Why the contract matters
Card underscores the inherent risk any company assumes by outsourcing key technology functions and says there is no shortcut for internal risk management and due diligence.
"Where part of a company's IT infrastructure is provided by third parties (including outsourcing, shared services, intercompany management services, SaaS, or cloud computing) the effective execution of those services must be governed through the related service contract," Card says. "Indeed the outsourcing or relegation of day-to-day operational duties of any IT operation or business process does not discharge the executive officers or the board from their continuing governance duties of oversight and supervision."
Businesses that enter into a cloud computing contract should focus on outcomes and let the service provider work out the specifics of delivery and execution, for the greatest protection, according to Card. This puts all of the liability for those outcomes on the shoulders of the service provider.
"Whereas a license of software assumes the risk of that software's possession and proper use (subject to a limited warranty term,) a service provider assumes the entire risk of acquiring and using all of the tools necessary to perform the service," Card says. "Regardless of how your data processing services are structured, that performance risk transfers to the service provider based on the provider's agreement to provide and deliver operational 'results' and outcomes."
You get what you pay for
Cloud computing is attractive because it looks like a low-cost solution for updating infrastructure and outsourcing, but as Card points out, sometimes, "You get what you pay for."
He adds that many cloud computing offers start out low priced, but once requirements for security and reliability are built into the agreement, the price can rise substantially. A customer who needs data stored on a secure server in California, rather than some outpost in Africa, is going to pay top dollar for that computing solution. It's these incremental costs, once factored into the agreement, that can price some cloud computing solutions too high to justify the risk.
"Because of the recession, companies are feeling a lot more financial pressure, and cloud computing looks like an easy way to drive down costs," Card says. "That's understandable, but dangerous."
He's concerned that some businesses that adopt cloud computing to drive down costs might later regret the decision.
"In more capable economic circumstances they might revisit that approach," Card adds. "There has been an over priority of price over risk management."
So what does all of this mean about the future of cloud computing? Fundamentally, the model works best when dealing with low-risk, high-volume commodity computing. Once proprietary, service differentiating data enters the cloud, there are a whole host of potential risks.
Service providers too, need to assess the risk they are taking on by ensuring a certain level of service and thoughtfully consider those risks when pricing, both when adopting cloud solutions and when offering it to their customers.
The fever for cloud computing continues to rise, but with so many legal, regulatory, compliance and governance issues involved in any cloud computing agreement, it's easy for service providers and enterprise customers alike to make critical, game changing mistakes. Cloud providers can avoid these pitfalls learning from the many mistakes made by others and by addressing the issues surrounding cloud data ownership and clearly communicating it to their customers. And for the customers, it's still "buyer beware."
