Much has been said about the challenges of managing a multi-cloud environment, as more organizations deploy various cloud services from different vendors. One key aspect of this management challenge is how to handle all the contracts that come with using multiple cloud providers and services.
“Not all cloud contracts are reviewed and negotiated using the same internal processes and procedures,” said Adam Mansfield, a practice leader at UpperEdge, an advisory firm that helps organizations with sourcing, negotiation, legal and program management issues.
“Some cloud contracts, driven by the cloud vendor’s ability to circumvent a client’s process, are reviewed and executed by a line-of-business executive” such as the head of sales, the chief marketing executive, etc., Mansfield said. “Procurement, and even an IT executive, may have not been involved or if they are, it is more often the case they are brought into the discussion at the very end, when the deal is already cut.”
This leads to situations where there are no uniform provisions and commitments in place across the organization, Mansfield said. “Not surprisingly, the deals that are often cut with the line-of-businesses are also usually not competitive, or they are full of downstream ‘gotchas,’” he said. “Having to manage cloud contracts that have different levels of price protections, flexibility and service-level commitments is very challenging.”
In addition, not all cloud vendors will agree to the same terms. “Each vendor has their own specific thresholds regarding what they can and can’t offer in terms of contractual commitments,” Mansfield said. “Smaller cloud vendors may be more flexible and accommodating to win an organization’s business, where other more established and market-leading cloud vendors may take a hardline approach.”
Cloud computing to a large extent has become a “confusopoly,” with muddled marketing that makes it difficult for customers to make informed decisions, said Sten Vesterli, principal at IT consulting firm More Than Code. “Each vendor makes sure to use different metrics so customers are unable to make a straight comparison,” he said.
A lack of standard language around much of what is offered in the cloud market can also present difficulties with contracts for cloud services.
Here are some tips and best practices for negotiating, maintaining and managing cloud service contracts in a multi-cloud environment.
Create a sourcing or procurement department to oversee all cloud contracts
Many organizations already have a central function that manages all sourcing and procurement matters. The same should be true for cloud services contracts as they become more prolific and complex.
“Put in place an internal process in which all cloud contracts must go through the procurement and/or sourcing department,” Mansfield said. “It is certainly appropriate for line-of-business executives and IT executives to be part of the negotiation. But there needs to be an understood process in place that is also followed.”
This department can help ensure that there is a unified message that is effectively and consistently communicated to the cloud vendors involved. It starts with establishing the rules of engagement and goes all the way through contract execution, Mansfield said.
“During the negotiation, cloud vendors and their sales teams are very good at circumventing the process and taking control of the negotiation by navigating within organizations to gain leverage through their interactions,” Mansfield said. “Think of this as a form of the ‘divide and conquer’ approach.”
Having a unified message around the key items that are going to be negotiated, such as upfront discounting, long-term price certainty, a highly flexible model and meaningful SLAs, is critical, Mansfield said.
The sourcing/procurement function can also serve to help keep cloud vendors in line in terms of which services can be delivered. “In order to negotiate most effectively with a particular cloud vendor in the portfolio of a multi-cloud environment, you need to empower yourself with insights into what the particular cloud vendor can and cannot do when it comes to a specific item being negotiated,” Mansfield said.
Knowing the thresholds as well as the specific things that a cloud vendor is able to offer will not only add leverage to a customer’s negotiation, Mansfield said. It will also speed things up internally. “You won’t waste time fighting for something that is unobtainable, and it allows for proper internal expectations to be set and managed,” he said.
Negotiate customer-specific service-level agreements (SLAs)
To ensure the expected level of service quality, availability and performance, organizations should require an SLA for each service provided, and the SLAs should be specifically designed to meet the needs of the customer. Every enterprise has its own specific requirements, processes, workloads, etc., so a “cookie-cutter” approach doesn’t work.
“Most cloud providers offer an SLA, but don’t include it in the standard contract language,” said Steve Ermish, CTO at Opkalla, an IT consulting firm. “Most times the SLA is referred to as a separate agreement via URL embedded in the contract. This allows the company to offer one standard SLA for all their customers and consequently change their SLA on a regular basis.”
In addition, the penalties for not meeting SLAs are usually quite low and not material enough to compensate a customer’s loss of business, Ermish said. It’s up to the customer to understand when and how these changes might impact the business, and then what the risk might be to the business if providers fail to meet their SLAs.
“Negotiating a customer-specific SLA in your cloud contract allows you to hold the cloud provider more accountable based on your terms, and to be compensated much more to your benefit,” Ermish said.
Keep in mind that SLAs associated with a multi-cloud environment tend to be more complex, because the nature and number of issues to be addressed are greater, said Francoise Gilbert, general counsel at the Cloud Security Alliance (CSA), an organization that provides education and best practices related to cloud security.
“For example, certain features, specifications or choices might conflict with each other,” Gilbert said. “An incident may have a domino effect due to the multiple layers and the complex environment.” An SLA might cover a variety of services, different types of data, and long-term vs. short-term issues, he said.
“A distinction should be made between negotiated SLAs and non-negotiated SLAs,” Gilbert said. “Large companies with significant needs are often able to negotiate certain terms of their SLAs. Smaller companies with less leverage might have little ability to negotiate the terms of their SLA, and may need to rely on other means to understand and address the risks that these contracts may generate.”
