Last week, IDS hosted a dinner featuring a presentation about current cloud trends and how IDS is helping our customers create their cloud strategy. The topic generated a lot of very interesting conversation, and one of the biggest discussions was about cloud contracts. If you’re going to trust a partner to host your data, it is critical to have a contract in place that protects the interests of both parties. Many large cloud providers have a “take it or leave it” approach to contracts, and others will work to customize them to your needs. Regardless of the flexibility, it is imperative that you understand all aspects of your cloud contract and what it means to your business. Since this was a highly discussed item at our dinner, I decided to create a list of the top 5 contract considerations when evaluating cloud providers.
Five Crucial Cloud Contract Considerations
1. Who can access your data?
When evaluating cloud providers, most customers are quick to ask where their data will be hosted. One thing most people fail to ask is who will have access to their data. Many internal and external regulations stipulate that the data can only be accessed by US citizens who have had specific security and compliance training and background checks, among other things. In an era where cloud providers are being driven to lower prices on a daily basis, many are looking to offshore resources for support and monitoring. If these resources have access to your data, this outsourced model could be a violation and could be putting your data at risk.
Before evaluating a potential cloud provider, I recommend performing an internal analysis of what is, and isn’t, acceptable regarding data access and setting internal policies to document it. Once that is in place, it is much easier to evaluate the policies of your prospective cloud partner.
2. What are the SLAs?
All cloud providers should have documented Service Level Agreements (SLAs) regarding uptime, performance, and availability of resources. When moving your data to the cloud, you need to ensure that it will be available, that the access and performance will be predictable, and that you can scale on-demand without having to wait for resources to become available. The only guarantee you have on these service levels comes in the form of the SLAs that your cloud partner will provide to you. That being said, evaluating your cloud provider’s SLAs is just the first step.
One thing many customers learn the hard way is that an SLA is only as good as the penalty that is associated with it. If your cloud provider has a rogue employee who exposes your customers’ Personally Identifiable Information (PII), will a $500 credit on your next bill really satisfy your customers and investors? Knowing what penalties are associated with SLA violations is a great way to measure how serious your cloud provider is about your data. Your expectations need to be realistic, as you can’t expect the cloud provider to put themselves at risk of going out of business for small outages and performance issues, but major security breaches and extended downtimes should come with significant penalties.
Finally, it is imperative to understand what constitutes an SLA violation in the contract. Does planned downtime count against the uptime SLA? Is an unacceptable performance spike lasting only 2 minutes a violation of the performance SLA? If the service is so slow that your applications are unusable, is it considered “downtime”? Remember, this is a contract and is the only document that binds your service provider to the commitments that were made upfront. When you’re signing the contract, you’re likely not thinking about all of the bad things that could happen, but you certainly need to ensure you are properly covered.
3. Exit clauses
This goes hand in hand with knowing your SLAs. If your cloud provider is repeatedly missing SLAs or has security breaches that leave you concerned about the integrity of your data, you need to be able to exit the contract and take your data elsewhere. Remember that your cloud provider isn’t putting a term on your contract to “lock you in” and make sure you can’t go anywhere else. They’re doing that because every customer they bring on requires investment of people and resources and they need to protect that investment. However, if they aren’t doing their job and meeting the service levels of the contract, you should have every right to go elsewhere. Exit clauses are always written in the cloud provider’s favor to protect that investment and those are typically non-negotiable. The key is to ensure that certain criteria can trigger an exit clause if the service doesn’t live up to the SLAs that are promised.
4. How do you get your data out?
In a world where Nirvanix (remember them?) can make an announcement to their customers that they are shutting down their business and that all of their data must be out within 15 days, the ability to extract your data is absolutely critical. Even the large-scale “stable” providers such as Microsoft, Amazon, and Google could make an acquisition tomorrow and have a new “platform of the future” that requires you to migrate your data. The first key is to understand how you get to your data and what processes are required to extract it. The second key is to understand if there are any costs associated with this extraction. Are there professional services required from the provider? Is there a fee for downstream bandwidth during the mass data transfer? I have personally worked with several customers who have found about $100K+ worth of fees for extracting their data when it is already too late. Make sure to ask all of the questions ahead of time so there are no surprises when you need your data back.
5. Insurance coverage
Cloud providers carry many types of insurance to protect their businesses and their customers. Many of the benefits of those policies flow down to you as a customer through the contract. The reason it is critical to understand their coverage (and your access to it) is to ensure that the coverage matches your business’s risk tolerance. If not, there are many insurance providers that will provide additional policies for your company to augment the protection you get in your cloud contract. Some cloud providers will offer customer-specific policies that will have customized terms to meet your needs and are built in as an add-on to the monthly cloud service fee. When you trust your data to an outside provider, ensuring that your coverage matches your risk tolerance is an absolute necessity.
The 5 topics above are just the tip of the iceberg. We are talking to our customers about these items, and others, on a daily basis. Whether we are helping them evaluate other cloud providers or they’re looking at the IDS Cloud, we make sure that all of these items are considered before any contracts are finalized. If you would like to talk about any of these topics in more detail, contact us to get the conversation started!