Some information technology leaders have grown concerned that the multiprovider deplatforming of Parler represents a new cloud computing risk that organizations may not have previously been aware of. However, the reality is that for most businesses, there is a very low probability of sudden suspension or termination by a cloud provider.

Still, because organizations often depend on key public cloud providers for business-critical applications, IT leaders – especially those who contracted in haste for new cloud services at the start of the COVID-19 pandemic – should ensure that their cloud contracts provide reasonable terms and conditions, including adequate time to cure any contractual breaches that could result in suspension or termination of service.

What are the scenarios that put organizations at risk of contractual breaches?

Most service providers adhere to global internet norms for acceptable use. Each provider expresses such norms contractually, through terms of service and an acceptable use policy or AUP.

An AUP is incorporated by reference into contracts and can almost always be unilaterally changed by the provider without advance notice. Although terms of service and AUPs do vary — usually reflecting different providers’ appetites for risk — at a minimum, providers prohibit behavior that is illegal or that exposes the provider to technical or business risks.

Service providers in the United States are normally shielded from liability for good-faith content moderation — or the lack of moderation — by Section 230 of the 1996 Communications Decency Act. However, this shield is not total, and notably, federal criminal activity, sex trafficking and intellectual property infringement are not protected. Consequently, service providers are more likely to engage in strict enforcement of AUP violations that are not protected by the liability shield.

Most organizations are at low risk of breaching the AUP of a cloud infrastructure-as-a-service provider, such as Amazon Web Services, Microsoft Azure or Google Cloud Platform. However, the following conditions put organizations at higher risk of breaking an AUP in such a way that would be grounds for suspension or termination:

• Inadequately securing cloud resources in a way that would allow them to be abused
• Inadequate management of end-user behavior
• Inadequate content moderation

Importantly, organizations cannot breach the AUP because of their corporate identity. For instance, political organizations, religious organizations and businesses in “undesirable” industries such as tobacco are not at greater risk by their nature. A breach in cloud IaaS is the result of actions on the cloud provider’s platform.

Furthermore, organizations that run large-scale applications on an IaaS provider will typically negotiate enterprise agreements, which usually offer a minimum of 90 days to resolve a breach of contract prior to suspension. Click-through agreements — like the one Parler had — allow immediate suspension or termination for a breach of the terms of service or AUP, with a limited grace period. It’s also important to remember that cloud providers may not react to AUP violations in a standardized way because each violation involves a unique set of circumstances.

Bottom line: Virtually no cloud-adopting organization will have the same high-risk circumstances as Parler: (i) failing to moderate content effectively related to the commission of federal crimes and (ii) operating on an AWS click-through contract.

What makes a customer undesirable?

The use of any service provider depends on a relationship of trust and mutual business benefits. Naturally, most businesses want to avoid customers that represent a high degree of risk, which might be defined and evaluated in different ways.

Beyond AUP breaches, liability concerns, abuse or fraud concerns, activism concerns and competitive concerns are the key items that could impact enterprise relationships with their cloud provider. Organizations within particular industries (such as “vice” businesses) may be at greater risk of being regarded as undesirable. Although IaaS providers generally serve any type of customer, some software-as-a-service providers may choose to be more selective about the nature of their customers.

Regardless, Gartner recommends having an open and honest dialogue with any prospective cloud providers to ascertain their willingness to enter into a relationship with your organization and expand that relationship over the long term.

What are the key recommendations to reduce risk exposure?

Examine potential risks for cloud contract nonrenewals, unattractive renewal proposals and changes in business conditions that might lead you to seek alternative solutions or providers.

First, negotiate an enterprise contract, rather than operating on a click-through, with your cloud provider. While click-through agreements can be acceptable for pilot projects and short-term nonproduction use, or as a “bridge” to an enterprise contract, organizations should strive to obtain enterprise contracts wherever feasible.

Second, implement appropriate content moderation and governance on all employee-generated or user-submitted content that is hosted in cloud environments for which you are responsible or liable. This includes any environments that you might share with your customers, partners or suppliers. Gartner believes that content moderation for user-generated content is an emerging C-suite priority.

Third, create a cloud exit strategy — which is not the same as an exit plan. Rather, it is an exercise in identifying and managing cloud-vendor-related risks. If you decide to create a contingency plan for exiting a cloud provider, use realistic scenarios and time frames.

Do not underestimate the complexity, cost and risk of a cloud provider exit. In most cases, it takes at least a year to exit a cloud provider. Replacing a complex SaaS application and all of its integrations is an expensive and risky proposition that may require multiple years of effort. In IaaS and PaaS, balance the need for cloud portability against agility and cost. If you choose to invest in portability, prioritize the strategic long-lived applications, since short-lived tactical applications are less likely to need portability.

Lydia Leong is a distinguished vice president and analyst with Gartner Inc. Leong’s coverage is focused on cloud computing and infrastructure strategies. She wrote this article for SiliconANGLE. Join her and her colleagues at the 2021 Gartner IT Infrastructure, Operations and Cloud Strategies Conference, taking place in the U.S. Dec. 6-8.

Image: geralt/Pixabay