This is the last post on the Enterprise Cloud Computing Series that we started a few weeks back.  We have left one of the most complex topics for the very end:  How do we negotiate a contract with a cloud computing provider?  What are the main potential pitfalls to avoid?  What areas must be addressed in the different legal documents?  What can and cannot be negotiated? 

To cover this topic, I would like to reference Gartner's report 'IT Procurement Best Practice: Nine Contractual Terms to Reduce Risk in Cloud Contracts'.  These are the nine terms this study lists as key to understand in cloud deals to mitigate excessive risk: 

Uptime Guarantees. Despite the significant business-criticality of certain cloud applications, Gartner analysts have seen numerous contracts that have no uptime or performance-service-level guarantees at all, or that are only provided as a changeable URL link. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved 

Service-Level Agreement Penalties. For service-level agreements (SLAs) to be used to steer the behavior of a cloud service provider, they need to be accompanied by financial penalties. If downtime or performance service levels are not met, negotiate penalties and escalation clauses. Rather than credits, money back is preferable, in terms of your negotiating leverage and pressure on the provider, because no vendor likes to have to give money back, once booked 

Watch Out for SLA Penalty Exclusions. More cloud providers realize that they need to add guarantees and quality measures for the services they sell in the cloud. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Organizations should look carefully at exclusions to the right to penalties. For example, they should ensure that any downtime calculation starts exactly when the downtime commences 

Security. As part of the cloud-sourcing strategy, procurement and security executives should ensure that the provider's security practices are at the same level as, or exceed, their own security practices, especially if the company falls under industry or national privacy-related regulations. Gartner recommends negotiating SLAs for security, especially for security breaches. The analysts suggest immediate notification of any security or privacy breach as soon as the provider is aware of it 

Business Continuity and Disaster Recovery. Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. Some infrastructure as a service (IaaS) providers don't even take responsibility for backing up customer data. If organizations are prepared to back up their data within the enterprise, or some other cloud service, and have the ability to use that data within an application, then they need to confirm that their provider has a suitable API or other mechanism to accommodate the organization taking responsibility for disaster recovery 

Data Privacy Conditions. If the cloud provider is complying with privacy regulations for personal data on behalf of the organization, the client needs to be explicit about what they are doing and understand any gaps. Contracts should unequivocally state that the cloud provider will not share personal data with anybody else (this becomes more complicated if they have to share data with a third party — e.g., a cloud infrastructure provider — which is common for many software as a service [SaaS] solutions) and that they will only do what the customer (the data controller) says they should do 

Suspension of Service. Some cloud contracts state that if payment is more than 30 days overdue (including any disputed payments), the service can be suspended by the provider. This gives the cloud provider considerable negotiation leverage in the event of any dispute over payment. Organizations should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service. Some providers are removing disputed payments from this clause. 

Termination. A number of cloud contracts allow the provider to terminate the agreement with 30 days of a written notice, or at least within 30 days of renewal. Users should negotiate for at least six months notice for the provider to terminate, unless they have materially breached the contract 

Liability. Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organizations should try to negotiate for higher liability protections. Leverage the fact that these providers would have liability insurance to achieve higher caps, and be prepared to walk away if this issue is not resolved.

I hope you have found this series useful and can now better understand cloud computing.  Although this is the last post of this series, keep tuned for other posts on this topic! 

Now that we understand all the technical options around cloud computing, it is time to look at the business side of the equation:  What are the pros and cons of a cloud solution from a financial and risk management perspectives?



Potential benefits of the cloud

Cloud technology, with its different options and potential setups, offers enough flexibility to provide value to many different types of organizations.  Some of the benefits of cloud storage are:

1)  There is no direct dependency on any single server or piece of hardware which makes it easier to ensure business continuity in the event of a disaster

2)  Additional storage or server space is available as needed with no specific action required while over provisioning is avoided in a pay-as-you-go model

3)  Access to entire storage and server pool can be accessed from a single point

General considerations when moving to the cloud

At the same time, it is important to be aware of potential pitfalls and to prioritize requirements.  Some important considerations are:

1) Although the ability of the cloud to provide data redundancy across multiple and disparate servers can give great confidence to users, you also need to allow for the worst-case scenario where your cloud provider goes out of business and takes access to your data along.

This is a possibility that needs to be covered in the Service Level Agreement (SLA) with a specific remediation process detailed in order to minimize the waiting time for compensation was the worst to happen.

2)  It is important to ensure that the provider you choose can meet your key requirements to the specified level.  These requirements will vary depending on industry and location of the business but will likely include compliance, security, data handling and recovery.  It is also important to ask your vendor about business critical issues such as availability, security and compensation from the start.

