Negotiating Terms of Service for Cloud Computing

Issues discussed in this guidance are similar for both subscription-based and free cloud services. However, the default agreements for public cloud providers typically do not provide adequate safeguards for an individual organization’s security and privacy needs. Contact your IT department for more information regarding security requirements.

The relationship between consumers and cloud computing providers is contractually governed by the Service Level Agreement (SLA). This serves as a covenant between the consumer and service provider of the expected level of service. It states specific parameters and minimum levels for all areas of service provided. The SLAs must be enforceable and address specific remedies that apply when the contract is not met adequately. Before signing an agreement, a thorough assessment and evaluation of the service provider and the lifecycle of the service should be conducted to determine if the service provider can meet the consumer’s needs. Not all terms of an SLA are negotiable, but negotiations should at a minimum address the areas described in greater detail below.

Performance and Monitoring

A typical SLA outlines metrics such as uptime/reliability, throughput, and service response times to determine whether the provider is delivering the agreed-upon service. This requires some method for monitoring service as well as a common understanding of performance definitions. The SLA must clearly define the metrics to ensure a mutual understanding of the obligations and expectations for both consumers and providers. To assess potential violations of the contract, the agency may want to specify a neutral third-party organization to monitor the performance of the provider. Otherwise the consumer is liable for any breaches that occur with loss of data or availability.

The role of the SLA is not limited to determining uptime and performance/monitoring. Other issues often covered include data preservation, data privacy, and security. As with any contract, you must understand the terminology and legal ramifications of the document. Confirm all desired business and legal requirements are met in writing. Ultimately the consumer is responsible for understanding how the provider will honor its contractual obligations. Additionally, in accordance with G.S. § 147-22.89, state agencies must “develop and continually review and update as necessary a business and disaster recovery plan with respect to information technology.” In addition, executive branch state agencies are also subject to Executive Order 102-Continuity of Operations and Continuity of Government Planning. This executive order, issued in 2006, commands all executive state agencies to “prepare a Continuity of Operations and Continuity of Government Plan to ensure the State’s ability to deliver essential services under any circumstance.” Records hosted by cloud providers are subject to both G.S. § 147-22.89 and E.O. No. 102 and need to be addressed and provisions made to ensure the data is accessible in a disaster.

Performance Considerations

Availability refers to operational performance and user access to the system. Uptime is the amount of time the system can be expected to run without interruption. More critical applications require an increased level of availability in the cloud. The agency must determine the level of reliability required to meet this need. Downtime is defined as failure to deliver the expected service. Two types of downtime must be considered when choosing a service provider: the amount of planned downtime and the frequency of unplanned downtime. Planned downtime includes any time planned for applications to be offline to perform system maintenance or enhancements such as system upgrades. Unplanned downtime is caused by hardware or software failure. When defining availability requirements, consider the following:

  • What are the operational consequences if the cloud is down?
  • Can you quantify the cost to your agency?
  • What do you consider a “reasonable” or acceptable amount of time to be down?
  • How might downtime affect user experience or perception of the agency if you are delivering content to your citizens via the cloud?
  • Levels of required availability will drive the costs of cloud computing. Be sure your requested availability is appropriate to the business need as the cost may increase dramatically if you demand 24/7 service or “hot” sites.

The SLA should establish any compensation paid by the service providers based on the number of hours the system or service is down. In addition to the amount of acceptable downtime specified in the SLA, it may also be helpful to look at the reliability of the underlying technology. Is the technology sufficient to provide the required amount of service? Does the cloud vendor have the capability of hosting your content at more than one site? Is it sufficient to address your needs for Continuity of Operations Plan (COOP) and disaster recovery? What provisions does the provider have in place in order to address shortcomings in the service?

The use of cloud technologies requires an office to relinquish some control and oversight of data as well as the security of the data. While cloud computing is intended to simplify operations and reduce costs, it may require greater governance and oversight. Offices should develop organizational controls for cloud computing that align with in-house technology practices. One way to test a vendor’s services is to use it as a development or test environment. Your office should develop policies and best practices for implementing and testing services (i.e., comply with statewide standards). Additionally, your office should develop and deploy a comprehensive audit system or workflow process to ensure that data is stored, protected, and used in accordance with office practices.

