Use of cloud-based systems and services is now mainstream, and a key part of IT strategies for many enterprises. Yet ask any IT manager or CIO about their chief concern with cloud systems and you'll get the same answer — security.
Cloud providers have gone to great lengths (and great expense) to address security. Nothing technological is 100% hack-proof, but the security of many providers has sufficiently advanced that it's now acceptable to CIOs. Cloud is typically safer than relying on your own infrastructure.
Read the fine print
But security seems far from certain based on some of the contracts cloud users are required to sign. While salespeople and technical teams make lofty claims about the security and stability of their organizations' cloud offerings, it seems that the legal department doesn't share their views.
Read contracts or user agreements regarding cloud services. Look for the sections dealing with data security, service levels, and system failure or breach.
Examine the wording. Then think about the consequences to your organization in the event of a data breach or a severe system outage.
Typical contract wording includes terms such as "we do not warrant that services will be uninterrupted, error-free or completely secure" and "your sole remedy in the event of breach is credits under the service level agreement." What does this actually mean?
In many cases, it means that if something goes wrong, the only compensation your organization is entitled to is service credits, or perhaps a refund of the sum paid for a number of months of service.
Adobe and AWS debacles
When Adobe's Creative Cloud collapsed in May, users found they were entitled to an apology, and perhaps compensation on a "case by case" basis. When Amazon Web Services (AWS) suffered its notorious four-day outage of 2011, the outage did not trigger any compensation under the Amazon SLAs — great for Amazon and its lawyers, not so great for those using AWS for mission-critical functionality (not a best practice).
It's hardly reassuring to receive an apology and a promise that "it won't happen again" when you are losing revenue far in excess of any compensation you could receive. Unfortunately, the limits on a provider's liability seem to be replicated across agreements for free public cloud services, paid public cloud, and private cloud. This creates an interesting conflict: providers promise the most robust, stable and secure system, but their contracts indicate they have no faith in their own solutions.
Liability versus confidence
As a lawyer advising both cloud providers and users, I find it simple to view the issue from both sides. Providers want to minimize their liability, and why shouldn't they? But as a user, when the advice from your lawyer is that you will have little or no protection in the event that your cloud server fails, or your data is compromised, can you really sign up to that cloud with any confidence?