5 must-haves for cloud computing contracts
Experts share their tips for negotiating cloud computing agreements that protect agencies' interests and data.
Los Angeles officials wanted what most agencies want when they choose cloud computing: a way to get access to the latest technology with minimal in-house effort and maybe even save some money.
However, the city wasn’t interested in signing a boilerplate contract for the Google applications it plans to run under a cloud model.
So in addition to agreeing to pay $7.25 million for five years’ use of a modernized e-mail system and additional services, such as a calendar function and document management, Los Angeles officials pushed for data security and performance requirements that weren’t in the standard contract offered by Google and its reseller, Computer Sciences Corp.
It wasn’t an easy process. City officials spent six months hammering out the deal, which was ready to be signed at press time. But the effort appears to have paid off.
The customized agreement includes security and performance extras and stiffer financial penalties for not meeting the requirements. It could save the city $5.5 million during the next five years. “I think we’ve got a great contract,” said Kevin Crawford, the city’s assistant general manager.
Some analysts say the deal could become a model for other public-sector organizations that seek protection beyond the standard service-level agreements (SLAs) for cloud computing.
“The government is probably going to look for agreements that are very much like this one going forward,” said David Linthicum, a principal at Booz Allen Hamilton.
The Los Angeles model is especially helpful at a time when agencies often have more questions than answers about cloud contracts.
Fortunately, now is a good time to address fundamental questions with large cloud providers, such as Amazon, Google, Microsoft, Salesforce.com and others. The scramble to land high-profile government contracts could induce vendors to agree to more customer-friendly terms than those in their standard SLAs, which are typically written in the provider’s favor, Linthicum said.
So how can agencies negotiate a cloud computing SLA that works for them? Experts say contracts should include the following five features.
1. Bulletproof data security
Los Angeles officials had concerns about moving data from within the city’s firewalls to outside locations, so data security was high on their list of priorities. As a result, the contract specifies that the provider will replicate and continuously update the city’s data at multiple locations so the 30,000 city workers who rely on the cloud applications would be unaffected by an outage.
Experts say agencies with highly sensitive or regulated data, such as financial or medical information, should also ask cloud vendors to provide real-time data streams from intrusion detection systems.
“If I believe my information is under attack, I’d want one of my [security experts] watching,” said Don Adams, chief technology officer for government at Tibco Software, a cloud services vendor.
Los Angeles officials stipulated that they must be notified of all breaches of Google’s cloud, even if the incidents don’t directly affect the city. “Knowing about breaches may push me to do something different in my administration,” Crawford said.
2. Business-class performance
Average application response times, transactions per second and monthly downtime figures are some of the key performance metrics that should be detailed in contracts, Adams said. The thresholds stipulated in the contract should balance the importance of the cloud resources to the agency’s core mission against what the agency can afford to spend for performance premiums.
Los Angeles’ contract with CSC specifies that Google’s services will experience no more than five minutes of downtime a month before penalties kick in. Although performance metrics are essential for contracts, agencies shouldn’t be lulled into a false sense of security.
“You can put those kinds of numbers in place, but if you’re going down continually, that’s still not acceptable,” said Ian Knox, senior director of product management at Skytap. The cloud services provider guarantees 99.9 percent uptime — or about 40 minutes of downtime a month — in its standard contract.
In addition, to gauge the provider’s uptime and support record, agencies should ask vendors for customer references, he added.
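To make the downtime figures in this section concrete, here is a small added example (not code from the article, the city, or any vendor named in it) that converts an availability percentage into an allowed-downtime budget and then aggregates constructed outage records into per-month downtime, flagging months that exceed a contractual threshold. The outage records and the 30-day month used for the percentage conversion are assumptions; the five-minute monthly threshold is the one the article attributes to the Los Angeles contract.

```python
from calendar import monthrange
from datetime import datetime, timedelta


def allowed_downtime_minutes(availability_pct, days_in_month=30):
    """Minutes of downtime a month an uptime guarantee permits.
    99.9 percent over an assumed 30-day month allows 43.2 minutes,
    which matches the article's rough figure of 'about 40 minutes'."""
    total_minutes = days_in_month * 24 * 60
    return total_minutes * (1 - availability_pct / 100)


# Constructed outage intervals (ISO 8601 start, end) -- sample data only.
# The last one deliberately spans a month boundary to show the split.
CONSTRUCTED_OUTAGES = [
    ("2010-01-04T09:12:00", "2010-01-04T09:15:30"),  # 3.5 min
    ("2010-01-18T22:00:00", "2010-01-18T22:04:00"),  # 4.0 min
    ("2010-02-02T03:00:00", "2010-02-02T03:02:00"),  # 2.0 min
    ("2010-03-31T23:58:00", "2010-04-01T00:03:00"),  # 2 min Mar + 3 min Apr
]


def monthly_downtime_minutes(outages):
    """Sum outage durations per calendar month, splitting any interval
    that crosses a month boundary so each month is charged correctly."""
    totals = {}
    for start_s, end_s in outages:
        start = datetime.fromisoformat(start_s)
        end = datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"outage ends before it starts: {start_s} > {end_s}")
        cursor = start
        while cursor < end:
            last_day = monthrange(cursor.year, cursor.month)[1]
            next_month = datetime(cursor.year, cursor.month, last_day) + timedelta(days=1)
            segment_end = min(end, next_month)
            key = f"{cursor.year:04d}-{cursor.month:02d}"
            totals[key] = totals.get(key, 0.0) + (segment_end - cursor).total_seconds() / 60
            cursor = segment_end
    return totals


def evaluate_sla(outages, threshold_minutes):
    """Return, per month, the measured downtime and whether it breaches
    the contractual threshold (strictly more than the allowed minutes)."""
    return {
        month: {"downtime_min": round(minutes, 2), "breach": minutes > threshold_minutes}
        for month, minutes in sorted(monthly_downtime_minutes(outages).items())
    }


if __name__ == "__main__":
    print(f"99.9% uptime allows {allowed_downtime_minutes(99.9):.1f} min/month")
    for month, result in evaluate_sla(CONSTRUCTED_OUTAGES, threshold_minutes=5).items():
        print(month, result)
```

Run against the constructed data with the five-minute threshold, January is flagged (7.5 minutes) while the other months are not; against a 99.9 percent guarantee none of the months would breach, which is the gap between "five minutes" and "about 40 minutes" that the section is pointing at.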
3. Auditing rights
Monitoring a service provider’s performance requires a mix of technology tools and on-site visits, cloud veterans say. Vendors typically document system uptime and processing rates via monthly reports and electronic dashboards that allow customers to watch for glitches in real time.
Contracts should authorize agencies to audit the electronic and physical security practices of service providers through site visits and interviews with employees, Linthicum said. Agencies are entitled to that level of access because the cloud becomes part of their functional data center under government security regulations.
In addition to giving the city the right to audit Google’s operations, Los Angeles’ contract requires the provider to undergo annual data management audits in accordance with the Statement on Auditing Standards No. 70 and provide the results to the city, Crawford said.
4. Strong remediation options
Adams warned agencies to avoid contracts that lack consequences for cloud providers that don’t meet their contractual obligations. “These types of agreements result in systems that fail,” he said.
For some breakdowns, such as excessive downtime, the penalty might be in the form of monetary damages. An early draft of Google’s service contract with Los Angeles outlined financial penalties for substandard performance that would add days of free service to the terms of the contract. Los Angeles negotiated so the latest draft stipulates monetary damages applied to the following year’s service, or if the contract is ending, a refund for a portion of the city’s service fees.
Contracts should define more serious consequences for security violations, including cases in which the provider fails to inform the customer of a data breach, Adams said. Such a serious failure of trust could result in immediate termination of the agreement, he added.
Los Angeles is entitled to a minimum award of $10,000 if any of its data is compromised, which demonstrates that “we really, really want CSC and Google to keep our data confidential,” Crawford said. But the city also has the power to seek unlimited damages if it feels the violation is egregious.
5. Freedom to move
A lack of data compatibility standards can make it difficult for cloud customers to move information and applications from one service provider to another.
“Once you’ve made a decision, you’re often stuck with that particular vendor,” said Richard Mark Soley, chairman of the Object Management Group, part of a coalition of standards organizations that are developing data and SLA standards for cloud computing.
Until standards are formulated, cloud contracts should guarantee that customers remain the sole owners of their data, no matter where it physically resides. In addition, customers should have ready access to their data.
Los Angeles’ contract requires that the city receive its full storehouse of data within five business days of requesting it and that the data be moved to any location of the city’s choosing, including an alternative provider.
Finally, according to the contract, the data must be delivered in a standard format that wouldn’t require additional costs to the city to store in an environment other than Google’s, Crawford said.