Laws and regulations may complicate security and privacy for cloud computing adoption as specific data requirements applicable to your office must be followed regardless of where the data lives. Requirements pertaining to government or industry-related regulations, confidentiality, and privacy controls must be addressed by the service provider before you begin using their technology.

Other issues to examine include the process of controlling and granting access to the cloud and ensuring that data is protected. Ultimately, it is the responsibility of the office to ensure that legal and/or regulatory requirements are met.

Service Interruptions

Despite claims for uninterrupted service, even major cloud providers such as Microsoft® and Amazon® can experience service outages. If your agency is using or plans to use cloud services, you need to protect yourself in the event of a service outage and to ensure business continuity. It is important to explore what can be done to prepare for possible interruptions and what backup measures are or should be in place in the event of an outage. Although the SLA establishes the expected uptime from the service provider, it is impossible to predict unexpected or prolonged service interruptions. In accordance with G.S. §147-22.89, offices should have a continuity of operations plan ready in the event of a service outage. If an office loses access to the data, all their operations hosted or managed in the cloud could come to a halt. This may prevent the office from providing services or information to their clients as well as create a legal liability for failing to provide these services.

A cloud-specific contingency plan should be developed and integrated with a preexisting Continuity of Operations Plan (COOP). The office should determine its operational needs, requirements for storage, classification of data, and acceptable risk levels for information held in the cloud. Any solution must meet the agency’s particular operational needs by determining risks, requirements, and classifying data assets. Your office should examine how it intends to use cloud technology: as a storage site that mirrors locally hosted data, as the sole storage entity for data, or as a collaboration tool while documents are being drafted. Things to consider while developing a COOP to address offsite data held in the cloud include:

  • Identify what data is most critical for continuing operations.
  • Identify data that contains sensitive or personally identifying information.
  • Determine duration of data retention and how often it needs to be backed up.
  • Determine how employees will communicate in the event that they lose access to email or data.
  • Determine if it is feasible to use a third party provider to maintain an additional copy of the data. This could be crucial to data recovery.

Certain applications and data can withstand downtime without significant impact and work well for storage in the cloud. Items such as time-sensitive or critical data may be less suited for use or sole storage in the cloud and should be maintained locally. This includes mission-critical data of your organization that could create a security and/or legal risk if breached. Using cloud services does not need to be an “all or nothing” endeavor; your agency can put as much or as little data into the cloud as necessary to meet its business requirements.

While business continuity pertains to how an office would function in the event of some sort of interruption, disaster recovery focuses on the technology systems that support business functions and is a subset of business continuity.

When selecting a cloud service provider, pay close attention to the provider’s disaster recovery plan and the specific details established in the SLA. It is important for your office to:

  • Understand what constitutes a disaster
  • Know who can declare a disaster
  • Be aware of what measures are in place to minimize impact to operations
  • Know the Recovery Point Objective. This includes how current the data must be and how much data loss the agency can tolerate
  • Know the Recovery Time Objective—how quickly the agency needs to be operational after any disaster

All potential providers should detail their service interruption strategies, such as a hybrid in-house/cloud system, disk backups, or off-site data replication. These are important to ensure minimal losses in the event of a disaster.

Testing is a critical element of a disaster recovery plan. This enables potential problems to be identified and addressed before they occur. Testing also provides an opportunity to verify projected recovery times and data integrity in advance of an incident. Continuity of Operation Plans (COOP) should be viewed as “living” documents that must regularly be updated to reflect the current state of system requirements, disaster recovery procedures, organizational structure, and policies of the agency. Your disaster recovery process and procedures should be documented and available in multiple locations.

