One of the most heavily negotiated provisions of a cloud computing contract is the provision dealing with physical and data security. Several years ago, the typical Application Service Provider (ASP) agreement required the service provider to comply with “industry standard security practices” while performing the services. Customers and service providers soon realized the “industry” didn’t have a defined set of security standards.
Today it is not uncommon for customers and service providers to spend many contentious hours negotiating the physical and data security requirements in their agreements, often resulting in a lengthy exhibit to the agreement. The tension arises from service providers, on the one hand, wanting to have a consistent set of security standards across their customer-base to allow for the efficiencies of a cloud-based model, and customers, on the other hand, wanting to negotiate specific and customized security requirements based on their internal controls and policies. I’ve seen cloud computing transactions crater over this issue.
A few days ago Andreas Antonopoulos of NetworkWorld wrote an interesting article in which he argued that security will rescue the cloud computing industry. Indeed, Antonopoulos suggests that with infrastructure-as-a-service (IaaS) becoming commoditized, service providers can use security “to up-sell each customer with a high profit margin product to balance out the dismal or loss-leading margins of the core product.” Antonopoulos raises a good point, and as the industry continues to mature, it will be interesting to see whether service providers offer robust security provisions as a differentiator in their contracts. I know many customers who would welcome such a development. Of course, the elephant in the room will be the amount of liability service providers will accept if they fail to live up to their security obligations. That’s a topic for another day.