All service consumers should have some basic rights to protect their interests. If cloud services are commoditized, providers should offer stronger customer guarantees across areas such as ownership of data, service-level agreements and technical requirements. However, service providers vary greatly in the protections they currently offer, if protections are offered at all. In addition, both providers and consumers share responsibilities for the relationship, and each side must take action to achieve proper business outcomes.
This article defines the six rights and one responsibility of service consumers. Our goal is to provide a starting point that will help both providers and consumers establish and maintain successful business relationships. Additional critical rights and responsibilities will emerge as cloud services mature.
The council focused primarily on enterprise use of the public cloud and the issues that might drive enterprises to a more private offering. The emergence of general-public providers in the cloud challenges enterprises that need guarantees of service performance. General-public providers of cloud services deliver generalized services to massive numbers of customers for economies of scale, so the business model prevents these providers from offering service consumers customized treatment. This article does not address enterprise-private cloud providers, which provide services only to the enterprises that sponsor them.
Rights and Responsibilities of Cloud Service Consumers
Here are six rights and one responsibility that pertain to consumers of cloud computing services.
1. The Right to Retain Ownership, Use and Control of One’s Own Data
Many cloud service providers do not explicitly state their position on the issues of ownership, use and control of data. When a service provider hosts data, processes and applications on behalf of a service consumer, does the provider now gain the right to use, access or manipulate those resources without the permission of the service consumer? The common-sense answer is certainly not. However, without a statement from the provider to this effect, there is a potential risk to the service consumer.
Service consumers should retain ownership of, and rights to use, their own data. The issue is clear-cut when only the service provider accesses the service consumer’s data. It becomes more complicated when multiple parties access the data, such as in a business-to-business service in which suppliers and customers access the data as well as the service provider.
2. The Right to Service-Level Agreements That Address Liabilities, Remediation and Business Outcomes
All computing services suffer slowdowns and failures, including cloud services. However, cloud service providers seldom commit to recovery times, specify the forms of remediation or spell out the procedures they will follow. Moreover, providers that do offer these kinds of guarantees do so only for their own environment, although the overall performance of the service—which is what matters to the consumer—also depends on the network that connects the provider and the consumer and on the consumer’s own systems. Service-level agreements often describe commitments in technical terms, such as throughput and uptime, but these don’t necessarily make sense for the consumer’s business.
Cloud services require different kinds of service-level agreements, depending on the type of service provided. To make service-level agreements relevant to the business, providers do not have to customize them for every consumer; rather, the agreements should comprehensively address the business issues implied in the type of service offered.
For example, suppose a service consumer runs an application that consumes a certain number of CPUs. The consumer then introduces a new offering, which causes traffic on its website to shoot up. The provider’s contract should not simply guarantee a certain turnaround time for adding capacity; it should specify how it will deliver that capacity, including the technology, technical limits and technical requirements of the provider, the procedures by which the capacity will be added, and pricing.
3. The Right to Notification and Choice About Changes That Affect the Service Consumer’s Business Processes
Consumers buy services to support their business processes. Once they have signed up with a provider, any change to the terms, such as prices or upgrades, could damage the business because the cost to switch to a different provider is high.
Every service provider will need to take down its systems, interrupt its services or make other changes in order to increase capacity and otherwise ensure that its infrastructure will serve consumers adequately in the long term. Service providers cannot guarantee that no service disruptions will occur, and must declare whether they allow service consumers to opt out of changes. Instead, protecting the consumer’s business processes entails providing advance notification of major upgrades or system changes, and granting the consumer some control over when it makes the switch. Such changes might include upgrading a software-as-a-service application, implementing salesforce.com, introducing new versions of services, changing the location from which the service is provided, entering or exiting a business, shuttering a facility and so on. Allowing the service consumer some flexibility over when the change happens might involve setting a date for system changes but allowing the consumer to defer them, say, for a month so that it can choose the time that least disrupts its business or that allows it to better prepare.
