The cloud is a wonderful place when everything is going well, less so when something goes awry, as FSN contributing editor, Lesley Meall, discovers when she looks beyond cloud computing at the associated terms of service and service level agreements.
Google hit the headlines during February 2011 when its Gmail service crashed, separating rather a lot of people from their stored emails and contact information – and not for the first time. Initial estimates put the numbers affected at between 150,000 and 500,000, generated endless column inches about waking up to find that all of your emails had vanished (which could be a mixed blessing), and gave lots of people the opportunity to wail on about the general unreliability of cloud services. But when the smoke cleared, it became apparent that things were not quite as they had seemed.
The number affected fell to 40,000 (just 0.02% of all Gmail users), no email or contact information was actually lost (access was restored within 12 hours), only users of the free service were affected (Google Apps for Business Customers pay for a Service Level Agreement that assures 99.9% uptime), and the failure was attributed to a software upgrade (which can also affect on-premise installations, which the user must then fix). ‘When we discovered the problem we immediately stopped the deployment and reverted to the old version of the software,’ blogged Ben Traynor, Google VP of engineering and site reliability czar.
Not all failures of cloud computing services can be fixed quite so easily. In June 2010, for example, power outages at Intuit’s data centre in San Diego crippled its primary and backup systems for more than 24 hours, in two related incidents. This took out the corporate website and deprived small business users of access to TurboTax Online, QuickBooks Online, Quicken and QuickBase, the on-demand payroll and payment processing software, and all of the associated hosted data. Although no data was irretrievably lost, during this debacle, business was affected.
The blogosphere was awash with users threatening to vote with their feet, which some have doubtless done. Intuit’s chief information officer Ginny Lee apologised for the ‘frustrating experience’ and promised to ‘learn’ from the unfortunate series of events. But this is something we can all do, as they highlight the need for those who sign up for cloud-based software and services to pay attention to the associated ‘terms of service’ or service level agreement (SLA). Drop by the Intuit website and look at the terms of service for users of Intuit QuickBooks Online; you don’t need to read it all, just skim down to sections 8, 9 and 10, which cover the Disclaimer of warranties, Limitation of liability and indemnity, and Changes to this agreement or the services.
It’s not pretty, but it’s not unusual. Many cloud providers have built similar disclaimers into their ‘terms of service’ and ‘service contracts’, whilst carefully avoiding anything remotely approaching a formal SLA, or the availability and performance guarantees associated with one. Where cloud providers do commit themselves to an SLA, there is a marked tendency to tilt the balance of risk firmly in the direction of the user. All of this is fine when you are happily exploiting the benefits of cloud computing, such as accessibility, flexibility, and deployment speed, and everything is going well. But the cloud delivery model is not without risks, and when things do go wrong, some SLAs are about as much use as a chocolate teapot.
As a buyer, you might reasonably expect an SLA to offer a guaranteed minimum level of service and to provide some sort of financial compensation when things go awry. But if this is so, you may be in for a series of disappointments. Let’s take Amazon’s Elastic Cloud Compute as an example. At first glance, the SLA, which you can read here, does appear to offer the required assurances, but look more closely. Although it ‘guarantees 99.95% availability of the service within a Region over a trailing 365 day period’, if the service is ‘unavailable’ for a qualifying period, the result is ‘an SLA service credit’ against ‘future Amazon EC2 payments’.
Very large organisations may have the power to push cloud service providers to shoulder more of the risk, by providing ‘liquid damages’ for SLA violations. They may also be able to insist that the service provider take responsibility for proactively monitoring faults and service disruptions, or even get their lawyer to successfully convince the service provider to issue appropriate compensation automatically, without the need to go through a 10-step process in order to get a service credit or a financial payment. But for a lot of organisations, if this isn’t already built into the standard SLA, the likelihood of being able to negotiate for these is slight.
It is the nature of the beast that cloud services are characterised by a high degree of contract standardisation, and terms are consistent for every customer. Buyers need to consider this, as it differentiates cloud services from other types of outsourcing and managed services. It is not unusual for these to result in partnership-style relationships between buyer and vendor, but cloud service contracts do not lend themselves to this. Another cause for concern with cloud serving contracts is the extent to which they may be varied during the lifetime of a contract, so its important for buyers to clarify which parts of a contract may be subject to change, when this might take place, and what the notification period will be.
The analyst firm Gartner sees a lot of cloud sourcing contracts and SLAs and there are very marked differences between those written ‘with larger, more mature corporations, or the consumer side of the market, in mind’ and those that have been created for small and medium businesses. Gartner also reports that cloud service contracts from traditional service providers, for their private cloud offerings, tend to include more generally acceptable terms and conditions. Gartner also sees many cloud-sourcing contracts that don’t even go as far as describing cloud service providers’ responsibilities, and which would not meet the general legal, regulatory and commercial contracting requirements of most enterprise organisations.
Not that contract terms which favour the provider, system downtime, and the lack of hard cash by way of compensation for it, are the only potential contract-related problems with cloud-based service delivery. The analyst firm Gartner has identified these and some other areas of risk that buyers should consider when contracting for cloud services. These include limited protection on renewal and lack of guarantees on future terms associated with subscription and ‘pay as you go’ agreements, and the fact that many service providers reserve the right to change terms and conditions at any time – and this has happened on a number of occasions.
According to Gartner analyst and research vice president, Alexa Bona, those involved in sourcing cloud services need to understand key areas of risk and act appropriately. ‘It is essential that organisations planning to contract for cloud services do a deep risk analysis on the impact and probability of their risks,’ she urges, and then decide on an approach to mitigate for the issues that they consider most critical – and revisit this at frequent intervals during the lifetime of the contract. ‘This might cost additional money, but it is worth the effort,’ suggests Bona. ‘Risk should be continuously evaluated, because contracts can change – sometimes without notification.’