Monday, March 14, 2011

Four Risks CIOs Should Address When Contracting for Cloud Services

Although cloud offerings are rapidly maturing, the immaturity of cloud service contracting means that many contracts have structural deficits, according to Gartner, Inc. Gartner has identified four risky issues that CIOs and sourcing executives should be aware of when contracting for cloud services:

Cloud Sourcing Contracts Are Not Mature for All Markets

When analyzing cloud sourcing contracts, it is often obvious whether the cloud service provider wrote the contract with larger, more mature corporations, or the consumer side of the market, in mind. For example, there are cloud service contracts from traditional service providers for their private cloud offerings; these tend to include more generally acceptable terms and conditions. Gartner also sees many cloud-sourcing contracts that lack descriptions of cloud service providers' responsibilities and do not meet the general legal, regulatory and commercial contracting requirements of most enterprise organizations.

Gartner advises organizations to carefully assess the risks associated with cloud sourcing contracts. Areas such as data-handling policies and procedures can have a negative impact on the business case (for example, additional backup procedures or a fee for data access after cancellation) potentially creating compliancy issues and cost increases, and indicating specific risk mitigation activities.

Contract Terms Generally Favor the Vendor

Organizations that successfully outsource, evolve more partnership-style relationships with their vendors. Cloud service contracts do not lend themselves to such partnerships -- mainly because of the high degree of contract standardization-- where terms are consistent for every customer, and service is typically delivered remotely rather than locally.

An organization needs to understand that it is one of many customers and that customization breaks the model of industrialized service delivery. Cloud service contracts are currently written in very standardized terms, and buying organizations need to be clear about what they can accept and what is negotiable. To manage cloud services contracts successfully, organizations need to manage user expectations.

Contracts Are Opaque and Easily Changed

Contracts from cloud service providers are not long documents. Certain clauses are not very detailed, as URL links to Web pages detail additional terms and conditions. These details are often critical to the quality of service and the price (such as SLAs) for uptime or performance, service and support terms, and even the description of the core functionality of the offering. Clauses that are only fully documented on these Web pages can change over time; often without any prior notice.

Organizations need to ensure that they understand the complete structure of their cloud sourcing contract, including the terms that are detailed outside of the main contract. They need to be sure that these terms cannot change for the period of the contract and, ideally, for at least the first renewal term without forewarning. It is also critical to understand what parts of the contracts can be changed and when the change will take place.

Contracts Do Not Have Clear Service Commitments

As the cloud services market matures, increasing numbers of cloud service providers include SLAs in URL documents referenced in their contracts and, in fewer cases, in the contract itself. Usually, the cloud service providers limit their area of responsibility to what is in their own network as they cannot control the public network. Things are improving, but service commitments remain vague.

When deciding whether to invest in cloud offerings, buyers should understand what they can do, if the service fails or performs badly. They should understand whether the SLAs are acceptable and if the credit mechanisms will lead to a change in the providers' behavior; if not, they should negotiate terms that meet their requirements -- or not engage.

More information on cloud services can be found at

No comments: