Whilst cloud computing is by no means "new" (and in fact has been around in "hosted services" form since the 1990s, at the very least), it has clearly now moved into a new and more mature phase, with more sophisticated and stable solutions able to offer a far greater array of services, and for increasingly business critical functions. As cloud computing accordingly enters into this "enterprise" phase, it creates challenges for the traditional outsourcing market, both in terms of how X-as-a-Service offerings replace arrangements which might ordinarily have been approached as a form of outsourcing transaction, and in relation to how cloud services appear in the supply chain. So what are the trends being seen in the market in this regard?
If it looks like a duck, walks like a duck, and quacks like a duck…
It is fair to say that some deals that are now called a "cloud" deal are - in fact - simply an outsourcing arrangement which has been repackaged/renamed, but where the fundamental elements remain the same. So, if a customer engages with a service provider to switch its current in-house function so as to be provided remotely from the service provider's locations and systems… is that properly termed a cloud deal, or an outsourcing one?
The reality is that the issues and commercial underpinnings of the more conventional outsourcing deal and the cloud variant in this instance are the same. This is certainly the attitude of the financial services regulators, with the FCA in the UK (for example) grouping its contract requirements and guidance for cloud services together with other forms of IT services (see guidance note FG 16/5).
This has created some challenges for some of the larger public cloud service providers (such as AWS, Microsoft Azure etc), given that their standard (and very pro-supplier) contract terms do not readily cater for the requirements of such regulators for audit rights, for example. However, it seems as if they have decided against trying to rail against the attitude of the regulators, and have instead adopted the approach of putting out standard form addenda to their standard contracts, for use whenever they deal with financial services clients who are subject to such regulatory requirements. However, customers in other sectors should be equally aware of such requirements and their associated addenda, as they will at least show what such service providers are capable of agreeing in relation to such issues.
More generally, then, we are seeing customers push back on standard cloud service offerings, base their contract requirements on the business criticality of the services, and look to incorporate many of the protections that they would ordinarily have expected to see in a typical outsourcing contract.
Public vs private
Customers have rapidly developed their understanding of private cloud offerings, such as to view them in the same way as hosted services style outsourcings have been seen in the past, ie so as to allow for a more end to end negotiation, frequently based upon a customer-produced contract template.
For so called public cloud offerings (ie where services are offered on a "one to many" basis from shared infrastructure - in the case of PaaS and IaaS services - or on the basis of a common code base vis a vis SaaS services), the contract terms on offer have frequently been put out on a "take it or leave it" basis, with the service provider arguing that their services should be viewed more as a commodity service, and with a lower level of contract recourse against/risk borne by the service provider. If challenged on this, some service providers have argued that one of the reasons why they cannot accept a higher level of liability to a particular customer is because if something were to go wrong with a public cloud offering, then it would be something which would affect all of their other customers too, such that opening Pandora's Box by indicating a willingness to accept a higher level of liability to one customer would run the risk of all of them asking for the same concession, leading in turn to a risk of insolvency in future based on just a single service outage.
But is this actually true? In reality, even with a SaaS service, whilst there may be a common code base in use, there will ordinarily be separate instances of the underlying software product being used to support each client, which increasingly is capable of being configured in different ways, and which will be hosted across separate sets of infrastructure/data centres. It is accordingly entirely possible that an issue with such services could affect just a limited number of customers, or even just one. We are accordingly seeing an increasing push back from the buy side against excessive limitations or exclusions of liability, based on this increased understanding as to the mode of delivery of the services.
If it ain't broke…
In the same vein, customers are increasingly looking back at some of the provisions that they were used to getting in their "old" outsourcing contracts, and asking why the same principles should not apply in the new cloud enabled world.
To take one example: termination assistance. Some cloud contracts seem to treat termination as a matter of the dropping of a guillotine blade, ie whereby use of the relevant cloud service simply ends as at the point of termination. Contrast this with the usual approach with an outsourcing transaction, whereby the service provider would be obliged to continue the provision of services for a period of time (usually multiple months) so as to enable the customer to have an opportunity to transition the provision of the relevant services back in house, or to an alternative provider. The realisation has now dawned on customers that switching from one cloud-based solution to another is far from a simple or near instantaneous matter, and that in reality a lengthy period of transitional usage of the relevant cloud services will be required, exactly as would have been the case in the "traditional" outsourcing world. We have likewise seen cloud-based service providers accept this requirement in their contract negotiations.
The supply chain issue
Customer requirements for larger outsourcing transactions will frequently include statements as to flexibility, speed of deployment, the ability to "dial up and dial down" capacity and transaction volumes, and the avoidance of minimum spend commitments.
Previously, service providers might have had to try to accommodate such requirements on the basis of their own systems and capacity, which would place limitations on what they could do. However, the reality today is that - in relation to infrastructure at least - they will frequently instead look to utilise the capabilities and capacity of the larger cloud suppliers such as AWS, and layer their own service offerings on top.
The difficulty that this creates, however, is that the AWS standard contract terms (and those of their peers) are - as mentioned above - VERY supplier friendly. To take but one example, the standard provisions in such contracts regarding any failure of the services to be provided in line with their related specifications are that the service provider will "try" to resolve the underlying issues, but that if it cannot do so (without any particular time frame being set for this), then the contract can be terminated but on the basis that the sole and exclusive remedy for the customer thereafter is for it to be repaid any amounts it has pre-paid for the remainder of the relevant subscription period which is then being terminated.
So, this leaves a service provider who is negotiating an end to end outsourcing agreement with a particular customer in a potentially difficult position; assuming that the customer is then looking to put in place a market standard outsourcing agreement with the array of liability provisions, termination rights, warranties, indemnities etc that one would associate with such a contract, the ability of the service provider to flow down such provisions to its cloud-based subcontractor (upon whom it may be genuinely dependent for material elements of its service delivery capability) may be extremely constrained.
In such circumstances, the service provider may:
About the Author
Kit Burden is a Partner at DLA Piper. He specialises in the areas of outsourcing and complex technology transactions, advising both users and suppliers of IT, and outsourcing services and in relation to all aspects of the procurement process. His work ordinarily involves him on business-critical projects frequently valued in the hundreds of millions of pounds. Major clients he works for include UBS, Dixons Carphone, RBS, Lloyds Banking Group, CMC Markets, TUI, HSBC, HCL Technologies, Vimpelcom, Wipro and Allied Irish Banks, as well as various major insurers and retail banks and other large corporates and providers of IT and outsourcing services. He is identified as a leading IT and outsourcing lawyer by all of the leading legal directories, including the Legal 500, Legal Experts and Chambers, who variously describe him as "a brilliant IT lawyer" with "a grand reputation", and who "really does add value" to a deal. Chambers also lists him as one of only two lawyers with a "Star" reputation for outsourcing, and describes him as "an outsourcing guru".