As anyone familiar with the IT industry will know, there is currently an incredible amount of buzz surrounding the concept of cloud computing. It is widely seen as one of the most important new developments in the IT sourcing market in the early twenty-first century and is predicted to transform the way in which IT is bought and used by consumers and businesses alike. This article seeks to explain what is meant by cloud computing and examines some of the commercial and legal issues involved with this new services model.
What is cloud computing?
In broad terms, cloud computing may be taken to describe a scenario where a supplier offers a customer access to IT over the internet on a service or utility basis. The aim is to provide a customer with convenient, on-demand network access to software or hardware resources on a shared basis.
Breaking this down further, it is possible to identify three distinct service delivery models to which the term ‘cloud computing’ tends to be applied: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
SaaS: SaaS is based on the Application Service Provider (ASP) model which was much hyped at the end of the twentieth century. Under this model, rather than software applications being installed locally at a customer’s premises, the relevant software applications are remotely hosted and managed by an IT supplier and the customer accesses these over the internet. This will often enable a customer to use and, critically, pay for computing resources as and when they are required - so-called ‘on demand’ or ‘utility’ computing. This model is well established in the consumer space (e.g. Google Apps) and for certain enterprise functions (e.g. the CRM applications provided by Salesforce.com), but is also gaining popularity for other applications.
PaaS: In the PaaS model, parties can host their own applications on third party web-based platforms in order to distribute them to end users. This model removes barriers to entry by acting as a distribution channel for new entrants.
IaaS: In an IaaS arrangement, the provider makes available certain computing resources, such as processing, storage and networks, enabling the customer to deploy and run software on that infrastructure – whether for its own use or to support customer-facing services.
The classic cloud computing service is usually made available to a large number of different customers, who will all be using the same server infrastructure. This ‘multi-tenant’ model, as it is sometimes known, brings obvious cost benefits by enabling IT suppliers to leverage economies of scale. However, IT suppliers are also increasingly using cloud computing delivery models to provide services to single organisations, particularly in relation to more bespoke applications and in circumstances where security is a concern.
The cloud computing market
Initially, cloud computing was regarded as being most useful to individuals and SMEs who required only standardised software applications. However, this is gradually changing as confidence in the reliability of the internet has increased and encryption technologies have become more sophisticated. As a result, the market has become more accepting of the cloud computing model and there is a discernible shift in attitudes towards this model amongst larger corporates and even the public sector, who until relatively recently have been wedded to more traditional forms of IT sourcing.
A further trend is for organisations to use cloud computing as one element within a broader multi-sourcing arrangement – enabling them to be flexible in choosing IT services that best meet their needs. Other organisations, on the other hand, still see value in contracting with a single outsourcing service provider who acts as a “Services Integrator” drawing together a number of cloud-based services and taking responsibility for ensuring these are integrated with non-cloud IT components and legacy or bespoke systems.
Legal and commercial issues
Given the diversity of cloud computing arrangements, the appropriate commercial and contractual structure to be adopted needs to be considered on a case-by-case basis. However, the following issues are likely to be relevant in most cases:
Service and performance
The performance and quality of cloud computing services are primarily monitored by service level and service credit mechanisms. The key measures for cloud services will be availability (at system and application level) and system response times. The cloud provider and the customer will have different views on where service availability should be assessed. The cloud provider will be keen to ensure that the point of measurement for service availability is at their servers (which means that only server downtime will be assessed), whereas the customer will want the point of measurement to be at their PCs (so that the measurement assesses the extent to which the cloud services are available to the customer).
However, many cloud providers look to avoid service level and service credit mechanisms altogether, offering their services on an “as is” basis and providing only minimum warranties as to service functionality. This is because cloud services are not immune to downtime and the cloud provider will be keen to limit its liability to the customer, especially in a multi-tenancy model where the service provider could find itself liable for multiple claims from multiple customers. In the absence of any contractual guarantees, customers may have little option but to fall back on the cloud provider’s reputation and track record as an indication of service reliability.
