Sydney storms and the Cloud

In the aftermath of the recent storms that wreaked havoc across Sydney and Melbourne, many would have heard of the related havoc caused to some well known customers of global cloud providers when the ensuing floods caused wide ranging outages across their services. Some commentators claimed the event showed the vulnerability of the cloud as a means of supporting key business applications, while others said the fault lay with customers who elected to have those applications and business data held solely in Australia instead of allowing the company to operate its usual multi-zone backup model where applications and data are held in off-shore locations, such as Singapore.

Like many things, we think the truth lays somewhere in between.

There is no doubt that the use of cloud as the primary platform for storing company data and key business applications carries the risk that if (or when) the data centre housing those applications goes down, so too will the company’s ability to transact its business. And, as we know, when servers within a data centre go down due to power failure often the applications running on them also power down and in some cases those applications can take hours or even days to restore.

But in many cases those risks can be mitigated or even removed entirely by the customer making the right choices when entering into its cloud arrangement. Customers must take the time to understand, technically and contractually the key service resliency metrics, or guarantees, being offered by the provider (nearly always a question of price) and assess whether those meet its business needs, and do so before those metrics or guarantees are tested in a real disaster context. In part, this requires the customer to put to one side their concerns around the legal risks of transferring data off-shore and explore whether in fact the business truly is best served by a cloud service in which data remains entirely within one city or “region”, such as Australia.

Are all cloud providers the same on service resiliency metrics?

The answer is no. Generally speaking, for most small to medium businesses the level of resilency even at the base service offering of any reputable cloud provider operating a tier 3 or 4 data centre will exceed the level of resiliency the organisation could afford if managing those services itself.

However, there are significant differences between the levels of resiliency offered by cloud providers at different price points, as there are in their contractual terms. As always, the devil is in the detail.

For example, a cloud provider’s ‘standard service’ option will typically limit the provider’s obligation in relation to the crucial “restore to 100% service capacity” measure to restoring those services “as soon as possible using commercially reasonable efforts”. In Australia the term “commercially reasonable efforts” has little practical meaning. Only at the ‘premium service’ options will a provider usually commit to hard resolution times and even those vary significantly.

Moreover, in their standard contract documentation, cloud providers inevitably describe service resilency metrics in very broad terms. This is understandable given their desire for uniformity across ubiquitous public cloud offerings, however these broad statements can cause misunderstandings as to the level of protection against operational disturbances a customer  is actually purchasing.

Do concerns over data privacy and security justify a solely in-country cloud solution?

Much has been written about the risks associated with the transfer of customer data to overseas locations, particularly from certain sections of the industry in relation to privacy and security. In part, the evolution of the cloud as a technology platform prompted the 2014 amendments to Australia’s privacy laws with the effect that the organisation transferring the data to an overseas location remains liable for the acts and ommissions of its contractors in those locations. And of course, it’s highly likely that mandatory data breach notification laws will be passed in Australia in the near term, potentially along with some form of statutory cause of action for victims of serious privacy breaches.

Does this mean that all customer data should ideally remain behind the customer’s firewall, and at a minimum within Australia? We think no. Customers should never assume anything when it comes to a provider’s level of security compliance and must always undertake a full risk assessment before deciding to locate data in an off shore cloud environment. However, having done (or not done) that, it may be that the additional level of redundancy that can be achieved by a provider running ‘hot stand-by’ sites in off-shore locations outweighs the privacy and security risks in respect of some categories of business data and applications.

Through adequate due diligence of the provider’s technical offering and track record in security compliance, and ensuring appropriate contractual terms are in place, the risks associated with off-shore data transfers can be managed. It’s worth noting the evolution in thinking by the Australian Government in its “cloud first” policies. Its absolute prohibition on data transfers to off shore locations has been replaced with a more flexible model of agreeing to off shore transfers where the risk is justified and manageable.

Conclusions

The time to assess the appropriateness of a customer’s cloud services resiliency is not after a disaster, as the recent Sydney storms have shown. Customers should instead use the opportunity in less pressure circumstances to review its terms and conditions to ensure that the cloud provider’s availability guarantees are adequate for its business and that decisions made with respect to redundancy locations remain appropriate.  As the cloud market has matured and become more competitive, and portability issues reduced, cloud providers are more willing to accommodate customer concerns. It’s never too late.

If you have any queries regarding this article, please contact:

Simon McDonald
Partner, Technology & IP
M: +61 402 843 198
E: smcdonald@pageseager.com.au

Copyright © 2016 Page Seager. Privacy Statement Privacy Policy