Our organisation has a problem. We have far too much email. Lawyers generally need to keep almost every document that relates to the work they do, and as a result we have no limit on the size of our mailboxes. Our largest mailbox is pushing 45 GB, and we have quite a number of users whose mailboxes are in excess of 20 GB. These are numbers that would make a Microsoft Exchange architect blush, as the system was just not intended to handle that volume of data on a per-user basis.
So our IT department has been exploring ways to manage our escalating email infrastructure and storage requirements. The other day I attended a pitch from a cloud provider who provides a hosted email archiving solution. It was one of the best vendor presentations I’ve attended. Their product is well-developed and slick, and would allow us to move all our archived emails off our infrastructure. Naturally, their offering reflects sound industry practice in relation to security and resiliency. Our data would be stored on infrastructure in an active-active configuration in two geographically diverse tier 1 data centres. Our data would be encrypted in transit and at rest. Their security procedures are certified to ISO27001, and so on.
And if that wasn’t attractive enough, when finance crunched the numbers on the CAPEX and OPEX savings, as one of the owners of our business I couldn’t help but think it was a foregone conclusion that we ought to implement such a solution.
So far, I’m sure you’ve had this experience countless times, and I’m telling you nothing new. But then I did something that you may not have done. I read the contract which the vendor expects us to sign, from start to finish.
The contract does not require the vendor to implement the security procedures I described above. It does not contain adequate promises in relation to the protection of personal information to enable us to comply with our statutory privacy obligations to our staff and clients. It does not limit where and in what type of data centre they may move our data to. And as if that wasn’t bad enough, if we could find something they had failed to do under the contract, they didn’t accept responsibility for the integrity of the data they store for us (hello, it’s a data archiving solution), and the financial limits on their liability meant it would never be worth suing them for anything anyway.
And if you think I’m being a typical bah-humbug lawyer, and we should just dive in and embrace the future, imagine if you’d asked my firm to handle the most sensitive and strategic piece of legal work your organisation is involved in. Would you be comfortable with every email you exchanged with us being stored by a vendor on these terms?
And this experience is not unique, in fact it is the exact opposite – every cloud services customer who looks at the contract offered by their vendor would almost invariably be faced with exactly the same issues. As a result, when you buy cloud services off the shelf, you’d better be comfortable with the brand you’re dealing with, because I can almost guarantee you’re not buying anything by way of legal protection.
Take the standard terms of one of the largest cloud service providers, who for these purposes will remain nameless. Service credits aside, the cloud provider excludes their liability for damages of any kind, be they direct or indirect. That’s an astounding approach. But if that exclusion is ineffective, they go on to make it clear that they’re not liable for any outages (scheduled or unscheduled), the cost of obtaining replacement services, any unauthorised access to your data, or any loss or corruption to any of your data. It’s really quite incredible. Do you think your customers would do business with you on the basis that no matter how badly you performed, you’d bear no responsibility?
But the chasm between what cloud vendors promise and what they commit to doesn’t seem to be slowing the move to cloud, given all the other benefits (particularly, in the current economic climate, the benefit to the bottom line). In the last 12 months, I’ve seen the adoption of cloud services start to accelerate, so that even large corporate clients are starting to move (or consider moving) significant and business-critical environments to the cloud. However these are rarely done on the basis of the standard terms or offerings, and in many cases the arrangements are more akin to managed services than cloud services as such.
There is no doubt the cloud is here to stay, but I fear that it will take a major outage or security incident affecting a large corporate in a very public way before customers start to realise how important the commitments (and not just the sales pitches) provided by cloud vendors are. Just ask Target in the U.S. how big an impact an IT security disaster can have on your business.
Come back and ask me in 6 months whether we’ve made the leap to the cloud. But also ask me on what terms.
This article was first published on cio.com.au.