Unlike in the early days of enterprise cloud computing, cloud providers are more willing to adapt standard contract terms to enterprise needs. Part one of this SearchCIO feature on cloud contract negotiations reviewed contract terms and conditions, data storage considerations and security provisions. Part two examines cloud provider liabilities, cloud exit strategies and the importance of peer review in cloud computing contract negotiations.
Standard contracts often hold the cloud provider harmless if anything goes wrong. So it's important for companies to take a close look at a cloud provider's liabilities in the event of a security breach or severe service issue, said Michael Davis, CTO at cybersecurity company CounterTack, which has its own cloud contract and also advises clients on cloud-related security issues.
Providers will often claim to have insurance to cover a breach, but many companies make the mistake of not asking for a copy of that insurance policy as verification.
"If their servers go down, often times they are only held up to the value of the contract. In many cases, that is way too low," Davis said.
Companies should also do a little digging. For instance, if a cloud provider claims to have a security officer on staff who is in charge of coordinating a potential attack, company executives should ask to speak with that person.
"Very few companies will call to see if these people exist," Davis said.
Cloud contract: Exit strategy
"When we were stepping into contracts years ago, it was this exciting thing," said Cynthia Nustad, CIO at HMS, a healthcare management services company. "Now that you may have had a turnover or two in cloud providers, you realize it's important to figure out your exit strategy before you decide on your entrance strategy. What happens if something goes wrong? What if a bigger company buys the company that's providing the cloud? Their goal is to get their teeth in you, and our goal is to make sure they don't get in too deep. You have to protect your company in the long term."
For one thing, it's important for a contract to stipulate that the company owns the data.
"As you ramp up the number of cloud providers you use, your data is now spread across those plains," Nustad said. "So you have to negotiate up front that you own that data."
Consultant Andy Sealock advises his clients to make sure the contract stipulates that in the event the cloud provider fails to live up to its end of the agreement, the company can pick up its data and leave.
"You need rock-hard provisions that say the cloud provider needs to deliver the data within a certain time period in a format you can use with a schema to understand the data," said Sealock, managing director of Pace Harmon, which helps match clients with cloud service providers. "You can't let your data be held hostage."
CIOs should do their homework
Cloud contract negotiations can take anywhere from a few weeks for fairly simple contract talks to several months for contracts in industries with especially sensitive data, including healthcare and financial services.
Cynthia NustadCIO, HMS
"I tell my folks that it's a pretty sophisticated negotiation," Nustad said. "You need to sit across from them and make sure everyone is aligned."
And it takes work beyond the negotiation table, too. CIOs should network with peers, comparing notes on providers and sharing contract strategies.
"Talking CIO to CIO without the vendor involved is a very healthy dynamic," Nustad said. "You can share key points to watch for in negotiations."
John Donohue, associate CIO of technology and infrastructure for the Penn Medicine-University of Pennsylvania Health System, agreed that peer input is crucial. "If someone used a particular vendor with success, it can jumpstart your selection process," he said. "It's not only about how many gigabytes of storage you need. It's about finding the right provider for you and your space, one that understands your industry culturally."
Chris Moyer, VP of technology at ACI Information Group, also recommends searching social media sites and third-party review sites to read what others have to say about a cloud provider.
"Some people will promise you the moon, but not everyone can give it to you," Moyer said. "Go beyond looking at a company's website and talking to other people they have recommended."
Not every company will have the leverage to negotiate for too many bells and whistles. Bigger companies with bigger cloud budgets have a better shot at winning some custom contract protections than smaller companies, experts said.
"You have to be at a certain size to make it worth their while," said Colin Whiteneck, senior manager, Deloitte Consulting, who helps clients with cloud contracts.
Bill Martorelli, a principal analyst with Forrester, said even with some of the vague language cleaned up, IT leaders should understand that cloud providers may not be willing to provide the kind of guarantees that give CIOs the level of comfort they are looking for.
"Try to do the best you can, but you have to go in with your eyes open," he said. "You're not going to get a warm blanket of protection in the public cloud that you felt you had when going to traditional IT outsourcing. You can't have it both ways. You can't have all the flexibility of the new world with all of the protections of the old world."
Yet some say cloud contracts have come a long way in a short time -- and many are pleased that companies are getting around some of the broad, vague language found in standard contracts.
"We are getting more wins on custom [contracts]," Sealock said. "The industry is maturing and the market is demanding it, and we're going to see more and more of it."
About the author:
Dina Gerdeman is a freelance writer and editor covering business news and features. She lives in Massachusetts.