Items to address in cloud contracts

Cloud providers have had a lot to contend with in recent months as the market continues to raise expectations regarding service quality. The cloud service contract has become a focal point of many discussions, as well as a source of confusion for buyers. When questions over data ownership go unanswered, it can create negativity in the vendor-buyer relationship. For this reason, it’s important to ensure written agreements are laid out clearly and address buyer concerns.

Outlining several key considerations from the perspective of the buyer, Stanford researchers W. Kuan Hon, Christopher Millard and Ian Walden noted the issue of liability. Cloud storage companies can address a lot of concern simply by clarifying what would happen in the event of a data loss. Although no technology professional wants to think about the worst happening, it may prove to bebeneficial to show that there is a plan in place. From a contract perspective, cloud vendors would benefit from establishing clear policies for which party is responsible for damages in the event of an outage.

Just like any other relationship, some business partnerships are simply not meant to be. As a result, many cloud buyers cited vendor lock-in as a top concern.

“A major lock-in concern is risk of dependence (or over-dependence) on one provider’s, often proprietary, service,” the research report stated. “If the service is terminated for whatever reason, users wanted to recover all their data and metadata in formats that are easily accessible, readable, and importable into other applications, whether running internally or in another provider’s cloud.”

Transparency, availability, responsibility
If two primary themes can be extracted from Stanford’s research, transparency and service availability were top-ranking considerations. The premium on uptime is not surprising, but researchers were understanding of the dilemma faced by cloud storage providers. In many cases, for example, clients expected the highest level of availability for the lowest cost. Given this is not financially feasible for vendors, expectations regarding uptime should be made clear in the negotiation phase. One trend among smaller providers is the acceptance of liability for service outages caused by their own data centers. This seemed to build trust between the buyer and provider, making small-scale service offerings competitive with larger cloud vendors.

In highly regulated sectors, vendors must often answer the question of who is responsible for data security. There have been numerous approaches to getting cloud security on firm ground. In some instances, customers are employing their own solutions to supplement their provider’s architecture. However, cloud storage companies would be wise to eliminate the confusion by detailing the safeguards they are responsible for implementing.

Healthcare and cloud security
The healthcare sector serves as a good way to generate discussions about technological security issues. Hospitals and other organizations have been quick to adopt electronic health records and cloud solutions to improve patient care,despite facing stringent compliance mandates. In analyzing cloud contract provisions for the health sector, American Medical News writer Pamela Dolan outlined a few requirements.

Physicians are likely to place great importance on data access and the controls used to prevent unauthorized parties from obtaining sensitive information, Dolan noted. For this reason, cloud providers must spell out how users shouldlogin to their systemsand how much access is granted. Howard Burde, a health IT lawyer, emphasized the importance of building an understanding of vendor-provided safeguards and how those meet compliance mandates such as the Health Insurance Accountability and Portability Act.


About the Author: