Cloud Service Agreements: Negotiation Best Practices
By John Pavolotsky | Posted 02-21-2012
What Your CEO Needs to Know About the Cloud
"Cloud services" have arrived. Enterprises have either subscribed to cloud services or are seriously considering moving some of their IT infrastructure to the cloud. From an IT point of view, however, the cloud is not as new as it seems.
In fact, most CEOs already know quite a bit about the potential benefits and pitfalls of cloud services. Consider an application service provider (ASP) transaction circa 2000. Even back then, cost, flexibility and the promise of eliminating at least some of a company's IT infrastructure argued in favor of the ASP solution. Service level agreements (SLAs) were entering our lexicon. Information security was nascent. One of the overarching concerns was relinquishing control to the vendor, especially for mission-critical applications. That general concern, however, probably found its genesis in the mid-1980s, with the advent of outsourcing arrangements.
Fast forward to 2012, to the world of:
the public cloud (infrastructure furnished to the general public);
the private cloud (infrastructure operated for specific customers);
the hybrid cloud (a combination of public and private clouds);
and the various cloud services models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
To be sure, the technologies (such as virtualization) have advanced, but in the end, a private cloud is still a remote data center, and SaaS is but an ASP under a different name. With a few exceptions, the conversation today between a CEO and CIO regarding a particular cloud service should not be terribly different from the conversation held in 2000 about an ASP solution. With cloud services, there is no reason to reinvent the wheel when it comes to helping your CEO understand the business implications of the solutions you're recommending.
While a standard framework to assess each cloud service should be used, by definition each assessment should be different, as no two use cases, or prototypical data sets, will be the same. Email is not ERP, which is not CRM. Whether your company operates in a heavily regulated industry, such as financial services or health care, should weigh on the advisability of selecting a particular cloud service.
My suggested framework consists of three parts:
understanding all facets of the current solution;
conducting due diligence (technological, organizational and financial) about the proposed cloud service/provider; and
ensuring risk mitigation by negotiating certain protective provisions and remedies into the services agreement, if possible, and taking certain preventive measures, regardless of whether such an agreement adequately addresses the underlying concerns.
Understanding every aspect of the current solution is obvious enough, but its importance cannot be overstated. Consider information security, which continues to be viewed as one of the biggest impediments to the adoption of cloud services. At a minimum, your assessment should show not only the security measures available to protect the company's IT infrastructure, but also how well those measures have, in fact, been implemented. Put simply, know your baseline and current risk profile.
Due diligence requires slightly more explanation. While a request for proposal is generally not necessary, care should be taken to understand whether the cloud service is in fact a "composite service" (meaning that it leverages the services of other cloud vendors, thus amplifying risk) and to request the SLA (if one is not readily provided). Your company should understand the vendor's approach to data privacy and information security -- including the tools used, historical breaches and root causes, if available, and remediation -- as well as the vendor's willingness to assist your company in its efforts to comply with statutory or regulatory requirements.
In fact, it is this focus on data privacy, information security and compliance that will most distinguish between the process of assessing a particular cloud service in 2012 and evaluating an ASP solution back in 2000.
When selecting a cloud service provider it's important to consider the vendor's financial stability, and its organizational experience in running a data center or providing a hosted (cloud) service. The results of this due diligence should inform your contract negotiations. For example, if a question exists about the financial viability of the cloud vendor and your company has the technical capability to operate a system internally or through another trusted vendor, remedies such as a source code escrow should be considered.
Cloud Service Agreements: Negotiation Best Practices
The cloud services agreement is a complex issue. Many such agreements are effectively nonnegotiable, and you should use caution in trusting such vendors with mission-critical functions or sensitive company data. If pushed, many vendors will negotiate their agreements, and your efforts should be focused on addressing the entire data life cycle. Among the points your contract should expressly address:
- that the customer data is owned by your company and shall be deemed your company's confidential information;
- for what limited purpose and where the data is processed and stored, and for how long it will be retained; and
- that the data will be made available to your company on demand, regardless of whether there is a dispute between the parties or any amount is then outstanding.
Further, the agreement should provide that the cloud vendor will cooperate with your company and with any new vendor in migrating the data when the contract has been terminated or has expired. The cloud services agreement should also specify the frequency of data backups as well as the pricing for any additional data backups and storage.
Care should be taken to detail the vendor's information security practices and to negotiate in a duty to defend and otherwise make the company whole (indemnity) if a claim is asserted by a third party (e.g., one of your company's customers) against the company based on a security breach caused by the vendor. Note that the indemnity should be carved out from the limitation-of-liability provision, which will usually limit damages to 12 months' fees.
An important component of risk management is insurance, including a "no-fault" policy for security breaches, to which your company should be named as an additional insured. In terms of intellectual property, there is, as in the case of a traditional on-site deployment, the possibility that a third party may assert an infringement claim against your company. As in the case of a claim based on a security breach, an indemnity is a common protective measure and remedy.
Even where your cloud vendor agreement is nonnegotiable (or minimally negotiable), certain measures may be implemented to reduce risk. For example, if the vendor will not agree to make certain representations and warranties (promises) regarding information security, perhaps the implementation can be structured so that personal or other sensitive or valuable information (such as trade secrets) will not be submitted to the vendor.
Other basic good practices of IT system management can also help reduce risk. Install antivirus software on connected mobile devices, laptops or desktops accessing a particular cloud service through a Web browser to reduce the likelihood of a security breach. Implement redundant Internet connections. Create a remediation plan in case there is a security breach. Develop a contingency plan if the cloud service is suspended or unavailable beyond the window stated in the SLA.
Moving to the cloud is hardly ever an all-or-nothing proposition. A company may start with an application that is not mission-critical, and then, as an added measure, build in redundancy for some time. As an intermediate step, a company can try a private cloud solution before moving certain applications to a public cloud. In sum, understand the risk profile of the particular cloud service and plan accordingly.
About the Author
John Pavolotsky's practice focuses on technology transactions and other intellectual property matters at Greenberg Traurig, where he is Of Counsel. He works primarily with clients in the software, hardware, Internet, mobile, wireless and life-sciences industries. All views expressed herein are solely those of the author and should not be attributed to Greenberg Traurig.