Fair weather friends
Channel, vendor and customer must see eye to eye to get the best results - but what happens when something goes wrong?
Everywhere, business customers have migrated or are about to migrate into the cloud to get the benefits of teaming up with IT partners on a grander scale than ever before.
The resultant blue sky can be dazzling. Yet working out who is accountable - and for what - can get complicated; what happens when the weather changes and everyone's actions diverge?
Out of sight might well be out of mind, but what you don't know can hurt you, cloud law experts say.
Alex Roxon, sales executive at systems integrator and cloud services provider Frontier Technology, which offers hosting, IaaS, data management and access services for organisations of all sizes, notes that the current state of the cloud - where the industry is at, who is using it and what they're using it for - means that legal concerns have become increasingly critical.
Many of the issues are not entirely resolved in the provider's mind - let alone the mind of the customer. For instance, the spend through the government's G-Cloud procurement network has reached £180m but users still have concerns about such a service, especially around data privacy and security, Roxon says.
Nevertheless, the market for cloud continues to expand, not least because of the cost advantages.
"In 2014 the average IT budget is 44 per cent hardware, 31 per cent software and 25 per cent cloud or MSP for this financial year. And cloud spending in 2014 is 49 per cent on web hosting, 44 per cent email hosting, 38 per cent backup and disaster recovery, filtering 36 per cent, and application hosting 26 per cent.
"Twenty-six per cent of the latter is productivity solutions, such as cloud file sharing, CRM and so on," Roxon says. "We're not talking about Angry Birds."
And then there's the spread of BYOD and BYOA to consider, as well as expanded regulatory requirements, he notes.
In the loop
Frank Jennings, cloud lawyer and partner at DMH Stallard, says there are several main strands to managing legal risks in the cloud. There are loopholes that exist within cloud services arrangements in terms of liability, and then there are new rules with new fines attached, which may vary from country to country.
"Over the past couple of years we have noticed that cloud behaviours are a lot more serious, yet there are contract loopholes. For example, 'as is' services, and services credits as sole remedy," Jennings says.
There may in fact be no guarantees for the customer at all. Providing cloud services "as is" might have worked well at some point in the early days in California, but is almost certainly not going to prove sufficient for the customer that has moved, or wants to move, business-critical IT assets into the cloud, he says.
He notes that providing credits in case of acceptance of some liability as a sole remedy might be a step up from "as is".
Yet although it is certainly better than nothing, it generally means the customer's only easy route to compensation is effectively a discount on purchasing more of the same - more of a product or service that has already to some extent failed to satisfy. This seems like cold comfort at best, and a poor level of protection.
Customers need some degree of certainty and effective routes of recompense, particularly in the areas of data loss, security and privacy, and that needs to be related to location of data storage, Jennings says.
So cloud providers and the channel partners that work with them are going to have to go further, sticking their necks out and being prepared to commit to a greater level of liability, with appropriate penalties for failure.
Failing that, the market will surely not reach full fruition.
"If you are putting your data into a cloud and relying on your cloud provider to look after it, what happens if that provider loses it, locks it or destroys it? And the contract says they are not liable for any of that?" says Jennings.
"And there are migration issues. It's easy to get into a cloud, but how do you move out of the cloud? You find out you're locked in. Or, everything is in a proprietary system. Did you read the contract? And did your procurement or IT department agree?"
An otherwise standard services-level provider may be offloading a cloud services part to a public cloud provider - so they too need to check that other party's contract to protect themselves and their customers.
Don't fail at the detail
It's not enough to be assured by the cloud provider that the service will never fail, and that their data is secure - as that is technically unlikely to ever be the case, especially in public cloud, even though the services may be more reliable and robust than they used to be.
So Jennings really emphasises the importance of paying attention to the fine print, down to the terms and conditions of the software licensing agreement that many people, too often, simply accept without question.
Customers can and do get into trouble for detail missed in the terms and conditions which they are then held to have agreed to - such as a clause which says that anything they do with their data is at the customer's own risk, a clause which really does exist in some current cloud services contracts.
"What if the cloud provider goes bust?" asks Jennings. "I hardly need mention [failed channel player] 2e2."
Robust security is also important: certification to international standards can be helpful to channel providers, even though compliance can be onerous.
"Don't abandon IT principles," says Jennings. "Call in the experts, adopt a data policy, and test, test and test systems again."
Jennings is also author of the Cloud Industry Forum's Contracting Cloud Services - A Guide to Best Practice which identifies common areas of ambiguity in cloud contracts and offers guidance.
Protect yourself - or your customers?
