Negotiating Cloud Computing Contracts
Posted by
Christopher C. Cain and Foley & Lardner LLP
July 21, 2010
Cloud computing continues to grow apace, with more businesses each year considering some form of a cloud solution. This is not to say that IT departments are abandoning traditional software solutions but they are picking and choosing business functions they are willing to push to the cloud. With one foot increasingly in the cloud and the other remaining in the business, IT personnel need to keep in mind the difference between a traditional software solution and a cloud offering. With those differences in mind, you can focus on the key aspects of the cloud computing agreement.
Cloud computing involves scalable and elastic IT-enabled capabilities delivered as a service. The vendor hosts the software and data, often your data and other customers' data held in a shared environment. In contrast, traditional software licensing involves the delivery of a good, the software, installed locally in your environment. The software is usually highly configurable so it can meet particular business needs and you retain control over the data used by the software. So going from the ground to the cloud means your focus must shift from installing and configuring software to making sure the cloud service is available when needed and secure. Let's consider availability and security each in turn.
The cloud service needs to be available for use in your business, but you are relying on the vendor, not your own IT personnel, for that availability. Pay close attention therefore to the vendor's service levels, response times for issues and remedies for unavailability. Any reputable cloud vendor should have a very high uptime warranty, guaranteeing that the cloud service will have an uptime of a certain percentage, during certain hours, measured over an agreed upon period. Carefully consider the agreed upon measurement period (e.g., daily, monthly, quarterly), as vendors want longer measurement periods because they dilute the effects of a downtime. Then ensure the vendor provides latency warranties for untimely or delayed responses from a service is effectively unavailable. The agreement needs to include a matrix for estimated resolution times for reported problems based on severity of the issue. Finally, the vendor should provide adequate service credits as a remedy for excessive downtime. The remedy should start out as modest credits towards future services and scale to larger credits and if repeated failure occurs, you should have the right to terminate the agreement without penalty.
Data security is important to protect sensitive data, both the company's and your customers'. You are accountable for complying with security and privacy laws, regardless of whether you or a cloud vendor are holding the relevant data. And data breaches are expensive. A recent study Cost of a Data Breach, Ponemon Institute, LLC examined the costs of dealing with a data breach and revealed an average total cost of $6.75 million. At a minimum, if a breach of security or confidentiality requires notification to your customers under any privacy law, then you should have sole control over the timing, content and method of such notification.
The cloud agreement needs to have specific details regarding the vendor's security measures, security incident management, and hardware, software and security policies. These should all be reviewed by someone competent in data security. Compare such policies with your own. More customers of cloud vendors are demanding the vendor match the customer's policies and provide copies of annual SAS 70 audits.
Page: 1 | 2 | Next Page »
