Date: 2024-09-02

Reliance on these services introduces significant challenges, writes Ross Nicol

Cloud services provide an agile and cost-effective IT solution. Instead of purchasing and maintaining software and physical IT infrastructure, cloud services offer benefits including cost reduction, scalability, and on-demand access to cutting-edge technology. This covers everything from data storage and backup solutions to fully managed key end-user facing applications.

However, reliance on these services also introduces significant challenges, particularly in terms of control, security, and the negotiation of supplier terms. This was underscored by the global repercussions of the CrowdStrike outage, which highlighted the potential vulnerabilities inherent in cloud-based solutions.

We have seen first-hand, in our dealings with senior leaders at global organisations, a trend towards a “cloud-first” strategy. This approach is not without its concerns, particularly regarding cybersecurity, data management, regulatory compliance and the dominance of major cloud service providers. Liability arising from cloud solution failures is another concern. Customers can feel limited in their ability to effectively manage risks when control of their data has been outsourced to the cloud.

Ross Nicol is an IT partner at Addleshaw Goddard (Picture: Renzo Mazzolini)

The CrowdStrike outage serves as a stark reminder of the tangible risks associated with cloud services. Centralised control by providers, while efficient, can lead to significant disruptions that fail to consider the specific business needs and risks of the customers affected.

Mitigating risks requires a careful approach to negotiating cloud service agreements. Standard terms often offer limited room for negotiation, reflecting the mass-market nature of these services and their pricing models. It is typical for standard terms to offer few contractual assurances, and financial liability will be limited.

That said, cloud service providers are alive to the legitimate concerns of customers and even standard terms will usually seek to address these concerns, to varying degrees. In practice, providers will also negotiate terms depending on the size of the transaction and negotiating power of the customer. Ideally a cloud services agreement (whether part of standard or negotiated terms) should address the following key issues:

Service Performance: Service levels (such as availability) and remedies for a performance failure are key. Remedies may include practical remediation steps and/or financial compensation payments.

IT Security, Data/Regulatory Compliance & Business Continuity: Robust security provisions should be included, along with provisions ensuring data protection and other regulatory compliance. Equally important are business continuity and disaster recovery arrangements.

Operational Control: Provisions ensuring customer involvement in system changes which could impact business operations would ideally be included, albeit providers will resist provisions that would impact service delivery for their wider customer base.

Termination/Breach of Contract and Liability: Should termination be the appropriate remedy for the customer then the contract should address termination and exit arrangements (e.g. in respect of hosted data). A claim for breach of contract may accompany termination and it is important to ensure appropriate and acceptable liability provisions are included.

For those situations where negotiation is limited or not possible, the focus shifts to technical and legal due diligence to assess and mitigate risks. This involves a thorough examination of the solution and contract terms from the perspectives of resilience, compliance, and potential liability. Engaging technical and legal expertise in this process can provide invaluable insights and support.

In conclusion, while cloud services offer significant advantages to organisations, they also present a complex array of challenges that require careful consideration and management and a comprehensive understanding of the associated risks.