It is not the intention to discuss the “click-through” type of public offerings and contracts here. I would rather reflect on some of the specific areas in contracts between enterprises and cloud service providers offering privately built but externally managed IaaS and PaaS services.
The specifics mentioned are either derived from the nature of cloud services or are a constant source of risks and failures regardless of whether cloud or traditional outsourcing is involved.
All the potential risks can be grouped into the following categories:
- Security and data privacy
- Service scope and service definitions
- Contract termination/exit conditions
Security and data privacy risks obviously derive from cloud specifics, in this case “resource pooling” and “broad network access”. Best practices in setting up tailored contracts between enterprises and cloud service providers will address the usual regulatory and statutory compliance, data protection and security requirements (e.g. data protection laws, “white labelled countries”). But there are a few areas where even “best practice” might fall short:
- data protection laws and respective data location agreements might be at risk because sub-providers of the cloud service provider access data from abroad
- data protection laws and respective data location agreements might be at risk under the global service delivery models of cloud providers, where data location has been agreed but access to the data by support staff in foreign locations is not addressed.
Service scope and service descriptions will lack sufficient definitions and level of granularity (in comparison to traditional outsourcing) due to the immaturity of enterprise-ready cloud offerings. This immaturity will lead to unresolved assumptions (integration topics, capacities/volumes, SLA capabilities such as “objective”, “measurable” and “verifiable”). Potentially, this will lead to complete chaos in the differentiation and demarcation between “standard service items”, “non-standard” items (aka “changes”) and complex changes (aka “projects”).
In general, it would help if both parties agreed on “true-up” and “grace” periods, giving both provider and customer enough time to address detailed scope and service definitions.
Contract termination/exit conditions and the respective risks again inherit some cloud specifics:
- Cloud contracts will have a much shorter lifetime than the traditional ones
- Back-sourcing will not be an option anymore at all
- Onboarding of new service providers will become management routine
- Business continuity and data protection goals (as discussed previously) will become a much tougher task when managing cloud contract terminations.
Therefore, the contract should ensure agreements on exit/transition costs, responsibilities and the key personnel involved, data transition and de-integration methodologies, as well as data disposal guarantees.