
When in the Cloud You Need Protection


Vendor Self-Preservation

The point was made perfectly clear in the last post: cloud service providers have complete control over all aspects of your data that resides on the providers’ network. Why have cloud service providers established such extreme controls on their networks? The reason is a matter of self-preservation for your provider. Legislators have increasingly used “safe harbor” laws to make the Internet industry self-policing. For instance, the Digital Millennium Copyright Act (DMCA) provides hosting providers with a free pass from liability if the provider demonstrates a swift and positive response to every claim regarding copyright infringement. Here’s an ironic twist. While the law treats providers’ users as innocent until proven guilty, the same law coaxes providers to treat you as guilty upon accusation – hence their being allowed to discontinue your service at the drop of a hat.

No right-thinking provider would routinely or deliberately treat a customer unfairly. However, as in the case of WikiLeaks, sometimes the pressure is a tad too much to bear. Two high-profile examples where the pressure was over the threshold are the cases involving Amazon Web Services and PayPal. Amazon Web Services and PayPal cut off services to customers without:

  • Judicial review
  • Useful explanation
  • Workable recourse

Lesser-known companies such as Tableau and EveryDNS followed suit. In fact, even a Swiss bank found a convenient loophole. Doubtless each was under enormous legal pressure and scrutiny.

This torrent of submission indicates a fundamental flaw in Web-mediated services that doesn’t exist with in-house infrastructure. While the Internet itself may have a high immunity to attacks, a provider operating services through the pipeline that is the Internet is not equally immune. A company may have the strength to withstand even a technical outage. However, a disruption due to political forces or a full-fledged termination of service is likely to put a company that depends on the cloud for critical infrastructure out of business.

The terms of service of many providers include termination clauses. Most companies have lived with these termination clauses because the risk is evaluated as manageable. A state investigator wanting to take a firm’s sales system offline would need to enter the premises and use force, as well as get a judge to agree to that use of force. In contrast, a business’ sales network hosted in the cloud can be taken offline instantly by an unknown authority, for reasons that are not always communicated, and with no way for the affected company to get back online.

The situation gets worse. A claim from a service provider that terms of service have been breached most often leaves companies without a viable avenue for recourse or compensation. This is true regardless of what the provider says about technical outages. In many cases a court battle ensues to expedite getting back online. A court battle is not desirable, even assuming the firm has access to legal representation in the country where the provider is based, because in the time it takes for the court case to end, the company may be out of business. Finally, if the service a company has been utilizing is proprietary software, then finding an alternative provider will probably mean analyzing and reallocating the company’s infrastructure. This process can prove extremely costly and time-consuming, and may prove permanently debilitating if the firm’s revenue stream is reduced or eliminated.

That previous scenario may seem excessively pessimistic. On the other hand, it’s worth noting that PayPal didn’t take action against WikiLeaks. PayPal moved against the Wau Holland Foundation. The Wau Holland Foundation is a nonprofit organization that had been supporting WikiLeaks as one of several activities driven by the foundation’s charter. It’s becoming commonplace for DMCA notices to incur collateral damage, similar to the notice that blacked out 1.5 million educational blogs over a disputed student handout. As the media industry’s war on fair use increases, we can expect more laws to be passed that have more collateral effects – all excused by terms of use.

Learn Self-Defense

What can your company do to minimize the above-mentioned risks? After all the smoke has cleared, there’s really not much a company can do. This problem is under-recognized and overdue for attention. However, you can try to apply these three principles.

  1. You need a commitment, backed with substantial penalties, so that your provider will never take your service offline intentionally without a substantiated and validated court order, whether you are notified in advance or not. Phrases like “at our absolute discretion” are a red flag. Your infrastructure and discretion are what matters. Until there’s proof of judicial review, no service should be rescinded without the provider being penalized. Seek providers willing to make that commitment, or if you have the negotiating power, ensure your contract includes this idea and supersedes the terms of use.
  2. Select providers that deploy well-documented open source software. Open source software makes discontinuing service with a provider much easier. Avoid solutions where the only company benefiting from software freedom is your provider. Choose open source software that is community-backed rather than controlled by your provider. Your provider may be concerned that you are escaping the lock-in that proprietary software provides and therefore charge you more; however, it’s worth paying extra to get the additional value software freedom creates.
  3. Create a backup plan for how you would operate the service in the event your provider suspends an agreement with your company. Consider having a backup provider or even a “private cloud” available. Retain copies of your runtime environment in virtual memory ready for deployment. This strategy may seem like a lot of effort and expense to cover a fairly remote possibility, yet when your firm commits to outsourcing all or part of the business to the cloud, don’t concede the freedom of running the business in the bargain.

 

