CIO Decisions

Mastering the cloud contract

Negotiating cloud contracts: A new era for CIOs

As cloud spending grows, providers are easing up on the 'my way or the highway' approach. Here's how to negotiate a cloud contract with terms and conditions that work for your enterprise.

CIO Cynthia Nustad remembers the early days of the cloud, when IT didn't have much wiggle room in negotiating cloud contracts.

Seven years ago or so, the vast majority of cloud service providers offered a standard cookie-cutter contract to businesses, said Nustad, CIO at HMS, a healthcare management services company. Many providers balked at accepting any real liability, and they certainly shied away from signing what is known in the healthcare industry as a business associate agreement, which has the provider assuming some shared risk in the event of a data breach.

It was enough to make many CIOs squirm at the thought of signing a cloud computing contract -- and Nustad, who was an IT leader for another company in the healthcare industry at the time, ultimately decided to walk away.

"Those first movers really dictated the contract," she said. "Maybe you could negotiate on price or add-ons, but the core service was pretty vanilla and hardened. It was, 'You can sign here, and that's your only choice.' Back then, we just couldn't do it. The cost of data breaches was so high, we couldn't go in that direction."

Today, however, many cloud providers are not blinking at signing those business associate agreements. "Things have changed significantly," Nustad said.

Cloud computing is growing rapidly and in some cases, that growth has spurred a change in the nature of cloud contract negotiations, giving IT leaders more of an edge.

Forty-two percent of IT decision-makers are planning to increase spending on cloud computing in 2015, according to IDG Enterprise's Computerworld Forecast Study 2015. IDC predicted late last year that by 2016, IT will shift 11% of its budget away from traditional in-house IT delivery toward various versions of cloud computing as a new delivery model. And IDC predicts public cloud spending will reach $127 billion by 2018.

The shared technology that is the backbone of the cloud allows providers to offer their services at a price point that is tough for CIOs to resist. Yet because of those cost savings, cloud providers often expect companies to sign take-it-or-leave-it deals with little, if any, flexibility, said Andy Sealock, managing director of Pace Harmon, which helps match clients with cloud service providers.

"What we've found is that cloud service providers lean on that way too much and use it as an excuse not to provide the kind of service our clients want to buy," Sealock said.

But more and more, CIOs and IT experts agree, as the market matures and an increasing number of cloud providers make the game more competitive, CIOs are now getting around this one-size-fits-all approach as they seek -- and win -- contracts with more safeguards and even custom features to fit their business needs.

"If you're a serious customer and bringing business to the table, the service provider is happy to talk, because it's a sales opportunity," Sealock said. "A lot of the big players like Amazon and Microsoft will negotiate, but even some of the smaller players will negotiate as well because sometimes they're hungrier for your business and are more apt to customize things."

Sealock said it can take some pressure to get a provider to move beyond standard forms. "A lot of times it takes a competitive RFP because otherwise, they will tell you to pound sand," he said.

Cloud contract negotiations today are about a lot more than price and service-level agreements. Here's a look at some provisions and other factors IT leaders should keep in mind when negotiating their next cloud contracts:

Negotiating cloud contracts: Terms and conditions

Many cloud providers will say, "Our terms and conditions are what's on our website." But providers have been known to revise terms without notice, said Colin Whiteneck, senior manager, Deloitte Consulting, who helps CIOs with cloud contracts.

"You need to get them to negotiate so they give you specific Ts and Cs," Whiteneck said. "If they're not willing to negotiate, you tell them you don't even want to see their proposal."

Even if a provider insists on sticking to standard terms, it's important for a contract to spell out that those terms should apply through the length of the contract to avoid having to swallow any future changes that might be unfavorable to the business.

Data storage

John P. Donohue, associate CIO of technology and infrastructure for the Penn Medicine-University of Pennsylvania Health System, said it was important for the healthcare provider to have a good handle on where its cloud providers are storing data.

"We really wanted to understand where the data was being held, and we wanted them to notify us if they were going to change the place where it was being held," he said. "Cloud providers often take advantage of the lowest-cost hosting place and will reassign it. We wanted to be able to veto that."

Some providers will charge a company for transfers between data centers. Besides, many contracts are vague in the areas of data retention and whether the provider has any liability with regard to how and where data is stored, Whiteneck said.

As the cloud is evolving, many countries are developing new data privacy laws -- in some cases requiring that certain data be stored within that country. "It's important to understand where your data is and how it's being protected so you can comply with regulations in different countries as those regulations constantly change," Whiteneck said.

And if a provider decides to partner with another company in a way that changes the structure of data storage, companies should be notified.

"I had a customer who found out that seven months earlier the provider had moved to another company for storage, and this changed the security that the customer thought was in place," said Michael Davis, CTO at cybersecurity company CounterTack, which has its own cloud contract and also advises clients on cloud-related security issues.

Security provisions

A company should ask the cloud service provider to "pop the hood" on its architecture and design to show how networks are linked, how data is backed up, where data is stored and how it is kept secure, Sealock said.

"You need to do your due diligence to find out: How resilient will you be from a disaster recovery? How often are they taking snapshots of data and storing that? How are they going to prevent bad things from happening?" Sealock advised. "You won't get that level of detail unless you ask for it. A contract is ink on paper. You need an end-to-end view."

Penn Medicine's Donohue said when it comes to security, cloud providers often say they "will match best practices" or "follow industry standards," but that kind of vague language doesn't provide him with enough reassurance.

"We wanted to be very specific about how they would keep our data secure both physically and virtually," he said.

In standard cloud contracts, a company is often not allowed enough access to do its own security testing without the cloud provider's approval, but a company should make sure it is able to perform its own security tests, Davis said. The financial services and healthcare industries in particular are required to perform certain scans and tests.

"If you don't get that and you start doing some security testing, the provider might perceive it as a real attack and shut down your services," Davis cautioned.

Companies also need to find out how the provider responds in the event of a security breach. In some cases, providers are not contractually required to report a hacking incident, Davis said, citing the example of a company that didn't know it had been hacked until executives read about the breach in The Wall Street Journal.

"You want to require providers to give you at least 48 hours' notice before they go public with a breach," Davis said.

In terms of other security provisions, Davis said his company sought a granular level of access control, allowing some employees to view data without the ability to modify or delete any information, whereas others might have greater access.

"Some cloud providers' access control is weak. They give people either full access or no access," Davis said. "You give [employee] Bob full administration rights, and you just hope he doesn't delete something important."

In part two of this SearchCIO feature on negotiating cloud contracts, Gerdeman delves into cloud provider liabilities, cloud exit strategies and peer review of cloud providers.

About the author:
Dina Gerdeman is a freelance writer and editor covering business news and features. She lives in Massachusetts.
