Amazon Web Services, Okta and Stripe suspended or terminated service to Parler after the organised mob invasion of the US Capitol building in January. Not only did this effectively result in Parler’s business being shut down, but it was also a public demonstration of the willingness of technology service providers to “deplatform” undesirable customers.
Because organisations often depend on key public cloud providers for business-critical applications, executive leaders are re-evaluating public cloud risks in light of such actions.
Reasons for cloud contract termination
Deplatforming does not happen often, but it does happen. Technology service providers (TSPs) have rejected, terminated or announced they would no longer support contracts with certain companies before.
For example, Mastercard, Visa and PayPal terminated services to Pornhub, a YouTube-like site for adult videos, in December 2020, and Salesforce changed the language in its terms of service in 2019 to deny services to gun retailers.
Most TSPs require in their contracts that customers adhere to an “acceptable use policy” (AUP). The exact nuances of an AUP vary by company, yet almost all service providers at a minimum prohibit illegal activities, as well as content that exposes the provider to excessive risks.
Parler and PornHub represent different forms of “excessive risk” for providers, usually a high bar to reach given laws that shield service providers from liability. However, some more conventional organisations can fall foul of AUPs. A security provider, for instance, may fall foul of its cloud provider’s AUP if it conducts penetration testing or other “Red Team” attacks for customers.
Another example is where a business operates activities that are illegal in one or more countries, but not in their own. Despite activities being legal in its home country, businesses may be at risk with international service providers regardless of whether or not they also serve customers located in countries where those activities are not legal.
Businesses may also have their cloud service suspended if they lack effective cyber security and are repeatedly breached in a fashion that might be dangerous to others (for instance, where breached instances are used as part of a botnet). This risk exists in every industry, even the most uncontroversial ones, so it needs to be considered by every executive who knows their cyber security practices are lacking.
Some customers may also be concerned that deplatforming could occur as a result of the “voice of society” – employee activism, shareholder activism, corporate activism, and other forms of internal or external pressure driven by a particular cause – an interesting phenomenon we’ll be covering more in this year’s Gartner Summits.
Different service providers will have different stances toward such pressures, but assuming the public and media have influence in TSP decision-making is the recommended understanding when looking to mitigate risks.
What should be done to reduce risk exposure?
Few legitimate business customers are in any significant danger of breaching an AUP in a way that would result in suspension or termination.
However, to reduce the risk, Gartner recommends businesses negotiate an enterprise agreement, rather than operating on a click-through. While click-through agreements can be acceptable for pilot projects and short-term solutions for the pandemic, or as a “bridge” to an enterprise agreement, organisations should strive to obtain enterprise agreements wherever feasible.
At the very least, customers should negotiate amendments that may be required for risk reduction. As part of your cloud sourcing standards, ensure that AUP-related concerns are addressed through appropriate contract language that provides AUP clarifications or exceptions. All such contracts should be reviewed by legal counsel with experience examining cloud provider contracts.
It is also important to implement appropriate governance for cloud-hosted content. Implement appropriate content moderation and governance on all user-submitted content that is hosted in cloud environments for which you are responsible or liable. This includes any environments that you might share with your customers, partners or suppliers. While automated filters are likely to be useful, they may not be adequate, especially if you host consumer-submitted content. Gartner believes that content moderation for user-generated content is an emerging C-suite priority.
The third recommendation from Gartner is to create a cloud exit strategy. A cloud exit strategy is a vital step in identifying and managing cloud supplier-related risks. When you develop contingency plans for a cloud exit, use realistic scenarios and time frames, keeping in mind the non-renewal notification periods stated in contracts. In software as a service (SaaS), this may be as short as 30 days. In the case of most contractual concerns for cloud infrastructure as a service (IaaS) and platform as a service (PaaS), you will have one or two years to execute an exit.
IaaS providers – such as Amazon Web Services, Microsoft Azure and Google Cloud Platform – will normally work with customers that have an enterprise agreement on good-faith cure efforts, because they usually believe that violations are unintentional. When the cloud provider is forced to take enforcement action – for instance, because the customer is endangering the safe operation of the platform – it is likely to do so in a targeted fashion, by suspending or quarantining specific customer elements rather than suspending the customer as a whole.
While the risk is low for legitimate businesses, it cannot be ignored, and a little due diligence could go a long way to save your business from being deplatformed.
Lydia Leong is a research vice-president at Gartner.