Cloud computing provides efficiencies and competitive advantages to organisations but CIOs need to have a “sense check” while planning their public cloud strategies, say technology lawyers from Kemp Little LLP.
Cloud is moving at a ferocious rate and, while legal and regulatory aspects still play catch-up, businesses must exercise appropriate control to ensure they don’t burn their hands on cloud IT, legal experts told delegates at Cloud World Forum.
Among the major cloud risks are loss of IT control and reliance on the cloud supplier. There are also risks in entering and leaving the cloud environment. Here is some of their advice to CIOs.
Plan your exit strategy
“It is important to plan the exit strategy right at the onset of contracting cloud services,” said Paul Hinton, commercial technology partner at Kemp Little LLP. “It should be the second thing you look at after deciding to use cloud services.”
Another commercial technology partner, Andrew Joint, also urged CIOs to plan the exit strategy upfront. “CIOs must think about the practical aspects. There should be discussions and collaborations between the legal and technology teams within an organisation before a cloud contract is signed,” Joint said.
The lawyers advised CIOs to consider cloud computing just like they would consider outsourcing services before using them.
Think about what happens to the data
Businesses must consider what happens to their data, when they will get it back and in what format, the lawyers advised. “Having cloud standards will provide businesses with a guarantee on getting back control of their data when they leave the cloud but until such standards exist, IT must think about what will happen to their company’s data.” “Having data back in the format such as .CSV is not going to be useful to businesses even if they get it without much hassle from the provider,” Joint said.
He further warned users to clarify, before signing the contract, the timescales for getting their data back in case of contract termination.
Agreements should not rely solely on IPR (Intellectual Property Rights) provisions in relation to dealing with intangible data on expiry or termination of the contract, the lawyers warned.
The legal professionals cited the court case between the company Your Response and the service provider Datateam Business Media. Datateam refused to hand the data back to the customer because the user ended the contract.
In this case, the Court of Appeal confirmed that the supplier will not have any right to hold on to customer data over pending payment, but there was nothing in the contract.
Understand the public cloud SLAs
“Public cloud is a cheap IT service but you cannot control or negotiate the contract,” Joint said.
Public cloud is a one-to-many service and the service terms never put the risk on the supplier, the legal experts added. “If you read the clauses around downtime, you will see that it does not include scheduled or emergency maintenance works or things out of supplier control like area-wide electricity cuts or natural disaster,” Joint said.
Even if you get 99% availability, it still means 10 full days of downtime. “Can your business afford it?” asked Hinton.
Cloud providers also maintain that loss of data is not their responsibility and that backing up data is the customer’s business, the experts added.
“One customer we knew had entered into an agreement with default lock-in and had to keep renewing the contract only to make sure the supplier did not wipe off its data,” Joint said.
But the experts concluded that cloud contracts are becoming increasingly sophisticated and fewer enterprises are losing the battle with the suppliers. “As competition increases, suppliers are more willing to address customer concerns,” Hinton said.
“Cloud isn’t less or more risky than other methods of IT but CIOs must exercise due diligence until EU standards and policies around cloud come into effect.”