How to get what you paid for after signing on for cloud services.
The decision to partner with a cloud vendor has been made; now the more difficult part begins. IT owners must negotiate an iron-clad contract to ensure the promise of cloud becomes a reality for their business.
According to Thomas Trappler, Director of Software Licensing at UCLA in California, the process doesn't need to be such a challenge if IT professionals know what to include in the cloud contract. Trappler, who co-authored the book "Contracting for Cloud Services," says negotiating the ideal contract for your needs upfront will enable a more successful cloud implementation. And while the book includes a 137-point checklist, Trappler highlighted several key items in a recent interview for CA Technologies and its Cloud Luminaries series.
To start, Trappler advises cloud customers to incorporate any verbal promises of service into writing for the contract. While the sales pitch may sound all well and good, it won't hold up in a few months when the cloud services you've contracted fail to meet your expectations.
"Your best bet is to find out what they can do, and, if that meets your needs, then codify that in the contract," Trappler says.
The types of things you will want to include in the contract range from availability metrics to security measures the vendor has in place. And it's not always what you might expect, according to Trappler. For instance, when considering availability, be certain to ask about and incorporate any scheduled downtime the vendor has planned. Despite contracting for, say, "five-nines availability," scheduled downtime during peak business hours for you could wreak havoc on your contracted metrics - and the vendor could be off the hook if you didn't account for the time in the contract, Trappler explains. And, perhaps more importantly, your business could suffer.
"Oftentimes the definitions will exclude from the definition of uptime, or exclude from the definition of downtime, any downtime that was already previously scheduled or announced for maintenance or fixes. Suddenly your 99.9% uptime is actually less than that, but it doesn't count up against your downtime," Trappler says. "If they're always going to be down on the third Saturday of every month and that's your peak monthly processing time, you can be in a world of problems."
The same attention to detail must be taken when addressing the vendor's security. There are several aspects of security that should be considered, and they aren't always obvious. For instance, there is the information security aspect that includes the types of firewalls being used and data encryption. Then there is the physical security angle some might not consider, Trappler says.
"Physical security sometimes gets forgotten; old-fashioned stuff. Does the cloud vendor have a security policy? What is it? What are they doing for access control? Do they have guards and fences and traditional things like that? Are they in a non-descript location?" Trappler explains.
And customers need to also consider infrastructure management as it relates to security when building a cloud contract "because they're so intertwined." For instance, the vendor's change management and patch management processes will impact your service and should be considered when drafting the contract. Also the vendor's disaster recovery and business continuity plans need to be known upfront to ensure your business and data is protected.
"The latter is more on the infrastructure side, but they are so intertwined. Where is your security if their data center crashes, if it goes down or it gets hit by disaster," Trappler says.
Customers must also plan for the end of service when beginning a contract with a cloud vendor. That means understanding what will happen to your data when you are no longer a customer and ensuring the vendor doesn't keep any remnants of your data. Key points to consider are: what is the process in which you data comes back to you?; what specific timeframe does it come back to you?; and what format does it come back to you in? Understanding these metrics upfront will ensure a smooth exit.
"I know this sounds like ‘Find your divorce lawyer before you get married,' but that's the key element. You're in there as a service... and you need to know how you're going to get out of that," Trappler says.
How did you handle cloud contract negotiations? What advice could you offer others on how to build a secure cloud contract? Please leave a comment here, let me know via Twitter @DDubie or e-mail me directly at Denise.Dubie@ca.com.