Roundtable: Best Practice for Cloud Sourcing Daniel Shap, Managing Counsel CIBC Dr Sam De Silva, Partner, Penningtons Manches LLP


Roundtable: Best Practice for Cloud Sourcing

Daniel Shap, Managing Counsel CIBC
Dr Sam De Silva, Partner, Penningtons Manches LLP

[Figure: diagram labelled workload risk profile (Lower / Higher), deployment model (Private / Public), contractual framework (Robust / “Boilerplate”), cost savings / efficiencies (Less / More)]

[Figure: chart with x-axis = risk-reward spectrum and y-axis = total number of workloads; labels: number of workloads moved to cloud, typical public cloud contract]


19th Annual Canadian IT Law Association Conference, Toronto, 26-27 October 2015

Roundtable: Best Practice for Cloud Sourcing

Dr Sam De Silva, Partner, Head of the IT & Outsourcing Group, Penningtons Manches LLP, Oxford, UK

Outline

• Procurement approach
• Understanding service categories / deployment methods
• Best practice for due diligence
• Enterprise cloud strategy
• Key legal and commercial issues
• EU Expert Group: Cloud Service Level Agreement Standardisation Guidelines

Procurement Approach

• “Negotiating” approach
• Standard commoditised offering, therefore limited flexibility or ability to change
  – focus on key areas of risk – “devil is in the detail”
  – contract evaluation should be a key part of provider selection
• Risk assessment exercise is crucial
  – need to ensure proper contract evaluation is carried out
  – evaluation needs to be documented/audit trail
  – where risk is identified – how has that risk been mitigated/managed?
• Role of Integrators

Service Categories / Deployment Modes

• Service categories
  – SaaS
  – IaaS
  – PaaS
  – XaaS?
• Deployment models
  – Public
  – Community
  – Private
  – Hybrid

Best Practice For Due Diligence

Financial, Commercial & Legal / Technology and Operations / Customer Interviews

Risk management:
• past disputes, investigation, litigation and security breaches
• legal and regulatory compliance
• evaluation of internal controls
• review of business continuity plan
• analysis of third-party and other exposure
• review of client prioritization
• insurance coverage

General capability overview:
• security, intrusion detection and prevention systems
• systems management
• help desk

Commercial management:
• overall vendor review
• Achievement of related IT goals
• approach to contract negotiation
• transition planning and effectiveness
• pricing transparency

Project capability overview:
• capacity expansion/allocation requirements (present and future)
• proposed expansion actions
• detailed review of transition planning

Service management:
• efficiency of knowledge, skills
• reporting timeliness and efficiency
• existence and frequency of service credits

Security:
• who owns and controls infrastructure
• deployment and delivery methods
• security controls in place
• physical location of infrastructure elements
• reliability reports

Service delivery:
• overall ability to meet SLAs
• results of customer satisfaction surveys
• SLA achievement during transition
• Ability to meet disaster recovery and business continuity requirements


Enterprise Cloud Strategy

Risk assessment - Key contractual and legal issues (1)

• Limited supplier obligations
• Limitations and exclusions of liability
• Suspension and termination clauses
• Supplier lock-in and transitioning
• Regulatory compliance
• Service level agreements
• Supply chain / subcontracting

Limited Supplier Obligations

• Typical obligations, warranties or other safeguards of sourcing or hosting contracts are not included in cloud computing contracts
• Due to their commoditised approach, cloud computing contracts typically contain less onerous obligations on the supplier
• Undertake “gap” analysis

Liability

• Limiting liability of cloud provider to a level that is not in line with the potential risk
• Risk with limiting the liability of the cloud provider to the amount paid
• Issues include:
  – almost total exclusion of liability
  – limited financial cap
  – exclusion of certain types of loss (e.g. direct losses (US contracts), indirect loss and/or data loss)
  – force majeure definition

Suspension or Termination (1)

• “Hair” triggers for service provider suspension and termination rights
• Pitfalls of suspension clauses
  – impact on continuity
  – low barrier for suspension of services/unplanned interruptions
  – minor non-compliance may lead to significant remedy for the supplier
• Termination for convenience by the supplier
  – notice period
  – exit obligations

Suspension or Termination (2)

• Termination for convenience by the customer
  – typically cloud computing contracts allow for easy exit for the customer
  – check contracts for termination for convenience because not always the case or such exit does not come cheap
• Risk of cloud provider going out of business or restructuring its service portfolio – data escrow

Supplier lock-in and transition

• Usefulness of termination for convenience
• No implied obligation to assist in data transfer and disengagement
• Everything depends on your contractual agreement
• Pricing


Regulatory Compliance

Service Level Agreements

• Often not part of standard offering
• SLA without “teeth”/targets
• Points of attention:
  – definition of availability
  – how is the availability calculated by the provider? e.g. 10 outages of six minutes versus 1 outage of 1 hour
  – service measurement period

Supply Chain / Subcontracting

• Complex supply chain
• Limited visibility/control
• Lack of due diligence
• Prior written approval for “key” subcontractors / change of subcontractors
• Scope of services
• Right to “step-in”/direct contract with subcontractors


European Cloud Computing Strategy – State of Play

Objectives of Expert Group on Cloud Computing Contracts

• Identification of safe and fair contract terms for consumers and small firms
• Consideration of best market practices and Data Protection Directive
• Improving legal framework for cloud computing contracts in order to strengthen confidence
• Working papers: http://ec.europa.eu/justice/contract/cloud-computing/expert-group/index_en.htm

Cloud Service Level Agreement Standardisation Guidelines (1)

• Cloud Select Industry Group – Service Level Agreements (C-SIG-SLA)
• Over 100 industry participants
• Published guidelines in June 2014 available: http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines
• To be tested with users, particularly SMEs
• To be discussed with Expert Group on Cloud Computing Contracts
• Feeding into efforts of international groups - ISO

Cloud Service Level Agreement Standardisation Guidelines (2)

• Overview of concepts/definitions
• Series of service level objectives
  – performance
  – security
  – data management
  – personal data protection
• Limitations/challenges
  – guidelines only
  – recommendations from EU
  – no clear thresholds


Questions?