Points of negotiations with cloud provider

Before signing of SaaS contract the companies should think over the plan of return of data, agreements on the level of service and the strategy of agreement cancelation.

At contract negotiations on use of software in the form of service (SaaS) it is worth thinking of its possible termination in advance. And that is why. By 2013 20% of users of SaaS will pass to own software, unrolled in the organization. And by 2014 a half of users of SaaS will be convinced that their costs exceed expectations.

It is interesting to note that with growing of SaaS this type of service more and more becomes complicated. There are several precontractual councils.

• Estimate the costs for transition process at contract cancelation if SaaS will not yield the necessary result. Possible alternatives — outsourcing business processes and transition to internal software.
• Think over the requirements for storage lives of documental data, security and observance of standards.
• Make sure that will not impose you in the form of service useless software and unnecessary functions.

During negotiations it is necessary to pay key attention to price protection which would limit growth of rates at treaty extension and granted the companies the right to reduction of payments when falling the prices. In agreements on quality of service it is important to stipulate powerful penalties and a possibility of cancellation of the contract at abnormal idle times or systematic malfunctions. It is desirable that the company could also regulate the level of use of resources at business recession.

As regards the prices Gartner notes that in SaaS contracts the impossibility to reduce a subscription fee during subscription validity period usually makes a reservation.

Regarding failures of SaaS providers service usually consider force majeur circumstances idle times because of suppliers and interruptions in work Vnterneta. Customers should get a grasp of the legal wording of the contract that idle times because of SaaS providers did not escape them punishment easily attentively.

Also the question of data protection — especially is critical if you need to return information to the hands for other model of use of software. Gartner advises that requirements to data security and confidential information protection in details registered in the agreement, and accepted standards were annually certified.

Also the points concerning return of data are not less important. The companies should stipulate specifically a format and points of order of data transmission at their return of SaaS provider. Besides, the companies should enter the condition which is completely prohibiting removal of data without the consent of the owner.

Also conditions of cancellation of the agreement are important. In the points concerning termination of SaaS contract at the initiative of the customer it is necessary to stipulate a question of one-time return of unspent means.

The main practical difficulties at migration in the Cloud

• It is difficult to understand SLA and to consider risks at transfer of service
• Deal with functionality of services and the portal
• Cost estimation on services and resources in a cloud
• New security risks, acquaintance to IAM
• Frequent changes in cloud services and adaptation to these changes
• Data management, additional efforts on change of their architecture because of regulators
• The organization of hybrid model in practice, the different technology stack, difficult network topology complicate seamless integration.

Make sure that terms of agreement are a subject of negotiations

Though agreement negotiation during negotiations can seem self-evident, many cloud providers, including Google, Microsoft and Amazon, usually do not allow to make changes to the version of the agreement, reasoning it with the fact that special conditions for different clients undermine model of providing collective access and positioning of providers in the market. It does not mean as if the enterprises should not use services on standard conditions. But it is necessary to understand the risks connected with it.

At flexible terms of service you should be convinced that they are more profitable, than any standard agreement or it with which you can only express consent, having clicked a mouse. And also that the agreement cannot be changed unilaterally. If these conditions are not complied, your company should reserve the right to terminate the agreement at significant deterioration in its conditions, without bearing for it any responsibility.

Make sure that the structure of the prices does not deprive a cloud of its advantages

Cloud services open possibilities of fast scaling of solutions, more complete use of assets and the general expense reduction. But terms of agreement can impose restrictions for these advantages. For example, SaaS providers limit number of the provided jobs, IaaS providers — the minimum duration of use of infrastructure. You should try to obtain that the agreement did not limit capability of the enterprise to control expenses at expected models of work in clouds. Negotiations on use of software need to be held according to the practice which developed at you and to assume discounts depending on volume or the term of the agreement, differentiation of licenses according to roles of users and change in price restriction in the future.

Draft the agreement on the service level taking into account the available experience

Agreements on the service level (SLA), as well as in a case with any IT service, should reflect a full range of services. For example, as the cloud provider will be responsible for connection to the Internet and infrastructure, availability of services should not be defined by means of monitoring of the server in DPC. In the agreement a certain user interface and performance of requests, timeliness of accomplishment of the major packets of tasks and time of reaction/elimination in case of failure can make a reservation.

