Tony Conaghan and Ray Marshall

Cloud Computing Legal Primer Pt 3: Do you have an umbrella ready in case it starts raining?

Tony Conaghan and Ray Marshall

16 July 2015

IT

In the final part of our three part series on cloud computing legal issues, we will be looking at the commercially critical but often crucially overlooked importance of having a strategy in place for disaster recovery or should business needs necessitate a transition to a new cloud service provider.

 

When you do not have actual control over your resources, reliability of supply is key. Every hour that you do not have access to the resources you need is an hour of lost income. For essential systems (e.g. file repositories or Software-as-a-Service) even a short outage can be a crippling blow to an organisation’s productivity or for their customers / clients. Where we once had the worry that one day the office might burn down and we would lose everything, should we be worrying about what would happen if any of those cloud services were ever to be unplugged?

 

Uptime and disaster recovery

 

Despite heavy investment in Australia’s data infrastructure, economy of scale across the continent remains difficult to achieve locally. Many cloud services remain provided from offshore data centres in major international network hubs such as Singapore and Japan. Not only does the increased length of the backbone on which you rely increase the possibility for a breakdown somewhere along the line, but these locations can be just as susceptible to natural disasters as your own office if not more. In 2010, a company completed a transfer of its existing customer data resources to centralise all of its customer data in a new data centre… in Fukushima.

 

In these circumstances, it may be reflex to look at the agreement with the cloud service provider to determine what uptime standards and support they have on offer. However, many cloud services are provided with broad exceptions that enable service providers to waiver uptime and response times in practice yet still advertise e.g. a “99.9999% uptime guarantee”.

 

Service level agreements and cloud contracts are also often in a standard form which may not provide any detail to the actual risks. What if the data centre the services are operated from is based in an area known for natural disasters? Who supplies bandwidth, hardware and other infrastructure, and are those suppliers reliable? Is the facility shared with other service providers, and what physical security measures are in place to prevent physical damage to data storage hardware?

 

These risks are even more significant when you consider that many cloud services used by businesses today are targeted to the consumer market rather than the enterprise market and may not provide the level of support required to ensure business continuity. Enterprise services, while usually more expensive, are also likely to come with enhanced support more suited for business needs.

 

Transition and data retrieval

 

Cloud services are a hotbed of innovation, with many new service providers successfully competing with established players for services. With global reach, the opportunity for niche specialisation also becomes economical, providing a more tailored service than a larger supplier may be able to provide off-the-shelf.

 

However, a diverse market with many niches also presents a risk of vendor lock-in. Should you ever find yourself in the position of having to retrieve your data from a cloud service (for disaster recovery measures, to transition to a new service, or for any other reason), you may find that your data has been stored in a format which is incompatible with any other cloud service, requiring time consuming and costly reverse-engineering to enable you to transition to a new service or otherwise use the data.

 

Of course, even after you have retrieved your data (in whatever form), you may find yourself unable to use the data for the simple reason that you do not know what to do with it once you have it, or ever confirmed that your backups were valid and up-to-date…

 

To avoid these outcomes, ensure that your data is treated in compliance with industry accepted storage standards and that you maintain, and practice, disaster recovery procedures with up-to-date backups.

 

Cloud services are good and useful tools, and most of the time, the benefits these new tools have to offer far outweigh the risks. But where we once had a box with essential records hidden away in the garage, we might want to look at finding room for another box.

 

Questions to consider

 

  1. What service levels are provided in the service agreement? What are the exceptions to these service levels?
  2. Where is the data physically stored? Is the connection between this location and your office at risk of being disconnected or degraded?
  3. What third party services is the service provider reliant upon? Are these services reliable?
  4. How frequently does the service provider make backups? Where are these backups stored? Does the service provider have disaster recovery policies? Does the service provider regularly run disaster recovery test scenarios to ensure service continuity?
  5. Does the service provider use industry approved data storage formats and standards?
  6. Are you able to download your data at will? Are you able to continue using this data without any further assistance from the service provider, e.g. to transition to another service?