Know Your (Cloud) Rights: Gartner Inks Cloud Computing Bill Of Rights

The Bill Of Cloud Computing Rights

When it comes to cloud computing services, all consumers and businesses should expect to have some basic rights to protect their interests, or so says Gartner.

With that in mind, Gartner has created its Global IT Council for Cloud Services, a body put together to facilitate successful business relationships between cloud service providers and consumers. The Council comprises mostly CIOs of large companies that consume cloud services and Gartner analysts. The group has defined a set of key rights to govern cloud computing and help providers and consumers be successful.

"If cloud services are commoditized, providers should offer stronger customer guarantees," Daryl Plummer, managing vice president and Gartner fellow, said in a statement. "However, service providers either do not offer protections or vary greatly in the protections they do offer. We believe that the Global IT Council for Cloud Services can facilitate improvements in industry practices that will benefit not only IT customers and clients, but also developers, vendors and other stakeholders."

Plummer added: "These seven rights and responsibilities will benefit both service providers and service consumers. Respecting these rights will require effort and expense from providers, but securing the rights will encourage enterprises to put more of their business into the cloud. However, the seven rights will not become a reality unless enterprises insist on them when they negotiate with service providers. We urge all enterprises to do what they can to establish these rights and responsibilities as the standard for cloud computing."

Here we take a look at the six rights and one responsibility of cloud computing as set forth by Gartner and the Global IT Council for Cloud Services.

Data Ownership, Use And Control

The first and most important cloud computing right is "the right to retain ownership, use and control of one's own data," Gartner said. Cloud computing users should retain the ownership of and their rights to use their own data and providers must specify what it can do with a consumer's data.

"Lack of clarity on this point can lead to costly legal battles," Gartner said.

This right also protects users in the event that a service provider goes out of business or is sold to another company. Gartner said the original contract and SLA must provide for clear disposition of a customer's data if the provider can no longer offer its services.

SLAs That Address Liabilities, Remediation And Business Outcomes

Cloud computing users should also have "the right to service-level agreements that address liabilities, remediation and business outcomes," according to Gartner.

Gartner said all computing services, including the cloud, can suffer slowdowns and failures; but that cloud providers rarely commit to recovery times, specify the forms of remediation or spell out the procedures they will follow in the event of an outage. Gartner said cloud computing service providers must make SLAs relevant to businesses by addressing the business issues implied in the type of service offered. The provider's contract, Gartner said, should not only guarantee a certain turnaround time for adding capacity, but should specify how it will deliver that capacity.

Notification Of Changes

Cloud computing customers should have "the right to notification and choice about changes that affect the service consumers' business processes," Gartner said. Essentially, Gartner is saying that cloud computing service providers should give their customers a heads up when major upgrades or system changes are afoot, giving those customers a certain level of choice and control when a system is taken down, service is interrupted or other changes are made to increase capacity or alter infrastructure. Whether its upgrading a SaaS application, implementing salesforce.com, adding new versions of services, changing service locations, entering or exiting a business, or shutting down a facility, cloud computing users should have some lead time.

Understand The Cloud's Limitations

Gartner suggests cloud computing customers have "the right to understand the technical limitations or requirements of the service up front." This right takes a stab at service providers that do not fully explain their own systems, technical requirements and limitations before the customer signs on the dotted line and has committed to the service. And once the ink dries cloud computing customers are clued in and may not be able to adjust without a significant investment.

"Service consumers and providers must do a better job of keeping each other informed about their technical limitations, particularly for complex, long-term projects or complex architectures and systems," Gartner said.

Get To Know The Legalities, Jurisdictions

Cloud customers have "the right to understand the legal requirements of jurisdictions in which the provider operates," Gartner noted. If a cloud computing service provider stores and transports customer data in or through a foreign country, the customer becomes subject to the laws and regulations of that country, regulations that customer may not know about. Gartner said service providers so far have done a poor job explaining to cloud customers which jurisdictions they put data in and what legal requirements the service customer must meet. Gartner said the customer needs reassurance that the provider doesn't violate any country's rules for which the consumer may be held accountable.

Is It Secure?

When it comes to cloud computing security, customers have "the right to know what security processes the provider follows," Gartner notes.

"Service consumers must understand the processes a provider uses, so that security at one level (such as the server) does not subvert security at another level (such as the network). Without this knowledge, service consumers risk security violations caused solely by the provider not accounting for the ways in which consumers might use a service," Gartner said.

Customers also need to understand a provider's business continuity plan, Gartner said, so customers can ensure that their own operations continue in an emergency. Gartner said that so far cloud service providers are not consistent in explaining either their security processes or their business continuity plans.

Know And Follow Software License Requirements

Lastly, and this isn't so much a right as it is a cloud computing responsibility, Gartner said cloud users and providers have "the responsibility to understand and adhere to software license requirements." That means both providers and consumers have to come to an understanding about how the proper use of software licenses will be assured.

"On the one hand, providers must be held harmless, if the service consumer puts the software it licenses from a third party in the cloud yet violates the licensing agreement. On the other hand, the provider should not agree to an audit directly by the vendor, if the consumer owns the software licenses. The service consumer must take charge of the audit, because it needs to consider the whole context -- both what the consumer runs in the cloud (perhaps using several service providers) and what it runs on its own infrastructure."