In January, an IBM
server cluster went down due to a power failure, leaving several of its high-profile tenants — Air Canada, National Bank, Equifax and Laurentian Bank — in digital darkness for a brief while.
The episode may have raised a question in the minds of some of the companies relying on cloud providers to safeguard their data: when disaster strikes, how much can we trust them to do the right thing?
Trust starts with the ink on your contract, says Graham Thompson, president of Ottawa-based Intrinsec Security Technologies Inc
., a company that specializes in cloud security. Read your service agreement very, very carefully before signing it, he says. Don't assume that if something goes wrong, your priorities will be the same as those of your cloud provider. Caveat emptor
“For example, if there’s a virus outbreak,” he says. “Well, the provider, your cloud provider or your traditional IT provider, their perspective of it is going to be, we need to a) keep this out of the press; b) make sure nobody else is impacted; and then c) get this one client back up and running. Whereas, of course, the client, their priority is to get back up and running. You can see how there’s a bit of a mismatch there.”
So, how do you avoid choosing a provider who isn't on your wavelength? And more to the point, what should you look for in a contract?
For starters, he says, the contract should spell out “real, enforceable penalties” for breaches by the providers. Buyers should also make sure they understand the level of technical support they are entitled to (some plans offer support only Monday to Friday during business hours, for example).
Another thing cloud customers tend to overlook in managed services agreements is whether or not there is a provision for the fate of their data once the contract is terminated, adds Véronique Wattiez-Larose, a partner at McCarthy Tétrault
“What people often forget about is when you actually end the relationship with that provider, you actually have to recuperate your data. So, how are you going to do that [and] in what format is it going to be delivered to you? Just sort of walking through the entire process — that’s not necessarily covered by the more standard-form agreements.”
Wattiez-Larose adds that if you aren’t a National Bank or Air Canada, you have all the more reason to take the time to make sure the contract is kosher. “For the bigger players, on both sides of the table, that is, the cloud agreements are probably not that much different from any classic outsourcing agreement,” she says.
“But as you get smaller then obviously your leverage gets smaller as well. And because of that change in the business model, then, you may not have as much protection in those agreements as the bigger guys.”
Steven Rodin, CEO of Toronto-based Storagepipe Solutions Inc
., wrote in an e-mail message that as a cloud provider, his organization strictly adheres to the agreements it makes with its customers, which “spell out both our responsibilities and customer responsibilities for data protection."