Telcos make best cloud providers: lawyer

Networking and telecommunications companies were most likely to succeed as cloud computing providers, according to Gilbert & Tobin partner Peter Leonard.

Speaking to the International Association of Privacy Professionals (iaapANZ) in Sydney yesterday, Leonard addressed contractual concerns in establishing cloud service agreements.

Enterprise-grade cloud services called for more control, customisation, data integrity, data portability and accountability than typical consumer services, he said.

And while flexible, scalable cloud services may be "a CIO's dream", they were also a "general counsel's nightmare".

Cloud arrangements typically involved various components, including a vendor's terms of service, terms and conditions, service level agreements, privacy and acceptable use policies.

Leonard highlighted several risks of enterprise cloud computing, including platform complexity, jurisdictional borders, infrastructure, third-party data access, and the potential insolvency of a cloud provider.

The most secure cloud service providers were those that were highly invested in protecting their reputation and customer trust, he said.

He highlighted Cisco as one such vendor for whom controlling network vulnerabilities was central to its business.

"The reputational damage they [Cisco] will suffer in the event of data losses and vulnerabilities are a very, very powerful influence on their behaviour," he said.

"You can have the best contract in the world; If you've got it with a straw man, it's not worth lighting a fire with."

Telecommunications companies were also likely to succeed in the market, he said, since they had greatest control over the service delivery mechanism.

Optus in October launched its cloud solutions suite that offered customers "slices" of computing power and storage from a data centre in Sydney.

Telstra's upcoming 'Silver Lining' service also was expected to offer server and storage infrastructure as a service to Australian enterprise and government customers.

Both offerings were underpinned by VMware, EMC and Cisco technology.

"Telecommunications carriers have particular advantages by managing all the parts of the infrastructure," Leonard mused.

"I think what we will increasingly see is telecommunications companies becoming either the primary cloud providers or entering into joint ventures with providers like Salesforce.com ... in order to support the delivery of service."

New age outsourcers

Leonard described cloud computing arrangements as "nothing more than an outsourcing contract" - with the added complexity of data that could be offshored and moved across international borders.

David Pegrem, Head of IT Risk at the Australian Prudential Regulatory Authority, agreed.

"Concerning clouds ... we don't consider that the rules of the game have changed," he said, noting that APRA enforced the same obligations for cloud services as for outsourcing.

Financial institutions were bound by APRA's 2006-7 outsourcing standards and are required to consult with the authority prior to offshoring data.

APRA also encouraged institutions to implement appropriate risk and governance processes, ensuring their abilities to meet core obligations in the face of service provider failures.

So far, APRA observed limited adoption of cloud services by Australian financial institutions in areas like customer relationship management, messaging and collaboration, and "private clouds".

But "the profile is changing", he said, highlighting targeted offerings from Microsoft, IBM, Amazon, Google, Salesforce.com, Fujitsu, HP/EDS, CSC, Oracle and Cisco.