One way to ensure that your cloud-computing contract covers all the issues that will be important to your company is to begin the process of exploring cloud vendors with a request for proposal (RFP). A solid RFP can be an effective way to compare and identify the best cloud services to meet your needs while also serving as the starting point for your cloud-computing contract.
As you draft the questions that make up the RFP, your cloud-computing contract will be shaping up as well. Every issue that's important to consider when developing a cloud-computing contract should also be addressed in the RFP. And by asking multiple vendors how they propose to fulfill your needs, you not only obtain a firm understanding of the relative benefits provided by each vendor, but you also gain insight into where additional negotiations may be needed and what each vendor's starting point in those negotiable areas may be.
If you have built a team to address cloud risk-mitigation issues, it can play a key role on the RFP team by developing RFP questions and evaluating vendors' responses in relation to their particular areas of expertise and responsibility.
Some companies won't bother with an RFP for cloud services because they believe that all cloud vendors, especially infrastructure-as-a-service (IaaS) vendors, provide essentially the same functionality. But not all cloud vendors are created equal, and as the cloud market continues to evolve, vendors will attempt to distinguish their services from the competition.
As an example of the sorts of differences you can expect an RFP to uncover, a service-level agreement (SLA) guaranteeing "four nines" (99.99%) availability can be a big differentiator compared with a "three nines" (99.9%) SLA. (Do the math. With three-nines availability, the expectation is for close to nine hours of downtime per year. With four nines, it's less than one hour.) Then there's the very definition of "uptime." Some cloud providers may consider scheduled maintenance to be uptime, while others don't. An RFP, properly formulated, can help you find that out. And what does the vendor offer in the way of guarantees that it will meet the SLAs it commits to?
There are many elements of a cloud vendor's infrastructure and security to evaluate, and vendors vary widely in this regard as well. By including an infrastructure/security questionnaire in the RFP, you can gain valuable insight into whether or not a particular cloud vendor runs a sufficiently tight ship to meet your needs. You'll also want to ascertain what certifications or other third-party verification the vendor may have to validate its infrastructure/security claims. If you find that a given vendor's response in this area meets your needs, then you should spell out its current infrastructure/security mechanisms and certifications as minimum requirements in the contract.
RFP responses can also demonstrate quite clearly that a particular vendor doesn't even understand the question that you're asking. For example, if your company is in an industry that faces regulatory compliance issues, you'll probably need to mention relevant legislation, such as GLB, HIPAA, FERPA or SOX in the RFP. If a vendor doesn't even know what those acronyms stand for, take that as a bad sign.
Vendor responses can also serve as your starting point for understanding where the cloud vendor's responsibilities will end and yours will begin. This information is essential for you to plan for the vendor management resources you'll need to have in place to monitor SLAs, recertifications, renewal pricing, data breach response management and other contract compliance issues.
The cloud remains a new and evolving market, so craft your RFP questions in a sufficiently granular fashion, with each requiring responses that go beyond a simple yes or no. This may make for a long list of questions, but it will go a long way toward avoiding unclear vendor responses and outright misunderstandings, and make the results of your RFP process much more useful and effective.
Interested in learning more about cloud computing risk mitigation via contract negotiation and vendor management? Then please sign up for my seminar Contracting for Cloud Computing Services, Oct. 29-30, in Washington, D.C. I look forward to seeing you there.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.