Agree on security breach and data protection language
At a time when security breaches are so prevalent, it’s not uncommon for cloud providers to be attacked on a daily basis, Ermish said. This risk is magnified when companies are using multiple cloud services from various providers.
“In the event a cloud provider is compromised and your data is breached, it could pose serious business and financial risks to your company, depending on the type of data exposed,” Ermish said. “Most companies don’t quantify the cost of their data falling into the wrong hands and trust the cloud provider will protect them.”
It’s in the best interest of the cloud providers to minimize their own liabilities because of the magnitude of the cost of each customer’s potential damages and lawsuits, Ermish said. By negotiating specific breach language into each cloud contract, an organization can apply a financial layer of protection to compensate for its own data breach responsibilities, and also gain the flexibility to exit contracts for cause.
While many cloud service providers have sophisticated security programs, others don’t, Gilbert notes. “When a business plans to purchase cloud services, it should ensure in advance the service provider they plan to use has in place the necessary security measures and can demonstrate the existence, efficiency, efficacy and reliability of these measures for the specific type of data to be hosted and processed in a cloud,” he said.
Businesses should take the time to ask specific questions, request and review the disclosures concerning the security program, and evaluate the nature and quality of the levels of security provided, Gilbert said. This includes, for example, examining the results of prior security testing. “Failure to conduct a deep dive into security programs could have drastic consequences,” he said.
As for data protection specifically, the first thing to do after signing a cloud provider contract is prepare to move data, Ermish said. “Often overlooked in a cloud contract is how your data is defined, treated, uploaded, protected and ultimately recovered when a contract is terminated,” he said.
Specifically, businesses need to define things such as what data is considered the company’s intellectual property, and if that data will be accessible in any way by the cloud providers.
“You will be surprised to find that cloud providers sometimes use machine learning to read your data for their own analytics and marketing use,” Ermish said. “When your contract is terminated, how will you recover your data, and will it be in the same format as when it was uploaded? Will you need to pay for your data or satisfy specific contract terms before you can have your data back?”
Agree on price protection and termination language
Most cloud contracts are subject to rate changes as well as automatic price increases, which can range from 5% to 10% annually, Ermish said.
“It’s important to negotiate fixed pricing for the life of a cloud contract,” Ermish said. “The customer sometimes may need to offer a committed minimum spend, or payment upfront. Also ask for fixed pricing to be included in the contract. Like the SLA, if the cloud provider references an external pricing schedule, this can be changed on a regular basis without notifying customers.”
It’s also important to be clear about termination terms. “The most important part [of contracts] is to have an exit plan in place from the beginning,” Vesterli said. “If you can make a credible threat to take your business elsewhere, you have the power in the relationship. If you can’t, the vendor has the power.”
Organizations are typically enthusiastic about getting new cloud services and technologies implemented, and in many cases aim to push contracts through the approval process as quickly as possible, Ermish said. But they often overlook their options if they are not happy with the product or service before the end of the contract.
“Without specifically negotiating termination language, it will always be in the cloud provider’s favor,” Ermish said. “Most often, when signing a cloud contract, the customer will owe the amount for the entire term regardless of how the contract is terminated.”
By taking the time to negotiate termination language into each cloud contract, an organization can create leverage and vendor accountability for the flexibility to negotiate other important things such as contract renewal, price and other changes. “At the very least, it provides you with a way to leave a cloud provider with minimal risk to your company,” Ermish said.
One of the benefits of a multi-cloud strategy is flexibility, and organizations need to maintain that in their contract dealings.
“Customers hope to avoid vendor ‘lock-in’ and retain flexibility to allocate workloads and projects among providers, and select among the best available cloud solutions over time,” said Scott Stevenson, a partner at law firm Culhane Meadows, whose practice focuses on negotiating cloud contracts.
“In order to realize these benefits, customers need to focus on preserving flexibility in their cloud contracts,” Stevenson said.
Keep up with the changes in cloud contract dynamics
The cloud ecosystem has evolved at a fast pace, Gilbert said. “The nature of cloud services has expanded, and the number of individuals, companies and government agencies that rely on cloud to process their data has increased,” he said.
As with other types of contracts, cloud service agreements have evolved in many ways, Gilbert said. Cloud service providers are identifying new contract structures that work best for them, and cloud customers need to become more aware of what they can or cannot negotiate, he said.
“It has been necessary for contracts to evolve to address more or different products or services, different risks or threats, new laws and related legal requirements,” Gilbert said. “It has been necessary, as well, to change contract provisions to take into account new legal theories asserted by litigants, and lessons learned from litigation, class actions, or enforcement actions initiated by regulatory agencies.”
Shift from a “buy-in-advance” to a “buy-as-needed” approach
Many companies moving applications to the cloud will make contractual commitments or buy reserved instances too early, said Kim Weins, vice president of cloud strategy at IT services provider Flexera.
“For example, a company that was moving a significant number of applications to the cloud made six figure reserved instance purchases before they had moved the applications,” Weins said. “They were now paying every hour for compute capacity that they were not yet using.”
When the company completed the move, it found that the compute instances it needed were different from its contract and the reserved instances were wasted.
“Instead, move and optimize workloads and then negotiate discounts,” Weins said. “You can also buy reserved instances or a savings plan at any point in time — not just when you renew an enterprise contract — and those savings are far higher than your enterprise negotiated discounts.”