With many clients moving towards cloud computing models and looking to outsource certain components of their business to cloud service providers, we often get asked to advise clients on the legal risks associated with opting for a single-cloud strategy versus a multi-cloud strategy.

A company is reliant on one cloud vendor to provide all elements of the cloud solution if it opts for a single-cloud strategy. The advantage of a single-cloud strategy is that the company is only required to manage one vendor when it comes to assessing the vendor's overall performance. The main issue with a single-cloud strategy is the lack of vendor flexibility and difficulty migrating to an alternative service provider, which often leads to companies choosing the multi-cloud strategy because of the wider degree of flexibility, capabilities and commercial benefits it offers.

One of the main risks we raise when it comes to choosing a single-cloud strategy is that it may lead to vendor lock-in, which refers to any one (or all) of the following situations:

  • where it is more economical to remain with the same cloud vendor than to try and switch to another vendor because of the costs involved in doing so;
  • where the company is stuck with its original vendor because of the difficulty of moving databases or undergoing a cloud migration; and/or
  • where the business becomes dependent on the cloud service, including any third party software that is incorporated into the business's processes, for continued business operations.

Vendor lock-in becomes a risk to the business in the following instances:

  • where the cloud vendor's quality of service deteriorates and fails to meet the agreed service levels;
  • if the cloud vendor makes major changes to their product offerings which results in the product no longer being fit for the company's business needs;
  • if the cloud vendor stops providing the cloud service entirely; or
  • where the cloud vendor unilaterally imposes a substantial price increase, knowing that the company is "locked in".

In order to mitigate these risks, the advice we generally provide to companies is for them to:

  • research the cloud vendor and request a proof of concept to assess the technical viability and suitability of their cloud solution;
  • keep data in a portable format, and not in the cloud vendor's specific format, to ensure that data is easy to move from one environment to another;
  • keep internal backups of all data, thereby eliminating the need to extract the data from the cloud vendor and ensuring that the data is easily accessible and available to host the data elsewhere; and/or
  • reduce dependency on one cloud provider, and rather opt for a multi-cloud

A multi-cloud strategy is almost always a more attractive option to companies because of the fact that: (i) the company is no longer dependent on one cloud provider to provide a core component of its main business; (ii) it offers the company reliability and redundancy because the majority of the cloud solution will still function and operate even if one of the cloud services are unavailable; (iii) it introduces flexibility in the type of cloud solution that can be established; (iv) the company is able to negotiate pricing benefits with each cloud vendor; and (v) the collaboration between various cloud services may create somewhat of a competitive advantage for the company within its industry.

However, choosing a multi-cloud strategy comes with its own risks and legal implications, some of which are explained below.

Firstly, the multi-cloud strategy requires interfacing with all cloud vendors. This means that the company is required to manage its contracts specifically in respect of the each vendor's processes and their technological capabilities. This also requires the company to be more alert in respect of the data being stored and processed by each cloud vendor to ensure that the company manages and is able to mitigate the risk of any security compromises or data breaches.

Secondly, where the various cloud services need to talk to one another in order to harmoniously deliver the cloud solution to the company and its customers, latency becomes a risk. The extent of any latency may depend on the integration of the various clouds, the geographical distance between data centres, and the extent of the interaction required between multiple clouds. This could have a material adverse effect on the continued business operations of the company, especially where the cloud solution is a core service to the company's overall service offering.

Thirdly, as a result of there being many components to the multi-cloud strategy, the company runs the risk of being exposed to greater vulnerabilities, such as data breaches due to cloud misconfiguration, as well as cyber-attacks.

Finally, the company may not have enough negotiation power to negotiate favourable legal positions with all of the cloud vendors, leaving the company exposed to additional risk and liability, low availability or uptime commitments, limited warranties and remedies, and no or very low service credit offerings.

Essentially, each company needs to determine what their risk position and appetite are before deciding which strategy will be best for their business needs and operations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.