Cloud-based infrastructures and applications are part of almost every company’s IT architecture. With each cloud service provider relationship, the CIO must carefully read, negotiate and sign a contract outlining service-level agreement (SLA) performance, security, data privacy and ownership, data sovereignty compliance and termination procedures.
A shared understanding of the client’s needs and the provider’s capabilities and offerings is critical to a successful relationship. Accordingly, it is essential that CIOs purchasing cloud services be able to clearly educate the provider on the company’s needs, history with cloud, relationships with other providers and reasons for seeking this infrastructure. The provider can then best deliver a package of services to meet these requirements.
During contract negotiations, the provider often offers further education on how to create a comprehensive plan for using cloud services as well as detailed insight on the topics of security, data access and general risk. This is important as there are still misconceptions about cloud services, such as what happens to information once it leaves the client’s data center. This symbiotic information sharing will lead both parties to a more meaningful agreement when reviewing the services contract, especially as it relates to the following six key items, identified by Mark Kristiansen, SVP and general counsel, Dimension Data Americas, that are usually the most contested.
About Mark Kristiansen
Mark Kristiansen is Dimension Data Americas’ senior vice president and general counsel. He manages the legal affairs for the Americas, overseeing risk and compliance, corporate governance, mergers and acquisitions, litigation, contracts, employment and labor, as well as intellectual property issues. Mark joined Dimension Data in 2001 after the company acquired Proxicom, where he held a similar role. He received his Juris Doctor from the College of William & Mary School of Law in Williamsburg, Va. Mark received his B.A. in Spanish literature and Political Science from Brown University. He is admitted to practice law in Maryland and is a member of the American Association of Corporate Counsel.
Six Cloud Negotiation Tips
First, what do the CIO and IT team mean when they say SLA, i.e., how do they define these agreements and the service provider’s responsiveness? CIOs must have a clear understanding of what the provider’s SLA will cover, whether it will meet the company’s needs, and how responsive the service provider will be if an outage occurs or a server goes offline. The broadly offered level of service availability is 99.999 percent.
Additionally, the parties’ contract must clearly outline what happens if the SLA terms are not met. Will SLA credits be given, and at what percentage are these SLA credits capped? CIOs can also look into how often the provider fails to meet its SLA requirements, determine whether there is an underlying reason why a failure keeps recurring, and find out how the provider is remedying the situation. This research will give a solid understanding of the provider’s customer service practice.
Security of a client’s information and data is paramount, and every CIO wants to know how robust each partner’s security offering is and whether it meets all the industry regulatory requirements. Service providers will want to show that they have built security protocols into the underlying architecture that meet ISO, SSAE, HIPAA and other requirements, and that they provide methods to encrypt data at rest and in transit. At the same time, service providers must make clear the extent to which they have access to the client’s data and applications in the first place.
Not only must CIOs worry about the issues particular to their market, such as finance and health care, but there are also governmental regulations tied to the location of the company’s and the provider’s data centers. Data sovereignty looks at how and where information is stored and maintained, and from which geographic regions it is then accessed. CIOs should ask how a cloud provider handles privacy rules and whether privacy impact assessments are done for each offering. Is the provider adhering to the data sovereignty regulations across all the geographic regions in which it operates?
Cloud service providers and their clients continue to debate where to draw appropriate lines to allocate risk associated with loss of any data. The more effectively a service provider can demonstrate its security capabilities and adherence to regulatory concerns, the less risk the service provider will expect to bear.
Contract Termination/Data Ownership
The termination procedure between a client and a cloud service provider must be clearly spelled out in the contract and understood by both parties. Additionally, the provider should make the client’s data available for a specific amount of time before it is removed from the cloud infrastructure. On average, a provider may keep data and applications for an additional 30 days after a contract ends, giving the client enough time to transfer them to a new system. After this period, it is common practice for the provider to delete the information and repurpose the infrastructure resources for another client.
An important question a CIO must ask is, “Is the cloud infrastructure vetted by a third party?” These outside validations examine how the cloud infrastructure is built and maintained and substantiate the provider’s claims.