COMMENTARY | COLUMNISTS | MATT STAMPER

Four questions to ask when negotiating the cloud

Cloud computing is changing, for the better, how organizations and companies implement their IT infrastructure. There are a host of financial and operational benefits in doing so. Because these platforms combine many well-known technologies, such as virtualization and pools of storage, many factors go into making such a system reliable and viable for an organization. All of them can be beneficial, provided the pieces work well together to create a seamless and secure environment for your sensitive data.

Implementing a cloud computing system can present security and reliability issues for businesses if it is not adequately assessed and evaluated prior to deployment. There are significant legal implications as well, and no organization, be it private, public, academic or nonprofit, is exempt from observing them.

If your data is already in the cloud, or if you’re thinking about expanding your usage of such offerings, make sure you’ve got these questions answered to an appropriate level of satisfaction before moving forward:

1. What’s the service mix? There’s a huge amount of variance between cloud computing providers on what they actually do for clients. It’s critical to know what services are in scope and how they are covered, including security, monitoring, backup systems, audits and information assurance controls. Documentation of regular and one-time work performed must also be made available for an adequate period of time to cover your operational and legal requirements. Remember, detail counts.

2. Who actually manages the data centers? Some cloud service providers own and operate their own data centers, while others use third-party facilities to deliver their services. Control over the infrastructure is an important consideration when looking at providers and their service offerings. Either way, there are a few things to check out, chief among them the key controls of such facilities. This includes reviewing access procedures, capacity management, staff background checks, power management and fire suppression procedures. Additionally, data center operators should be able to explain, in their standard service level agreements, how they will respond to and communicate with customers on incidents as well as configuration change orders. Where the data center actually resides geographically will also have legal implications, so know this ahead of time.

3. Who’s liable when? In addition to data centers, many cloud service providers utilize other subcontractors to fulfill certain elements of their overall offering. While many don’t hide this fact, it is often not specified under what circumstances subcontractors are liable when things go wrong. Be sure to ask the tough questions in advance, such as: Does the subcontractor have to provide the same quality of service as the cloud services provider? What are the subcontractors’ limits of liability? How will disputes be resolved? It’s important to get answers to these points before signing a contract. Otherwise, finger-pointing will be the primary response during an adverse incident, which does no good for any of the involved parties. You can see why “click-here,” also known as wrap-around, agreements can be challenging.

4. What happens if a relationship is terminated? It’s critical to outline how the exit strategy will be executed prior to signing a services agreement. Things such as data removal, deletion and transfer must be spelled out in advance. Chain of custody must also be outlined throughout the process, with clear and mutually agreed-upon security protocols.

For many organizations, owning, maintaining and supporting IT infrastructure is no longer deemed of strategic value. That’s true, but only when the cloud alternative is stable and operating within secure, reliable and legal standards. With a bit of due diligence and some good planning, cloud services could very well offer your organization a cost-effective, flexible and secure approach to IT and business requirements for years to come.


Stamper is the vice president of managed and professional services at redIT. Ray is an attorney with Sheppard Mullin Richter & Hampton LLP.
