Helder Almeida - Fotolia

Cloud contracts are still a minefield

Cloud computing is maturing in the enterprise space, but the contracts that underpin cloud services have not evolved at the same pace

As cloud take-up accelerates and a more diverse group of organisations consider it, the contracts that underpin cloud-based services need more expert attention.

The ease with which cloud services can be implemented and used is lulling businesses into accepting contracts without the right oversight, and this is putting them at risk. It is even possible, if standard contracts are not changed, for a company to have its contract terminated and data deleted for late payment.

One area of concern is data protection and where contracts place risk for this. For example, cloud customers could face fines large enough to put them out of business if data is stolen or accidentally made accessible. This is why it is essential there is clarity over who is responsible for what and who is taking on the risk.

There is currently a stand-off between cloud suppliers and their customers over risk. But they need to come to a compromise as cloud services hit the mainstream – and recent analysis suggests they are.

In the final three months of 2016, cloud-based contracts accounted for a third of overall IT outsourcing in Europe, the Middle East and Africa (EMEA), according to figures from ISG. Taking into account contracts worth €4m or more, ISG found that in the last quarter of 2016, €3bn was spent on IT and business process outsourcing, with the cloud-based as-a-service proportion of this reaching a record €900m.

Cloud-based services are attractive because they offer low upfront costs, flexible service levels, continuous automatic upgrades and subscription payments. The ease with which these services can be implemented means they are often described as “plug and play”, but this might deceive users into forgoing a thorough examination of the contracts that underpin them.

Weigh up cloud risk

Small and medium-sized enterprises (SMEs) in particular are agreeing contracts without understanding what they are committing to. Meanwhile, the CIOs of large firms are having to explain to their boards that they will have to take on some risk if they want a particular product.

“SMEs are accepting without thinking, which scares the hell out of me,” says Bob Fawthrop, a seasoned IT outsourcing consultant and director at Bob Fawthrop Associates. “Businesses need to understand the associated risk because they will be fined if data is lost.”

In Fawthrop’s experience, only about 25% of cloud contracts protect the customer, and these are the ones that have been put together with some kind of commercial oversight from the customer side.

CIOs have to let their boards know that in selecting a particular cloud product they must be willing to take the associated risk

Part of the problem, he says, is a tendency for suppliers to post everything from the price to the contract on the web as URLs, and they expect customers to sign up to them, which many do.

But he warns there are some areas where businesses need a certain level of customisation because of regulations, such as those around security. “There are a number of areas where suppliers will want to take zero risk, but the classic customer stance is that the supplier should take on the risk,” he says. However, suppliers are reluctant to add to the price to take on the risk because the low cost of the services is one of their main attractions.

For example, he cites a case he was involved in where a cloud-based financial transaction supplier that was going to move data from one system to another would not take responsibility for data loss, despite the fact it was moving the data.

“There is a stand-off between the [customer and supplier], but they have to arrive at a compromise,” says Fawthrop.

Contracts must catch up as the take-up of cloud services increases. “The cloud suppliers have to be more realistic about what they are willing to do. Some of them are, and have created an addendum to their terms and conditions to fit customer demand, but many are not being realistic and refuse to make changes,” he says.

This latter group includes a wide range of suppliers, from the large global providers of cloud-based solutions right down to small ones. This, he says, means CIOs have to let their boards know that in selecting a particular product they must be willing to take the associated risk.

Obligations are scattered throughout cloud contracts

Fawthrop warns that obligations are “scattered throughout” cloud contracts, often in the form of a URL link to a web page, and that businesses should insist that all the obligations are put together in one place.

URL-based agreements, which are being used as contracts, can be changed at any time, so customers need to attach the terms listed on the web page on the day it was signed or dateprint when the URL was included. This will protect them against changes in pricing that were not agreed. “Contracts currently make it possible for prices to go up without agreement,” says Fawthrop.

And it is not just SMEs that are facing challenges in achieving the right cloud contracts.

Independent consultant Vincent Cohan has headed IT infrastructure and operations at a number of large global companies, including Time Warner, AXA and Thomson Reuters. In his time, he has completed a number of cloud adoption strategies, and migrated applications from legacy environments to private cloud infrastructures and public cloud services such as Amazon Web Services (AWS), Google CloudMicrosoft Azure and Microsoft Office 365

Cohan says there is increasing pressure on large and small businesses to “cloud up”, and it is not surprising that many rush into agreements. “I could easily imagine an organisation without tight contracting controls, or without cloud deal experience, just jumping into these agreements in the interest of saving time,” he says.

