When there's a third party in the cloud
30 July, 2012 14:28
When contracting for cloud-computing services, one challenge is that there may be more parties involved than your company and the cloud vendor. The vendor might outsource some of the services covered in the contract, or it could end up under different ownership after a merger or acquisition. On the client end, you might choose to work with a cloud broker. Because the introduction of third parties can increase risk, it's essential for potential cloud clients to identify third parties before adopting a cloud service, thoroughly understand their roles and ensure that their responsibilities are effectively addressed in the contract.
You need to know whether your cloud-computing vendor is itself outsourcing to another cloud-computing vendor. For example, a SaaS vendor, such as Dropbox, could be running its service in the data center of a third-party IaaS vendor, such as Amazon Web Services. This can increase the complexity of a cloud-computing contract, especially in determining which vendor is responsible for which action. To mitigate risk, the contract should obligate the cloud vendor to do the following:
* Identify any functionality that is outsourced and name the third party.
* Require any third-party vendor to abide by the same security policies and procedures that apply to the cloud vendor's employees.
* Have business continuity plans in the event that the third-party vendor fails.
* Take direct responsibility for all aspects of complying with the terms of its contract with you.
Mergers and acquisitions
In the past 12 months alone, the rate of cloud vendor acquisitions has been nothing short of breathtaking. Oracle purchased RightNow. SAP picked up SuccessFactors. Microsoft bought both Skype and Yammer. And that's just the tip of the iceberg. The risk for clients is that the new owner might not continue with the same product road map or honor contract terms.
No matter how good your due diligence ahead of signing a cloud contract, none of us can predict the future. Because cloud computing is a growing and volatile market, it has many new players. The weaker among them might not have long-term viability, while the stronger ones could become targets for acquisition. In either event, your data and ongoing access to the service could be at risk, so it is important to do what you can to mitigate these risks. One approach is to include contract language along these lines:
ASSIGNMENT. This Agreement shall be binding on the parties and their successors (through merger, acquisition or other process) and permitted assigns. Neither party may assign, delegate or otherwise transfer its obligations or rights under this Agreement to a Third Party without the prior written consent of the other party.
Client organizations that are new to cloud computing may engage third parties for assistance in making the complex transition to the cloud and integrating with existing infrastructure. The recently issued Request for Information #QTA00AH12BRI0002 by the United States General Services Administration highlights the growing importance of cloud brokers.
Cloud brokers essentially play matchmaker between cloud clients and cloud vendors. Some types of assistance that a cloud broker may provide to clients include:
* Enhancing an existing cloud service through access management, performance reporting, etc. to make it more effectively meet the client's needs.
* Combining and integrating multiple cloud services into one or more new services that meet the client's needs, including integration and secure movement of data between the client and multiple cloud vendors.
* Aggregating the demand for cloud services among a community of clients with common needs in order to negotiate improved contract terms and pricing, such as Internet2's new Net+ program does in higher education.
While a cloud broker can add value in all of these roles, as well as helping the client address complexity and reduce costs, the use of one still brings a third party into the game, which in itself introduces different complexity and different costs. In short, if you use a cloud broker, you need a contract to govern that relationship, and you need to ensure that the broker contract effectively aligns with any direct contract you may have with a cloud vendor.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.