Cloud Computing Contract Negotiation Check-list
Tags: cloud computing, cloud contract check list, cloud security, cloud software license agreements, gartner, quality of service for cloud providers
So you’re in the middle of selecting your second cloud services provider and your list of qualifying questions is twice as long (rather than half as long) as the list you had when you made your first choice. Not good. Knowing what questions to ask, especially when it comes to Software License Agreements (SLAs), Quality of Service (QoS) agreements (QoS is all about network service guarantees) and data security issues, is fundamental. The rest of the stuff might be considered icing on the cake, but who doesn’t like icing?
Although we talked about the emergence of Cloud Service Brokerages (CSBs) in yesterday’s post, Gartner continues to publish helpful information that keeps turning up all over the net. So with proper accreditation to Gartner, please enjoy the following “cloud provider contract negotiation check list.” I thought it might be helpful because, like everything else, you only tend to get what you ask for.
- Despite the significant business-criticality of certain cloud applications, Gartner analysts have seen numerous contracts that have no uptime or performance-service-level guarantees at all, or that are only provided as a changeable URL link. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved.
- For service-level agreements (SLAs) to be used to steer the behavior of a cloud service provider, they need to be accompanied by financial penalties. If downtime or performance service levels are not met, negotiate penalties and escalation clauses. Rather than credits, money back is preferable, in terms of your negotiating leverage and pressure on the provider, because no vendor likes to have to give money back, once booked.
- More cloud providers realize that they need to add guarantees and quality measures for the services they sell in the cloud. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Organizations should look carefully at exclusions to the right to penalties. For example, they should ensure that any downtime calculation starts exactly when the downtime commences.
- As part of the cloud-sourcing strategy, procurement and security executives should ensure that the provider’s security practices are at the same level as, or exceed, their own security practices, especially if the company falls under industry or national privacy-related regulations. Gartner recommends negotiating SLAs for security, especially for security breaches. The analysts suggest immediate notification of any security or privacy breach as soon as the provider is aware of it.
- Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. Some infrastructure-as-a-service (IaaS) providers don’t even take responsibility for backing up customer data. If organizations are prepared to back up their data within the enterprise, or some other cloud service, and have the ability to use that data within an application, then they need to confirm that their provider has a suitable API or other mechanism to accommodate the organization taking responsibility for disaster recovery.
- If the cloud provider is complying with privacy regulations for personal data on behalf of the organization, the client needs to be explicit about what they are doing and understand any gaps. Contracts should unequivocally state that the cloud provider will not share personal data with anybody else (this becomes more complicated if they have to share data with a third party — e.g., a cloud infrastructure provider — which is common for many software-as-a-service [SaaS] solutions) and that they will only do what the customer (the data controller) says they should do.
- Some cloud contracts state that if payment is more than 30 days overdue (including any disputed payments), the service can be suspended by the provider. This gives the cloud provider considerable negotiation leverage in the event of any dispute over payment. Organizations should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service. Some providers are removing disputed payments from this clause.
- A number of cloud contracts allow the provider to terminate the agreement with 30 days’ written notice, or at least within 30 days of renewal. Users should negotiate for at least six months’ notice for the provider to terminate, unless they have materially breached the contract.
- Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organizations should try to negotiate for higher liability protections. Leverage the fact that these providers would have liability insurance to achieve higher caps, and be prepared to walk away if this issue is not resolved.
Once again, I want to thank Gartner for posting such valuable and practical advice. Cloud computing is providing small, medium and large organizations a phenomenal and timely opportunity to leapfrog traditional learning curves and acquire game-changing capabilities. The fact that the market resembles the “wild west” at the moment should not be a deterrent, but a call for careful planning and execution led by experts who know the terrain.
—Tom Finn
This is a very informative piece that will help keep my thoughts in line with my IS team’s concerns.
Thank you!
Thanks Russ. It occurred to me that a background in network services negotiations, not just software licensing, is essential.