Showing results for 
Search instead for 
Did you mean: 
Level 1

The Top Dangers Lurking in Your CSP EULA

At Veritas, we hear these questions from customers all the time: What do you mean my files were deleted because they were not in compliance? My cloud service provider (CSP) isn't backing up my data? How can my CSP fine me for violating protocol? How am I supposed to make sense of these protocols?

What customers often don't realize is they, not their CSP, are responsible for data protection and compliance. If they don't take action, the consequences can be financial, reputational, and even legal.

As we discussed in "Cloud EULAs are Complex – Why You Need to Read the Fine Print" post, it's no surprise that many enterprises, like ourselves, quickly agree to the terms of their CSP end-user license agreement (EULA) without carefully reading them. They do not agree with the terms out of stupidity. These are complex and lengthy documents not easily understood by someone without a law degree. So many times, an enterprise cloud administrator will quickly scroll through and click "accept," presuming the CSP had drawn up terms that would offer reasonable protection for customers. But the truth is, they often fall short of expectations.

As cloud adoption grows, the EULA must also become more expansive to mitigate the risk of exposure by the CSP. This makes the situation more difficult for the end-user. Most EULAs are growing longer and more complex as the CSPs take on more work for their enterprise customer and manage more data and applications. As this scenario unfolds, what are the worst potential pitfalls hiding in a typical cloud service provider EULA?

Here are the top three:

  1. The customer, not the CSP, is responsible for workload downtime due to cloud outages. Let's say your IaaS, PaaS, or SaaS vendor experiences an outage, and that causes a workload to fail or degrades the performance of a mobile app. It could mean lost sales or unhappy customers. Some EULAs will refund the customer lost minutes due to the outage, but the CSP's customer is ultimately responsible for lost revenues and/or labor costs. This can get costly quickly.
  2. Customers are responsible for data protection in the cloud. Transferring data from on-premises systems and storing it in the cloud introduces new risks. Most CSP EULAs put the responsibility on the customer to protect, govern, and recover their cloud-based workload data. Some customers may be entirely relying on the CSP for data protection, or have a security problem in their setup. This means if there's a DDoS attack that takes down a cloud provider, and your website or apps with it, your company owns complete responsibility for any lost data or breaches.
  3. The customer is responsible for meeting compliance regulations. New data privacy regulations, like GDPR and CCPA, require companies to delete a customer's personal data in some instances permanently. Yet as our 2019 Truth in Cloud report found, just six in ten companies have guarantees from their cloud service providers that data will be deleted if there is a contract termination. Many EULAs don't provide this guarantee. This can mean stiff penalties and damage to your business' reputation.

Additionally, other hidden potential pitfalls in EULAs include the CSP's ability to throttle users when their servers are being flooded with requests and provisions prohibiting the storage of classified information on the CSP's servers. Some EULA pitfalls may only affect a small number of users compared to others but still have a significant impact.

Always keep in mind that the EULA is an instrument designed to protect the CSP's rights and interests, not the customer needs.

The good news is we at Veritas are working hard to help our customers stay ahead of the game. In so doing, we can help minimize risks and reduce the financial, operational, or reputational "hit" they take when scenarios such as those above and others occur.