VOX

We've all been there. We're downloading new software when a window pops up, asking us to scroll through and review an endless amount of legal text. In a hurry, we click "I accept" without thinking much of it. We install the software not knowing what we just agreed to, feeling the chances are minimal; there will be negative consequences.

But many enterprises looking to accelerate the adoption of a hybrid multicloud approach to reduce their data center footprint and drive business agility are experiencing unpleasant surprises. That's because when an executive or cloud architect signs these end-user license agreements (EULAs) with their cloud service provider (CSP), they often don't take the time to review these increasingly complex documents. And who can blame them? As a result, enterprises don't fully understand the risks and responsibilities contained within them.  

For example, most are not aware of who owns responsibility for data management in the cloud. Buried in all that "legalese" is text saying that the customer, NOT the CSP, is responsible for data privacy, compliance, data protection, and the uptime of their cloud-based applications. This might seem counterintuitive or difficult to comprehend. But it is the truth. And there is little the enterprise can do to change these restrictive terms.

Background about EULAs

End-user license agreements first became commonplace in the 1980s, as a way for software vendors to combat piracy. Many early EULAs were only a few paragraphs long, and the information contained within them was simple: Don't copy our software. Over time, they have become more complex, sometimes exceeding 30 pages.

Some of the increasing complexity, especially with today's cloud vendor EULAs, reflects the complicated nature of running a business in the cloud. We couldn't have envisioned sophisticated cloud data security issues and data privacy regulations like GDPR, impacting how we store data in the cloud, 20 years ago. As EULAs have become more complicated, it's more important than ever to read them carefully. And when possible, to make sure the risks and responsibilities are better understood.

How is a EULA different from an SLA?

It's helpful to distinguish a EULA from a cloud service level agreement (SLA). An SLA has the same intent as a EULA – both are a contract between the CSP and the customer/end-user. But SLAs are typically shorter, with more plain-speaking language, and are more consumable by an end-user without a law degree. An SLA usually provides some guarantees by the CSP around service uptime and other service requirements.

By comparison, a EULA is longer, repetitive, and intentionally unclear, and even those with a legal degree might find them daunting. Part of the reason EULAs are so dense in legal jargon is so that lawyers can argue any point they want because you can interpret the complexity in any direction. This means that the side with the better lawyers will likely win regardless of the language's intent.

A EULA is usually designed for one purpose: protecting the rights of the CSP, not the customer or end-user. Unlike an SLA, a EULA doesn't provide any guarantees of service levels for the customer.

Why cloud EULAs are an emerging issue

Veritas partners with all of the top cloud service providers, and we work with customers to maximize their cloud infrastructure and optimize their cloud workloads with multi-cloud management tools. We're hearing from more customers that have experienced a cloud service outage impacting an application's performance or had their service throttled by their CSP. These customers may have had unrealistic expectations of cloud performance based on misunderstanding the EULA. Now, they're trapped.

The misconception of responsibility doesn't stop there. Our 2019 Truth in Cloud report found that 84 percent of enterprises mistakenly believe that their CSP is responsible for data protection. These issues related to misunderstanding cloud service EULAs will only become more urgent as more enterprises pursue a hybrid cloud approach.

The best way to embrace a cloud-first approach is with your eyes wide open. Understanding the benefits and potential risks of a multicloud approach starts with transparently acknowledging your company's responsibilities under the CSP EULA.