Alex Hamilton, principal at Radiant Law with a background in IT outsourcing contracts, said that public cloud is very different from traditional IT outsourcing.
"You'll never get to a point where you're happy with the contract," he said. "You'll never be satisfied with the terms.
"SLAs are full of holes," Hamilton continued, "and yet the performance is generally very good. And you can monitor it. But how do you build trust in this new environment? You need to work out fall-back options, and an exit strategy."
Hamilton was speaking at the Computing Data Centre Summit 2013 during a panel debate on the proliferation and impact of "as-a-service" offerings, which was moderated by Andy Burton, founder of the Cloud Industry Forum.
The other panelists were in broad agreement that public cloud is a very different beast to traditional IT outsourcing and that the issue of trust must be approached in a different way, given the nature of the contracts.
"You have very little power," said Simon Davey, group head of IT at insurance brokers Kerry London Group. "Service credits are pretty meaningless if you've lost your transactional website for a week".
Steve Howes, managing director of the Rail Settlement Plan for the Association of Train Operating Companies (ATOC), agreed that compensation from public cloud providers is generally inadequate.
"Credits offer spurious comfort. On average the reputational loss far outweighs the compensation," he said, going on to advise users not to transfer risk to the supplier, to be rigorous in exercising due diligence and to try to get some audit rights. However, this could be easier said than done, as Richard Giles, IT director retail at Ladbrokes, explained.
"When we first suggested going with Google Mail our legal department went into a spin," Giles said. "They said ‘the contract is highly biased, and 99.8 per cent uptime is not a great figure', so we raised this with Google but they said the contract was non-negotiable. As a large PLC this is not a position that you ever expect to find yourself in."
Set against this lack of flexibility, though, Giles said he never heard a bad reference about Google Mail so decided to use the service, with the proviso that no sensitive or important data was to ever be put in the Google cloud.
However, where more mission-critical systems are involved, Giles emphasised the importance of taking control, which, he said, might seem counter-intuitive in an outsourcing deal.
Describing a separate contract involving the outsourcing of Ladbroke's transactional web site, he said: "They have the engineering skills but we understand the requirements. We didn't let them do what they wanted to do. They said ‘you're backed by an SLA so why would you care?' - but there's no way the SLA can compensate for any financial loss."
"SLAs are generally there to change behaviour," said Hamilton. "But in a public cloud provider they won't change behaviour, because they want to get everyone on the same system and give everyone the same service. Service credits are a fig leaf."
[Turn to next page]