The legal framework for service levels around cloud computing has not kept pace with the advance of the technology itself, with customers often ill served by IT suppliers as a result. Cloud services contracts must do more for customers - and cloud suppliers may be protecting themselves at customers' expense.
That is an opinion that emerged from a discussion of the legal issues affecting cloud computing, among other IT trends, hosted by specialist technology law firm Kemp Little in the City of London this month.
Chris Hill, senior associate at Kemp Little, said it is now generally accepted that cloud computing represents a chance to boost productivity and deliver value in the business world - yet projects are still failing to deliver.
"Large chunks of functionality can be outsourced to specialised providers, delivering huge economies of scale," Hill said.
Calum Murray, partner and head of commercial technology at Kemp Little, added that the terms and conditions, and service levels backed by an appropriate contractual environment, have some way to evolve. This is partly because the products and services have advanced beyond the original intention of the once-pertinent legislation.
"This area has probably not moved as quickly as the technology," he said.
Early cloud services contracts tended to reflect the large-scale, public cloud, one-to-many, commoditised characteristics of the early cloud services providers - big players such as Google. As the market diversified and shifted, however, with more types of cloud services and providers emerging, people have continued to rely on the same or similar contract methodologies and practices.
"Very simply, we are now in a world of cloud services where there are more parties involved, more stacks of technology, and services. And at the other end of the spectrum, you have the commoditised services," Murray said. "One-to-many services, for example, are usually much cheaper than private-cloud services."
Commodity-cloud type contracts and service levels are often more or less non-negotiable and simply do not offer the flexibility that many customers require, and there is often a large offloading of liability in the customer's direction, he noted.
There needs to be more customisation of terms according to specific needs and time taken in conversation with the customer about the detail of the cloud services required.
The business customer itself should be taking a more proactive role here - as cloud providers themselves may not, if they're not pushed and the current situation is simply accepted by customers, as so far it often has been.
"And they need to be taking things outside the department, and bringing them into the contract," Murray said. "So it's still a seller's market."
Things need to change, all agree. Charles McLachlan, associate at sister consultancy Kemp Little Consulting, told CRN after the presentation that the gap between what customers want and what they're getting with cloud represents an opportunity for a savvy IT channel company to be innovative with service levels and contracts.
A clever, careful VAR, systems integrator or distributor could work out a winning solution for customer and channel, taking back some value for the provider and boosting their trusted adviser reputation. "Someone could really differentiate themselves," McLachlan said.
Eight questions for the channel to answer for business customers
1. Is data more secure on-premise than in the cloud?
2. Does the type of cloud affect the security of data?
3. If there are concerns about data security in the cloud, should you stay on-premise?
4. What steps can a business take to increase the security of its data in the cloud?
5. Can you keep data secure outside the UK and EU?
6. Are BYOD and data security compatible?
7. Passwords, encryption, tokenisation. How else can you protect your data in the cloud?
8. Can insurance provide adequate cover for data loss?
Source: Secure your data in the cloud, a February 2014 report by DMH Stallard which harvests answers from a range of cloud providers in the UK channel
Managing cross-border risks in the cloud
Advice to providers and customers from DMH Stallard: it remains legal to store, transfer or handle data beyond the jurisdiction of provenance - however, care must be taken to comply with the right legislation. Relevant acts in the UK are the Data Protection and Regulation of Investigatory Powers Acts; in the US, they are the USA Patriot and Foreign Intelligence Surveillance Acts. For the EU, the Data Protection Directive and the draft General Data Protection Regulation (GDPR) are key for compliance.
The trouble with laws in general is that they are moveable feasts - not only can they be superseded by new and different legislation, but their interpretation in different cases can set or remove a precedent that might turn out to be pertinent to an individual situation or certain business activity.
Best practice is probably to get regular advice on law changes, and to act with caution regardless - the EU's Data Protection Directive may be interpreted differently by each of the 28 member states. The UK Data Protection Act, which can be seen as the relevant UK statute, delivers a degree of clarity - but getting it wrong as a data processor or data controller can mean - currently - a £500,000 fine by the Information Commissioner's Office. A 2014 bill - the Data Retention and Investigatory Powers Bill - passed the House of Commons and Lords as this article went to press and could change things further. At the EU end, fines in future might be up to five per cent of global annual turnover if the draft GDPR is ratified. The US approach, on the other hand, diverges most from the EU and UK views; they have both Federal and State laws as well as the so-called Safe Harbour provisions around the export of data which should be adhered to.
"And in the US, there is no Federal law protecting data in quite the same way as there is in Europe," says DMH Stallard partner Frank Jennings.