The current mantra in today’s world may be, “To the cloud!”, but recent events should give some pause to businesses and users alike in their race to the cloud and the benefits that cloud computing potentially offers.
In April, Amazon.com’s Amazon Web Services data center suffered an outage over several days that disabled hundreds of popular websites hosted by it. AWS and Microsoft suffered another (unrelated) outage in August. In October, Research in Motion’s BlackBerry users across the world suffered a four -day long data outage resulting in lost emails and other data. These outages were ultimately repaired, but some goodwill and credibility were lost in each case: AWS gave customers service credits, while RIM gave customers free apps. However, RIM is now facing class action consumer claims for losses stemming from the outage. Whether the result of hackers or system failures, these failures illustrate the ongoing risks that providers and users of cloud services face in the event of a system wide failure. More importantly, these failures represent untold amounts of lost revenue to cloud computing businesses and users.
While users of cloud services can usually do little on their own to prevent such disruptions on the provider’s side, there are several important contractual considerations that should be fully understood before signing onto the cloud and entrusting a cloud-service provider with your business’ viability, data and your customers’ data.
Before entering into any cloud services arrangement, any business must consider the terms of the Service Level Agreement, which, among other things, sets forth the terms of the amount of up time that the service is guaranteed to be available, the scope of the provider’s responsibility in the event of any service outages, and the type of network maintenance and security measures implemented. Many SLAs may be vague as to these terms.
Cloud providers often promise something like “99.95 percent” service availability over a trailing time period; It is incumbent upon the prospective cloud user to understand fully what such terms mean, how that 0.005 percent duration of downtime is defined, and how it may impact one’s business.
Such downtime itself may likely be separately defined from an actual service outage, however. In the AWS example I mentioned, because of how the outage was defined in the SLA, the nature of the outage lasting several days was not in fact a legal breach of the SLA, which also contained a 99.95 percent up time guarantee; a fact of little consolation to its customers.
As such recent events have shown, it is of mission-critical importance for businesses engaged in the cloud to be familiar with how outages are defined and how emergencies are handled — what and when disaster recovery plans are put into effect, the existence of redundant resources, the speed of reinstatement, and what types of reimbursement or compensation are available in the event of an outage leading to the loss of business.
Privacy and security measures are also of utmost concern, especially given the current trend of mobile cloud computing via apps on cell phones. Businesses should always take into account the transmission of data across secure mobile channels, from secured devices, but what level of encryption does the cloud services provider use within its mobile applications to protect your information, and is it suitable for your needs?
What types of controls are in place to monitor user level access and authentication issues? Also, is there physical data separation of your information from that of the provider’s other cloud customers?
Consider a “worst-case” scenario where your company’s otherwise trustworthy cloud service provider’s servers (which are located in a different country that does not have the same protections for confidential information) are legally seized in connection to a separate legal action in which you are not involved.
What happens to your data that resides on the same servers as the seized hardware, and how do you go about securing and regaining control of your information? Physical data separation (data silos) can mitigate such possibilities and should be explored in the appropriate circumstances. Security measures such as high level encryption can mitigate the potential for loss of sensitive data arising from such a seizure or in jurisdictions where the servers are located, which offer less protection to your data.
Finally, cloud users must also be familiar with what happens to your data when the cloud services are discontinued — for how long is the data still available to be accessed? How do you get your data back in a format that you can use?
Or, is your data destroyed? If so, how is it destroyed? Is it possible that the cloud provider could still access the data for data mining purposes?
While unlikely that your business cloud service provider could retain such access, it is not beyond the realm of possibility — users of Google’s Gmail service may already have the contents of their emails used for data mining purposes — particularly in instances where social media networks are implemented by businesses.
For example, a business may use social media network such as Facebook; it is possible that Facebook may retain your business’ data for data mining purposes even after the businesses ceases using Facebook and closes its account. All of these questions should be resolved in the contract before you trust your business information to the cloud.
Any businesses engaged in the cloud should further consider the extent to which its resources and technical architecture allows for added resilience against provider-side outages. Planning for such extra resilience to your cloud will be an added cost, but may be worthwhile depending on the extent to which such up time is critical to your business.
In the AWS outage situation not every hosted site was impacted; some sites (such as Netflix) had implemented various secondary protocols in place that saved their sites and their businesses from going down during the outage.
In the end, therefore, it is not enough to simply accept at face value the promises contained in a cloud provider’s SLA; it is incumbent upon the cloud user or business to fully understand what the SLA terms means to its business in practice, how its business may be impacted by potential service outages, and to determine whether additional systems are required to be in place to mitigate whatever risks may exist.
David K. Hou is a senior associate at Boylan Code LLP, concentrating his practice on Commercial Litigation and Intellectual Property matters. For more information, contact David at (585) 232-5300 or firstname.lastname@example.org.