After an outage that hit Air Canada, National Bank and others, a lawyer and security expert offer tips on what to look for in cloud service agreements
In January, an IBM server cluster went down due to a power failure, leaving several of its high-profile tenants — Air Canada, National Bank, Equifax and Laurentian Bank — in digital darkness for a brief while.
The episode may have raised a question in the minds of some of the companies relying on cloud providers to safeguard their data: when disaster strikes, how much can we trust them to do the right thing?
Trust starts with the ink on your contract, says Graham Thompson, president of Ottawa-based Intrinsec Security Technologies Inc., a company that specializes in cloud security. Read your service agreement very, very carefully before signing it, he says. Don’t assume that if something goes wrong, your priorities will be the same as those of your cloud provider.
Caveat emptor
“For example, if there’s a virus outbreak,” he says. “Well, the provider, your cloud provider or your traditional IT provider, their perspective of it is going to be, we need to a) keep this out of the press; b) make sure nobody else is impacted; and then c) get this one client back up and running. Whereas, of course, the client, their priority is to get back up and running. You can see how there’s a bit of a mismatch there.”
So, how do you avoid choosing a provider who isn’t on your wavelength? And more to the point, what should you look for in a contract?
For starters, he says, the contract should spell out “real, enforceable penalties” for breaches by the providers. Buyers should also make sure they understand the level of technical support they are entitled to (some plans offer support only Monday to Friday during business hours, for example).
Another thing cloud customers tend to overlook in managed services agreements is whether or not there is a provision for the fate of their data once the contract is terminated, adds Véronique Wattiez-Larose, a partner at McCarthy Tétrault.
“What people often forget about is when you actually end the relationship with that provider, you actually have to recuperate your data. So, how are you going to do that [and] in what format is it going to be delivered to you? Just sort of walking through the entire process — that’s not necessarily covered by the more standard-form agreements.”
Wattiez-Larose adds that if you aren’t a National Bank or Air Canada, you have all the more reason to take the time to make sure the contract is kosher. “For the bigger players, on both sides of the table, that is, the cloud agreements are probably not that much different from any classic outsourcing agreement,” she says.
“But as you get smaller then obviously your leverage gets smaller as well. And because of that change in the business model, then, you may not have as much protection in those agreements as the bigger guys.”
Steven Rodin, CEO of Toronto-based Storagepipe Solutions Inc., wrote in an e-mail message that as a cloud provider, his organization strictly adheres to the agreements it makes with its customers, which “spell out both our responsibilities and customer responsibilities for data protection.”
“We stand behind those responsibilities and commitments,” he wrote.
A power outage, which wouldn’t fall under his company’s responsibilities, would nonetheless be a very unlikely accident at Storagepipe, Rodin wrote.
“We have both Uninterrupted Power Supplies (UPS) and backup diesel generators that feed power to our data centre. The building also has four environmentally-compliant diesel fuel storage facilities which can house up to 44,000 gallons of fuel for the generators. The data centre also features fully redundant underground power connections and can be switched on seamlessly via an automatic protection and control mechanism.
“In other words, a power outage on our end should be the least of your worries.”
Wattiez-Larose says there are bound to be many more disputes between providers and customers in the future, but most of them won’t be made public.
“At least for the larger businesses,” she says, “most of these contracts have arbitration provisions, so that disputes won’t actually go to court. They’re going to go to private arbitration, which obviously provides the advantage of confidentiality.”