Ben's Book of the Month: Review of "Cloud 3.0: Drafting and Negotiating Cloud Computing Agreements"

Posted by Ben Rothke

Many people sign up for a vacation timeshare after a persuasive 60-minute presentation, sometimes involving free food and alcohol. They often don't realize what they've gotten themselves into until long after they have signed on the dotted line and obligated themselves to decades of timeshare debt.

In some ways, cloud computing is similar to timeshares. People see the benefits but don't understand what comes along with ownership. While there are plenty of books that help cloud architects design cloud systems, and books on cloud security for cloud security practitioners to secure them, I've yet to come across a book that details the legal angle of cloud computing.

In Cloud 3.0: Drafting and Negotiating Cloud Computing Agreements (ABA Book Publishing, ISBN 978-1641053549), editors (and lawyers) Lisa Lifshitz and John Rothchild have written a most original book by lawyers, for lawyers, that nonetheless is quite valuable for non-lawyers such as me, and readers of this blog.

While other cloud references detail cloud potential, this book takes a pragmatic approach to remove the hype of the cloud. The authors reference the legal term puffery, which is a statement or claim that expresses subjective rather than objective views, which no reasonable person would take literally. Yet with cloud computing, claims abound, often based on puffery, which too many in IT take literally.

While written by lawyers primarily for lawyers, everything in the book is readable by those without a law degree or experience in the legal field, except for the last two chapters. This is a book that should be read by anyone involved with cloud computing.

When it comes to the cloud, there's much puffery. The goal is to eliminate that puffery when you sign on the dotted line. The contributors cover a considerable amount of material and topics that can educate you as to the legal aspects of engaging cloud providers.

There are those selling cloud services that engage in puffery. But the truth is that puffery exists everywhere: when you buy a computer at a consumer electronics retailer, go to a car dealership, buy jewelry and much more. The key is to know it when you see it in the cloud.

The stakes are much higher when it comes to cloud services, and this is where a cloud contract can help you. While the cloud salesperson may engage in puffery, the cloud contract is where the rubber meets the road, and the firm agrees to what they will do in practice. Legitimate firms will certainly filter out the puffery.

What is crucial is that the cloud contract clearly and explicitly details what the cloud service provider (CSP) contractually agrees to. By having that stated in the contract, you are protecting against the irrational exuberance of the salesperson and have protection to ensure that the CSP is legally mandated to deliver specific services. And the book shows, in great detail, how to do that.

It's also crucial to ensure that your legal counsel has a thorough understanding of various cloud computing platforms, technologies, virtualization and containers, and more. If the person reviewing the contract doesn't know the difference between PaaS and IaaS, or what a container-orchestration system is, then you likely have the wrong person reviewing your cloud contract.

If you read any security documents from CSPs, you will encounter the notion of a shared responsibility model. The shared responsibility model means precisely what it says—that you and the CSP are responsible for security. Firms that don't understand that correctly will find themselves with a cloud solution that may have Six Sigma uptime but significant security problems.

The authors cover all of the critical areas related to the cloud and associated legal areas. This includes how to evaluate cloud vendors, understanding cloud agreements, SLAs in cloud contracts, negotiating techniques, cloud contracts, exit agreements and more. If cloud users apply the sage advice from the book in their environments, they can make their cloud solutions and relations with the CSP much more productive.

The more cloud users know about the cloud, the better they will be, because the best cloud consumer is an educated one. For those who want to be cloud educated before they sign on the expensive dotted line, reading Cloud 3.0: Drafting and Negotiating Cloud Computing Agreements should be a contractual requirement.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
