Making the leap to cloud ... but not with blind faith

At Gilbert + Tobin, we have a problem with our email: We have far too much of it, as lawyers generally need to keep almost every document that relates to their work, and we place no limit on the size of their mailboxes.

Our largest mailbox is pushing 45 GB, and we have quite a number of users whose mailboxes are in excess of 20 GB. These are numbers that would make a Microsoft Exchange architect blush, as the system was just not intended to handle that volume of data on a per-user basis.

So our IT department has been exploring ways to manage our escalating email infrastructure and storage requirements.

The other day I attended a pitch from a cloud vendor that provides a hosted email archiving solution. It was one of the best vendor presentations I’ve attended. The product is well developed and slick, and would allow us to move all our archived emails off our infrastructure.

Naturally, the offering reflects sound industry practice in relation to security and resiliency: Our data would be stored on infrastructure in an active-active configuration across two geographically diverse tier 1 data centres; our data would be encrypted in transit and at rest; the vendor's security procedures are certified to ISO 27001; and so on.

And if that wasn’t attractive enough, when finance crunched the numbers on the capex and opex savings, I couldn’t help but think, as one of the owners of our business, that it was a foregone conclusion that we ought to implement such a solution.

I’m sure you’ve heard similar stories countless times, and I’m telling you nothing new. But this is something you may not have heard: After reading the contract, which the vendor expects us to sign as-is from start to finish, I soon discovered that what was being offered to me did not seem to stack up.

The contract doesn't require the vendor to implement the security procedures I described above; it does not contain adequate promises in relation to the protection of personal information to enable us to comply with our statutory privacy obligations to our staff and clients; and it does not limit where, or to what type of data centre, the vendor may move our data.

And as if that wasn’t bad enough, even if we could find something the vendor had failed to do under the contract, it didn’t accept responsibility for the integrity of the data it stores for us (hello, it’s a data archiving solution), and the financial limits on its liability meant it would never be worth suing for anything anyway.

If you think I’m being a typical bah-humbug lawyer, and we should just dive in and embrace the future, imagine if you’d asked my firm to handle the most sensitive and strategic piece of legal work your organisation is involved in. Would you be comfortable with every email you exchanged with us being stored by a vendor on these terms?

That experience is not unique, unfortunately. In fact, it is the norm: every cloud services customer who reads the contract offered by their vendor will almost invariably be faced with exactly the same issues. So when you buy cloud services off the shelf, you’d better be comfortable with the brand you’re dealing with, because I can almost guarantee you’re not buying anything by way of legal protection.

Take, for example, the standard terms of one of the largest cloud service providers, which will remain nameless. Service credits aside, the provider excludes its liability for damages of any kind, be they direct or indirect. That’s an astounding approach.

And in case that exclusion should prove ineffective, the vendor goes on to make it clear that it’s not liable for any outages (scheduled or unscheduled), the cost of obtaining replacement services, any unauthorised access to your data, or any loss or corruption of any of your data. It’s really quite incredible.

Do you think your customers would do business with you on the basis that no matter how badly you performed, you’d bear no responsibility?

The chasm between what cloud vendors promise and what they commit to doesn’t seem to be slowing the move to cloud, given all the other benefits (particularly, in the current economic climate, the benefit to the bottom line). In the last 12 months, I’ve seen the adoption of cloud services start to accelerate, so that even large corporate clients are starting to move (or consider moving) significant and business-critical environments to the cloud.

However, these moves are rarely made on the basis of the standard terms or offerings, and in many cases the arrangements are more akin to managed services than to cloud services as such.

There is no doubt the cloud is here to stay, but I fear it will take a major outage or security incident affecting a large corporate in a very public way before customers start to realise how important the commitments (and not just the sales pitches) provided by cloud vendors are. Just ask Target in the US how big an impact an IT security disaster can have on your business.

Come back and ask me in six months whether we’ve made the leap to the cloud, but also ask me on what terms.

Tim Gole is a partner at Gilbert + Tobin.


Copyright © 2014 IDG Communications, Inc.