Your Six Cloud Rights
By Susan Nunziata | Posted 07-12-2010
Cloud Computing Rights and Responsibilities
Do you know your cloud service rights? The complexity of today's cloud computing environment has motivated Gartner's Global IT Council for Cloud Services to define the six rights (and one responsibility) of cloud service customers. The goal: to help cloud providers and their customers establish successful business relationships.
Although their tone reminds us vaguely of the U.S. Miranda Rights, the spirit of these rights and responsibilities outlined by Gartner serves as a best-practices guideline for enterprises looking to deploy cloud-based solutions. The Council, which consists of CIOs of large enterprises that consume cloud services and Gartner analysts, has made it a priority to identify the key rights of cloud service consumers and how these might be upheld.
"If cloud services are commoditized, providers should offer stronger customer guarantees," says Daryl Plummer, managing vice president and Gartner fellow, in a prepared statement. "However, service providers either do not offer protections or vary greatly in the protections they do offer. We believe that the Global IT Council for Cloud Services can facilitate improvements in industry practices that will benefit not only IT customers and clients, but also developers, vendors and other stakeholders."
Your Six Cloud Rights
No. 1: You have the right to retain ownership, use and control of your own data
The Council insists on the importance of data security in the issue of ownership and control. The provider must specify what it can do with the consumer's data. Lack of clarity on this point can lead to costly legal battles. Lastly, the customer could lose control of its data if the service provider goes out of business or is sold to another company. The original contract or service-level agreement (SLA) must provide for the clear disposition of the service consumer's data, in case the provider can no longer provide service.
No. 2: You have the right to SLAs that address liabilities, remediation and business outcomes
All computing services suffer slowdowns and failures. However, cloud services providers seldom commit to recovery times, specify the forms of remediation or spell out the procedures they will follow. To make SLAs relevant to the business, providers do not have to customize them for every organization. Rather, these agreements should comprehensively address the business issues implied in the type of service offered. The provider's contract should not simply guarantee a certain turnaround time for adding capacity; it should specify how it will deliver that capacity.
No. 3: You have the right to notification and choice about changes that affect your business processes
Every service provider will need to take down its systems, interrupt its services, or make other changes in order to increase capacity and otherwise ensure that its infrastructure will serve customers adequately in the long term. Protecting the enterprise's business processes entails providing advance notification of major upgrades or system changes, and granting the customer some control over when it makes the switch. Such changes might include upgrading a Software-as-a-Service application, implementing salesforce.com, introducing new versions of services, changing the location from which the service is provided, entering or exiting a business, shuttering a facility, and so on.
No. 4: You have the right to understand the technical limitations or requirements of the service up front
Most service providers do not fully explain their own systems, technical requirements and limitations. This means that after enterprises have committed to a cloud service, they run the risk of not being able to adjust to major changes, at least not without a big investment. Service users and providers must do a better job of keeping each other informed about their technical limitations, particularly for complex, long-term projects or complex architectures and systems.
No. 5: You have the right to understand the legal requirements of jurisdictions in which the cloud provider operates
If the cloud provider stores or transports your company's data in or through a foreign country, the service consumer becomes subject to laws and regulations it may not know anything about. Service providers have not done a good job of explaining in which jurisdictions they put data and which legal requirements the service consumer must, therefore, meet. The service consumer needs reassurance that the provider does not violate any country's rules for which the enterprise may be held accountable.
No. 6: You have the right to know what security processes the provider follows
With cloud computing, security breaches can happen at multiple levels of technology and use. Cloud service customers must understand the processes a provider uses, so that security at one level (such as the server) does not subvert security at another level (such as the network). Without this knowledge, service customers risk security violations caused solely by the provider not accounting for the ways in which organizations or consumers might use a service. Service consumers also need to understand a provider's business continuity plans, so that they can ensure that their own operations continue in an emergency. Service providers are not consistent in explaining either their security processes or their business continuity plans.
Your One Responsibility
You have the responsibility to understand and adhere to software license requirements
Cloud service providers and their customers must come to an understanding about how the proper use of software licenses will be assured. On the one hand, providers must be held harmless if you put the software you license from a third party in the cloud even though it violates your licensing agreement. On the other hand, the provider should not agree to an audit directly by the vendor of that software if your enterprise indeed owns the software licenses. It's the job of the enterprise cloud service consumer to take charge of any audits, because you need to consider the whole context: both what you are running in the cloud (perhaps using several service providers) and what you are running on your own infrastructure.
The Last Word
Daryl Plummer, managing vice president and Gartner fellow, notes that these rights and responsibilities stand to benefit both service providers and service consumers. "Respecting these rights will require effort and expense from providers, but securing the rights will encourage enterprises to put more of their business into the cloud," says Plummer. "However, the seven rights will not become a reality unless enterprises insist on them when they negotiate with service providers. We urge all enterprises to do what they can to establish these rights and responsibilities as the standard for cloud computing."