For more information on developing a disaster recovery plan, the NIST Contingency Planning Guide for Federal Information Systems and Michigan's Government Cloud Protection Initiative offer suggestions specifically tailored to government agencies. The Council of State Archivists developed records-related emergency training for state and local governments through the Intergovernmental Preparedness for Essential Records Program (IPER). This information, which includes material related specifically to North Carolina, is available upon request.

Costs

Much of the cloud’s appeal stems from the claim that it significantly reduces IT costs, allowing your agency to shift more resources to core functions. While this is the case for many organizations, it is not necessarily always true. Often cloud services contain hidden costs. Most cloud services are based on a subscription model in which the organization pays a subscription fee to the service provider, minimizing upfront costs. However, unanticipated fees may complicate forecasting true service costs. Offices must understand and determine the total cost of operations and fees that may be charged before signing an agreement.

A Return on Investment (ROI) analysis will increase understanding of the true costs associated with adopting cloud services. At minimum, a comprehensive ROI should address hardware savings and possible infrastructure costs, personnel savings associated with reduced IT support, increased organizational efficiency, as well as monthly service provider subscription costs. Beyond the subscription fees, there are frequently additional charges from the service provider that are overlooked in the ROI assessment.

Cost Considerations

Service providers often charge for data transfers in and out of the cloud based on the volume of data transferred. Be mindful of upload and download rates, and ask your vendor whether rates will vary from year to year or remain constant for the duration of the contract.

Some cloud services may also require you to purchase the software in order to manage your data. Often, vendors sell different configurations of software or “seat licenses.” Typically, each person using the software or system requires a license to do so. This can be quite expensive or may limit your use of the product and create inefficiency if only a handful of people can use it. Another popular configuration is “concurrent” licenses. In this model, the buyer purchases a limited number of licenses but those licenses can be shared across several people. When talking with vendors, be sure to ask how you will manage the data in their offering and if that is part of the cost or if that is additional.

To use cloud applications with in-house applications you may need to pay for integration. Costs depend on the extent of integration. Integration can be performed by the service provider and typically is an added expense, separate from the initial subscription.

Efficient use of cloud services depends on a fast and reliable network connection. The North Carolina Office of Information Technology Services offers a Wide Area Network (WAN) to any authorized government entity in the state. WAN costs are calculated by use. Larger data will need a bigger “pipe” to get through. Is the existing level of bandwidth used by your agency sufficient to meet your specific cloud computing requirements? If you require greater bandwidth in order to use your cloud technology, that may require an upgrade, resulting in increased costs. Be sure to understand the costs before you proceed.

IT best practices typically include a provision for backups of data. As you consider the “cloud,” consider the level of responsibility for the service provider to maintain data backups. Is this service included in the core cost of the agreement? Or is it a feature that must be purchased separately? Determine if there is an initial cost for implementing a backup system and monthly fees for the service.

Security and Privacy

Privacy and security issues must be adequately addressed before adopting cloud services. An understanding of your office’s security and privacy requirements will be important in developing a compliant solution. Assessing the terms of service in the SLA is important for deciding if the service will adequately meet your office’s needs. As you begin to examine security and privacy requirements, it will be important to consult your IT department.

Removing Data from the Cloud and Avoiding Vendor Lock-in

It is important to know what will happen to your data upon termination of the contract:

  • How can it be retrieved?
  • In which form and format?
  • If you enhance your data in the cloud, will you also get a copy of that enhanced data? Or is the agreement solely for the original data?
  • Will the service provider be required to keep the data on its systems during a transition period?

A key element to consider is whether or not there will be a charge to extract data from the cloud. Providers typically charge per gigabyte for transferring data in and out of the cloud. So understanding the overall cost before committing to a vendor is important.

As the agency negotiates the Service Level Agreement with a service provider, take the time to clarify your agency’s ownership rights of all data that will be stored in the cloud. The SLA should include provisions for returning or destroying data as directed by the agency, as well as a timeframe for completion. For data that will be returned to the office, protocols for how data is formatted and secured are important to establish. Due diligence and well-informed decisions are the best prevention against lock-in. Negotiating an SLA that clearly articulates the level of portability expected from a provider is crucial, as well as an understanding of who owns the platform, data, and tools. One best practice is to conduct a pilot of both putting data in and extracting data from the cloud. In doing so, you can determine how your agency will best accomplish these tasks.