4. The Right to Understand the Technical Limitations or Requirements of the Service Upfront
Service consumers often turn to the cloud to support long-term initiatives. During this time, either the consumer or the provider will inevitably make major changes to its environment, such as data migrations, capacity increases, server upgrades and network changes. Most service providers do not fully explain their own systems, technical requirements and limitations. After consumers have committed to a cloud service, they run the risk of not being able to adjust to major changes, at least not without a big investment. Service consumers and providers must do a better job of keeping each other informed about their technical limitations, particularly for complex, long-term projects or complex architectures and systems.
5. The Right to Understand the Legal Requirements of Jurisdictions in Which the Provider Operates
The ease and speed of deploying and using cloud services also make it easy for service consumers to overlook critical legal issues. If the cloud provider stores the consumer’s data in a foreign country, or transports the data through one, the service consumer becomes subject to laws and regulations it may not know anything about. Service providers have not done a good job of explaining in which jurisdictions they put data and what legal requirements the service consumer must therefore meet. Some providers may not want to say where they locate data for security reasons.
Service consumers need reassurance that the provider does not violate rules in any country and leave the consumer accountable. For example, suppose a provider starts running a service from Germany and then moves it to China—will the provider act as a safe harbor? Alternatively, the service consumer’s business may require it to locate data only in one country or certain countries. The provider may not have facilities in those countries. Enterprises need to know where a service provider they are considering would put their data so that they can make an informed decision about whether to use cloud services.
6. The Right to Know What Security Processes the Provider Follows
With cloud computing, security breaches can happen at multiple levels of technology and use. Service consumers must understand the processes a provider uses so that security at one level (say, the server) does not subvert security at another level (say, the network). Without this knowledge, service consumers risk security violations caused solely by the provider not accounting for the ways in which consumers might use a service. Service consumers also need to understand a provider’s business continuity plans so that they can ensure the continuity of their own operations in an emergency. Service providers are not consistent in explaining either their security processes or their business continuity plans.
The key to this right lies in good communication. The provider must explain its security processes and reliably notify consumers of any potential breaches. However, service consumers must have enough sophistication to understand the implications of these processes for a cloud architecture. In addition to security, the provider must explain its business continuity plans and demonstrate that they work, by performing monthly drills, for example. This information will help the service consumer better manage risks and keep its own operations going in an emergency.
7. The Responsibility to Understand and to Adhere to Software License Requirements
Software licenses for on-premises deployments can be confusing enough, and cloud deployments simply add to the number of questions. For example, can the consumer transfer licenses from an on-premises deployment to a cloud deployment? In general, software vendors do a poor job of explaining the possibilities and requirements of software licenses for cloud computing. The responsibilities lie more with the service consumer in partnership with a vendor than with the cloud service provider. However, service providers may place themselves at risk should they fail to recognize or limit their liability with regard to non-cloud-oriented software licenses being used inappropriately for cloud deployments.
Providers and consumers must come to an understanding about how the proper use of software licenses will be assured. On the one hand, providers must be held harmless if the service consumer puts the software it licenses from a third party in the cloud yet violates the licensing agreement. On the other hand, the provider should not agree to an audit directly by the vendor if the consumer owns the software licenses. The service consumer must take charge of the audit because it needs to consider the whole context—both what the consumer runs in the cloud (perhaps using several service providers) and what it runs on its own infrastructure.
Conclusion
These seven rights and responsibilities will benefit both service providers and service consumers. Respecting them will require effort and expense from providers, but securing them will encourage enterprises to put more of their business into the cloud. These rights and responsibilities will enable service consumers to make more informed decisions before signing up with a provider—they can use them today as a checklist of questions to ask providers. But these seven rights and responsibilities will not become a reality unless enterprises insist upon them when they negotiate with service providers. And enterprises must also take on the additional responsibilities the rights imply. We urge all enterprises to do what they can to establish these rights and responsibilities as the standard for cloud services.
For more information on the cloud rights and responsibilities and the work of the Gartner Global IT Council, visit its website at www.gartner.com/globalitcouncil.