12/11/2020

Enterprise software giant, SAP, recently announced it will accelerate the transition of its core business from on-premise licences to cloud-based solutions for all its customers, which include the vast majority of large corporates throughout the world. See more in ‘SAP's move to the cloud spells admin drama for companies’.

SAP are not alone in promoting their cloud offerings over traditional software licences.  Over the past few years, the migration to cloud solutions from a wide range of providers has been increasingly prevalent.  Various organisations have preferred to remain primarily on-prem based, particularly for business critical systems or applications handling sensitive information.  There are many factors which influence the decision to opt for a cloud solution over an on-prem alternative.  While there may be benefits in adopting cloud solutions, they are not without their own set of risks and issues, some of which we consider below.

What is the true cost of moving to cloud solutions?

Software vendors offer many different pricing models, and the number only increases once cloud options are considered.  But is switching to the cloud beneficial in either the short or long term?  Here are some things to consider:

Has your organisation already purchased perpetual licences for on-premise software for which it is now expected to pay a subscription fee? 

Will the upfront fee, already paid for the perpetual licence, be credited against subscription fees?  These sunk costs should be factored into any decision to move to the cloud.

How will growth or decline in usage affect cost? 

Some cloud solutions are priced based on usage volumes (such as documents processed, profiles created or MB stored) whereas an existing on-premises solution might be enterprise-wide or user based and its fees not dependent on underlying usage.  It is common practice for a cloud solution to be priced such that the fees at the change-over date are roughly equivalent, with the result that any growth in usage may come at additional cost.

Do you require customisations or enhanced availability or support? 

With on-premise solutions, an organisation may have some control over this and may be able to engage different IT service providers to meet its requirements.  For a cloud solution, customised solutions may not even be possible or, if they are, the only option may be to engage the cloud provider, which eliminates the competitive tension usually required to achieve cost savings.

What assurances do you have that the cloud solution will be available for as long as you need it? 

Even end-of-life on-premise products may, in some instances, continue to be used on an unsupported basis (this comes with its own risks but might be appropriate for some non-critical applications).  However, this isn’t an option for cloud solutions where the vendor can shut down servers, forcing customers to migrate to alternative solutions based on the vendor’s timetable.


How is your data affected?

Who owns your data?  

It may seem obvious, but you should ensure that your contractual arrangements maintain your ownership rights over your data without exceptions.  If the cloud service creates new data, you should think about who should own that too.

What can the cloud service provider do with your data? 

While you may maintain ownership, you should carefully understand what rights the cloud provider has to use or commercialise it.  Some providers include rights in their contracts to analyse their customers’ data or commercialise aggregated sets of de-identified data.  This should be considered against the type of data you have and the sensitivity of it, what obligations you may have to third parties in respect of data you hold (for example, data about your customers), as well as the commercial value of the data to your organisation.

How will you know what data is yours?

It is important that your data is kept separate from other customers’ data.  The logical and physical separation between the data of different customers is usually less well defined (or undefined) in cloud platform services.  Companies should review the segregation mechanisms used to ensure that their data is kept separate and protected from security breaches.


What security and back-up measures apply?

Think of the lengths your organisation goes to in order to ensure the integrity and availability of its data. How will you ensure that your cloud service provider has mechanisms to do the same?

While cloud service providers will usually have in place a better standard of security than many organisations (as well as the resources necessary to continually improve their security), customers will have far less control over security in the cloud.

Who performs backups and where are they stored?

If your provider doesn’t regularly back up your data, you may need to ensure that you have the ability to do so yourself.  Even if your provider performs backups, you should consider whether the purpose of backing up is achieved if the same organisation is running your primary and redundant systems.

Once controls are agreed, how will you ensure they are maintained?

It may be beneficial to have regular audits and/or rights to carry out penetration testing, so that you can test that your cloud service provider’s security measures are adequate for your purposes.  Another means of managing risks could be the inclusion of a service level regime that incentivises providers to deliver on their promises.  However, the nature of many cloud services means they don’t provide customers with these kinds of rights.

And what if an incident occurs? 

There should be clear processes in place and responsibilities defined to respond to and manage that incident.  This may include adapting your own incident response plans to contemplate security incidents affecting a cloud provider.  You should ensure that you have an appropriate level of support in the case of such incidents.


Your legal obligations continue to apply in the cloud. How will you ensure compliance?

Are there Privacy Act implications? 

Cloud service providers often store data overseas.  This may trigger restrictions in the Privacy Act 1988 (Cth) (Privacy Act).  Australian Privacy Principle 8 (APP 8) and section 16C apply when an organisation discloses personal information overseas.  APP 8.1 states that before an organisation discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information.  It is also key to note that when an organisation discloses personal information to an overseas recipient, it will be liable for any acts by that overseas recipient that breach the APPs.  While guidance published by the OAIC indicates that transferring personal information to a cloud service provider may not be a “disclosure” for the purposes of APP 8, this guidance is not legally binding and is, in any event, subject to a number of conditions listed in the OAIC’s guidance.

Are you subject to industry specific regulations?

Customers who are subject to APRA Prudential Standard CPS 234 (Information Security) (CPS 234) have obligations to ensure the security, integrity and availability of their information assets.  A cloud service provider will almost certainly be considered to be managing your information assets so there are minimum requirements under CPS 234 which must be flowed down.

Are you a Government entity? 

There are various record keeping obligations on Federal and State/Territory agencies, such as the State Records Act 1998 (NSW) (Records Acts). The Records Acts typically prevent agencies from taking or sending records out of the jurisdiction without approval. Approvals may need to be arranged if cloud vendors cannot guarantee records will remain in the required jurisdiction.

How will the decision affect your customers and other stakeholders? 

If the data relates to your customers, suppliers, employees, or other stakeholders, you should consider if your contractual arrangements with them permit you to keep and process that data in the cloud.

 

Authors: Andrew Hii, Mark Ferguson, Catherine Gamble
