It takes a team to create a good cloud contract
- 25 September, 2012 16:59
Is your head spinning?
I know that everything that I have said in this series of columns on the risks associated with cloud computing (and my advice on how to mitigate those risks) is a lot to take in. I've seen that "deer in the headlights" look on a few faces when I have taught my two-day "Contracting for Cloud Computing Services" seminar. How, they are wondering, are they going to effectively address all of these issues on their own?
They shouldn't try.
In fact, it takes a team to make it all work. You need to pull that team together from existing resources within your company. Titles and roles will differ from one organization to another, but these are the stakeholders who will have the most to contribute to your cloud-computing effort:
The business process owner -- This person may have identified the need for a given cloud service in the first place, and so he or she has no trouble seeing the benefits of the service. Less clear to the business process owners is the existence of risks. You must engage them as part of the team, or face the prospect of them proceeding on their own without any strategy for mitigating those risks.
The IT vendor management team -- You should make this group responsible for managing the overall relationship with the cloud vendor, from investigation to contract negotiation, use of the cloud service and on to end of life. The vendor management team is typically also responsible for leading and managing the activities of the cloud stakeholder team.
Technical personnel -- The right technical folks can effectively compare a cloud service to current practices, identify and implement integration points between a cloud service and in-house systems, and identify and manage the impact of a cloud service on the organization's infrastructure, including network capacity.
Security and policy professionals -- There's no one better to evaluate the security practices of the cloud vendor relative to the type of data involved and the business criticality of the service, and identify whether use of the cloud service aligns with existing organizational policy.
Representatives from the legal department -- Cloud computing can have wide-ranging legal implications, and the cloud is so new that legal precedents may not yet exist. It's important to engage legal counsel to identify legal issues (such as indemnification and limitations of liability) related to the contract with the cloud vendor, and determine whether use of a given cloud service is in compliance with your obligations under the law.
Procurement staff -- If a purchase can't proceed without passing a procurement office review, you'll want to bring these folks into the loop. The cloud brings new risks that procurement personnel may not be familiar with. If you don't want your cloud purchase stuck in purchasing, it will be essential to educate and engage the procurement staff.
Audit, compliance, governance and risk management gatekeepers -- These people are responsible for ensuring that organizational activities are compliant with government regulations and internal policies. Again, the challenges and risks of the cloud are novel enough that you could trip up here, so engage these gatekeepers early so that you can collectively identify and address all the issues in advance.
As in the story of the blind men who tried to describe an elephant after each had touched a different part of the beast, each stakeholder will bring a different perspective to the cloud. Some will see benefits, and others will see risks. Each perspective is valid, but they must all be brought together to get the big picture. Only then can you make a balanced decision regarding whether or not the benefits of adopting a cloud service outweigh the risks.
Working together, the team can help your organization effectively adopt cloud-computing services by doing the following:
* Monitoring and managing your relationship with the cloud vendor to ensure continued adherence to the contract terms, and determine how to effectively address when things don't go right.
* Establishing and disseminating standard processes appropriate to the acquisition of cloud-computing services, including developing guidelines and best practices regarding the appropriate use of cloud-computing services.
* Investigating and implementing opportunities for organization-wide contracts with cloud vendors to establish improved terms and conditions, including those that override the terms of click-through agreements to provide additional protections for end users.
Are you building a cloud risk mitigation team? One way to pull it together is to send key stakeholders to a "Contracting for Cloud Computing Services" seminar. The next one will be held Oct. 29-30 in Washington. I look forward to seeing you there.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.
Brace for change: An interview with Tony Hayes of ISACA
Rethinking the worst case
The brand called CIO
Motorola turns to the Moto G's price to reserve its smartphone fortunes
Virtual desktop computing service: The next cloud disruptor?
Efficient Data Management in Three Simple Steps
Gartner reports that Business Intelligence, Mobile Technologies and Cloud Computing rank 1-2-3 as the 2013 Global CIO Technology Priorities. These three trends, labelled the “Perfect Storm” of new technologies, are transforming every link in the IT value chain, promising to deliver more efficient, responsive and dynamic IT operations. But this also means massive shifts in the way IT applications and services are created, deployed and maintained. This whitepaper aims to help you begin the journey to efficient modern data management
Building a Strategic Archive
For years, most companies have dealt with the evolving dynamics of data archiving by addressing an immediate need rather than building a long-term strategy. But over time, putting all information on costly storage is likely to be very expensive. This whitepaper explains why it’s time for organizations to start to strategically evaluate archive solutions for capabilities they need, both now and in the future. While no technology is future proof, an archiving solution can make you “future ready.”
Deliver Enterprise Mobility with Security and Performance
Mobility and the consumerisation of IT pose key challenges for IT around scalability, security and application visibility. In this whitepaper, we look at complete, integrated and scalable solutions that deliver apps and data to any device with full security and a high-performance user experience. Learn more!