Much has been written, including by me, about the risks (and benefits) of cloud engagements. I think a step back maybe in order – perhaps even two steps back. That is, I think it is far too easy to lose the forest for the trees in considering the cost-benefit of a proposed cloud engagement.
Recently, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance for financial institutions regarding cloud engagements (http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf). While directed at businesses in the financial services industry, the guidance provides some very sound advice that every business should consider. Specifically, the FFIEC’s primary point was: treat cloud engagements as you would any other outsourced technology engagement. While that seems overly simple, consider that many businesses do not take that approach. Rather, in considering a cloud engagement, many businesses start with the premise that they have to expect far less protection than they would receive in a traditional technology transaction. That is very unfortunate, but highlights the current state of cloud contracting.
I suggest every business start their cost/benefit analysis of a potential cloud engagement by asking the same questions and expecting the same level of protection that it would in a traditional locally hosted transaction or any other form of comparable outsourcing engagement. Setting expectations low at the outset shouldn’t be the de facto approach to cloud contracts.