When Indian energy giant Nayara Energy sued Microsoft on Monday for cutting off all paid-for services with no notice, it highlighted a relatively new risk for CIOs to worry about.
This goes beyond a vendor not delivering what it was supposed to, or outages that halt services. It raises the ugly scenario of a major partner deliberately cutting off services to an enterprise for any of a wide range of reasons.
In this instance, the cutoff was sought by the European Union (EU), in an attempt to pressure Russia to back off its assaults on Ukraine. But what if the requester was a government that just didn’t like what an enterprise said or did? What if the vendor itself was upset with the customer?
One extreme defensive move for an enterprise would be to implement full redundancy for anything not hosted on-premises. Redundancy for data protection is relatively straightforward, but having multiple email, supply chain, or e-commerce services is very expensive and disruptive. What are the odds that it would even be needed? Whatever those odds were, they just became much higher.
“[This is going to require] new tabletop exercises where you go through these new scenarios,” said Erik Avakian, technical counselor at Info-Tech Research Group and former longtime CISO for the Commonwealth of Pennsylvania. “It is now prudent to have this type of disaster recovery resilience.”
Avakian added that many enterprises are already, to varying degrees, dealing with data redundancy, but duplicating apps and other executables is much more challenging. “Duplication of executables conversations are not [yet] happening,” he noted.
In a statement released along with the lawsuit filing in India, Nayara said that the litigation is occurring because Microsoft imposed an “abrupt and unilateral suspension of critical services. Microsoft is currently restricting Nayara Energy’s access to its own data, proprietary tools, and products — despite these being acquired under fully paid-up licenses. This decision, based solely on Microsoft’s unilateral interpretation of recent European Union (EU) sanctions, sets a dangerous precedent for corporate overreach and raises serious concerns regarding its implications on India’s energy ecosystem.”
Microsoft did not respond to a request for comment, but its move was presumably in response to an EU regulation that called for “further restrictive measures.”
Some industry observers and analysts said that moves like this may require new contractual wording, but not everyone agreed.
Cameron Powell, a technology attorney with the law firm Gregor Wynne Arney, said Microsoft might have considered the contract valid, but simply calculated that it would cost them more money to defy the EU. That means that Microsoft might then have to compensate Nayara.
In other words, a good contract may get the enterprise its money back, but not necessarily the needed services.
Reevaluate third party vendors
Powell said that enterprises should reevaluate all third party vendors they use and consider having more local partners to avoid this kind of situation. Nayara “should have had an Indian provider all of that time” and they could have also made more extensive use of open source so that they could more easily move between competing environments. He also suggested evaluating hosting more applications on-prem.
This situation should force changes to risk evaluations during audits for third party risk, Powell added.
The ability to yank all services with no warning already exists in most technology contracts, within the terms of service, Powell pointed out. It typically states that violating any term of service could merit termination. Microsoft could have argued that selling fuel to a sanctioned state, Russia, in this instance, could violate those agreements.
Roger Grimes, a defense evangelist at risk management vendor KnowBe4, said this incident can and should change CIO third party strategies.
“CIOs need to look at their contracts and future contracts and review them in light of this type of disruption,” Grimes said. “I think this event is a new world type of event that now has to be considered when signing cloud service contracts going forward.”
Grimes added that this underscores the fact that enterprises often have less control of their environments than they assume.
“I think one of the most stressful outcomes of the abrupt disruption is the customer’s access to its own data. This example illustrates why it is super important for customers to understand who owns the data, and do they still get access to data stored on a cloud system when their subscription is cut,” Grimes said. “It’s never been more important to pay attention to the saying that cloud means someone else’s computer.”
Info-Tech’s Avakian said that one of the biggest concerns about the Microsoft-Nayara situation is that all services could be killed with no warning or notice.
“The abruptness of it is one of the biggest problems,”Avakian said. “A grace period would have been important.”
In this case, the abruptness of the Microsoft action may have been by design. The EU likely wanted the action to be punitive and painful, to send a strong message to any other company thinking of selling critical services to Russia. Had Microsoft given Nayara a few weeks’ notice, the company would have likely felt far less pain.
“The reliance on any one provider brings up a lot of things about the operational disruptions [possible today]”, Avakian said. “Microsoft is in a weird position, being in the middle.”
Read More from This Article: Welcome to the new world of risk: Microsoft cuts off services to energy company without notice
Source: News