Cloud computing considerations that every firm needs to consider

Photo by Rafael Garcin on Unsplash

I’ve read countless books about cloud computing and, to use a travel analogy, these books tell the reader how beautiful the cloud is to visit. They detail the possibilities, technological advancement, how the cloud revolutionizes IT, and much more. For the most part, everything in these books is accurate.

There are other types of travel books that encourage visits to exotic sites but focus on cautioning the visitor on how not to be a crime victim, how not to offend the locals, and the like. All travelers need to consult both types of books to ensure an enjoyable and safe trip.

I recently finished a book about cloud computing that fits into the second category. In Cloud 3.0: Drafting and Negotiating Cloud Computing Agreements (ABA Book Publishing 978-1641053549), editors Lisa Lifshitz and John Rothchild have written a most resourceful book by lawyers, for lawyers, that nonetheless is quite valuable for non-lawyers such as me.

While other cloud books talk about all the potential, this book takes a pragmatic approach to removing the hype of the cloud. The editors reference the legal term puffery: a statement or claim that expresses subjective rather than objective views, which no reasonable person would take literally.

When it comes to the cloud, there’s much puffery. The goal is to eliminate that puffery when you sign on the dotted line. The authors cover a tremendous amount of material and topics, but let me highlight some of the most important ideas they discuss.

In law, puffery is a promotional statement or claim that expresses subjective rather than objective views, which no “reasonable person” would take literally. Puffery serves to “puff up” an exaggerated image of what is being described and is primarily featured in testimonials.

There are those selling cloud services who engage in puffery. But the truth is that puffery exists everywhere: when you buy a computer at a consumer electronics retailer, go to a car dealership, buy jewelry, and much more. The key is to know it when you see it in the cloud.

The stakes are much higher when it comes to cloud services for your company. But that is where a cloud contract can help. While the salesperson may engage in puffery, the cloud contract is where the rubber meets the road, and the firm agrees to what they will do in practice. Legitimate firms will certainly filter out the puffery.

What is crucial is that the cloud contract clearly and explicitly details what the cloud service provider (CSP) contractually agrees to. By having that stated in the agreement, you are protecting against the irrational exuberance of the salesperson and have protection to ensure that the CSP is legally mandated to deliver specific services.

It’s also crucial to ensure that your legal counsel has a thorough understanding of various cloud computing platforms, technologies, virtualization, and containers. If the person reviewing the contract doesn’t know the difference between PaaS & IaaS, or what a container-orchestration system is, you likely have the wrong person reviewing your cloud contract.

There are different variations on the saying of fast, good, or cheap — you can’t have all three. When it comes to the cloud, customers can’t have their cake and eat it too by demanding the cheapest services, while simultaneously demanding warranties and the reduction of liability exclusion provisions.

Part of what makes many cloud services affordable is their standardization. A cloud customer needs to know that if they want the low price, they are forfeiting customization.

It’s also important to dispel the false perception that the cloud is always cheaper. The cloud can often be cheaper, faster, and more resilient. But it can also be much more expensive and slower, if not architected and maintained correctly.

Cloud consumers need to know that the freemium model (a portmanteau of the words free and premium) can be deceptive. Cloud computing demands that the consumer know what they are getting into and have a complete understanding of all the pricing possibilities. Too many, after getting into the cloud, have a significant case of sticker shock.

Cloud consumers must take heed to avoid falling into the trap of thinking that security comes automatically with moving to the cloud. CSPs offer significant security and privacy capabilities. But it is the responsibility of the customer to make sure they are used and used correctly.

Read any security documents from CSPs, such as AWS, Azure, Lenovo Cloud Solutions, or any others, and you will encounter the notion of a shared responsibility model. The shared responsibility model means precisely what it says — that you and the CSP are responsible for security. Firms that don’t understand that perfectly well will find themselves with a cloud solution that has significant security problems while it has Six Sigma uptime.

Many customers consider areas such as security, privacy, uptime, availability, and much more when it comes to the cloud. But they fail to consider what happens in the event their CSP declares bankruptcy. While the major players have good balance sheets, there have been many CSPs that have declared bankruptcy and left their clients in the lurch without access to their data.

Cloud contracts need to state that the customer will retain the ownership of any confidential or proprietary data, such that any confidential or proprietary data is not considered part of the bankruptcy estate. If that is not the case, then the customer will find that while they may have petabytes of data within a CSP, they are locked out of their own data. Horrifying scenarios like that can be obviated with foresight and a robust cloud contract.


The cloud has revolutionized IT. What could take six months 15 years ago can be done in 30 minutes in the cloud. But with all the potential of the cloud comes the possibility that things can go wrong.

The more cloud consumers know about the cloud, the better they will be. Because the best cloud consumer is an educated one.

I work in information security at Tapad, write book reviews for the RSA blog, and am a founding member of the Cloud Security Alliance and Cybersecurity Canon.
