The move to the cloud is popular, but it is still new. In most cases it provides significant cost benefits to companies, provided that it is done right. As you have guessed by now, the “done right” part boils down to the cloud contract. In most cases the cloud contract terms favor (or are biased toward) the cloud vendor. Even worse, there are cases where cloud vendors change the contract terms without the businesses realizing it.
I have worked through the most important points that you need to address with your cloud contract to ensure that things work as intended after the cloud move.
Service Levels and Vendor Commitment
I have yet to see any cloud contract that takes the customer’s needs into account rather than favoring the vendor. There are plenty of cloud contracts out there that promise service levels above 99%; however, there is no commitment by the vendor, nor is there any penalty. The contracts even fail to define the service levels precisely (instead they use vague terms).
In a talk with my friend, who is working for a cloud vendor, he admitted: “Thank God the client does not have anything in place to measure our service levels. When I look from my side, I see negative service levels: there is no point in time when everything works. Either this or that is broken.”
That means that even though there is a contract and there is a service level, you have to monitor your service levels yourself. I recommend employing monitoring tools such as Microsoft’s System Center Operations Manager or outsourcing this to a professional company.
Backup, Restore, Data Migration
Many of my clients think that since their servers are located in the cloud – the vendor’s premises – backup and restore are taken care of automatically. This belief stems from the fact that if the physical host fails, the machines are automatically transferred to another host and everything continues to work; eh, wasn’t this the notion of the cloud?
Dead wrong. Your servers are located on the cloud vendor’s premises, and that only makes it easier to take backups there. If it is not stated in your contract, it is your responsibility to take care of your data. Files can be deleted, servers may crash, changes need to be reverted, and all of it is your business. Is the cloud provider running your servers? Yes, and it doesn’t care a bit about your data loss. When you address the backup issue, I recommend that you define a restore time, specifying the time frame within which you can access your backed-up data.
I recommend that you consider the future and make sure that your cloud provider has to make your data available immediately if you decide to move your infrastructure to a different cloud provider. Most probably you will be moving data to the new provider with a backup-restore procedure (to keep the file and folder permissions at the very least), so you also need to address how you will receive your data back: tape drives? A temporary NAS/DAS installation in the cloud provider’s datacenter? Online migration?
Data Ownership, Security, Privacy, Notification System
Let’s begin with a simple question: who is the owner of your data once it is transferred to the cloud provider? You? I hope so. If you think you are as sure about this as you are about your name, then I recommend that you check the other vendors’ agreements you have signed to date (Facebook will be a good start). It is entirely possible that the agreement names the cloud provider as the owner of your data once you upload it.
After you secure the ownership of your data, you need to address its security and privacy. Depending on the cloud service you are negotiating, your e-mails, your files, your knowledge and your media may be residing in the provider’s datacenter. How will the provider ensure that your data is secure both physically and virtually: physical access controls (think about biometric identification), security team(s) working round the clock in shifts, file encryption?
Once you have guaranteed your data’s safety, you have to explicitly address your data’s privacy: your files are already there, and if they are not encrypted, they are “big data” that the cloud provider can use for its own gain, whether internally or by providing it to third parties. Make sure that all of your data, down to the last bit, remains private. Ensure that heavy penalties are explicitly stated in the contract.
What if the bad guys win and the cloud provider suffers a data breach? How will your company be notified? Did the vendor define post-breach procedures?
Legal Compliance, Auditing
The cloud vendor must comply with laws and regulations to operate its business, that is for sure, but there are also regulations that your business needs to comply with. Depending on your business, these may cover your patients’ health records, your customers’ demographics and the like. Does the cloud vendor have the necessary means to help you with legal compliance? What if the cloud provider has datacenters worldwide for disaster recovery and you have sensitive information that you legally cannot store outside your country?
And finally, how can you be sure about all this? Are there any audits? By whom? Normally the cloud provider should be performing internal audits a couple of times per year, plus it should be audited by third parties at least once a year to ensure that compliance is in top shape (things tend to loosen if there are not enough checks in place). Do not hesitate to ask the cloud provider whether you can also perform audits yourself.
You decided to move to the cloud because you have seen significant benefits for your organization. However, you also need to make sure that the situation does not turn into the opposite: in the best case paying for something you do not receive, and in the worst case paying more than you would by keeping things as they are (in house). Once you do your homework and review the contract once again with the critical eye that we have mentioned