In “Four Barriers to Cloud Due Diligence,” I explored a few factors that contribute to the complexity of performing due diligence on a cloud vendor.
When an enterprise moves to the cloud, it hands off its servers, networks, and even its data to its provider. All that it’s left with is a contract. Therefore, a CFO needs to ensure that that contract is comprehensive, balanced, and enforceable, preferably in a legal jurisdiction that suits the needs of his or her company.
Prior to signing a contract in which the cloud services are core to the business and critical to the viability of the organization, there are certain things a CFO absolutely must keep an eye on. (For commodity cloud services such as platform and infrastructure, e-mail, and file storage, CFOs can take a less rigorous view; however, some of these points will still be relevant.)
1. Get a wet-ink contract: Early cloud adopters largely were consumers and small businesses, and the majority of cloud contracts were concluded online in the form of a click-through “I Accept” button or some similar mechanism. In almost all instances, these contracts contained clauses that permitted providers to amend the terms of the contract unilaterally. In general, this approach is not appropriate for most corporate and government organizations, and presents a potential risk should the vendor’s changes not be in your organization’s best interests. If your cloud initiatives are critical to your organization, seek a fully encapsulated wet-ink contract that cannot be changed without approval by both parties.
2. If you can, negotiate: Unless you have considerable purchasing power, it’s unlikely that you will be able to negotiate contract variations with a major cloud provider. The business model underpinning the public cloud (especially software-as-a-service) is the concept of standardized multitenancy in the provider’s infrastructure and applications, analogous to apartments in a large building. The provider is the landlord; you’re the tenant. However, should you be in a position to negotiate, try to ensure that minimum functionality standards are guaranteed. This is especially important in SaaS contracts, where the vendor may elect to terminate parts of its service portfolio. If your organization depends on services that have been terminated, it’s your problem, not the provider’s. In other words, you don’t want to be evicted without someplace to go.
3. Protect your back: Your contract should specifically exclude the possibility that you can be terminated without cause at the vendor’s convenience. Unless approved by you, the provider should not be able to terminate contracted services, period. If you can’t get a contractual guarantee on that point, think hard and long before signing up.
4. Safeguard your right to terminate: A big part of the public cloud’s value proposition is that the provider automatically (and without extra charge) takes care of all upgrades and maintenance. This typically includes the addition (or removal) of features. Should any of these changes alter the application’s functionality in ways that are not in your best interest, you should be able to terminate the contract without penalty. This caveat applies mostly to SaaS.
5. Be sure you can get out easily: Should you exercise your rights to terminate the service, what are your vendor’s obligations in terms of providing appropriate assistance to allow you to transfer out in a smooth and orderly manner? This includes the provider’s obligation to retain your data for an acceptable period of time.
6. Make sure you can’t be bullied: With on-premise IT assets, you retain physical control of your systems during a legal dispute with a software vendor; in the cloud, a legal dispute may expose you to a system shutdown by your provider. For example, you may elect to withhold payments for services you feel have not been rendered, or have been rendered inadequately. That, in turn, could trigger termination of your service, leaving you without a critical business capability. You should be fully informed as to the service continuation obligations your contract places on your provider.
7. Demand full disclosure: It is not uncommon for SaaS providers to use other providers (e.g., infrastructure-as-a-service or platform-as-a-service providers). What assurances does your vendor offer in regard to privacy and data residency in its cloud ecosystem? If some of these IaaS or PaaS parties are foreign-owned, does that affect your regulatory and compliance obligations? You should know the score.
8. Guard against mergers and acquisitions: The cloud landscape is volatile, and your provider may be bought by another outfit at some point in the future. It is important that you enshrine in the contract the principle that the contract constitutes an irrevocable guarantee of continuous service and that it’s binding on all parties and their successors through the provider’s supply chain.
9. Maintain your right to audit: As the consumer of cloud services, you should have the right to employ an independent and qualified auditor to validate the performance of your provider under the terms of your contract. The role of cloud auditor is clearly explained in Section 2.4 of the National Institute of Standards and Technology Cloud Reference Architecture.
10. Know who you’re dealing with: If your cloud provider is owned by a company you’ve never heard of, registered in the Cayman Islands, would this be a problem for you? Maybe it should be. You should know who you’re dealing with in terms of the vendor’s corporate structure and ownership, as well as the legal jurisdiction to which it answers. The recent decision by the Australian government to ban Chinese technology giant Huawei (the world’s second-largest telecommunications company behind Sweden’s Ericsson) from bidding on a huge contract to supply equipment for Australia’s national broadband network due to the government’s concerns over cyberattacks originating from China (and Huawei’s close ties to the Chinese government) is an example of how ownership structures can be relevant to cloud decisions.
CFOs need to realize that the cloud-service provisioning model is very, very different from conventional outsourcing, managed services, or on-premise IT offerings. Buyer Beware should be the CFO’s default position. It just might save your organization when the chips are down.
Former CIO Rob Livingstone is an author, speaker, academic, and consultant with substantial real-world cloud experience. Join Rob at one of his many free live webinars at navigatingthroughthecloud.com.