by Thomas Wailgum

Cloud-Computing Services: “Fine Print” Disappointment Forecasted

Apr 21, 2010
Cloud ComputingEnterprise ApplicationsIT Leadership

A new Yankee Group study of enterprise cloud computing services finds cloud contracts full of disclaimers, ambiguous uptime guarantees, and uncertain privacy policies and compliance claims.

This is the type of analyst report headline that cloud computing vendors don’t want to read: “Empty Promises and Tough Luck: Yankee Group Exposes the Cloud’s Fine Print.”

That’s the crux of Yankee Group’s latest research effort, Cloud 99.99: The Small Print Exposed, by VP and senior research fellow Camille Mendler.

Mendler examined the terms of service, service-level agreements (SLAs) and privacy policies for 46 software-, infrastructure- and platform-as-a-service (SaaS/IaaS/PaaS) offerings from 41 vendors. Those included stalwarts such as Amazon, Google, Microsoft and

Not surprisingly, the report uncovered some not-so-good news.

“Cloud vendors offer enterprises poor service guarantees and limited financial redress if their service fails,” notes the report. “Get-out clauses are rife, and worryingly, robust privacy policies are rare, potentially exposing enterprises to litigation. Enterprises must take a close look at the small print before they proceed, and develop proactive strategies to get the best out of cloud services.”

Mendler offers several key areas that enterprises and CIOs need to watch closely or they could suffer:

1. Slippery SLAs: “Whatever the number of 9s offered, ‘uptime’ definitions vary, and service demarcation points for uptime are rarely end to end,” Mendler writes. “Vendors also tend to play fast and loose with scheduled maintenance windows.”

The study found that just half of service providers offer SLAs, and “none offer financial compensation when they fail to perform against them.” Mendler also claims that timelines to fix site problems are typically “notional” (or conceptual), and that customers should expect “limited reparation other than service credits or the ability to terminate their contract.”

2. Cagey Compliance: “SAS-70-certification is not a blanket guarantee of safety or survivability,” the report states. “Enterprises should also seek ISO 27000 credentials, and check vendor adequacy against international data protection regulations.”

3. Self-Serving Metrics: “Beware vendors acting as both judge and jury in determining service performance,” Mendler notes. “The use of third-party performance monitoring tools must become table stakes for credibility.”

The report appears to be both a warning to customers and a call to action for the growing number of cloud computing vendors.

“Cloud service providers better clean up their act fast because major investment decisions hang in the balance,” Mendler says in the press announcement. “Enterprises need transparency, professionalism and certainty to invest in cloud services—few providers are stepping up.”

Do you Tweet? Follow me on Twitter @twailgum. Follow everything from on Twitter @CIOonline.