Now that we have summarized some key issues from the perspective of the cloud computing vendors, it's time to review some key issues from the perspective of the customers. Customers who are looking to access computing capability, whether from vendors providing infrastructure as a service, platform as a service or software as a service, need to be sure that they address issues that are specific to the cloud computing model and not ordinarily negotiated in the context of a license agreement for a traditional software distribution.
In addition to the service level commitments discussed in the prior column, which are of concern to both vendors and customers, the following are some more customer-centric issues that we recommend customers negotiate in their service agreements:
- Ability to increase/decrease capacity and use: One of the critical advantages of cloud computing is the rapid ability to deploy more services (or decrease the amount of services) as a customer may need. In order for a customer to optimize this benefit, the service agreement should include a clear procedure for ordering and providing increased services and decreasing services if capacity needs drop.
- Continuity of Business: Given that access to computing capability is dependent in large part on the stability of the cloud service provider's systems, a customer should require a commitment by the vendor to establish a disaster recovery plan and continuity plan for the services as part of the service agreement. The customer should have the right to review the plan on a regular basis and audit the provider's compliance with it. The customer may also wish to consider requiring that the cloud service provider give the customer prior notice of any changes in those plans. A standard that can be referenced for the certification of the plans is BS25999 which is a Business Continuity Management (BCM) standard in two parts developed by the British Standards Institution. A related issue is the cloud service provider's financial viability. The possibility of a service provider going into bankruptcy poses a number of very difficult legal issues and the potential solutions are not clear. The best method of avoiding these problems is to ensure that the service provider is financially strong. One way to address this issue would be for the customer to obtain the right to review the financial status of the provider and/or obtain periodic financial information on a regular basis.
- Privacy: Privacy issues form a very difficult potential problem in the cloud environment because of the intensely local nature of the statutes regarding the protection of personal information. For example, the laws in the United States are quite different from the laws of Europe with respect to privacy, and even within the United States, laws vary depending on the particular state. The question of which law would apply can be a difficult one in a cloud environment because in many cloud environments the data may be moved to data centers which are located in many different countries. While a customer may try to limit the service provider's ability to transfer data among jurisdictions, a more realistic approach may be for customers and service providers to work together to ensure that any data is collected, stored and processed in accordance with applicable privacy laws.
- Security: This issue is very important because a security failure could cause substantial damage to customers through, among other things, the loss of proprietary information and data. Many providers will try to limit their security obligations to "standard industry practices" and further qualify them by limiting the scope of the obligations to the use of "reasonable commercial efforts" to meet that standard. Because such standards in cloud computing are not yet firmly established, this approach is very dangerous. One unique potential risk to cloud computing is the use of multi-tenancy, in which multiple tenants are on a single server. The risk of multi-tenancy is that, if it is improperly implemented, one tenant may have access to another tenant's data. A customer should negotiate with the provider for specific security obligations, including monitoring for problems. The provider should be obligated to undertake a SAS 70 style audit of its security procedures and provide the result to the customer. Rather than use a commercially reasonable efforts standard, the customer should impose the use of ISO 27001/27002 as guidelines and, even better, the provider should be certified as compliant with ISO 27001:2005.
The above is not an exhaustive list of all issues that cloud computing customers should consider in their service agreements with providers, but these are some of the key issues on which customers should focus in order to assure themselves of the full benefit of a service agreement.