The procurement of cloud services is unlike traditional technology purchasing. Traditional procurement and contracting approaches that are designed to purchase products, such as hardware and related software, can be inconsistent with cloud services. A failure to modernize contracting and procurement approaches can reduce the pool of competitors and inhibit customer ability to adopt and leverage cloud technology.
Ten Procurement Considerations
Cloud procurement presents an opportunity to reevaluate existing procurement strategies so you can create a flexible acquisition process that enables your organization to extract the full benefits of the cloud. The following procurement considerations are key components that can form the basis of a broader cloud procurement strategy.
1. Understand Why Cloud Computing Is Different
The standardized commercial delivery model of cloud computing is fundamentally different from the traditional model for on-premises IT purchases. Understanding this difference can help you structure a more effective procurement model. IaaS cloud services eliminate the customer’s need to own physical assets. There is an ongoing shift away from physical asset ownership toward on-demand utility-style infrastructure services. Customers should understand how standardized utility-style services are budgeted for, procured, and used and then build a cloud procurement strategy that is intentionally different from traditional IT—designed to harness the benefits of the cloud delivery model.
2. Plan Early to Extract the Full Benefit of the Cloud
A key element of a successful cloud strategy is the involvement of all key stakeholders (procurement, legal, budget/finance, security, IT, and business leadership) at an early stage. This involvement ensures that the stakeholders can understand how cloud adoption will influence existing practices. It provides an opportunity to reset expectations for budgeting for IT, risk management, security controls, and compliance. Promoting a culture of innovation and educating staff on the benefits of the cloud and how to use cloud technology helps those with institutional knowledge understand the cloud. It also helps to accelerate buy-in during the cloud adoption journey.
3. Avoid Overly Prescriptive Requirements
Successful cloud procurement strategies focus on application-level, performance-based requirements that prioritize workloads and outcomes, rather than dictating the underlying methods, infrastructure, or hardware used to achieve performance requirements. Customers can leverage a Cloud Service Provider (CSP)’s established best practices for data center operations because the CSP has the depth of expertise and experience in offering secure, hyper-scale, IaaS cloud services. It is not necessary to dictate customized specifications for equipment, operations, and procedures (e.g., racks, server types, and distances between data centers). By leveraging commercial cloud industry standards and best practices (including industry-recognized accreditations and certifications), customers avoid placing unnecessary restrictions on the services they can use and ensure access to innovative and cost-effective cloud solutions.
4. Separate Cloud Infrastructure (Unmanaged Services) from Managed Services
There is a difference between procuring cloud infrastructure (IaaS) and procuring labor to utilize cloud infrastructure or managed services, such as Software as a Service (SaaS) cloud. Successful cloud procurements separate cloud infrastructure from “hands-on keyboard” services and labor, or other managed services purchases. Cloud infrastructure and services, such as labor for planning, developing, executing, and maintaining cloud migrations and workloads, can be provided by Cloud Service Providers (CSP) partners (or other third parties) as one comprehensive solution. However, cloud infrastructure should be regarded as a separate “service” with distinct roles and responsibilities, service level agreements (SLAs), and terms and conditions.
5. Incorporate a Utility Pricing Model
To realize the benefits of cloud computing you need to think beyond the commonly accepted approach of fixed-price contracting. To contract for the cloud in a manner that accounts for fluctuating demand, you need a contract that lets you pay for services as they are consumed.
CSP pricing should be:
Offered using a pay-as-you-go utility model, where at the end of each month customers simply pay for their usage.
Allowed the flexibility to fluctuate based on market pricing so that customers can take advantage of the dynamic and competitive nature of cloud pricing.
Allowing CSPs to offer pay-as-you-go pricing or flexible pay-per-use pricing gives customers the opportunity to evaluate what the cost of the usage will be instead of having to guess their future needs and over-procure. CSPs should provide publicly available, up-to-date pricing and tools that allow customers to evaluate their pricing. Additionally, CSPs should provide customers with the tools to generate detailed and customizable billing reports to meet business and compliance needs.
CSPs should also provide features that enable customers to analyze cloud usage and spending so that customers can build in alerts to notify them when they approach their usage thresholds and projected/budgeted spend. Such alerts enable organizations to determine whether to reduce usage to avoid overages or prepare additional funding to cover costs that exceed their projected budget.
6. Leverage Third-Party Accreditations for Security, Privacy, and Auditing
Leveraging industry best practices regarding security, privacy, and auditing provides assurance that effective physical and logical security controls are in place. This prevents overly burdensome processes and duplicative approval workflows that are often unjustified by real risk and compliance needs. There are many security frameworks, best practices, audit standards, and standardized controls that cloud solicitations can cite.
7. Understand That Security Is a Shared Responsibility
As cloud computing customers are building systems on a cloud infrastructure, the security and compliance responsibilities are shared between service providers and cloud consumers. In an IaaS model, customers control both how they architect and secure their applications and the data they put on the infrastructure. CSPs are responsible for providing services through a highly secure and controlled infrastructure and for providing a wide array of additional security features. The respective responsibilities of the CSP and the customer depend on the cloud deployment model that is used, either IaaS, SaaS, or Platform as a Service (PaaS). Customers should clearly understand their security responsibilities in each cloud model.
8. Design and Implement Cloud Data Governance
Organizations should retain full control and ownership over their data and have the ability to choose the geographic locations in which to store their data, with CSP identity and access controls available to restrict access to customer infrastructure and data. Customers should clearly understand their responsibilities regarding how they store, manage, protect, and encrypt their data. A major benefit of cloud computing as compared to traditional IT infrastructure is that customers have the flexibility to avoid traditional vendor lock-in. Cloud customers are not buying physical assets, and CSPs provide the ability to move up and down the IT stack as needed, with greater portability and interoperability than the old IT paradigm. Customers should require that CSPs: 1) provide access to cloud portability tools and services that enable customers to move data on and off their cloud infrastructure as needed, and 2) have no required minimum commitments or required long-term contracts.
9. Specify Commercial Item Terms
Cloud computing should be purchased as a commercial item, and organizations should consider which terms and conditions are appropriate (and not appropriate) in this context. A commercial item is recognized as an item that is of a type that has been sold, leased, licensed, or otherwise offered for sale to the general public and generally performs the same for all users/customers, both commercial and government. IaaS CSP terms and conditions are designed to reflect how a cloud services model functions (i.e., physical assets are not being purchased, and CSPs operate at massive scale to offer standardized commercial services). It is critical that a CSP’s terms and conditions are incorporated and utilized to the fullest extent.
10. Define Cloud Evaluation Criteria
Cloud evaluation criteria should focus on system performance requirements. Select the appropriate CSP from an established resource pool to take advantage of the cloud’s elasticity, cost efficiencies, and rapid scalability. This approach ensures that you get the best cloud services to meet your needs, the best value in these services, and the ability to take advantage of market-driven innovation.
Thousands of public sector customers use the cloud to quickly launch services using an efficient cloud-centric procurement process. Keeping these ten steps in mind will help organizations deliver even greater customer- and mission-focused outcomes.
Source: 10 Considerations for a Cloud Procurement, March 2017, AWS