The purpose consists in development of limited set of metrics which guarantee that the incomplete satisfaction of customer needs will be violation of SLA. For each metrics it is necessary to eliminate the exceptions which do not have accurate criteria (for example, the breaks in service caused by need of urgent repair, and a concept of 'urgency' is not defined). Your enterprise should pay attention not only compensations for violation of SLA, but also to the careful analysis and elimination of its reasons. Finally your enterprise should be protected from long idle times and have rights to break off the agreement in the presence of chronic problems.

Consider influence of the collective platform on a company performance

Your enterprise should assess the consequences of providing services using the platform of collective access and proactively solve potential problems of the current activity. For example, the agreement with provider should provide that your organization will have an opportunity of the choice of the break accepted for it in service for carrying out technical works and will be beforehand notified on all actions affecting service.

Procedures of management of releases should conform to requirements of the enterprise which will have the right to use the penultimate version of software, will not complete testing of the latest yet. It is necessary to provide a possibility of loss of functionality of release (or change of structure of software packages as additional function) and to mitigate effects of it due to determination of the minimum time for notification, it is right to work vaguely long with the former version and a rupture of the agreement without indemnification to provider. Try to estimate in advance the needs for management of releases which can result from integration and adaptation, at approval of the prices of access to test environments. Otherwise you risk to receive the big account for the addresses to them.

Pay attention to transition to a cloud and an exit from it

Deployment in a cloud and the expiration or the termination of lease also require the attentive relation. As for transition to a cloud, you should be convinced that actions of provider are accurately defined and to agree about SLA at installation and configuring of the application and also at data loading. If additional professional services are provided on deployment, it is necessary to achieve that by default they were tied to key cloud services. At failure from use of a cloud the provider should help with the organization of migration, including export of data and their scheme in the approved format. It is necessary to think also of the requirement of periodic archiving of data to mitigate current or connected with features of the contract of difficulty on the way of their ordered transfer. Whatever good was the agreement with provider, your enterprise should not expect much more from it something. The best protection is the checked possibility of easy transition to other provider and on other solution. Heads of IT departments should remember that the lack of confidence in safe transition to other provider strongly weakens positions of the enterprise at negotiations and narrows a range of the options which are available for it.

The most important article of the agreement - about conditions of its termination. Nevertheless it often does not receive due attention. There is nothing eternal near the Moon therefore it is important to handle all issues of parting to trifles. By default, most likely, will offer you 30-day term for a withdrawal from a treaty. At the same time for such term to find an alternative and to make data migration happens it is impossible. We saw that good providers offer 60 or even 90 days. It is necessary to understand that at the guaranteed decline in income because of the termination of the commercial relations with you the provider will be not really motivated to you to help. There were cases when clients met difficulties with obtaining the data back. Sometimes providers refuse to ensure safety and reservation of data 30 days later after termination of the agreement. Therefore importance of study of this article of the agreement cannot be revaluated. Try to achieve for yourself six-months time for notification of provider about termination of the agreement in return and documentary process of removal of data from provider.

Point on geographical placement of data/applications and regulation of access

Initial edition of draft agreements on cloud services often contains imperceptible point on the right of the contractor to change geography of physical placement of data of the client.

At the same time from where sensitive information will be stored, depends how and on the basis of what laws of the country will treat it. For example, in the United States of America cloud providers are obliged to open data of the client upon the demand of state bodies. Russia is in the company of India, China and the most part of the countries of Europe where there are legislative restrictions for disclosure of information containing the state secret or personal data. Therefore it is important to pay attention to this point and to demand if not to approve then beforehand to notify the client on plans for change of the location of data.

Besides, there is a practice of subcontracting of the specialized companies for placement of data. In that case it is necessary to trace that the contractor bore responsibility for breaches of agreement from subcontractor as for own violations.

