Everyone knows the big virtues of using cloud computing services: They're cheap, you can scale them on demand, and they're fault-tolerant. Everyone also thinks they know cloud computing's vices: a variety of security and management concerns. What a lot of people have been missing, though, is that there's another real problem with cloud computing: legal liability.
You see, the default contract from Amazon Web Services and the other major public cloud providers puts the onus for any privacy trouble that might develop on you, the customer, not them. So, say that 100,000 of your best customers' records end up on WikiLeaks because your cloud provider's security is breached. Who do you think is going to be legally and financially responsible for the leak and any damages it causes? You can probably guess, but I'll tell you anyway: If you signed the standard cloud contract, you are. Never mind that it was the cloud provider's security failure; you're the one who will be stuck with the bills. Lucky you.
[ Get the no-nonsense explanations and advice you need to take real advantage of cloud computing in the InfoWorld editors' 21-page Cloud Computing Deep Dive PDF special report. | Stay up on the cloud with InfoWorld's Cloud Computing Report newsletter. ]
According to one report from SearchCloudComputing, Eli Lilly, the pharmaceutical giant, is fighting with Amazon over just these kinds of issues. Amazon's Werner Vogels denied the story's contention that Eli Lilly had walked away from AWS. "Eli Lilly is still very much a customer and has not dropped their use of AWS," wrote Vogels. Be that as it may, not everyone is content with Amazon's contract policies. Burton Group analyst Drue Reeves said at the Burton Group's Catalyst conference, "We don't feel like there's enough transparency in Amazon. We would like to trust you [but need more information]."
Trust is important. Eli Lilly was burned publicly once before by an accidental release of the email addresses for nearly 700 subscribers to its Prozac.com email alert. The company certainly doesn't want a repeat performance of that, and no company wants to be left holding the bag in the event of a data breach because of the negligence of a cloud provider.
So, what can you, as a corporate officer, do about this? Tanya Forsheit, founding partner at the Info Law Group has some advice. First, Forsheit told me, you should be aware that "many providers of cloud services tends to offer one-size-fits-all contracts. You shouldn't just sign up for them. You need to negotiate."
In fact, Forsheit thinks you should start looking at the legal aspects of any cloud deal long before you get around to talking about the contract. "You should ask questions about data security and privacy during the preliminary stages, even before you get to the contract. You should ask them what kind of privacy and security controls they have, whether they'll let you audit their security, and what they will agree to in regards to liability. These are all places where there's room to compromise. On your side, you need to know what level of risk you're ready to take. If a provider won't agree to even consider negotiating, that's a big red flag, You need to be ready to walk away from the deal."
Many companies, Forsheit said, find walking away hard to do. "Companies get excited about a solution or provider because they think the service is great or the cost is great, but they need to look at the business and legal concerns. Far too often, legal issues aren't looked at until it's too late, or not at all."
On the other side, Forsheit noted that cloud providers' legal policies and security and software audit standards vary. For example, Salesforce, the CRM (customer relationship management) power, will let customers audit their operations and is compliant with SAS (Statement on Auditing Standards) 70, a service auditing standard. Others aren't.
"At the end of the day, the provider wants you to agree to their terms. Many won't accept reliability and liability terms. Or, for example, they'll want to limit their liability to what you paid them for their services," said Forsheit. This could easily end up being mere pennies on hundreds of thousands of dollars in damages.
So, is moving to the cloud still worth it for your company? It may very well be, but before making the jump, you need to have your in-house counsel, as well as your IT staff, go over the package. And, Forsheit added, "If you don't have the expertise internally, find outside counsel to go over each proposed deal with you."
Or, as I'd sum it up, when it comes to cloud computing, it's better to be safe than sorry regarding both the legal and technical issues. Good luck.
Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at firstname.lastname@example.org.
Read more about management and careers in Computerworld's Management and Careers Topic Center.
This story, "Thinking of moving to the cloud? Send in the lawyers first" was originally published by Computerworld.