Incomplete Thought: The Crushing Costs of Complying With Cloud Customer “Right To Audit” Clauses
As Cloud Computing continues to capture the hearts, minds and other assorted organs of business folk everywhere, the economics of outsourcing services to the Cloud come more and more into focus. Here’s one element that I don’t think is being paid much attention, however*:
While most of the cost/benefit analysis being discussed relates to the “consumer” side of Cloud, the providers themselves have an equally burgeoning cost issue surfacing: satisfying right-to-audit clauses.
Almost all of the Cloud providers I have spoken to are being absolutely hammered by customers acting on their “right to audit” clauses in contracts. This is a change in behavior. Most customers have traditionally not acted on these clauses as they used them more as contingency/insurance options. With the uncertainty relating to confidentiality, integrity and availability of Cloud services, this is no more. Cloud providers continue to lament that they really, really want a standardized way of responding to these requests.**
These providers — IaaS, PaaS and especially SaaS — are having to staff up and spend considerable amounts of time, money and resources on satisfying these requests from customers.
When I negotiated contracts for outsourced services, I always required an RTA clause. It was non-negotiable. I also acted on them several times in response to an issue or request from an auditor/regulator.
If you aren’t writing these clauses into your contracts, you should be. For those of you who have done so, good on you for being diligent. To those providers who are eating it with the load this renders, I feel your pain but I fear it will only get worse.
* This WordPress theme makes indented captions look like quotes. This is a highlighted section written by me and is not a quote from someone else. Sorry for any confusion.
** This is where/why Cloud providers should get involved with the Cloud Security Alliance — we can, as a community, facilitate both expectations and deliverables from both the consumer and provider perspective…