Gartner recommends to include in the agreement point on access restriction to some classes of data only by the ISO certified personnel of cloud provider, having excluded the third parties. Usually belong to such classes: personal data, including financial and tax information, tables, structures of tables, files and also any data which are classified or mentioned as the service or commercial information.

Data security

Contracts of cloud providers contain or quite foggy descriptions of conditions of data security provision, for example, "according to industry standards", or explicit failure from the responsibility that transfers all completeness of responsibility for security, backup and data recovery to the client. Important not only carefully to work the service level under this article of the agreement, but also to demand obligatory annual certification, for example, from ISO/International Electrotechnical Commission (IEC) 27001 certifications, Payment Card Industry (PCI) DSS certifications, SSAE16, SOC or already arising cloud standards of security: Cloud Security Alliance (CSA), Shared Assessments Program, FedRAMP.

The unsatisfactory result of certification should impose the obligation under the notification on it of the client on the contractor, and to the client - to allow to require agreement cancelation. Gartner demonstrates: providers agree to such conditions today. It is important also that providers were obliged by the agreement to report to the client on all cases of cracking or date leak. And not only yours, but also other their clients (cross-notification), it is also desirable within 48 hours.

Personal data

As soon as a talk on cloud computing began, personal data became the most obvious target for criticism from bankers. Really, according to us, the few providers agree to take the responsibility for security of personal data. Nevertheless precedents already appeared (restriction of the geographical region of placement of data). Large providers already agree to such restrictions. Gartner recommends to clients to insist also on placement of data within jurisdiction, convenient for you. It is necessary to consider the applied legislation as in the USA there are legislative arrangements exempting in some cases providers from liability enshrined in commercial agreements. These cases relating, as a rule, to national security issues allow state agencies to request data, even being under protection of commercial agreements. Gartner recommends to insist on an obligation of provider to announce such cases to the client.

What the cloud provider can hold back

There are highlights to which the client should pay attention when choosing provider of cloud services and which without fail need to be found out before work.

Information on the equipment

The equipment of provider is the cornerstone which is the cornerstone of reliability of a cloud platform. But quite often high quality, reliability and operability of the equipment of provider is only the advertizing slogan which does not have under itself any evidential basis.

What the cloud provider can not tell the Client about:

First, about equipment model. Than the equipment model is more senior, especially decline in production and reliability of a cloud is probable. Surely focus attention on what model of the equipment is used by provider. Use of modern models of the equipment reduces your risks.

Secondly, about an equipment class. The equipment class is higher, the cloud platform of provider is more functional and is more productive. Cases when the provider uses the equipment of a low class in work are not so rare. Do not forget to find out on what equipment of a class the cloud platform is under construction.

Thirdly, about equipment manufacturers. In the market there are offers of different price categories. If the cloud provider uses servers from a cheap segment, the probability of their exit is out of operation extremely high. Use of the cheap equipment from the unknown producer certainly reduces the cost of services of provider for the end customer. But in this case, it is better to pay slightly more expensively, but to be sure of smooth operation and of reliability of servers.

Fourthly, about smooth operation of the equipment. Failures happen to any, even the most reliable equipment. The main thing here - timely implementation of duplication and reservation of data and also lack of a uniform point of failure. Make sure that servers of provider have the dubbed power supplies and coolings, and have sufficient power reserve to cope with unexpected jumps of consumption of computing resources. Not less important aspect is the organization of a storage system: it is dubbed or locates two independent controllers. All network equipment should be dubbed, and failure in work of any element of a system should not affect operation of the equipment in general.

Performance of a disk subsystem

Parameters of cloud resources include computing powers of the processor (GHz), RAM (Gb) and disk space (Gb). These parameters are extremely important for the client, it is necessary to approach their choice especially carefully. Always it is necessary to remember that influence operation of application not only the amount of a disk quota, but also itself it is productive a disk system.

When the cloud provider selects disks of different types under the client's infrastructure, performance of these disks does not make a reservation as this factor depends also on the loading consisting of work of other clients of provider in a cloud.

Thus, the only correct criterion for evaluation of performance of disk space is the number of transactions of reading record per second (IOPs) and level of delays at the appeal to disks (Latency, ms).

