By Todd R. Weiss
Savvy IT executives who are looking to reach agreements with cloud vendors must have two key goals in mind at the table: making sure that their businesses get exactly what they need and not leaving the negotiations until every question has an answer and every variable has been addressed in writing.
That's the advice of Thomas Trappler, a cloud contract expert who lectures regularly on this critical subject.
Trappler, who for the last 10 years has worked as the director of software licensing for UCLA, has been covering cloud contracts in his work for years and offers a list of 5 keys to ensuring that your company ultimately enters into the best cloud contract for your organization:
- 1. Your company is buying a service, and service is the key word to keep in mind
"The service is just an end result," Trappler said. "So think in terms of what you need, the minimum levels of the services and how much those services will be avail to do your company's work. Perhaps that means certain times of the week or day."
What is critical is that you need to put into the contract exactly what you expect and demand from your vendor, he said. "Think about what is important to you. Then put a metric in for each step so it can be measured. Attach to each metric a minimum service level that the vendor should meet, how will be measured and what will happen to vendor if they don’t meet it."
It's not a monetary penalty that you want if the metric isn't met, he explained. "You don’t want money. You want to motivate the vendor to reach the metrics. It's something to use to draw the conversation in during negotiations."
- 2. It's all about the data
As you go into the negotiations, always remember that it's your data that you are asking a vendor to oversee and protect, said Trappler. "It may be sensitive, restricted or regulated, but it's being put out there in someone else's care."
That means you must ask every possible question about how the vendor will be watching over it to protect your business, he said. "You want to know about how you can be sure that your data is being treated correctly. You want to be sure that there is no dilution of your ownership rights in the vendor's possession or processing of the data."
Then you also want to get in writing what will happen when the day comes for you to end the vendor's contract, he said. "One really important thing to ask is how do you get your data back when it's time to move on? What formats will the data be in? What's the process? How will this be done? In the contract, you have to point out the specifics of what you want to happen."
- 3. Ask about the security steps used by the vendor
Even if it already seems self-explanatory, put into the contract all the details that specifically address how the cloud vendor will protect and secure your critical business data, said Trappler.
"Ask how is it being kept safe?" he said. "Tell the vendor, 'you now have my data, and in the ideal world I've embraced your technology and now I'm dependent on it.' Find out how they are truly protecting it."
That means that you need to know the security standards that they will use for the data storage, and that you can write in methods to confirm that those practices are being undertaken, said Trappler. "Make sure their claims meet what they say that they do. Ask to have it shown and proven."
Among the important security standards to ask about and specify in the contract are ISO 27001 and AICPA SSAE16 standards, which can help your organization have ultimate confidence in the vendor's handling of your data.
- 4. Include contract details about vendor management
When your company moves to a cloud infrastructure, it "tends to be a paradigm shift, from building and maintaining it on your own to a contractually-managed relationship where you are now paying someone outside your domain to do it for you," said Trappler. "So how do you know if they are doing it right?"
That's why you have to include vendor management details as part of your contract, he said. "Ideally, it is going to be a long-term relationship. So ask in the contract how will this relationship work out after today? What will it cost? What happens if the cloud vendor gets bought or merges with another one? What happens when the vendor outsources a service you are buying from the vendor? It's all about relationships and managing that relationship with a contract."
- 5. Preparing the right contract is even more important than choosing the right vendor
"The cloud is too big for any one person to handle," said Trappler. "So go forth and don’t do this on your own. Go back to your IT shop and build a team" to tackle the cloud in your work. And that team, he said, should include more people than just those in your IT department. "The cloud touches on many areas," he said. "It can include attorneys, security people, and others. That team can be there to establish guidelines and best practices for how your organization can adopt cloud services."
In the end, there's a lot to review, to cover and to include in the contract phase, said Trappler.
"Sometimes it can seem rather overwhelming," he said.
That's why having a well-written and constructed contract can make all the difference for your evolving cloud efforts.
Are there other steps not mentioned here that you have included in your cloud negotiations on behalf of your companies?
I'd love to hear about them so I can share them with other readers here on Clearing Up the Cloud.
Todd R. Weiss is an award-winning technology journalist and freelance writer who worked as a staff reporter for Computerworld.com from 2000 to 2008. Weiss covers enterprise IT from cloud computing to Hadoop to virtualization, enterprise applications such as ERP, CRM and BI, Linux and open source, and more. He spends his spare time working on a book about an unheralded member of the 1957 Milwaukee Braves and watching classic Humphrey Bogart movies. You can follow him on Twitter @TechManTalking. You can contact him at firstname.lastname@example.org