There are a number of provisions you need to consider when putting together a contract for cloud services. Broadly, these relate to the services to be provided and service levels.
Service descriptions in cloud contract agreements can be vague – it is important that they are clearly specified.
Key points when agreeing a contract include:
- Ensure there is a service description that is precise enough to be relied on – but not so technical that it is difficult to understand. While the marketing and technical documents can be useful guides, neither is likely to be pitched at the correct level to form the actual service description.
- Check whether the service is being offered on a ‘reasonable endeavours’ basis only, or something more concrete.
- Check whether the supplier can change the services without your consent or without sufficient notice – and whether this could result in you losing key functionality, or the cloud service no longer working with other aspects of your IT system.
- Consider whether you need a period of testing or acceptance before paying the charges in full. Not all cloud services are ready ‘out of the box’ – it is important to check compatibility with your other systems at the outset.
Be mindful of your business plan when you place the initial order for your cloud service: are you intending to expand your business? Think further than your immediate business requirements.
One advantage of cloud services is the flexibility to change the level of service provided as required. Any professional cloud supplier should ask if you have any expansion plans to enable them to design the best fit for your business – in the short, medium and long term. In some cases, there may be little difference in cost.
Always ask a cloud supplier the costs of adding more applications, services, users and storage to ensure that these are not disproportionate or would obstruct expansion. Also, be mindful of your own protocols and procedures for increasing services. Due to ease of use, there is a risk that you consume more of the cloud service than intended, which can mean higher than anticipated bills. Ensure that the contract makes it clear who has authority to instruct increases in usage and how you will be notified if services are being used above a certain level.
Always ask if there are any additional charges for configuration, project management, implementation and support. Likewise, find out if there are charges or notice periods for decreasing your service requirements.
The responsibility for software licences can be a source of potential confusion with cloud computing.
Where the service involves the provision of software or applications (known as ‘software as a service’), the provider should arrange all necessary usage permissions.
However, if the service you are receiving involves the provision of a software platform or infrastructure, you will be responsible for ensuring that it is properly licensed. Make sure you are clear whether it is the provider's responsibility to arrange and manage any requisite software licences together with the payment of any associated fees, or whether this falls on you as the customer.
The service levels, which are often set out in a separate service level agreement (SLA) schedule, will cover:
- the availability and performance standards to which the services are to be provided
- the remedies available if the service fails to meet the terms of the SLA
Particular areas of the SLA to look out for include system availability, support and maintenance, and remedies for unscheduled downtime.
The time a computer system is operating is called uptime. It is usually shown as a percentage. Take care to understand how this percentage is calculated, because the calculation may exclude short service outages during which your data is still not available. For example, if a provider defines an outage as anything of 30 minutes or more, and the service is not functional for 29 minutes, uptime may still be reported as 100%. You should check whether these outages will be announced in advance and whether they will occur outside of your normal working hours.
The definition of ‘up’ is also important. Your cloud system may be ‘up’ according to your SLA even if a number of features are unresponsive, provided that core systems are available. Ultimately, your availability figure should mirror the time you actually have access to a fully functional system (or, at least, functional in all critical respects).
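As an added illustration (not part of the original guidance), the following script applies the three exclusions described above to a constructed month of incidents: a 30-minute outage threshold, a definition of 'up' that counts only core systems, and a carve-out for announced maintenance. It compares the availability figure the provider would report with the time a user actually had a fully working system.

```python
from dataclasses import dataclass

# Constructed sample data: one 30-day billing month (43,200 minutes) with four
# incidents. Durations are in minutes. "core" marks whether a system the SLA
# names as core was affected; "scheduled" marks announced maintenance.
@dataclass(frozen=True)
class Outage:
    label: str
    minutes: int
    core: bool
    scheduled: bool

MONTH_MINUTES = 30 * 24 * 60

SAMPLE_OUTAGES = [
    Outage("login service unreachable", 29, core=True, scheduled=False),
    Outage("storage API errors", 45, core=True, scheduled=False),
    Outage("reporting module hung", 120, core=False, scheduled=False),
    Outage("announced patch window", 240, core=True, scheduled=True),
]

def counted_downtime(outages, min_outage_minutes=0, core_only=False,
                     exclude_scheduled=False):
    """Minutes of downtime that survive the SLA's exclusions."""
    total = 0
    for o in outages:
        if o.minutes < min_outage_minutes:
            continue  # shorter than the provider's outage threshold
        if core_only and not o.core:
            continue  # non-core feature: still 'up' under the SLA definition
        if exclude_scheduled and o.scheduled:
            continue  # announced maintenance is carved out of the figure
        total += o.minutes
    return total

def availability_pct(downtime_minutes, period_minutes=MONTH_MINUTES):
    return 100.0 * (period_minutes - downtime_minutes) / period_minutes

def compare(outages, period_minutes=MONTH_MINUTES, min_outage_minutes=30):
    """Return (provider-reported %, user-experienced %) for the same incidents."""
    reported = counted_downtime(outages, min_outage_minutes,
                                core_only=True, exclude_scheduled=True)
    actual = counted_downtime(outages)
    return availability_pct(reported, period_minutes), availability_pct(actual, period_minutes)

if __name__ == "__main__":
    reported, actual = compare(SAMPLE_OUTAGES)
    print(f"SLA-reported availability: {reported:.3f}%")
    print(f"Experienced availability:  {actual:.3f}%")
```

With these inputs the provider reports roughly 99.9% while users experienced closer to 99.0%, a gap of more than six hours in the month that no service credit would cover.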
Ask your provider for evidence of its history of downtime and the measures that have been taken to prevent similar incidents in future. You could also contact reference customers of the cloud provider.
Given the nature of the cloud service (and certainly public cloud), support and maintenance should be included as part of the standard pricing model, since this will be required to keep the service operational. However, it may be that only basic support is included in your package, with premium support available at an extra cost.
Pay particular attention to helpdesk opening hours, as well as response times and procedures. The initial helpdesk response may simply log the problem with a further call back to provide substantive support.
Like most modern IT systems, cloud arrangements depend on internet availability. Also, your IT equipment will need to be of a certain technical specification to access the cloud service. You should ask whether your provider will offer advice on, and support with, checking the necessary equipment and internet connection required for optimum cloud system performance. Your provider may also advise on contingency plans for internet outages.
Your provider should give a clear explanation of the remedies for unscheduled downtime. Key issues are:
- Will you automatically receive service credits (in other words, a reduction in charges) in the event of failure?
- If so, are these set at a meaningful level?
- Is any further compensation available in the event of serious outages?
Given that using cloud services effectively involves ceding control over aspects of your computing system, failure to consider business continuity and disaster recovery (BC/DR) could have a major impact on your business. This is particularly important if client data or crucial business functionality is moved to the cloud.
You should review the provider's BC/DR plan and ensure it is robust and comprehensive, and perhaps also that it is regularly updated and tested.
Your own BC/DR plan should address other factors that could cause you to lose access to your system, such as failure of your internet connection or a power cut. As part of BC/DR planning, to ensure there is no single point of failure, you should regularly test, and consider having fallbacks for, key resources, such as your internet service.
In establishing at the outset what is included in your subscription and what will incur further cost, you should ask about upgrades to the service. Will you get upgrades automatically and, if so, how frequently? While frequent upgrades for security or functionality sound attractive, you should consider the compatibility of the cloud solution with your other IT systems. For example, if you are using the cloud for email, does this integrate with your document storage system, and how will upgrades affect this compatibility?
In using a cloud computing system, you will give the supplier control over a number of areas that could impact on the security of your data.
The contract should spell out the security provided to ensure compliance with best practice and any applicable data and security regulations. This is often done by referring to the provider's IT security policy, which may make reference to international standards such as ISO 27001/ISO 27017. Bear in mind that data stored on a cloud platform could be lost through a malicious attack or a data wipe by the service provider. Always carefully review your provider’s backup procedures as they relate to physical storage locations, physical access, and physical disasters and ensure that you have, if required, an independent recovery plan in place.
Your provider should also give assurances about the technical specifications and security of the data centre storing your data. There are various industry standards that can be used to check the quality and facilities of the data centre, including issues such as staff vetting.
Furthermore, your cloud provider should undertake to audit the facilities of its data centre at least annually. But do consider the true value of any audit findings produced by a provider. For example, will an audit report for a service provider (who may have shared cloud premises all over the globe) provide enough detail on the specific data centre where your server will be held, and perhaps even the specific area of the premises where your server sits?
Cloud security also depends to a large extent on the measures your firm takes. For example, your staff should use strong passwords and two-factor authentication. You should ask your provider to adjust settings so the use of strong passwords by staff is mandatory, there is an automated routine for passwords to be updated and the strength of user passwords is audited.