Surely specify whether the cloud provider gives an opportunity to manage Iopsami and whether it can provide information on disk arrays of its infrastructure. When the cloud provider promises guaranteed performances of performance, the problem of the choice by the client of type of disks is irrelevant.

Platform and its security

Reliability and security of the platform where the cloud platform is placed - it is one of the most important factors when choosing cloud provider. Even if the provider agreed to show to future client the platform, it does not guarantee its reliability, and statements that the equipment conforms to the standard on category of reliability Tier III, in practice can be only words. Quite often providers mislead clients, hoping that that will refuse carrying out the actual demonstration because of unwillingness to waste time or because of a lack of the corresponding engineering knowledge.

To avoid similar misunderstanding, for the client will be to request more simply and more reliably from provider certificates of the international organization of Uptime Institute:

• Tier III Certification of Constructed Facility;
• Tier III Certification of Design Documents.

If the cloud provider locates the certified infrastructure, the client can be sure of quality and reliability of the platform offered it.

Support and service

Having decided to unroll own infrastructure in a cloud, the client should be sure that support and service of this infrastructure will be carried out at the highest level. The main thing at the same time – to find out, how exactly at cloud provider processes of a maintenance and support of a cloud are organized.

Work with incidents should be constructed on consecutive transparent algorithms which prevent loss of any incident, ensuring at the same time smooth operation of business of the client and spending a minimum of time for recovery.

The provider should guarantee following to certain regulations at making changes in infrastructure. In other words, all changes should be planned, approved with the client, are tested and implemented so that there was no agreement breach about the level of service.

Pay attention to compliance of technical service (support service) of cloud provider to the following criteria:

• Availability on all 24/7 channels.
• The appeal to provider via several channels: e-mail, website, chat, phone, Skype.
• Accurately fixed response time on the address, time of the solution of standard requests, time of the solution of an incident.
• Informing on carrying out scheduled works, on incidents and their solution;
• Active help of a vresheniya of the problems which are beyond agreement and formal description of service.

Type of activity of the company of provider

The companies offering cloud services in the Russian market, as a rule, are engaged in the following types of activity: Cloud providers. The companies which are engaged only in providing cloud services. Usually such companies locate own equipment which is placed in leased data centers.

Directly data centers. Recently practically each data center renders services in lease of virtual infrastructure as addition to services in placement of the equipment. Some data centers render cloud services independently, some sign the partnership agreement with cloud provider.

System integrators. For the last few years practically each system integrator included in the list of the services providing a cloud in lease. But in connection with presence at integrator of a huge number of other IT services, attention by the residual principle is paid to cloud services.

Telecom providers. As the telecom provider has all conditions for creation of the channel to a cloud, such companies include in the list of the services as well services in lease of clouds. Larger providers will organize a cloud independently, less large – having signed the agreement with cloud provider.

As a rule, if the minimum list of services in clouds is necessary for the client, telecom operators can independently close this requirement. If it is about a difficult complex of the worked services, then the company at which the cloud service is the main profile will become the best choice. Cloud providers in this case are more technical and are better organized. Besides they can easily vary with price adjustment of services for each client.

At the initial stage of development cloud services are at telecom operators which independently render similar services. And the most worked services with technical and from the organizational party at the companies which specialize in providing cloud services. Besides, it is the simplest to agree about correction of conditions of providing service will be with the companies for which cloud services are the main activity (specialized cloud providers and data centers). At the same time it is worth paying attention to that cloud services were a priority, but not the only type of activity of provider that will provide to the client a guarantee of a certain financial stability of the supplier.

SLA

The provider is obliged to approve and record a certain level of service of standard service requests in SLA: target parameters of time of the solution or the fixed solution term. The provider bears the financial responsibility for violation of the SLA parameters. In addition, the provider should offer the client individual parameters of quality.

But the client needs to remember also that SLA and the financial responsibility of the supplier is not a guarantor of the fact that layer management of service functions at all. To be convinced of it the client should check whether information on the SLA parameters gathers, analyzed and adjusted by provider.

• On the materials PCWEEK and Club.CNews.ru