Forming a successful relationship with Cloud providers comes down to the fine print, Truman Hoyle Lawyers partner, Hamish Fraser, has advised IT departments.
Speaking at the Implementing Information Infrastructure Symposium (IIIS) in Sydney, Hoyle said a good Cloud contract should create a legal relationship and gives people rights -- an protection -- from "cowboy" Cloud providers.
"[A contract] identifies who the parties are and allocates risk," he said at the event, co-hosted by Computerworld Australia and SNIA ANZ. "It also sets out consequences and is very precise, or it should be.
"It should set out who are the parties of the contract, what [services] are you buying and where is it being delivered."
While Fraser warned IT departments about the contract pitfalls of cowboy providers, even established companies could offer sub-optimal terms.
"A service level agreement (SLA) [I have] seen from Amazon recently looked good on the surface because it included a clause that said if it was not up by a certain amount of time, the customer would get their money back," he said. "In fact, when you drilled into it, the customer had to notify Amazon themselves that it was down.
"To do that, they had to had to have information that was available on the Amazon system that they may or may not have had. The customer also had to lodge that within 10 days of the end of the month or they wouldn't get a cent back."
He cited another SLA which stated that if the agreement was terminated for convenience, the customer had 30 days to get its data back. If it was terminated because of a breach, the customer could never get its data back.
"The danger is that the vast majority of people don't read contracts," he said. "We value the proposition of something like Facebook and we hope that the provider will do the right thing by us.
"With a site like Facebook, when it gets so big even though there is a contract, you can vote with your feet [and leave] or voice your opinion on its privacy changes such as the Facebook facial recognition application."
Fraser then turned to the services people buy in the Cloud such as through Google and took delegates through the clauses.
"According to Google's contract, the vendor and its partners do not warrant that Google services will meet your requirements. `Google services will be uninterrupted, timely, secure and error free,' he said.
"So Google go to some length to tell you that they are not making too many promises. That's fine if it is free and you realise the risks when you put the data up into the Cloud," Fraser said.
He then showed Facebook's agreement which `does not guarantee that Facebook will be safe or secure. Facebook is not responsible for actions, content, information or data of third parties.'
According to Fraser, while companies can get some fantastic services from the Cloud, it was important to think about what services you are buying when you put your information in there.
"If you are a provider, could you distinguish your services by making sure that it does do some things that you promise it will do. What is the value proposition that you are selling?
He also slammed some Cloud vendors for drafting contracts that, because of the different definitions and "fluffiness" of the Cloud, were "silly and not very helpful."
"There is a degree of maturity that is yet to occur in the supply of vendor services. One I like is that the vendor may change the terms of this agreement at any time by posting a new version on the vendor Cloud website. They could rewrite the entire contract, change the entire liability regime and they don't even have to tell you about it," Fraser said.
"You are stuck as a consumer, of that service, with that new contract. It's questionable if that is enforceable but it is indicative of the Wild West nature that we are seeing."
However, he added that some vendors were trying to distinguish themselves by offering contracts that made more sense.
In summary, Fraser said that while Cloud contracts were not the perfect mechanism they were a "necessary evil."
"Without a relationship established between the buyer of the service and the seller of the service what have we got? We have no relationship, money won't change hands and as a customer we will have no interest in acquiring the service if they can't be certain about what they are getting," he said.
Because Cloud contracts are still a "little wild" he advised people to think about what goes in your contract and be sensible about it.
"The lawyer's job is to protect you from anything but sometimes to make money in business you have to take a risk so make a considered risk and think about what you are supplying.
He also advised delegates to watch the privacy regulatory landscape because it will change in Australia once legislative changes, as a result of the Australian Law Commission review three years ago, were complete.
"The News of the World phone hacking has highlighted that privacy is going to be stepped up and that clearly affects Cloud computing because 70 per cent of that is personal information," Fraser said.
The IIIS was co-hosted by Storage Networking Industry Association A/NZ and Computerworld Australia.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU