Beltug

Expect the unexpected - prepare thoroughly when negotiating cloud contracts! Takeaways from the X-change of 04 June 2019


Date: 04/06/2019


Cloud adoption is running at full throttle in today's corporate world: cloud, hybrid IT and multi-cloud are all attracting their fans.  But cloud is not 'one per customer': a large organisation can use over 20 clouds and manage thousands of cloud accounts. This complexity comes with many challenges. To meet them, you need to start at the very beginning: during your cloud contract negotiations.

 

In this session, we zoomed in on the hurdles in the negotiation process.  Our experts shared insights and expertise, while real-life cases from Etex and Coca-Cola revealed their conversations with cloud vendors. Rounding out the event, we looked at Beltug’s new paper with exit clauses to consider for your cloud contract (which will be published soon).

 

Presentations are available to Beltug members (after log-in).

 

Data protection hurdles when negotiating cloud and IT contracts

 

Heidi Waem, Counsel at Crowell & Moring, started by pointing out the privacy challenges in the cloud environment.  By design, cloud is an extra-territorial concept.  But your cloud can be situated in a jurisdiction that the GDPR treats as offering adequate protection (the EEA, for instance) or in one it does not (Russia, for instance), and the transfer rules differ accordingly.  Heidi shared an overview of the trends towards data localisation, depending on the strength of regulations in the countries (slide 5).

 

In terms of a regulatory framework, in the EU, we have not only the GDPR but also the NIS Directive (the Belgian implementation of NIS was published in April 2019).  The US has the CLOUD Act and the CCPA (California Consumer Privacy Act).  The concepts of 'controller' and 'processor' are essential and substantial elements of the GDPR: the controller determines the purposes and means of processing, while the processor processes personal data on the controller's behalf.  In a cloud contract, the customer is typically the controller and the cloud provider the processor, so the obligations each party takes on follow from that allocation.

 

Incident notification illustrates the difference between the two regimes.  Under the GDPR, it is the controller who must notify a personal data breach to the supervisory authority (a processor must inform its controller without undue delay); under NIS, processors also have a notification duty (without 'undue delay') towards the national CSIRT, the sectoral government or the sectoral CSIRT.

 

The CCPA does not specifically delineate a material scope, but its obligations cover 'collecting', 'selling' or 'sharing' personal information.  Personal information is defined broadly as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

 

When incorporating data protection in your cloud contracts, there are various elements to take into account (slides 19-24):

  • Location of data processing
  • Sub-processors
  • Duty to cooperate
  • Security
  • Audit rights
  • Lock-in, exit and return of data on exit (portability)
  • Liability

 

 

Case: Vendor governance and financial treatment for cloud agreements @ Coca-Cola

 

Next up was Kris Maes, Senior Manager – Vendor Management at Coca-Cola European Partners.  He started by explaining that, at Coca-Cola, IT procurement and vendor management are handled within the ICT department.  At Coca-Cola, the management of vendors and contracts is done bottom-up (which, in his view, is far preferable to the other way around).

 

This works by starting with building the company's own requirements (which can be a lengthy process), then adding terms and conditions (GDPR, InfoSec, payment terms, regulatory compliance), then going over pricing, and concluding with the agreement with the vendor.  Bear in mind that the work isn't over at that point: the agreement still needs to be processed and handled internally.

 

At the start of this process, i.e. 'requirements & sizing', make sure that you are aligned internally and that you can be as clear as possible towards your potential vendors.  Be open with the vendor about the journey ahead.

 

Also segment the licences by which employees use the product and how (a blue-collar worker uses the product differently from a VP); the support you need for the different profiles can be segmented in the same way.

 

For preparing the terms and conditions, Kris covered a few elements:

  • Data privacy & information security: leave that to the experts, Kris advises.
  • URL terms: online terms change over time, so print them and keep them with your contract (making sure that this is the version that was valid at the time of signing).
  • Service descriptions: include a detailed service description, so that functionality cannot quietly be reduced or renamed later.
  • Service levels: as with data privacy, look at them case by case, depending on the business criticality of the solution.  Focus your effort on business-critical applications, and standardise as much as possible.
  • Termination and data extraction: prepare for exit and assess what will be included in the exit effort.