Liability for service failure
Pure cloud providers tend to offer services on standard terms which tend to be heavily weighted in the supplier's favour in terms of liability for service failure. Customers, on the other hand, often see a cloud computing arrangement as an outsourcing and seek to achieve levels of risk transfer which are in line with more traditional delivery models. However, a balance needs to be struck between price paid for services and risk and liability assumed by the cloud provider.
Customers will want to ensure that the cloud provider has appropriate business continuity plans in place. These may include the provision of alternative facilities in the event of theft, flood or fire, and escrow-type arrangements.
While the customer will be keen to have the right to audit and test the cloud provider’s alternative facilities, the cloud provider is likely to resist negotiating such a right into the agreement, especially where the provider is offering multi-tenant services which could lead to multiple audits by multiple customers. Certificates of compliance or accreditations may provide the customer with the required comfort.
Some cloud providers will have “one-to-many” escrow arrangements in place. Alternatively, the customer can seek an independent arrangement with a third party, such as NCC or Iron Mountain, which offer escrow services specifically in relation to cloud computing arrangements. Cloud computing escrow arrangements differ from other escrow arrangements because both the source code and the object code are held remotely, so the customer will need to ensure that its escrow arrangement comprehensively covers both types of code.
Data portability on exit is also an important consideration, as customers will want to ensure that they are free to move data easily between service providers and/or bring data back in-house. Insufficient attention to this issue can lead to a customer becoming ‘locked in’ to a current supplier. Some customers will want to protect themselves further against the risk of being unable to access their data by maintaining their own back-up arrangements, although this will clearly negate some of the cost benefits of having adopted a cloud service model in the first place. As with more traditional outsourcing arrangements, it is advisable, where possible, to include an exit plan in the agreement, setting out specifically each party’s obligations on termination of the agreement.
The cloud provider will not always own the intellectual property rights in the software that is the subject of the cloud computing service. It is therefore important to establish the licensing rights of the cloud provider and ensure that relevant third party licences are in place where necessary.
Terms and conditions for many standardised cloud offerings often provide the service provider with broad rights to use the content stored on its servers, including rights to pass this information on to third parties. The customer should take care to identify any rights it is agreeing to grant to the service provider and to limit them where necessary. This is particularly the case where the customer is intending to store personal data or confidential information in the cloud.
Data protection laws
European data protection laws do not fit easily with the cloud computing model, where the customer is unlikely to know at any one time when its data is moved or where it is stored. It can therefore be difficult to know exactly who (supplier or customer) is responsible for data protection compliance and so far there has been little guidance on this issue from national data protection authorities.
Where data is stored in the UK or within the EEA, the parties must comply with the Seventh Data Protection Principle (contained in the Data Protection Act 1998) which requires that the data controller ensures that the data processor is appointed under a written contract, and also that the data processor has adequate information security procedures in place. The customer may wish to impose further requirements on the supplier particularly in relation to security of data, e.g. how the supplier holds the data and audit rights.
Data location and transfer
The Eighth Data Protection Principle (also contained in the Data Protection Act 1998) applies where data is transferred outside the EEA. This principle requires the data controller to ensure that the importing country provides an adequate level of protection for personal data, considering the circumstances of the transfer. This can be difficult with cloud computing services as service providers may use a number of server farms in different locations and do not always provide information on where data will be held.
Customers should ensure that they have visibility of the security arrangements the service provider has in place in respect of the data it holds, and should satisfy themselves that these are sufficient given the nature of the data that will be stored within the cloud. Steps that a service provider should typically take would include ensuring that continuous physical security is maintained at the premises where the relevant infrastructure is located, that only security-vetted personnel have access to those locations and that back-ups of the data are made at regular intervals.
Many companies have begun to embrace cloud computing as a viable alternative service arrangement which brings significant cost and efficiency benefits. However, customers of cloud computing services need to be alive to the legal and commercial risks associated with this delivery model and seek appropriate contractual protections in respect of them if they are to maximise the opportunities that this new development undoubtedly brings.