Drawing up the right cloud contract with your supplier

With firms' networks changing and expanding rapidly in response to business needs and the move to the cloud, it's now more important than ever for organisations to build flexibility and agility into their cloud service provider contracts.

The cloud is supposed to deliver service provision flexibility to cut costs, but how true is this, particularly as cloud service contracts are commonly offered with ill-defined service level agreements?

Cloud contracts should take account of the ability for server and application requirements to be relatively easily scaled up - or scaled back - to meet business requirements. This reduces costs as resources are only paid for when they are needed.

Quick to Market

A key advantage of cloud services is the ability to launch new products and services in potentially hours rather than weeks.

A new website can potentially be launched in minutes, rather than weeks, on cloud services such as Heroku (owned by Salesforce.com) and Amazon Web Services. But it can still take a week for hosting providers to make infrastructure changes. Such delays are no longer acceptable and have to be remedied with the help of tighter cloud-related contracts.

And some service level agreements offered by cloud providers are not worth that much when all you get back are service credits when something goes wrong, and you have to make a big effort of claiming them.

The ability for end users to easiliy specify and change their cloud connectivity and data management requirements is seen as key to making sure they have true agility in their cloud network.

A cloud provider should be able to automatically provision a cloud server in seconds instead of days, and they must be able to meter usage and bill accurately.

Companies must also be able to instantly manage, automate and streamline all elements of a cloud platform, including the management of physical and virtual resources. This must cover improved time to delivery, agility, cost efficiency, visibility and control - and cloud contracts should spell such capabilities out.

Cloud Contract Defects

But many cloud contracts have "structural deficits", according to Frank Ridder, a Gartner analyst. He said, "Cloud service providers will need to address these structural shortcomings to achieve wider acceptance of their standard contracts and to benefit from the economies of scale that come with that acceptance."

Ridder said, "It's essential that organisations planning to contract for cloud services do a deep risk analysis on the impact and probability of their risks, and they should also plan mitigation for the most critical issues.

"This might cost additional money, but it is worth the effort. Risk should be continuously evaluated, because contracts can change - sometimes without notification."

The bottom line is this, CIOs and cloud vendors are going to have to initiate a new way of working together. Businesses need to establish clear SLAs (service level agreements) with their cloud provider from the outset.

It is also necessary to establish who has overall control of fault resolution, and how quickly faults will be resolved if they occur. It is important for CIOs and their teams to treat IaaS (infrastructure-as-a-service) deployments in the cloud as they would any IT service, and applying best practice learned from procuring on-premises equipment.

Cloud Service Level Agreements

To establish agile service provider contracts, SLAs cannot be standardised. Performance that is acceptable for one service will not be for another, and everyone must understand the performance targets. In addition, thresholds should be set for cloud service providers, by using benchmarks based on service levels historically achieved by the internal IT organisation.

Both sides must also sign up to and understand what service credits or compensation will be honoured if SLAs are missed. And can 99.999 percent reliability actually be guaranteed by the service provider, and does the business user really need to bear the cost of premium reliability for every service?

Before contracts are signed by companies, service providers' claims about service levels should be validated against reports of problems from other end-users. At the same time users should make sure service requirements are aligned with business requirements, as different departments for instance, may require different service levels.

Monitoring your cloud

Also, cloud buyers must have 24/7 visibility into the performance status of their cloud services. Many cloud service providers offer their clients online portals that provide access to real-time data on the performance and status of their managed infrastructure and services. Some also provide automated reporting and alerts.

But don't rely exclusively on the monitoring and reporting offered by each cloud service provider. Consider deploying an independent system to monitor the availability and performance of both your internally managed and external cloud applications to get an overall view.

With all these issues in mind it is also worth noting that some cloud providers are now perhaps giving in to the demands of cloud users when it comes to contracts.

Cloud Contract Market Changes

According to research from Queen Mary, University of London, combined legal and market factors may be forcing cloud providers to offer more flexible contract terms.

Queen Mary's research examined how and why cloud providers have begun to negotiate standard contract terms to apparently better meet cloud users' needs, minimise their operating risks and address legal compliance obligations.

The research, by the Cloud Legal Project at the university's Centre for Commercial Law Studies, was based on interviews with global and UK cloud providers, cloud users, law firms and other market participants.

The university report found the top six types of cloud contract terms most negotiated were service level agreements, provider liability, data protection and security, unilateral amendments to service features, termination rights and lock-ins/exits, and intellectual property rights.

Professor Christopher Millard, lead academic on the Cloud Legal Project (CLP), said, "These are the key contractual issues of concern to users in the cloud market." He said, "To remain competitive providers may have to be more aware of user concerns, more flexible in negotiations and more willing to demonstrate the security and robustness of their offerings."

The research suggested that larger companies with bigger cloud budgets would be the first to benefit from better cloud business terms, but that these changes would eventually filter down to smaller companies as cloud providers' business models changed.

The four risky issues for CIOs when contracting for cloud services:

Cloud sourcing contracts are not mature for all markets: When analysing cloud sourcing contracts, it is often obvious whether the cloud service provider wrote the contract with larger, more mature corporations, or the consumer side of the market, in mind.

Contract terms generally favour the vendor: An organisation needs to understand that it is one of many customers and that customisation breaks the model of industrialised cloud service delivery. Cloud service contracts are often written in very standardised terms, and buying organisations need to be clear about what they can accept and what is negotiable.

Contracts are opaque and easily changed: Contracts from cloud service providers are often not long documents. Certain clauses are not very detailed, as URL links to web pages detail additional terms and conditions. These details are often critical to the quality of service and the price (such as SLAs) for uptime or performance, service and support terms, and even the description of the core functionality of the offering. And clauses can change over time - often without any prior notice.

Contracts do not have clear service commitments: Usually, cloud service providers limit their area of responsibility to what is in their own network as they cannot control the public network. Things are improving, but many service commitments are still vague.

For more information on HP cloud services, visit http://www.hp.com/uk/cloudinaday