February 24, 2012

Cloud Computing Services, Caveat Emptor


It seems as though we do not go through a single day without one pundit or another touting Cloud Computing Services (also known as Software as a Service or SaaS) as the next big thing in computing. At first glance, there are many enterprise advantages to using these services, not the least of which is cost. However, in some circumstances, engaging such services can pose an existential risk to a large enterprise, a risk which is often not considered when evaluating the service offerings.

Large enterprise IT departments have gradually evolved a tendency to do less and less in-house, preferring to outsource services such as help desk and general IT to third party firms. The classic IT model for large enterprises with thousands of PCs, internal networking, large server farms or mainframes has become so cumbersome and expensive that such companies are understandably looking for ways to reduce ongoing costs. IT personnel are relatively expensive and require continuous training and development, and a full in-house service requires many such resources. Furthermore, IT expense is seldom other than an overhead function, i.e. it doesn't directly drive enterprise revenue. Taking a cost center department-specific view, lowering or containing cost is usually bullet-one on the IT executive's yearly objectives. In contrast, the enterprise-wide view may yield different analysis results, as the business could be put at risk with a simple IT cost-cutting approach in some cases, especially when the core business of the enterprise rests on the IT infrastructure.

Much of this IT cost reduction focus follows on the wave that saw the outsourcing of previously in-house software development and call centers to overseas third party providers. As consultants, we have seen many unintended consequences which are the direct result of such decisions.

When it comes to software development, the issue is where the business intelligence and assets are located. Without sufficient internal resources who fully understand the developed software, the enterprise is fully dependent on the provider for even trivial issues. Furthermore, there is an element of intellectual property risk which must be carefully managed. The last decade has shown many examples where outsourced development led to intellectual property losses. Those losses, we would argue, more than offset the cost savings associated with outsourcing. This is a case of risk not being properly assessed during the RFP process.

Call centers are a different matter. In this case the risk issue is the loss of control over an enterprise's customer base. That loss of control can be direct and/or indirect: the direct is simply that a third party is now executing customer-facing actions on behalf of the firm; the indirect is that those actions may alienate the firm's customer base. Again, these risks are difficult to determine and often are not included in the cost analysis. Many examples exist of companies pulling call centers back into their enterprise after a failed outsourcing adventure.

In an ideal world, the business decision to outsource services would be a straightforward financial one between comparable in-house and outsourced offerings. However, this is seldom the case, as risk elements are typically understated when it comes to the outsourced offerings. That is not unexpected, as the RFP team typically understands their internal situations much better than what the outsource vendors are offering. They are also not as adept in knowing what interface costs will be needed to fully manage the outsource vendors. These cost-reduction projects are typically planned with very little time, which also works against a robust risk assessment.

What kind of enterprise risks are we talking about, when it comes to cloud computing services?

We see two types of risk scenarios which should be considered: contractual liability and sovereign interference risk.

Contractual Liability:

Contractual liability is a significant issue. When running an in-house IT department, the liabilities reside within the enterprise. No matter what happens, the company is responsible. How do the cloud computing services compare? Not very well, actually: in most cases the service company assumes practically no liability. Below is an excerpt from the standard terms of one major supplier, which illustrates the issue.

"10. Disclaimers.

THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE AND OUR AFFILIATES AND LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE.

11. Limitations of Liability.

WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH: (A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY OBLIGATIONS UNDER THE SLAS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A PORTION OF THE SERVICES FOR ANY REASON, INCLUDING AS A RESULT OF POWER OUTAGES, SYSTEM FAILURES OR OTHER INTERRUPTIONS; (B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (c) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR (D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, OUR AND OUR AFFILIATES’ AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS PRECEDING THE CLAIM."

The above set of terms basically provides an "as-is", no-guarantees service. The full liability rests within the enterprise, just as it did when providing the services in-house. If a company is considering putting enterprise-critical data or applications on such a service, it needs to be fully aware of the lack of liability coverage. In cases such as this, the only recourse a company would have is to stop doing business with the services firm, which is a mere subset of the incurred costs for a major failure. These terms are not unusual; most of the major players use a similar disclaimer approach. We suspect that many such contracts have already been signed by IT managers, and fully expect that we will be hearing horror stories during the next few years, subsequent to a severe breach or failure of the services.

If the enterprise had negotiated some service levels and full liability into the contract, the ongoing service cost could approach or exceed the in-house one, so that isn't necessarily a viable solution either. We do strongly recommend that the general counsel's team be part of any decision making prior to signing such an agreement, as a solo IT manager experiencing this worst case scenario is in a "career limiting" position if the risk is accepted without consultation.

Sovereign Interference:

Sovereign interference risk is the risk that a government or governmental agency will interfere with the enterprise's business. That risk, while remote, can be catastrophic under the right circumstances. For an enterprise whose data or applications are mission critical, locating them within an external service increases the possibility of sovereign interference. The reason is that in most cloud scenarios, the enterprise is not the only customer of the provider.

Suppose the enterprise has contracted cloud web servers within a local zone, and by chance another customer is running an illegal web-bot controller service within the same cloud. The FBI swoops into the data center and confiscates all the servers as evidence. Now, not only is the enterprise offline until other arrangements can be made, but the data that is core to the business is exposed in an insecure manner. The FBI, or government, cannot be sued to recover damages, and the provider is not responsible under its contract.

Before the reader suggests this scenario is farfetched, it has actually happened many times in data centers, even when the enterprise owns the equipment within its leased rack space. Law enforcement is not elegant when it comes to gathering evidence; consequential harm occurs to others without recourse. In the case of cloud services, it is even harder to excise only the offending party.

If the equipment/servers are actually located within the enterprise, the company is better protected from unreasonable search and seizure. The general counsel's team earns their keep by mitigating this sort of risk.

Conclusions:

The real benefit of cloud computing is therefore not first and foremost cost, for enterprises with mission-critical needs, but rather scalability. In such cases, the enterprise should deploy internal cloud architectures where all of the physical assets are not shared with other parties, and where the enterprise can best mitigate their liability exposure. That solution speaks well to both liability scenarios while still partaking in the primary benefits of the cloud.


Copyright © 2012 Arbitor.com All Rights Reserved. Last modified: 12/3/2012