The cloud computing market is evolving rapidly. New as a service (aaS) platforms are appearing and the dichotomy between public and private cloud domains has been fractured into many different shades of hybrid cloud alternatives. And while many of the key issues – privacy risk, data location, service commitment – remain the same, service providers' commercial offerings are becoming more flexible.
Over the past 18 months, we have even started to see changes in the "take it or leave it" approach to cloud contracts. Negotiations of cloud contracts have started to occur. But at this stage in cloud computing's evolution, even more so than for traditional ICT contracting, the key is to know what can be negotiated and how much.
The global cloud computing market is reportedly worth approximately $157 billion in 2014, and is expected to reach $290 billion by 2018. The market is growing at an annual rate of almost 50%. North America continues to represent the largest share of the global cloud market with over 50% of the market, followed by the EMEA region with approximately 29%.
Software as a service (SaaS) is still the biggest sell, followed by infrastructure as a service (IaaS) and platform as a service (PaaS). The Big 3 aaS cloud offerings represent 90% of the global cloud market according to a recent survey.
Flexibility and cost savings are still the main drivers for customers selecting cloud services – while security and privacy remain the top concerns. Interestingly, some customers are starting to consider cloud offerings as a means of improving the security of their data, taking the view that leading cloud providers have more expertise in protecting data and are able to invest more heavily in evolving technologies.
As the cloud market continues to grow in volume terms, the diversity of the market offerings is also increasing. There is more competition than ever before in most of the main cloud market segments, with well-publicized price cuts, more service offerings and many, if not most, software providers examining ways to move into service-based offerings. Traditional market leaders such as Microsoft and IBM experience year-on-year growth. Reputation and cost are the key factors in cloud vendor selection, followed by performance assurance related issues.
In general, most large cloud providers are showing a renewed focus on multinational clients: the cloud providers want to move up the value chain and target larger institutional clients. Outsourcing arrangements now increasingly encompass a cloud computing element, and some cloud providers are prepared to offer managed services to mimic elements of so-called "traditional" outsourcing.
Genuine adoption by regulated entities, especially financial services institutions, is the next big target, although take-up is not helped by the reticence of regulators in some key global markets (with the notable exception of the United States) to provide a road map to assist regulated entities' engagement of the cloud model. Nevertheless, reticence to adopt a multi-tenanted cloud solution in regulated sectors is being eroded by the availability of aaS models through virtual private cloud services and dedicated servers.
It remains axiomatic that contracts for cloud computing services are generally implemented on the provider's terms. Even projecting forward the current rate of evolution, it is hard to see that core principle changing. However, contract terms are increasingly negotiable to some extent; although the degree of negotiability pales in comparison with the contracting model in traditional services-based outsourcing.
In our experience there continues to be a (resigned) acceptance from most customers of the providers' terms – i.e., the terms are what they are, and there's a general recognition that that is the place to start. After all, if a customer organization expects customization of services and a genuine negotiation of service terms, then maybe the cloud is not the right place to be considering as a solution for those specific services.
Nevertheless, we have experienced greater negotiability compared to 18 months ago, and we anticipate that trend continuing in the future. The contracting areas where we perceive most scope for negotiation tend to be commercially oriented issues such as price, privacy and security, scope and service levels, and liability caps. Technical areas, such as the variability of service elements that depend on specific data center features, do not lend themselves to negotiation because the shared service nature of cloud facilities limits the ability of providers to agree on changes in those areas. These are areas where customers often show their naivety about how cloud computing works by asking for changes that directly contradict the commoditized nature of the service offering. That said, some providers do not help themselves by justifying their refusal of almost every requested change based on the invariability of the technical solution, even when an issue is plainly commercial and not technical.
Among the key issues that recur in cloud contract negotiations are:
- customer control and visibility over subcontracting: there is a general reluctance of providers to allow approval over, or even to identify, subcontractors. Often, that can be for very good reasons, especially in a public cloud situation;
- the limitation of the provider's ability to change the nature of the services provided: again, there may be very valid reasons for this depending on the nature of the services, but, typically, the negotiation ought to focus on the commercial implications of such changes rather than the basic right itself;
- privacy and data security commitments by the provider;
- rights of the provider to suspend services under circumstances such as non-payment or violation of an acceptable use policy;
- limitation of liability;
- termination assistance provisions allowing the customer to extend service for a period after termination or expiration to allow migration to the replacement solution; and
- the stretching of some common contracting provisions into some pretty unfamiliar directions. One motto to bear in mind when reviewing cloud terms is "never assume that you know what's in a provision based on its heading." Force majeure provisions are a good example. You may have thought that it would be hard to reinvent force majeure, but in some cloud instances force majeure seems to be elastic-sided enough to capture "changes in the taxation basis of services delivered via the Internet" as a force majeure event.
Another area where some providers have not helped their industry's cause is in the proliferation of complex, multi-document contract structures which are often poorly updated and oddly worded. Customers need to wade through the many pieces of paper and URL links, and (with a lack of consistency among the documents) frustration mounts and patience wears thin. These multi-layered contract structures are unwieldy and often, when quizzed, even the providers' representatives cannot navigate their way around them. It would be beneficial if the cloud industry generally – and some notable large cloud providers specifically – were to address this contracting approach over the next couple of years.
PRIVACY AND SECURITY
MoFo's Global Privacy Group has already written extensively about the privacy implications of moving data to the cloud. The conjoined issues of privacy and security remain center stage in most cloud contract negotiations. The key issues typically are who is responsible for data security and how obligations should be allocated between service provider and customer. Importantly, the analysis may differ between types of cloud services, e.g., between IaaS and SaaS. But it is worth understanding the exact commercial and legal implications of a provider that commits only to be responsible for the "security of our network" and expects its customer to be responsible for the "security of its data."
Typically, of course, providers are more willing to take responsibility for the integrity of their networks, while attempting to steer clear of obligations in relation to data. However, some service providers now accept that a failure to improve their privacy offerings may compromise future growth in certain markets and be a competitive disadvantage.
So, for example, there is an increased willingness to adopt the EU model clauses for data transfer, and most of the large cloud providers are reacting to commercial pressures from Europe-based clients to offer services from ring-fenced European data centers. Despite this, there is still a lack of appreciation among many customers of the difference between commitments in relation to data "at rest" (i.e., where the data are stored) and where data can be accessed from.
In general, most cloud contracts are still relatively light in terms of service level commitments, with availability being the main measurement metric. There is no sign yet of widespread (or, indeed, early stage) acceptance of the EU's standardized SLA suggestions.
In terms of remedies for service failure, the concept of providing credit via further services or contract extension is still prevalent despite the illogicality (from a customer perspective) of accepting more of the same as a service remedy.
The old maxim "Be careful what you wish for" applies to the cloud market at this stage of development. Many commercial users of cloud services have chafed at the "take it or leave it" approach to cloud contracts. But, now that some degree of negotiation is becoming possible in some areas of the cloud market, it is clear that users need to understand more than ever what can realistically be negotiated.
At the same time, users need to distinguish more clearly their reasons for adopting cloud solutions in the first place and understand the specific sector of the market that they are seeking to access. If users perceive the risks to be so great that contract negotiation seems essential before putting services in the cloud, it is possible that they need to consider whether the services that they have in mind properly belong there in the first place.
In general, customers need to approach cloud computing transactions with realistic expectations. It is unrealistic to expect to re-negotiate a provider's cloud contract terms materially on a project with a relatively low cost/value. Providers are either technically constricted or simply commercially unwilling to devote expensive commercial management time or legal resources to negotiate the terms of a project with a relatively low margin or revenue generation.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved