A few years ago I was discussing cloud computing with a client. They were pioneers in the now ubiquitous metaverse who had developed solutions for field-level encryption of physical documents. Remarkable technology, and I was surprised they had no plans to migrate their IT systems. When I asked why, the chief engineer dismissed the idea with a deadpan, “The cloud? Other people’s servers.”
Concerns about the security of using other people’s servers have broadly given way, across sectors, to the realization that it is often a company’s best option to shelter behind the walls of the big cloud providers such as Salesforce, SAP, Microsoft Azure, AWS and Google Cloud. They are regular targets of criminal and state-sponsored hackers, of course, but the reality of a connected world is that any online system can be attacked from anywhere by anyone. At least a business can be assured that throwing in its lot with the big cloud means benefitting from some of the best-resourced security engineering available. The caveat is that this protection stops at the boundary of the provider’s own infrastructure: under the shared responsibility model the provider secures the data centres, hardware and underlying services, while the customer remains responsible for how it configures access, identities, encryption and the data it places there, and misconfiguration on that customer side is the usual cause of reported cloud data exposures. It should be said that smaller cloud providers are now generally as secure as the main players but, even then, may well make some use of the larger providers’ services. Dropbox, for one, runs a mix of its own servers and capacity rented from AWS.
Migrating a company’s IT to the big cloud will often satisfy certain IT security obligations owed under the company’s contracts with its customers and supply chain, as well as under the General Data Protection Regulation and the UK Data Protection Act 2018. But, as noted by my cynical client, the cloud comprises very physical servers located in real places. Exactly where is important to determine, as some contracts will prohibit certain types of data (such as personal medical or commercially sensitive information) being processed in certain jurisdictions. That may be due to the counterparty’s own corporate policy or the laws of its home country. In practice this means choosing the provider’s hosting region deliberately (the major providers let customers pin compute and storage to a named region) and confirming in the contract where backups, replicas and support staff access may reach, since those are the routes by which data quietly leaves the chosen region. Similarly, GDPR and DPA 2018 place restrictions on which countries personal data can be transferred to. If that data is to be transferred to the US, for example, the cloud provider will need to offer a lawful transfer mechanism, typically Standard Contractual Clauses or approved binding corporate rules, on top of the GDPR-compliant data processing agreement that any processor must provide wherever it is located. This follows the decision of the EU’s Court of Justice in July 2020 (the Schrems II judgment) to invalidate the EU-US Privacy Shield programme, which itself replaced the previous Safe Harbour regime, also invalidated by the Court.
Regulatory compliance aside, it is rare to be able to negotiate to any great extent the terms on which cloud servers are made available. This is both a result of the sheer bargaining power of the big cloud providers and a function of their business model, which is to treat the servers so far as possible as a commodity service: scalable by volume but generally delivered on a take-it-or-leave-it basis. This translates into very tight limitations of liability for loss, and service level agreements which may not guarantee the kinds of uptime some businesses would rely on; the usual remedy for a missed service level is a credit against future fees rather than compensation for the loss actually suffered. The counterbalance is that actual reliability is high enough that for many companies it is a reasonable risk to accept the big cloud terms. Even then a business should ensure its own contracts with customers incorporate equivalent protections, so that it does not promise downstream an uptime or a liability position that it cannot recover upstream from the provider.
Perhaps, though, the biggest driver to migrate to the big cloud will now be climate change. As companies start to commit to various Net Zero targets, it is essential to transition to IT systems which consume renewable energy, maximise resource efficiency and reduce plastic and electronic waste. Widely reported figures for the big cloud (largely from studies commissioned by the providers themselves, so worth reading with that in mind) indicate that businesses which have migrated use nearly 80% fewer servers and over 80% less power, and reduce carbon emissions by nearly 90%, both as a result of scale efficiencies and due to the big cloud providers’ own switch to renewable power.
The long term economic and political impact of a few big cloud providers hosting the IT systems of the world’s companies is, of course, another matter.