Follow best practices while contracting cloud services, warns lawyer

Enterprises need to assess the risks of cloud computing and have clarity on data protection and security responsibilities when contracting cloud services to avoid another “2e2 disaster”, a cloud lawyer has said.

Cloud is not a magical solution that will fix all of IT’s problems, and customers must understand that the service they get depends on what they pay for, Frank Jennings, cloud lawyer at DMH Stallard, told Computer Weekly at the annual Cloud World Forum 2013 event.

“If you are a big blue chip company paying more for the cloud service, you may get a higher level of protection, but if you are a small enterprise, your contract doesn’t provide enough value to the cloud service provider,” Jennings said.

“Another 2e2 disaster will happen if customers don’t provide for it,” he warned.

2e2 is the datacentre service provider and systems integrator that went into administration in January this year. Its administrators demanded nearly £1m in funding from its customers if they wanted uninterrupted services and access to their data held in the provider’s facilities.

If customers do not pay, 2e2 warned, it “will be unable to maintain the datacentre infrastructure and we will have no alternative, other than to cease all operations without any managed wind-down of those operations.”

Its high-profile customers included Vodafone, NHS Trusts, Citigroup, O2 and Kellogg's, among others.

A more sophisticated approach required

According to Jennings, who is also a member of the Cloud Industry Forum, enterprises must have a more sophisticated approach to cloud computing contracts. “Customers can have a hybrid set-up, for instance to avoid losing data when the cloud provider goes bust,” he said.

Other measures users can take include a strategy for an external backup. 

“It is important to have some sort of a data backup policy that is stored away from the data on the cloud,” Jennings said. “Disaster recovery strategy is vital for a safe use of cloud.

“But a lot of people do not understand what they are buying today. They think that the cloud provider does everything,” he added.

Jennings’s warnings were particularly stark for public cloud contracts: “With public cloud, sometimes there is no negotiation and customers are using credit cards online to purchase cheap public cloud storage services.

“But it is important to understand that in such cases where cloud is cheap, data is solely the user’s responsibility.

“From a procurement perspective, CIOs must think about the longer term cloud strategy and purchase a secure solution.”

Exercising caution

It will be a while before the industry sees a piece of legislation around cloud, but until then it must exercise caution in cloud contracts, he warned.

Analyst firm Gartner also urged users to consider security factors before contracting cloud services.

Enterprises lose varying degrees of control over their IT systems and data as they move from in-house or self-managed hosting to various types of cloud offerings, according to Gartner analysts at its summit earlier this year.

“The devil is in the details,” especially regarding which party is responsible for which aspect of security operations, John Morency, a research vice-president with Gartner, said at that time.

One cloud customer, Thomson Reuters, takes a proactive approach to assessing the risk before entering into a cloud contract.

“Risk appetite is different among different users, but it is important to make sure that the user is clear on the division of responsibilities,” said Andy Boura, Information Security Architect at Thomson Reuters. “There has to be no room for grey area.

“The key is to have clarity. Cloud won’t take all your problems away, but a lot of its advantages are down to the right contract with the service provider,” Boura said.