The best way to understand a provider’s capability is to look at its track record and to request referrals from clients.  And, just to be on the safe side, ensure that you have an alternative provider to whom you can migrate with certain ease should requirements not be met at some point by your current vendor.

3) It is relatively easy to understand how moving from on-premises software to a SaaS model will affect your internal IT and support requirements since the external provider will support every aspect of the software deployment, management and access. 

It may not be as easy to fully gauge the impact of moving to an IaaS model.  Although all aspects of the infrastructure should be covered by your provider, you are still responsible for monitoring, managing and developing your on-demand infrastructure. 

4)  Software licensing may be a difficult topic.  An example of a company that has already ‘ported’ its licensing agreements to its cloud offering is Microsoft with its Office 365 product.   But the license document is longer and more complex to understand than the licenses offered with traditional Microsoft products, which tend to be quite complex already. 

In any case, many companies do not yet have fully developed licensing agreements for their cloud products meaning that the agreements may not cover all possible product configurations or all possible deployment locations. 

Financial considerations when moving to the cloud

There are also some specific financial considerations that need to be taken into account and that will help you focus your analysis around the benefits and drawbacks of cloud technology.

Below is a table comparing how some key financial factors play in an on-premise model versus a cloud computing model.

The focus of this post was to give readers a general overview of some key considerations when analyzing, designing and negotiating their cloud setup.  Next week’s post will walk us through how to incorporate all these considerations in the different legal agreements necessary to seal the deal.



References:
1)  The Ultimate Guide to Cloud Computing - MagBook, Cloud Pro - www.magbooks.com - @DennisMagBooks
2)  IDC Blog 
3) Wikipedia
4) PC Mag series of articles titled 'What is Cloud Computing?'
5)  Forrester Research - 'Talking to your CFO about Cloud Computing'

A few weeks back, in the second post of this series, we talked about the difference between cloud computing and cloud services.  Specifically:

1)  Cloud services – Consumer and business products, services and solutions that are delivered and consumed in real-time over the internet.  The key word used around cloud services is Software as a Service (SaaS).

2)  Cloud computing - The IT environment that enables the development, delivery and consumption of cloud services.  The key words used around cloud computing are Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Most people are familiar with SaaS, whether they use it as consumers – Facebook, Twitter, iCloud – or as employees – Salesforce’s CRM, Citrix GoToMeeting, Google Docs.  The provider manages every part of the infrastructure, from the servers to the OS to the data and the application.  You, as an end-user or a company, can access the service without worrying about how anything works.

The concepts involved in cloud computing are less well understood since many of us have not been directly exposed to them.  For this reason, we will devote this blog to discussing PaaS and IaaS in more detail.

IaaS – Infrastructure as a Service

In this case, the vendor manages all the hardware aspects of the system.  The provider will source and maintain servers, storage and network, while providing and managing the virtualization software that separate the physical drives from the virtual machine you are running, which is required to create a true cloud infrastructure.  The user will be charged on a ‘pay as you use’ basis with the user having total freedom in deciding the OS, middleware and software he wants to run on the provided infrastructure. 

Typical examples of services provided as part of IaaS are replication, backup and archiving, powerful computers and network load balancing and firewalls.  Examples of IaaS providers are Amazon EC2, Microsoft, Rackspace, VMWare and Citrix. 

PaaS – Platform as a Service

PaaS is somewhere in between IaaS and Saas.  It is not a finished product that can be directly accessed by end-users but it also not a tabula rasa where anything can be built.  In this case, the PaaS vendor provides IaaS capabilities as well as the OS, middleware and runtime software.

PaaS provides a platform to develop and deploy applications while it frees you from selecting, managing and upgrading lower layers of software. The flip side is that you are developing software specific to a certain platform that you do not control, making it

Although PaaS will allow you faster development times and therefore faster time-to-market, the flip side is that the provider controls a larger piece of your hardware and software environment, potentially making you more dependent on them and harder to migrate to a different vendor.  For example, if the standard runtime or middleware environments have been customized by the provider in any way, any calls included in your software that take advantage of those customizations will need to be changed if a migration takes place.

SPI Model

Together, SaaS, PaaS and IaaS, the most common cloud computing service models, form the SPI model. 

Below is a chart showing simplified explanations for the three main layers of cloud computing that will help you visualize the differences.

XaaS – Anything as a Service

Although the SPI model is the best known and most commonly used model in cloud computing, there are also other emerging services that are slowly becoming part of the cloud jigsaw.  Examples are:

1)  MaaS – Monitoring as a Service:  Monitoring of infrastructure and applications to proactively improve efficiency and reduce downtime risks, has always been important for businesses.  MaaS provides the option to offload a large majority of these costs by having it run as a service as opposed to a fully invested in-house tool.  Other advantages include easy setup and purchasing process.

