
Cloud Computing Contracts

Until only a few years ago, most of the software we purchased was installed on servers located in datacenters we owned. Sometimes we managed the software, sometimes an outside vendor managed it for us. But the software was almost always on a physical server housed under our control.

But this is 2013, and many government and private organizations have adopted some variation of a cloud-first strategy. A large number, if not a majority, of the services we purchase are delivered via software located on servers outside of our physical control. Our websites sit on Rackspace or Amazon or SquareSpace servers. Our HR/Payroll software may reside on a Sage or Kronos or SAP server cluster. Even our ILS software is now often based remotely in a Polaris or LYRASIS datacenter. Bibliocommons, probably the best discovery layer available, is offered only as a hosted solution.

The point is, many of our tools which we formerly put on local servers are now run from remote servers. Whether you call this “cloud” or “hosted” or “remote”, it all boils down to the same thing — someone else controls the hardware and runs or manages the software. You and your library are no longer in full control regarding access and management. (For this post, I will use the phrase cloud-based to refer to any software installed on a server or cluster of servers outside of your physical location.)

Don’t misunderstand. I am a huge proponent of cloud-based services. They are often easier to manage, better protected, more feature-rich, and cheaper to procure than the old solutions. But the steps we now have to go through to select and purchase cloud-based services have fundamentally altered the procurement process. We used to source software, perhaps purchase some professional services and maintenance, and sign a simple contract reflecting these points. With cloud-based services, the procurement process has been dramatically altered and it is still changing.

If you are about to purchase a cloud-based product, you have a few more things to investigate than you did in years past. I have placed links at the end of this post that direct you to several of the sources I use in reviewing cloud-based services and contracts. It’s easy to get lost in the large amount of information and recommendations in the documents, but it helps to see what’s discussed most frequently. You will want to follow your local organization’s purchasing policy with regard to contract formulation. But if your organization has not rewritten its cloud-computing contract and procurement requirements, you may want to start lobbying today. If you are responsible for your organization’s data and/or network, you may want to counsel change. I strongly suggest consulting your organization’s legal advisor for assistance in finalizing any contracts.

There are myriad points you could insert into cloud-based contracts. If you research the documents linked below, and the many articles available on crafting cloud-services contracts, you will see just how many variables are involved. Here are a few things I now look for when buying a cloud-based product:

1. Service level agreements (SLA) and compensation for outages

Things will break and there will be outages. You want to make certain that your contract clearly spells out response times for service interruptions, compensation for major outages, and what key performance metrics will be identified as measures.

Does the vendor notify you of outages? How quickly? Is there a Help Desk ticketing system in place for your use? How many services or people need to be impacted before the issue is automatically escalated? Before compensation kicks in?

If the outage or service interruption results in corrupt or lost data (not a data breach), what are your options for recovery and/or compensation?

If the vendor updates the service and specific functionality that you depended upon is lost, what happens? Can you cancel your contract without penalty? Does the vendor have to compensate you for the lost functionality?

Not every possible scenario can be defined in the SLA, but it is this part of the contract you will rely upon when things break and service is interrupted. Make certain the SLA is easy to understand and looks out for your needs.

2. Data — Who owns it and who can get access to it?

Most U.S. public libraries do not have legal requirements to store data in a particular nation, but some government and private organizations do have this requirement. Make sure you know if yours is one of them.

If the cloud-based service breaks, does the vendor’s promise to repair everything include the restoration of your data? What kind of backups does the vendor maintain, and what is the frequency of backup?

If you cancel your contract, how long do you have access to your data and in what format can it be returned to you? If the data is in a proprietary format, it will be useless to you.

Security breaches happen, but the disclosure of personally identifiable information — of staff or customers — can have significant financial and PR ramifications. The vendor should have clearly defined security measures in place to protect your data. Similarly, the vendor should have contractually defined notification procedures in place for contacting you in the event of any security breach.

Who is responsible for damages, fines, etc? Security breaches can often result in large financial penalties and settlements and the contract should clearly define liability and any limitations. It does you no good if the vendor denies responsibility for data breaches and leaves you to cover all of the costs.