A similar issue of concern is cloud lock-in. In this situation, the agency is stuck, or locked-in, with their current provider because of the complications and costs of switching to a new vendor. The use of a cloud solution could potentially require buying into the specific protocols, standards, and tools of the provider. This could make future migration costly and difficult. There are three types of cloud lock-in:

Types of Cloud Lock-In

Can the agency remove its data and if so in what form? Is data returned from the cloud in the same format in which it was uploaded? Can you get everything exported in total or only certain slices or views? What is the cost to extract this data? Is it included or is it a separate fee? Does the data extraction include the log files and analytics? In what format(s) is the data available—proprietary to the software or open?

The platforms built to provide applications and services are typically proprietary and can make migration between providers with different platforms cost prohibitive. Does the provider use a proprietary programming language, data model, or run time environment?

Cloud providers offer a variety of tools to customers. To avoid tool lock-in, you need to ensure a cloud provider’s provisioning and monitoring tools are “compatible” with different kinds of infrastructure. Would the use of third party web services from the provider require you to find or build alternatives?

E-Discovery Guidelines

Electronic Discovery (“E-Discovery”) is the legal process of gathering electronic information from each of the parties in a lawsuit. When responding to E-Discovery requests, employees should consult the attorney for their state agency or local government. E-Discovery in the cloud presents a new set of challenges as ownership and control, cost, destruction of data, and jurisdictional issues must be considered. Courts generally do not distinguish between data in possession and data under control for purposes of discovery. In 2011, the North Carolina Rules of Civil Procedure (NCRCP) were amended to address issues related to E-Discovery. They now state that electronically stored information (ESI) and “reasonably accessible” metadata are subject to discovery in civil litigation.

E-Discovery Considerations

Data sourced to a cloud system should remain the legal property of the agency. NCRCP 34 establishes the scope of the request as being in the "possession, custody or control of the party upon whom the request is served." While the Service Level Agreement (SLA) should clearly articulate the agency’s ownership of data, it should also make clear that if the provider is subpoenaed for documents held in the cloud, the provider may be obligated to provide data based on its possession and custody. Conversely, the agency maintains its responsibility to preserve and produce data that is not in the party’s “possession” or “custody,” but nonetheless is within its “control.”

The provider may have either enhanced or limited technological capabilities that may impact the cost of preservation and access. For enhanced technologies, a more in-depth search may be required because the data can be searched at little or no cost.

Records retention and disposition schedules serve to cut costs for discovery and storage, as well as reduce risk. These schedules allow agencies and offices to destroy records after certain time thresholds have been met. By destroying records in a timely fashion, agencies and offices can save considerable time and money during E-Discovery. However, providers are not necessarily bound to adhere to the agency’s retention policy and could inadvertently expose the agency to greater litigation risk by retaining data longer than the records retention schedule prescribes. Conversely, data intended for permanent or long-term retention might be accidentally erased or overwritten by the provider’s server, thereby breaking public records law. The SLA should address the provider’s obligations, if any, to uphold the agency’s retention policy, as well as measures for recovering data or providing compensation in the case of permanent data loss.

The use of cloud services may increase litigation exposure by providing additional areas for jurisdictional determinations. It is important to select a provider who stores data only in jurisdictions where the agency is prepared to defend litigation as cloud servers may be located in other states, federal circuits, or even another country.

In addition to the areas outlined above, the SLA should specify the provider’s obligations should the agency become the subject of a subpoena or other legal or governmental request for access. If possible, negotiate with the provider to establish a policy of notification to the agency as soon as the provider receives any request, before they provide access to any data, and to cooperate with the agency’s efforts to manage the release of data. It will be extremely important to consult your legal department for assistance with specific questions or advice.