2)  CaaS – Communication as a Service:  It enables the user to utilize enterprise level VoIP, VPN, PBX and Unified Communications without investing in the purchase, hosting and managing of the infrastructure.  

After discussing, in previous posts, the different types of clouds - public, private and hybrid - and now, in some detail, the different flavors of cloud services and cloud computing, we are ready to move to the last posts to discuss how to analyze financial benefits and how to negotiate a cloud services contract.  

References:
1)  The Ultimate Guide to Cloud Computing - MagBook, Cloud Pro - www.magbooks.com - @DennisMagBooks
2)  IDC Blog 
3) Wikipedia
4) PC Mag series of articles titled 'What is Cloud Computing?'

The term cloud computing is widely used in computing today.  This blog sets out to try and answer two fundamental questions:

·  What is Cloud Computing?
·  What are Cloud Services?

Whether you realize it or not, you’re almost certainly already using cloud-based services in the form of Gmail, Google Docs, Office Web Apps, Facebook, Twitter, iCloud (coming shortly) and DropBox.  These are applications that run on the ‘Internet’ or, we could say, on the ‘Cloud’. 

They are all different applications with different purposes but they all have in common that they are not running on you PC, laptop or tablet.  You access them on-line (although they may have off-line versions that synch-up as soon as you are back on-line, like Gmail and Google Docs) from any location and computer; you do not worry about updates or upgrades; you do not worry about viruses or security; you do not worry about disk-space.  They are in the Cloud and somebody else is responsible for all those things.

Although this definition is not completely accurate, as a first approach we could say that cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).

Many authors have specifically outlined the parallel that can be drawn with the electricity grid, wherein end-users consume power without needing to understand the component devices or infrastructure required to provide the service.  The evolution has taken place over 100 years where we have gone from each company / household having its own source of electricity, to local / regional companies providing it to a small area, to national / international companies providing it across a nation or an entire continent.  This evolution is similar to the changes we are seeing in computing and applications but at a much faster pace.

Now, think about this same concept applied to a company, whether big or small.  All the applications that the corporation uses – CRM, ERP, accounting, finance, logistics… - can move from local hard-drives, on-premise servers and data centers, where they reside today, to the cloud.  The company doesn’t have to invest in buying, maintaining and improving its servers and database infrastructure, it uses a global infrastructure provided by a specialist and shared with many other companies in a secure manner. 

Before we go any further, it is important that we understand the distinction between ‘Cloud Computing’ and ‘Cloud Services’.   IDC describes them as:

Cloud Services – Consumer and Business products, services and solutions that are delivered and consumed in real-time over the internet.

Cloud Computing – Is the IT environment that enables the development, delivery and consumption of cloud services.

That is, the applications that you use that reside in the cloud are cloud services.  The people that developed those applications did so using cloud computing tools.

Cloud Services

So, what are the key attributes of a cloud service?  IDC provides a handy checklist to determine whether or not something should be called a ‘cloud service’.  Some of the key points are:

·  Third-party provider – It is a commercial offering
·  Location agnostic – The service could be running anywhere in the cloud
·  Accessed via the Internet – Probably via a web browser but it could also be via a ‘gadget’ you have downloaded on your laptop / tablet.  This is the case, for example, for Twitter.
·  Minimal/no IT skills required to implement – You, or your company, use it as a utility but are not responsible for it.  You have instant – or very quick – access to it from day one
·  Pricing – Consumer apps are often free.  Corporate offerings have clear, usage-based pricing
·  Shared resources – A single service will be shared by many customers while allowing for different tailoring for each of them

You will also hear cloud services being called Software as a Service.  We will focus on this concept in a future blog.

Cloud Computing

But then, what is cloud computing?  It is the IT foundation for cloud services and consists of a growing list of technologies and IT offerings that enable cloud services.  It includes:

Cloud Platform Services – Also known as Platform as a Service (PaaS).  It delivers a computing platform and/or solution stack as a service.  It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers.

Cloud Infrastructure Services – Also known as Infrastructure as a Service (IaaS).  It delivers computer infrastructure – often platform virtualization – along with storage and networking capabilities.

Servers – It is the hardware (multi-core processors) and software (cloud-specific operating systems) products that are at the foundation of cloud services.

On top of these layers Software and Applications are built.  The overall These layers are built on top of each other with the complete stack looking like the diagram above.

These are not easy concepts and, although they needed to be introduced here, we will go into more detail in a later blog.

