Cloud computing may simplify operations on the ground, but up on the Web, there are a host of issues that must be carefully weighed before customers sign on the dotted line.
By Martin Sinderman
Channel pros haven’t finished the job of helping their customers transition to cloud computing until they have warned them of some of the contractual, regulatory, and liability issues that come with making a wholesale move to Internet-based computing.
Users migrating applications to the cloud need to make sure they have a service-level agreement (SLA) in place that protects them from the potentially devastating impact of unplanned downtime—and incentivizes the cloud service provider to keep that downtime to an absolute minimum. “Most of the SLAs written for cloud-based applications today offer a service credit if the provider fails to live up to their SLA,” says Ed Burke, technical consultant for Edge Solutions Inc., an Alpharetta, Ga.-based IT solutions provider.
But getting a day-for-day credit from the provider isn’t enough, notes Burke. If, for example, a business’s mission-critical, cloud-based customer relationship management (CRM) software is down for a week, getting seven days of free access isn’t going to make up for business lost during the outage. “We recommend that users make sure their SLAs have teeth, with enough redress written in to scare the vendor from casually unplugging you for any period of time,” says Burke. “Make sure the vendor is not promising you just five days credit for five days down, but a penalty that is more in line with how critical the application is to your business.”
WHO OWNS THE DATA?
There are also a number of legal issues surrounding ownership of data entered into cloud-based apps that need to be addressed contractually between vendors and customers. When migrating applications to a cloud vendor, “many customers don’t really think through the ramifications of who owns that data, and how hard it might be to get it back in some instances,” Burke notes.
Contracts need to be written in a fashion that makes it clear customers have full access and ownership rights to their data, according to John Pavolotsky, an intellectual property and technology attorney with the San Francisco office of Greenberg Traurig LLP. “You want to make sure that any time you ask for your data, it is provided to you in x-number of days, and that this is not contingent on outstanding fees, etc.,” says Pavolotsky. There are instances where fees may be in dispute, he says, “and you would be surprised at the number of contracts where the cloud vendors basically say, ‘I won’t give your data back until you pay me what is due.’”
Businesses in some sectors must be careful about possible legal/liability ramifications when they engage cloud vendors to provide processing services for customer-related data, such as personal medical and financial information, that is subject to special privacy laws and regulations.
“The challenge is that cloud providers, like any IT providers, do not necessarily have expertise in regulations that affect financial services or healthcare-related information,” says Pavolotsky. “The more sophisticated cloud providers already represent/warrant that they are going to comply with the data privacy laws and regulations that generally apply to IT providers—but also that they have no obligations regarding those from any particular industry or subsector within,” he adds.
Differences in data privacy laws among countries also can have an impact on cloud users making their information available to cloud providers. “You need to be concerned about where your data is stored, because if there is a security breach, you are subject to the privacy laws of where your data is stored,” says Edge Solutions President Michael Haley. “It doesn’t really matter what the U.S. laws are if you are working with some of these cloud providers that will replicate your data on servers located in Asia, Europe, or South America.”
Data-based issues such as these are slowing down the adoption of cloud-based computing solutions, adds Haley. “Many of us are waiting to see how the first legal cases concerning these issues make it through the legal system,” he says. “Until these things get litigated, you will see companies keeping data and mission-critical applications on-premise, as opposed to moving them to the cloud.”