Do employees unknowingly put their employers in an untenable position by clicking “I accept” to a cloud vendor agreement? When was the last time you carefully read through a complete set of click through terms and conditions before you clicked “accept”?
Yet, every day, your staff or your contractors casually click through agreements on their way to cloud nirvana. Yes, even in your company – where public cloud use is likely more rampant than you know. The most likely scenario is that your developer orders up a development tool, pays for it with your corporate credit card, blithely accepts the agreement, and gets to work—just like we all do when downloading the latest smartphone app.
And here’s the problem. Some terms in those agreements would make your general counsel’s hair light on fire if they read them.
It’s important that these agreements be vetted both for legal weight and to make sure they align with your corporate strategy and values. What ability does the cloud provider have to shut down service without notice, for example? What is the plan should that happen? Is it clear who is responsible for what in case of a data breach? When international, national, or local laws conflict over an issue, which prevails? When a click through term conflicts with a broader agreement between vendor and customer, how does that resolve?
Getting these agreements right, of course, is important not only for customers but for the industry as a whole. Before using a company’s services, the customer should have clear awareness of legal liabilities around risk and assurances that are “on the paper” of their vendors. In addition to precise and clearly written click through agreements, it’s also helpful for cloud service providers to publicly post their security policies to demonstrate how they are driving higher standards. This transparency can differentiate providers, because potential customers are standing on the sidelines waiting for their security concerns to be addressed.
With respect to security standards, this situation is slowly improving. In March of this year, Amazon’s AWS Data Processing Agreement was approved by the Article 29 Working Party (WP29), a coalition of European Union data protection authorities. The changes will comfort customers that Amazon uses high standards of security and privacy as their data moves through or outside the EU, according to the company. This is a big step forward in the right direction.
Companies should take a page from Amazon’s playbook and start addressing those customer fears by making sure protections are in place and well understood. But the responsibilities don’t end with cloud services providers. Service users need to work to mitigate these issues by educating employees on the responsibilities these agreements pose and by sharing best industry practices for working in public cloud.
Public cloud has created a very different risk environment for businesses globally. But make no mistake: the burden of responsibility is shared between the service provider, any third parties, and your company and its employees and contractors. Understanding these risks and defining operational policies to protect the enterprise and its customers are critical, but not a reason to restrict use of public cloud. The economic and innovation benefits are far too attractive to blindly ignore. Find a trusted partner to help you navigate the landscape, but do not assume that a standard click through has your best interests at heart.
Michael Liebow is global managing director for the Accenture Cloud Platform, a secure, scalable, enterprise-ready cloud integration system that provides management and control over hybrid cloud services. Michael leads a large portion of Accenture's cloud investment, myriad of ecosystem partners, and a global team to build and operate Accenture’s cloud platform business.