Next week we will introduce the concepts of Public, Private and Hybrid Cloud.

Amazon, Google and Microsoft are the three biggest names in cloud computing.  Amazon pioneered the public cloud when it decided in 2002 to use its vast infrastructure to offer computing facilities to customers and launched a range of services to developers including storage and a development platform.  Now Amazon Web Services, after less than 10 years, has hundreds of thousands of customers and an annual revenue of $750 million, as estimated by analysts at UBS. 

Microsoft launched Windows Azure Platform, it’s Platforme as a Service (PaaS) product in 2010 and Microsfot Online Services, it’s Software as a Service (SaaS) product in 2011.  Google has launched a number of initiatives starting in 2006 with Google Calendar, Google Talk and Google Page Creator and continuously expanding their SaaS offer through under the banner name of Google Apps.

These three giants are up against the traditional infrastructure makers such as AT&T, EMC, HP, IBM, Oracle and Verizon.  According to data supplied by International Data Corp. and Gartner, they collectively control 95% of the corporate infrastructure market, valued at around $1.5 trillion, through their data center solutions, the option traditionally taken by corporations to cover their storage and computing needs.  At 5% for Amazon, Google and Microsoft are starting small but the growth in this segment is particularly strong.

Building, maintaining and evolving corporate infrastructure is a lucrative business for providers and an area of strategic importance for companies.  Cloud solutions are bound to greatly alter the way corporate infrastructure is built and used.  It represents a completely different approach and, just as importantly, a major cultural and behavioral change.

Because it is so important, I will be devoting a number of posts to this topic in the coming weeks.  Some of the areas that I will be covering are:

1)     What is cloud computing?  And cloud services?
2)     Public vs. Private vs. Hybrid Clouds – Pros and cons of each model
3)     Cloud APIs – Software, Platform and Infrastructure as a Service
4)     Small Print – What to look for when signing up with a provider of  a new, and not yet standardized, offering

Stay tuned if you are interested in discovering and learning about the cloud.

Citrix unveiled the acquisition of Cloud.com at 6 am PT on July 12th, an ultra-hot Silicon Valley startup that powers many of the world’s largest and most successful clouds.  This announcement was just made 3 hours before VMware held a major launch event to unveil the next phase of their cloud computing strategy.  The timing of these announcements highlights the tight and exciting race between these two companies to lead a market projected to exceed $11 billion by the end of 2014.

VMware presented its new cloud structure suite, including products such as vSphere 5, vShield 5, vCenter Site Recovery Manager 5 and vCloud Director 1.5.  The goal is to increase the value that customers can extract from virtualized resources by enabling cloud-scale operations.  As Paul Maritz, VMware CEO explains: "With vSphere® 5 and our cloud infrastructure suite, VMware is helping customers accelerate towards more efficient and automated cloud infrastructure, redefining how resources are managed and secured, and ultimately, driving a more productive relationship between IT and the businesses they serve."

In the case of Citrix, Cloud.com product line is not a traditional enterprise server virtualization platform with the cloud management layered on top. Instead, it is a hypervisor-agnostic solution designed from the ground up to help providers build simple, automated, elastic, scalable and efficient clouds. According to a Cloud.com customer benchmark study dated October 2010, this approach has helped customers around the world roll out new cloud services up to 50 times faster, at one fifth the cost of alternative solutions. A key question around this acquisition is how Citrix will manage OpenStack and CloudStack.  Although these two products could be viewed in direct competition, Citrix underscores that they are both highly synergistic by design.  They share the same core principles, architectures and beliefs about how ‘real clouds’ should be built and bringing them together in this acquisition is a key part of its strategy.

As a founding member of Openstack.org, Citrix is the second largest contributor to the project and is a member of the OpenStack policy board.  This acquisition will help Citrix further accelerate its support of OpenStack by allowing it to combine the two engineering teams to work together going forward.  Specifically, we can expect:

·      Release a Citrix tested and verified version of OpenStack, along with a cloud-optimized version of Citrix XenServer (announced at 2011 Citrix Synergy conference as ‘Project Olympus’).

·      Add support for OpenStack APIs into an upcoming release of Citrix CloudStack, allowing organizations to leverage existing OpenStack tools to manage infrastructures deployed via Citrix CloudStack.

·      Deliver a common, intuitive management interface that provides manageability of both the Citrix CloudStack and OpenStack platforms.

·      Add support for bi-directional migration paths between the Citrix CloudStack and OpenStack platforms.

As you would expect, during the acquisition announcement, Citrix explained that CloudStack will continue to support vSphere, Xen and KVM, as it does today.  The interesting twist is that it will now be as a project placed inside a new cloud-computing unit within Citrix.