“The absence of such a contingency plan is a critical flaw in any sourcing decision,” he warned.

Read more on Datacentre disaster recovery and security