While this may be because they feel cloud providers are meeting their SLA commitments, a study by Queen Mary University has shown a myriad of problems with cloud SLAs. APM Group, the CIF’s independent certification partner, has called on users to review SLAs with care, pointing to the CIF Code of Practice as a means to vet potential cloud suppliers.
The research, conducted in Q3 2013, polled 250 senior IT and business decision-makers to gain insight into attitudes, experiences and trends across the UK end user community. Although concerns about data security and data privacy ranked highly among end users during the migration process, just one in five (20 per cent) stated that they were concerned about contractual liability for services if SLAs are not met.
According to Richard Pharro, CEO of APM Group, the CIF figures betray a lack of awareness as to the importance of cloud contracts when selecting a CSP:
“That just one in five of respondents cite concern over contractual liability for cloud services is a concern in itself. In the wake of recent service provider closures, such as that of Nirvanix, 2e2 and Doyenz, which were unexpected and left users and their data vulnerable, we would have expected this figure to be a good deal higher. As these cases attest, by failing to pay proper attention to cloud contracts, business may be putting themselves, and their data, at risk.”
Last year, a study by Queen Mary University of London (QMUL) identified common clauses in a wide range of both off-the-shelf and negotiated cloud contracts that raised cause for concern. These included attempts by suppliers to avoid liability for failures, service level agreements that do not match the needs of the business, incompatibility with EU data protection rules, and the right of suppliers to change service features without notice.
“Unfortunately, some cloud providers are opaque in the way that they operate,” he continued. “The prevalence of click-through licenses, some of which are littered with unfair terms and conditions, highlighted by QMUL, drives home the necessity of the Cloud Industry Forum’s Code of Practice (CoP).”
“CSPs that have certified against the CoP are required to operate in an open, straightforward and transparent way that has been vetted by CIF. The public disclosure requirement ensures that all key information about services, organisational set-up and contracts is readily available, to ensure that end users can make informed decisions about their choice of provider,” Pharro concluded.