Gartner Global IT Council for Cloud Services Outlines Rights and Responsibilities for Cloud Computing Services

The Council Defines Six Rights and One Responsibility of Service Consumers That Will Help Providers and Consumers Establish and Maintain Successful Business Relationships

STAMFORD, Conn., July 12, 2010 - All cloud services customers should have some basic rights to protect their interests, and Gartner, Inc.’s Global IT Council for Cloud Services has defined six rights and one responsibility of service customers that will help providers and consumers establish and maintain successful business relationships.

Gartner has established the Global IT Council for Cloud Services to facilitate successful business relationships between cloud service providers and consumers. The Council, which consists of CIOs of large enterprises that consume cloud services and Gartner analysts, has made identifying key rights of service consumers, and how they might be upheld, a key priority.

“If cloud services are commoditized, providers should offer stronger customer guarantees,” said Daryl Plummer, managing vice president and Gartner fellow. “However, service providers either do not offer protections or vary greatly in the protections they do offer. We believe that the Global IT Council for Cloud Services can facilitate improvements in industry practices that will benefit not only IT customers and clients, but also developers, vendors and other stakeholders.”

The Gartner Global IT Council for Cloud Services is examining the most pressing issues affecting cloud computing today, and the Council has identified six rights and one responsibility of cloud computing services consumers that it believes will enable providers and consumers to work more productively together. They include:

The right to retain ownership, use and control one’s own data - Service consumers should retain ownership of, and the rights to use, their own data. The Council insisted on the importance of data security in the issue of ownership and control. The provider must specify what it can do with the consumer’s data. Lack of clarity on this point can lead to costly legal battles. Lastly, the consumer could lose control of its data if the service provider goes out of business or is sold to another company. The original contract or service-level agreement must provide for the clear disposition of the service consumer’s data, in case the provider can no longer provide service.

The right to service-level agreements that address liabilities, remediation and business outcomes - All computing services, including cloud services, suffer slowdowns and failures. However, cloud services providers seldom commit to recovery times, specify the forms of remediation or spell out the procedures they will follow. To make service-level agreements relevant to the business, providers do not have to customize them for every consumer; rather, the agreements should comprehensively address the business issues implied in the type of service offered. The provider’s contract should not simply guarantee a certain turnaround time for adding capacity; it should specify how it will deliver that capacity.

The right to notification and choice about changes that affect the service consumers’ business processes - Every service provider will need to take down its systems, interrupt its services or make other changes in order to increase capacity and otherwise ensure that its infrastructure will serve consumers adequately in the long term. Protecting the consumer’s business processes entails providing advance notification of major upgrades or system changes, and granting the consumer some control over when it makes the switch. Such changes might include upgrading a software-as-a-service application, implementing, introducing new versions of services, changing the location from which the service is provided, entering or exiting a business, shuttering a facility, and so on.

The right to understand the technical limitations or requirements of the service up front - Most service providers do not fully explain their own systems, technical requirements and limitations, so after consumers have committed to a cloud service, they run the risk of not being able to adjust to major changes, at least not without a big investment. Service consumers and providers must do a better job of keeping each other informed about their technical limitations, particularly for complex, long-term projects or complex architectures and systems.

The right to understand the legal requirements of jurisdictions in which the provider operates - If the cloud provider stores or transports the consumer’s data in or through a foreign country, the service consumer becomes subject to laws and regulations it may not know anything about. Service providers have not done a good job of explaining which jurisdictions they put data in and what legal requirements the service consumer must, therefore, meet. The service consumer needs reassurance that the provider does not violate any country’s rules for which the consumer may be held accountable.

The right to know what security processes the provider follows - With cloud computing, security breaches can happen at multiple levels of technology and use. Service consumers must understand the processes a provider uses, so that security at one level (such as the server) does not subvert security at another level (such as the network). Without this knowledge, service consumers risk security violations caused solely by the provider not accounting for the ways in which consumers might use a service. Service consumers also need to understand a provider’s business continuity plans, so that they can ensure that their own operations continue in an emergency. Service providers are not consistent in explaining either their security processes or their business continuity plans.

The responsibility to understand and adhere to software license requirements - Providers and consumers must come to an understanding about how the proper use of software licenses will be assured. On the one hand, providers must be held harmless, if the service consumer puts the software it licenses from a third party in the cloud yet violates the licensing agreement. On the other hand, the provider should not agree to an audit directly by the vendor, if the consumer owns the software licenses. The service consumer must take charge of the audit, because it needs to consider the whole context: both what the consumer runs in the cloud (perhaps using several service providers) and what it runs on its own infrastructure.

Seven Rights and Responsibilities Benefit Both Service Providers and Consumers

“These seven rights and responsibilities will benefit both service providers and service consumers. Respecting these rights will require effort and expense from providers, but securing the rights will encourage enterprises to put more of their business into the cloud,” said Mr. Plummer. “However, the seven rights will not become a reality unless enterprises insist on them when they negotiate with service providers. We urge all enterprises to do what they can to establish these rights and responsibilities as the standard for cloud computing.”

Additional information is in the Gartner report “Gartner Global IT Council for Cloud Service: Rights and Responsibilities for Consumers of Cloud Computing Services.” The report is available on Gartner’s website at

A panel of Gartner analysts and CIOs will discuss the recommendations of the Gartner Global IT Council for Cloud Services at Gartner Symposium/ITxpo in Orlando, FL., at 8 a.m. EDT on Wednesday October 20, 2010. More information is available on the event website at

About the Gartner Global IT Council

The Gartner Global IT Council brings together IT leaders to discuss a chronic challenge and to develop a common approach to solving it. A Council is facilitated and moderated by Gartner, but it represents the members’ views, not necessarily Gartner’s views. Council meetings encourage free, open-ended discussion that will result in actionable real-world recommendations and drive fundamental changes in the way the IT industry works.

The Gartner Global IT Council for Cloud Services includes CIO members from companies including Dow Jones; Lincoln Laboratory, Massachusetts Institute of Technology; Home Box Office; American Life Insurance; Orkla; Tata Steel; Estee Lauder; International Finance Corporation; Pirelli; Marathon Oil; State of Michigan; and Anheuser-Busch InBev.

About Gartner

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 4,000 associates, including 1,200 research analysts and consultants in 80 countries. For more information, visit