Part of the problem is that cloud is still a new model for many, including large organisations, and it is essential that decision makers understand what they are agreeing to, says Cohan.

“A big challenge is helping internal stakeholders focus on issues that really matter. These include termination rights, intellectual property protection and liability,” he says. “Another challenge is clearly identifying situations that can result in a suspension of service, and incorporating safeguards, where possible, including advance notice and adequate remedy periods.”

URL-based agreements are a huge risk. Cohan gives an example of a major cloud supplier’s standard agreement: “It gives them the right to terminate your service and erase your data if you are 15 days late in payment. It’s questionable whether they would actually take that action after 15 days, but the risk is there unless the agreement is modified to address it.”

Scrutinise and negotiate cloud Ts&Cs

Cohan does not think contracts have changed to keep up with the increased adoption and maturity of cloud services. He says one problem is that businesses, including their IT leadership, have expectations of deals based on traditional hosting deals that don’t correspond with the public cloud model.

Like Fawthrop, he believes some companies are “too passive and don’t adequately scrutinise the agreements, or don’t have centralised control over their execution in the enterprise”. 

Without proper controls, he warns, a well-intentioned business stakeholder with a credit card can commit a company to bad terms.

Cohan insists businesses should not view a standard contract as a take-it-or-leave-it option. “The biggest mistake is the assumption that there is little or no room for negotiation,” he says. “That might have been truer in the early days, but even the big players like Amazon and Microsoft will negotiate terms as long as it makes business sense for them.”

While cloud providers won’t agree to terms that could jeopardise the service or undermine scale advantage benefits through bespoke services, they will be willing to negotiate if they see an opportunity to grow their business.

Prepare for contract termination

Cohan urges businesses to prepare for the deal ending even before they agree it. “It will sound pessimistic, but I believe the single biggest issue is understanding what happens if you or your provider decide to end the agreement. You don’t want to be raising this topic for the first time when you are in the midst of a divorce,” he says.

Standard agreements don’t offer much protection in this situation, he says, and businesses must understand, for example, the timeframe and support the provider is obliged to provide for transition.

But there is hope for companies of all sizes if they approach a contract in the right way. “Don’t be reluctant to negotiate on key points that are important to your business,” says Cohan.

“You need a good legal team, but you also need cloud buyers who understand IT”
Steve Larrabee, independent advisor

Steve Larrabee, now an independent advisor, spent 29 years working through the ranks at Mars, holding roles including global CIO. At Mars, he says, the strategy was to use cloud conservatively in certain targeted areas, such as software as a service such as Salesforce.com or cloud-based HR applications, rather than more heavy-duty software such as enterprise resource planning (ERP) tools.

Despite its conservative use of the cloud, he says Mars still had to treat contracts with the same rigour as previous outsourcing agreements, and even for a large company it took time to get the cloud contracts right. “It would take a couple of months to make sure we got things like the right level of responsiveness and the right upgrades,” he says.

Larrabee says the contribution from the IT team during negotiations is vital with cloud service contracts. “You certainly need a good legal team, but you also need buyers who understand IT.”

The cloud brings opportunity and complexity, and handing so much of the IT to a third party is a big step. He says a “half buyer and half IT expert” is useful to have around the negotiating table. 

The balance is essential. Fawthrop warns that too much IT input can be a hindrance to coming up with an enabling, business-focused agreement. “Conventional IT thinking does not necessarily apply,” he says. “Scope, service levels and compliance may all require non-IT thinking. It obviously helps to have some IT knowledge, but business understanding is far more important.”

Read more about cloud contracts

  • Cloud contracts are notorious for being weighted in favour of providers, but, for an industry still grappling with how best to win the trust of users, it’s a risky way to do business.
  • Cloud contracts offer great benefits, but they can put organisations at significantly greater risk than conventional IT service contracts.
  • The days of cloud service contracts heavily skewed in the provider’s favour are fading. Robust adoption and increased competition are giving CIOs an edge in contract negotiation.

Read more on Infrastructure-as-a-Service (IaaS)