At least once a month I get an email from someone or another offering to teach me (for a fee!) how to take advantage of cloud computing so that my 'business can prosper'. The blurb is always the same and goes along the lines of ‘how to use free tools on the Internet to make life and work more manageable’.
I have no doubt that many small business owners who are conscious of reducing their capital expenditure and increasing productivity take up these offers, but it makes me wonder whether these self-proclaimed cloud experts are really aware of the legal implications of migrating IT infrastructure to the public cloud. In practice, I’m guessing that the cloud expert would tell me how to install the Dropbox or Google Drive client software, move my important files & folders across, wait for everything to sync up, then show me the way of the future by opening an Excel spreadsheet on my iPhone.
As you might suspect, there is a little more to it than that. The legal implications of placing your valuable data into the public cloud are not to be ignored.
Let me be clear: putting your data onto a public cloud service does not mean it will be openly available to the world. A public cloud service is one such as Dropbox for storage (infrastructure-as-a-service or ‘IaaS’) or FreeAgent for bookkeeping (software-as-a-service or ‘SaaS’), where your files or data are stored alongside those of other customers on the same hardware, almost always off-premises. Your data is still supposed to be secured, encrypted and backed up - but because you’re sharing the service with others, the prices are lower. This isn’t a remotely new concept - web hosting providers like 1&1 have been offering shared hosting services for years with the option to upgrade to dedicated servers for an increased cost. The apparent upsides are clear: reduced costs on IT hardware, no need to worry about making backups, remote working becomes easier, etc. So what’s the problem?
Public cloud services operate in a different way to traditional IT outsourcing. The ‘old’ way of doing things is to get an expert in who will assess your needs, order the appropriate hardware, install it for you, then charge a hefty ongoing fee for maintenance and technical support. This would be done on a case-by-case basis and would most likely be accompanied by a lengthy outsourcing contract depending on the size of your operation.
Cloud services turn the entire concept of IT outsourcing around: it is up to you to shop around the various providers (so while considering Dropbox for storage, you might also take a look at OneDrive, Google Drive, Box, Apple’s new iCloud, etc) and make a decision based on the price and the terms of their standard contracts. You should also understand that you have no room to negotiate. Public cloud providers aim to cater to the majority which means there is not much scope to negotiate individual terms with smaller customers.
This is why it is important to carefully read and understand the terms of service being offered by the provider - they may all look the same, but small differences in wording can have huge knock-on effects. For example, Rackspace Cloud specifies that the governing law for their services provided to English customers is English law, while all Dropbox users worldwide (free and paid) are subject to the laws of California.
This means that any dispute with Rackspace could be taken to the English courts, while any dispute with Dropbox would need to go to a court a little further away. Not such a big deal if you are a multinational commercial organisation, but not ideal if you are a 10-man company based in Reading. As a small business owner/cloud customer, this is what you need to look out for when considering a provider:
1. Try to understand where the provider fits into the stack. The stack is how your chosen service provider operates - Dropbox uses Amazon S3 as its backbone for storage. Google Drive uses Google’s own servers, and Box operates their own CDN. Knowing how the provider is set up may help provide assurance about what will happen if there is a problem down the line and give clues as to how reliable the service might be.
2. Free vs paid. Think twice before entrusting your valuable files and data to a free service. It might look great and have a slick phone app, but when considering data security and integrity, just remember - you get what you pay for.
3. Does/will any of your data infringe the provider's acceptable use policy? Different providers will have different definitions of exactly what is acceptable and what is not.
4. Who has the ultimate responsibility for your data? You might be surprised to find out that most cloud providers are not liable for the confidentiality or integrity of the data they store. That means you still need to encrypt particularly sensitive data, and keep local backups of everything in the event that the cloud provider suffers a catastrophic loss.
5. How long will your data be stored? What happens after your relationship with the provider comes to an end? Some providers will hold onto it for a set amount of time, while others may discard it immediately after your relationship ends.
6. What format will your data be stored in? Can it be migrated to another system without much trouble? Many SaaS solutions are built on software which can generate standard format XML or XLS files.
7. Where will your data be stored physically? Yes, it’s on the cloud but there is still a physical drive somewhere in the world holding your data. Is that location physically secure? Who owns the building the servers are sitting in? What happens if that building catches fire? Does the physical location comply with the UK’s Data Protection Act? The more you know about how your chosen cloud provider operates, the safer you will be from catastrophic data loss.
8. What sort of warranty does the provider offer, if any? I’ve yet to see a cloud services provider offering a comprehensive warranty - most standard contracts will try to exclude any warranty relating to the performance of the service.
9. Who is liable in the event of a direct loss of data or service? What about indirect loss stemming from that direct loss, like losing your own clients? US law generally provides that liability for direct loss can be excluded, while in England this is not so easy. Liability for indirect losses is almost never admitted.
10. What happens if there is downtime? All your files are online, your Internet connection is up, but you can’t access your cloud provider. Now what?
Migrating to the public cloud is a great way for small businesses to reduce upfront and ongoing costs, but it’s not as easy as simply signing up and copying your files into the right folder. A careful comparison between the providers and analysis of their standard contracts might make you lean towards a provider you had not previously considered. If your business is dependent on IT infrastructure, it is essential to think about these matters before blindly signing up to the next free service that comes your way. Private cloud solutions are an alternative, providing a halfway house between full IT outsourcing and shared hosting, but at an additional cost.
What it boils down to is how serious you are about protecting the integrity of your data, and how accessible you want that data to be. If you are a growing business and are looking to scale up while keeping costs down, migrating to the cloud is a sensible solution - so long as you are aware of the risks.