By Paula Klein
As businesses and government agencies increasingly begin to host applications in the public cloud, they are finding that it is a new frontier in terms of contract negotiations. Service levels, data access, scalability and security are just a few of the issues that CIOs need to settle before the services are deployed. And while some of these concerns resemble those of outsourcing contracts of the past, there are new wrinkles to consider as well.
You "have to understand and define mission success," says Julie Boughn, CIO of the U.S. government's Centers for Medicare and Medicaid Services (CMS). "Success is not building a system; business outcomes are key, and that has to be critical for cloud-based services."
Boughn is currently interested in cloud models for low-risk administrative operations such as e-mail and office applications. For example, CMS, a division of the Health and Human Services agency, uses a customer service capability to track and manage public relations events. Managing that in-house would require a custom-built program and new computing resources, she says, and since it's not mission-critical, CMS is using Salesforce.com as the service provider for the application. Service level agreements need to address very specific details, such as how many concurrent users need to be supported, she says.
No Room for Compromise
While federal agencies are being urged to explore cloud options by federal CIO Vivek Kundra, Boughn will pick and choose applications carefully. "To me, cloud doesn't absolve us of our responsibility to reach our business goals," she says. "CMS' business is operating the Medicare and Medicaid programs so that nearly 100 million beneficiaries receive health care." That core mission can't be compromised even if cost-savings may result.
While CMS is a long-time user of IT outsourcing, putting its core transaction processing system in the public cloud is a long way off – if ever. "CMS is really a very large health insurer in terms of what we do," Boughn says, and "massive amounts of data" are handled every day. "I don't think I could find a provider to do our unique type of processing at the quality and scale we need," she says. Moreover, the issues of security and privacy require a high level of trust in the service provider, Boughn says.
Scott McPherson, CIO at the Florida House of Representatives, is well aware of the trust needed when hosting applications on the public cloud. The Sunshine State hosted its census-data collection, myflorida.com, on Microsoft's Azure cloud platform using Silverlight earlier this year. The legislature saved about $300,000 by not investing in new hardware and not using state resources for the project. And while security and privacy are very important, McPherson says that the Florida House wanted the data to be publicly available, since it will be used for redistricting purposes later in 2011 and 2012. There are some grey areas, though, he admits.
"We look to Microsoft to provide security; that's what the cloud is. We are aggressively working with [Microsoft] to ensure this," he adds. At the same time, McPherson says that the state website announces that information supplied becomes public record unless it's exempted. "There isn't an expectation of privacy when you file in the state of Florida," he says. The federal census bureau protects its data, as does Microsoft.
Too Much Trust?
Shahed Latif, a partner in KPMG's Advisory Services who co-authored a book titled Cloud Security and Privacy (O'Reilly Media, 2009), believes that some customers are too trusting of their vendors and they forget that due diligence is a critical part of contract negotiations. "Most cloud contracts are still building maturity," he says. In particular, small businesses or those without huge procurement departments have to be careful about what they're getting in the cloud.
One biotech firm he worked with realized some assurances were missing after it signed a contract, according to Latif. At that point, the company had to involve the legal team, procurement, IT and the business group to push for greater protections. "Many early adopters are now working backward," he says, trying to put safeguards in place after they've signed on to a service.
A better approach is to be proactive, he says. "Don't be led by a vendor; have your questions ready when you approach [the vendor] and use the same evaluation methodology you would for other vendors." Good cloud providers should be able to respond to your specific needs.
Like Boughn at CMS, Latif says to carefully consider what applications to put in the cloud; "if it's too sensitive, don't do it." He also offers a checklist of criteria that customers should consider when selecting a cloud provider. (See sidebar.)
Florida's McPherson also offers some caveats for cloud contract negotiations. While he says he doesn't have very granular service level agreements with Microsoft for his application, such agreements are "absolutely essential if you're going to move large amounts of critical data to the cloud." Particularly if you need to be compliant with Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) requirements, he says, contracts have to be very specific.
McPherson describes three key issues that cloud providers need to address "before it's really mainstream." These are: security and privacy; capacity planning to be sure applications can scale without latency or loss of performance; and connectivity, which means there should be alternate ways to get data for disaster recovery.
The third point is especially important as the Florida House looks to new cloud services, he says. "We're hopeful that the redistricting program goes well based on the success of the census program," he says. Yet, he admits that "this is an experiment for us. We won't put new apps in the cloud until we know they're secure. We know the Internet is a single point of failure."
Originally published on the Microsoft CIO Network.