Considering a Cloud Service? Read This Before Signing on the Dotted Line
Look for a contract that addresses service availability, SLAs, and security
If your company is like the majority of small businesses, you probably plan to invest some of your IT budget in cloud computing, if you haven’t already. According to an August report from Techaisle, small and medium-sized businesses will spend $11 billion on cloud computing services worldwide in 2011. There are many advantages to be realized when you move business applications to the cloud, but it’s still an investment that requires careful consideration and thorough research. Before you sign a contract, make sure it clearly states what you can expect from the cloud service and the provider.
Cloud contracts can be, well, cloudy. According to a Yankee Group report, ”…cloud contracts are rife with disclaimers, misleading uptime guarantees, and questionable privacy policies…” The Yankee Group recommended that companies look closely at the claims made in cloud service contracts. The most important of these contractual promises is the availability of the service, the provider’s service level agreements (SLAs), and the security of your data.
Guaranteeing the cloud service
When reviewing a contract, the first thing to check is the availability, or uptime, of the cloud service. You’ll want to know how often the provider requires downtime for system maintenance or application upgrades. You should ask how the provider schedules and communicates that downtime to customers. In addition, find out how the provider handles emergencies (such as an unplanned outage) with a disaster recovery plan, how quickly the service will be reinstated, and what kind of reimbursement you can expect if the contract’s service availability promises aren’t met.
Some providers, like Amazon, post real-time service availability information or offer to send alerts in the case of an outage. Your provider should have a method for communicating changes in your cloud service as they happen.
The second thing to look for in a contract is the SLAs. These are the legally binding promises that support a provider’s service availability claims. The SLAs cover the service’s uptime; where data is located; and the provider’s responsibility for outages and disaster recovery plans, network maintenance, and security. One of the most important parts of any provider’s SLAs is its availability promise, generally expressed in terms of ”nines,” such as ”four nines” or ”five nines” of uptime. Four nines means the system is available 99.99 percent of the time, and five nines means it’s available 99.999 percent of the time. Nines also indicates downtime; thus, four nines means the system is down 4.32 minutes a month, and five nines means it’s down only 25.9 seconds a month.
SLAs tend to be written in very precise legal terms and technical terms. This example from Amazon’s EC2 SLA shows how specific SLAs are, both in terms of the uptime guarantee and the vendor’s responsibility in case of an outage:
”AWS will use commercially reasonable efforts to make Amazon EC2 available with an Annual Uptime Percentage (defined below) of at least 99.95% during the Service Year. In the event Amazon EC2 does not meet the Annual Uptime Percentage commitment, you will be eligible to receive a Service Credit as described below.”
Amazon isn’t alone in offering service credits instead of refunds. The Yankee Group report found that none of the surveyed vendors provides a refund if their SLAs aren’t met.
Security in the contract
Third, look to see how the provider handles security for storing and transmitting your data. Make sure you know at what point the provider assumes responsibility for securing your data. Usually, providers won’t promise secure transfer of data over the Internet but will have provisions for securing your data once it’s behind their firewalls. You should find out what security measures the provider has in place to protect your data, such as firewalls, data encryption, and user authentication.
The contract should also clearly state the provider’s policies for notifying you of any security incidents. Does the provider comply with local and federal security breach notification laws? How quickly will the provider contact you after a security breach? Find out, too, how the vendor will address a security incident involving your data.
Finally, your cloud service contract should clearly state what happens to your data if you stop using the service. You want to be assured that you’ll get all of your data back immediately and in the format you prefer.
As with any contract, you should have a clear idea of what you need from the provider before you commit to the service. Depending on the provider, however, the contract for a small business cloud service might be non-negotiable and you’ll have to accept the contract as is. If you have any questions or concerns about the contract, you should have your attorney review it before you sign on with the provider.
How have you approached negotiating contracts with cloud service providers?