Why it pays to read the small print on Cloud contracts

As companies move away from on-premise solutions to cloud-based services, data security needs to be a key area of focus, along with the contract terms agreed with third-party providers that must now protect their clients from harm. Martin Morris reports.

If vendors are looking to utilise seamless solutions regarding leasing or loan provisions (to name two) then cloud-based services will usually fit the bill.

Yet these objectives can only be achieved if standardised application connections (APIs) allow cloud service providers to link their software to other applications to create a new digital ecosystem.

Given that the vehicle leasing industry isn’t without its challenges – not least the need to drive down costs and better manage vehicle assets – access to data unsurprisingly remains key.

This applies whether a company’s back office or its customer facing operation happens to be in the firing line.

But cloud services aren’t monolithic and where one type of solution may meet the needs of a particular company, other enterprises may take a different route.

For example, one cloud service may provide infrastructure, such as virtual machines and other resources to subscribers.

Better known as Infrastructure as a Service (IaaS), cloud providers in these cases supply resources on-demand from their large pools of equipment installed in data centres.

Cloud providers typically bill IaaS services on a utility computing basis – the cost reflecting the amount of resources allocated and consumed by the client.

PaaS (Platform as a Service) on the other hand is a variation of IaaS, though in this case the customer only manages data and applications.

Other elements, such as uptime and operating systems, are managed elsewhere.

At the two extremes are ‘on-premises’, where systems and software are entirely managed by the company, and Software as a Service (SaaS), which is entirely managed elsewhere.

Beyond this nomenclature a distinction also needs to be drawn between Public and Private clouds.

In a public cloud-hosting solution, services are distributed over a network that is open for public use and is often provided for free.

Generally, public cloud service providers such as Amazon Web Services (AWS), Microsoft, Alibaba, Google and IBM, own and operate the infrastructure at their data centres. Customers purchase or lease a private connection.

In 2018, these five providers accounted for nearly 77% of the global IaaS market, up from 73% in 2017; AWS was the biggest vendor (47.8%), followed by Microsoft (15.5%), Alibaba (7.7%), Google (4%) and IBM (1.8%), according to consultants Gartner.

A measure of AWS’s reach can be seen in a multi-year global deal it sealed with Ford and Autonomic – the latter being the creator of the Transportation Mobility Cloud (TMC). Under the deal, the availability of cloud connectivity services and connected car application development services for the transportation industry will be expanded.

What this means at the coalface is additional partnership and business opportunities for automakers, public transit operators, large-scale fleet operators and software developers.

Autonomic, for its part, will also work with independent software vendors and system integrators to offer vehicle connectivity services and capabilities for developing connected vehicle cloud services, vehicle features and mobile applications to automotive manufacturers and mobility application developers. Meanwhile, other major customers of AWS include Uber, Lyft, Tata Motors, Hyundai and Volkswagen.

Yet whether companies opt for a public, private or hybrid (public and private) strategy, the cloud services garden isn’t always necessarily a rosy one – a case in point being the major data breaches suffered by a growing number of companies.

In 2019 Capital One Financial Corporation was hit by one of the largest data breaches ever to hit a major bank. The point of interest here (beyond the obvious) is that Paige Thompson, the hacker accused of perpetrating the breach, once worked as a software engineer at AWS, of which Capital One is a customer. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.

It is unclear whether Thompson ever had access to Capital One data when she was working for AWS and, with her trial delayed until 2022, the details are yet to be revealed in court, but the case has brought into sharp relief how inter-dependent companies and cloud service providers have become.

Denver-based Citizn Company (which builds tools to help individuals and businesses understand the contracts they sign) pointed out in a subsequent briefing note that large companies such as Capital One often have custom negotiated contracts. It added that millions of smaller enterprises may simply accept their cloud provider’s click-through agreement as offered on-screen.

After looking at the click-through agreements for some major cloud providers in the US and analysing how any data breach issues might be resolved under each, the results make for disturbing reading.

According to Citizn’s interpretation, most customers would be out of luck trying to recover any damages for a data breach. Furthermore, contracts may require them to defend their cloud provider against lawsuits brought by victims of any breach.

The moral of the story? There may be choices out there, but make sure your head isn’t in the clouds. Ensure you’re making the right choice by reading the fine print.