If an ex-employee or anyone else takes legal action against you and issues a legal demand to the vendor for your data, what will the vendor do to notify you of this action? Will you have legal recourse before the vendor discloses the data? Will you or your legal representative be able to review the data and remove any personally identifiable information before the vendor hands it over? Remember, the data is no longer on a server in your datacenter; it is not under your direct physical control.

How long does the vendor retain backups and archives of your data? Does this comply with any legal requirements your organization may have regarding data retention? And if you cancel your contract with the vendor, how long will they retain the data and what recourse will you have should litigation or law enforcement ask the vendor to turn over your data once you no longer are their customer?

3. Get me out of here — Ending your contract

What recourse do you have regarding termination of contract? You should be able to terminate the contract at any time. If a penalty is to be applied then this should be in the contract.

Also, as mentioned above, it should be stated how long you will have access to recover your data and whether or not your data will be retained by the vendor following contract termination.

Your data should be returned to you in a usable format. You should not have to rebuild databases in order to transfer the service to a new vendor. The format in which your data is accessible to you should be defined.

Conclusion

This is a simplification of the many issues that now come up in cloud contract negotiation. Cloud-based services have fundamentally altered the way IT manages and implements solutions. Now that the data and servers are no longer under our direct control we need to adopt new procedures and requirements that protect the library and its many interests. Getting these formalized may be complicated and time-consuming, but it is of vital importance. Make sure the decision-makers in your organization understand these new complexities. The old way of crafting software and service contracts has changed.

Documents & Links 

If It’s in the Cloud, Get It on Paper: Cloud Computing Contract Issues, by Thomas Trappler via Educause

Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service (PDF), via the Chief Information Officers Council

Legal and Quasi-Legal Issues in Cloud Computing Contracts (PDF), by Steve McDonald via Educause

Best Practices for Negotiating Cloud-Based Software Contracts (PDF), a DoD ESI Whitepaper [8/5/13 link appears down]

Security in the Cloud: What nonprofits and libraries need to know to secure their online data, via Techsoup

Cloud Legal Project (U.K.) via the Centre for Commercial Law Studies (CCLS) at Queen Mary, University of London

Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now, via Stanford Technology Law Review

MySpace and Data Portability

This is rather exciting news via TechCrunch.

MySpace is announcing a broad ranging embrace of data portability standards today, along with data sharing partnerships with Yahoo, Ebay, Twitter and their own Photobucket subsidiary. The new project is being called MySpace “Data Availability” and is an example, MySpace says, of their dedication to playing nice with the rest of the Internet…

…But with Data Availability, partners will be able to access MySpace user data, combine it with their own, and present it on their sites outside of the normal widget framework. Friends lists can be synchronized, for example. Or Twitter may use the data to recommend other Twitter users who are your MySpace friends.

The data sharing is dynamic, meaning it is updated constantly. And that also means user permission is not a one time thing. At any time a user can change or revoke the rights of a third party to access the data. Those third parties are “being held to strict terms of service,” says MySpace, which prohibits them from storing the data or using it once permissions are revoked.

Full post.

Article: Google Docs … so what – the ONE reason why you should care

From Mike Riversdale comes this excellent post on Google Docs:

Google Docs doesn't live in the 'document' world. Oh it has similar naming conventions, it uses all the jargon that we're used to and it pretends to be a document … but it's not because it comes from the 'words' world view. It knows that the words you're gonna edit are, 99.9% of the time, going to want to be loved by many more than you. And being on the Web they know that the world of connected people at your fingertips is massive. Not only is there the list of attractive people in your contacts list but there is everyone with an internet connection!

…Wikis live by understanding the connectivity of their environment and the innate desire of 'words' to love all and be loved by all. In the future there will be no difference between a Google Doc and a wiki page … in fact, it may be so close already it's just a matter of semantics and opinion.

Read the full post here.

Trying Mofuse for Mobile Viewing

This is the free version of Mofuse — you have to link to a unique URL. The full version is $3 a month but can go directly to your own URL.

If you have a mobile, give it a try.