Wednesday, August 4, 2010

Cloud Services Lack Protection

If cloud services are commoditised, providers should offer stronger customer guarantees. However, service providers either do not offer protections or vary greatly in the protections they do offer.

This is the view of Daryl Plummer, managing VP and fellow at Gartner. He says basic rights are needed to protect cloud services customers' interests, and both cloud service providers and consumers must understand their rights in order to establish successful business relationships.

With this in mind, Gartner's Global IT Council identified existing loopholes between cloud computing service providers and their clients, with regards to the rights and responsibilities they should follow. ”These deficiencies range from retaining ownership, understanding technical limitations to software licence requirements, among others,” explains Plummer.

The council, comprising CIOs, senior IT leaders and Gartner analysts, believes understanding cloud rights and responsibilities will enable service providers and consumers to work more productively.

"However, the rights will not materialise unless organisations insist on them when they negotiate with service providers,” adds Plummer. “We urge all organisations to do what they can to establish these rights and responsibilities as the standard for cloud computing."

The council recommends that service consumers retain the right to own, use and control their data. The think tank stresses the importance of data security in the issue of ownership and control, saying the provider must specify what they can do with the consumer's information, since lack of clarity on this point might lead to costly legal battles.

On the same note, says the council, the consumer could lose control of its data if the service provider goes out of business or is sold to another entity. The original contract or service-level agreement must provide for the clear disposition of the service consumer's data, in case the provider can no longer provide the service.

Finally, the council proposes the right to notification and choice about changes that affect the service consumer's business processes. It explains that this entails providing advanced notification of major upgrades or system changes, and granting the consumer some control over when it makes the switch.

The council also suggests that consumers ensure they understand the technical limitations or requirements of the service upfront. In many cases, service providers do not fully explain their own systems, technical needs and limitations. This means that after consumers have committed to a cloud service, they run the risk of not being able to adjust to major changes, at least not without a big investment, the group explains.

Legal-wise, says the council, service consumers must understand the legal requirements of jurisdictions in which the provider operates. The body notes that if the cloud provider stores or transports the consumer's data in or through a foreign country, the service consumer becomes subject to laws and regulations they may not know anything about.

With cloud computing, security breaches can happen at multiple levels of technology and use, notes the council. It recommends that service consumers understand the processes a provider uses, so security at one level (such as the server) does not subvert security at another level (such as the network).

Finally, understanding software licence requirements is another responsibility over which cloud services providers and consumers must come to an understanding. They must decide how the proper use of software licences will be assured, according to the council. On the one hand, providers must remain blameless if the service consumer puts the software it licenses from a third party in the cloud yet violates the licensing agreement.

On the other hand, the provider should not agree to an audit directly by the vendor, if the consumer owns the software licences. The service consumer must take charge of the audit, because they need to consider the whole context, the council concludes.

IT Web

No comments:

Post a Comment