A number of studies I’ve recently read indicate that more enterprises will use cloud services in 2013 than ever before. This fact is not lost on many of my software vendor clients, who are transitioning many of their on-premises products into cloud-based offerings.
The problem many of these vendors are facing is the inability to address data privacy and security demands placed upon them by their customers due to the weak contractual protections offered by the vendor’s hosting providers. As a result, the time and cost savings expected by leveraging the cloud model are lost by extended contract negotiations between the vendor, customer, and hosting provider.
Here is a typical example:
(1) Software vendor wishes to offer its cloud-based service to a financial services company.
(2) The financial services company sends the software vendor its detailed requirements for information security controls, data privacy, breach detection and response, security program details and systems, disaster recovery, encryption, physical security, and data destruction and certification.
(3) Software vendor reviews the contract with its hosting provider to determine whether the financial services company’s security requirements can be met.
(4) Software vendor discovers that its hosting provider only commits to something like “we will implement reasonable and appropriate measures designed to help you secure your content against accidental or unlawful loss, access or disclosure.” (See, for example, Amazon’s Web Services Agreement, Section 3.1.)
(5) Panic ensues.
Generally, at this point the software vendor is left with a couple of options: One, attempt to renegotiate its hosting provider contract to incorporate the voluminous information security controls demanded by its financial services company customer, or two, convince the financial services company to drop its demands and accept language similar to Amazon’s above. You can guess how well each of these options will work out.
So what is a software vendor to do?
Before accepting a hosting provider’s contract, know your target customer base. Are your customers regulated by laws like Gramm-Leach-Bliley or HIPAA? Is your service likely going to be storing sensitive information of your customers? If the answer to these or similar questions is yes, then selecting a hosting provider willing to accommodate and contractually commit to specific data security protocols is paramount. Many enterprise users are feeling both internal and external pressure to shave costs and move certain services and data into the cloud – even if doing so creates heightened risks and liabilities. But simply explaining to these users that “our hosting provider doesn’t provide these assurances” usually won’t cut it.
In my next post, I’ll discuss certain tactics software vendors can use with their hosting providers to create more robust and meaningful protections for them, and their customers.

In total agreement, Dan. On of the things we learned early on at Buzzient is that Amazon’s default Terms of Service and SLA’s are designed for enterprise users. So, there’s a risk and capabilities gap. This is both the opportunity to set SLA’s with customers, as well as an opportunity for independent cloud hosting providers to differentiate. Great article.