 

The second step in the bottom-up approach, as Kris outlined, is 'pricing'.  Leverage the work done in the requirements and conditions step.

 

Cost equals p x q x t (unit price x quantity x time).  Quantity and periodicity are the factors that drive the cloud bill; the unit price is only one of the three, and negotiating it alone will only shave off a few percent.

 

Once you have reached an agreement, make sure you commit to it and stick to your project plan, and track the project's progress.  Finally, keep an eye on what you can capitalise from your cloud investments and what remains an operational cost (slide 7), and include your finance department in that effort.

 

 

Case: Cloud negotiation lessons learned @ Etex

 

Werner Spinnoy, Vendor & Licence Manager at Etex Group, started his talk by explaining that the Etex Group has strengthened its core business and grown through multiple acquisitions.  Five external drivers are at the source of the Etex IT Strategy.

  • Physical time constraints
  • Technologies
  • Changing business
  • Financial
  • Applications

 

To select their services provider, the company used a rather traditional approach (slide 12).  For the final selection, Etex used criteria in the areas of the agreement, the solution and the people.  They wanted a proposal with a strong commitment to performance guarantees, flexible adaptation to future demand, and an additional price reduction over the contract duration of 5 years.

 

The solution needed to be fully scalable with high flexibility, and to include both an improvement of the IT operations processes and the potential for more services (e.g. global service desk, application management).

 

Werner also insists that the people in this story are critical.  Etex wants to work with its provider as a partner, and requires a dedicated service manager for day-to-day operations.

 

This SAP transformation project at Etex was a complex task, within a challenging timeframe.  Werner shared an overview of the lessons learned and the way forward (slides 17 and 18).

 

 

Outsourcing versus public cloud: two separate worlds

 

Our final speaker of the day was Bart Gouweloose of Miradores, an independent consultant in cloud and data-centre migrations.  With all the different flavours of cloud, the life of an ICT department has changed dramatically and has become more complex, he explained.  You have complexity on the one hand, but many possibilities on the other (slide 8).  We are moving to a 'no-ops' environment (like water running out of your tap or electricity coming out of the wall).  You might conclude that complexity is the new normal.

 

This complexity obviously affects contracts.  When zooming in on the risk of 'lock-in' versus the cost of a migration, Bart started with the question: "Should we really call it 'lock-in'?"  He pointed out that public cloud environments are portable in a good number of cases.  He also noted that the more specific the functionalities you use in your cloud solution, the harder it is to migrate to a different cloud player.

 

SaaS is a completely different story.  There are many more (often smaller) players.  Here 'bigger is better': the larger the player, the more tooling is available for a migration.  When working with smaller players, be careful, Bart advised.  You need to ask:

  • where is the software hosted?
  • what if the data centre company fails?
  • what guarantees do you have?

 

Right at the start of your contract negotiations with a new cloud provider, you must prepare for a possible exit.  Begin by making sure you understand the new environment and the technology at hand, and keep that knowledge up to date while working with the solution.

 

Bart does not see the ownership of your data as the main worry: the larger cloud players have sufficient policies in place (slide 18).  What you do need to do is document the set-up of your new environment and keep those records up to date:

  • Define all set-up parameters, linked to the new environment
  • Watch out for data that doesn’t come with the export from the old platform
  • Be aware that you will not get access to the IP used in the old environment
  • Check if all services from the past are still required and provided in the new environment

 

Define your exit approach in the contract itself, write a (high-level) exit plan from day one, and define how you will mitigate your risks.  Doing so lowers your potential migration costs, for example by adopting standard solutions or specific development standards (such as loosely coupled microservices) that make the workload easier to move.

Finally, continuously keep your exit plan up to date and test where possible.
