While many companies offering Cloud Services ensure cyber-security is a high priority – it needs to be for them to stay in business – you still need to do your due diligence to make sure that YOUR service provider does the right thing, and also that the service complies with data protection regulations such as the EU’s General Data Protection Regulation (GDPR) and other regulations that may be specific for your business.
You also need to ensure that any integration between the cloud services and your existing IT is secure and correctly licensed, otherwise your business might be at risk.
You can find out more about the different types of cloud services on the market and some of the pros and cons of each service in ‘Getting to grips with Cloud Computing’.
Cloud is an exciting opportunity! But how do you make sure that you’re buying the right services for your business while getting the best price and, above all, keeping your business secure?
Buying the right cloud service – whether that is software, application or infrastructure cloud services – is critical. While cyber-security, cost, functionality and ease of use will be important criteria on which you base the decision, you also need to consider other aspects such as the service levels you will receive from the cloud service provider and how the cloud service integrates into your existing IT.
When purchasing cloud infrastructure of cloud platform services, it is important to ensure the design of the service itself is cost effective and will meet the changing requirements of your business both as it grows in good times and contracts during periods of reduced business activity. You may also need to consider issues around software licensing and integration with existing technologies used in your business.
A big difference between on-premise IT and cloud services is that cloud services are very much ‘one size fits all’ in terms of functionality, service levels, service availability etc. Even large businesses find it difficult to negotiate on anything other than price with cloud service providers, so make sure that you understand exactly what you are getting when you sign on the dotted line.
Cloud service providers will include Service Level Agreements (SLAs) in their contracts. SLAs are commitments regarding the amount of up-time they promise, system responsiveness etc. When considering entering into a contract with a service provider, make sure you think carefully about whether the SLAs are appropriate for your business, particularly if the service is business critical.
A 99.99% up time with a 1 hour response time and 4 hour fix time sounds impressive, but what if the system goes down for 4 hours at the busiest time of year? Could you cope? If not, then consider buying a better SLA, even if that means paying a bit more, or consider an alternative service provider that can provide the service levels you need.
SLAs can make or break your business – A 99.99% uptime with a 4 hour fix sounds impressive, but what if a 4 hour outage occurs on the busiest day of the year?
A key benefit of cloud services is that the service provider is responsible for maintaining and updating the system to ensure it is secure, although of course you must do your due diligence to be confident that the service provider can do this consistently over the long term!
However, there are still three key areas of vulnerability you will always be responsible for:
The interaction of cloud services with on-premise IT
Watch out for weak links between your own IT systems and the cloud service provider that could provide an open window into your systems and data. This could be anything, such as an old internet browser that hasn’t been updated on a laptop, outdated mobile phone operating systems, unpatched server software or poorly managed firewalls.
Don’t fall foul of Data Protection Regulations
A key point about cloud services providers is that although they hold your data for you on their systems, you are still accountable for complying with data protection and other regulations. Ensure you know what data is going into the cloud and in which country or legal jurisdiction it will be held, and make your own decisions regarding whether this is acceptable.
People are your weakest link
All the cyber-security in the world cannot protect your business if your employees and contractors don’t take their cyber-security responsibilities seriously. Not only is sharing accounts and passwords a security risk, but it also means you will be in breach of contract with the service provider. Phishing and Social Engineering are rife, so make sure everyone who uses your IT systems are aware of their obligations and trained to recognise when they are being targeted.
Although cloud services are, by their nature, one size fits all, it is worth trying to negotiate the best deal you possibly can right at the beginning of your relationship with the cloud provider. You always have the most leverage before you sign a contract, so now is the time to negotiate hard.
Although the price of the service will be fixed for a time, usually either one or three years, once this period ends, price rises are inevitable. To minimise the pain, try and agree with the service provider that future price rises will be linked to inflation. Another tactic, particularly for larger organisations, is to agree up-front the prices that will apply for future terms, should you continue to use the service in the longer term. Depending on your relative size and that of the service provider you are negotiating with, you may well be able to do a deal!
Cloud service providers rely on large volumes to drive economies of scale, so if you are confident that your use of the services will grow, consider making up-front purchase commitments to drive down the price. Of course, this can be a dangerous tactic if cloud consumption volumes don’t grow as planned, so make sure your business case is robust.
It is very common for businesses to ‘dip their toe in the water’ of a cloud service, but not ever really using the service to its fullest potential. Many businesses cancel the service once the first subscription term ends, a service provider’s worst nightmare.
To counteract this problem, cloud service providers often provide technical support and training; make sure you understand what non-pricing related benefits your cloud service provider may be willing to offer and take full advantage of them.
Use SAM to control cloud costs
For many businesses, one attraction of moving to the cloud is that costs are more closely aligned to the business cycle. However, signing a contract for a subscription service can be a double-edged sword if you are locked into expensive contracts in which costs do not reduce to match down-turns in the business cycle.
To minimise the risks, make sure your SAM system covers the purchasing and management of cloud services. Ensure purchasing your policies and processes cover your cloud services as well as on-premise IT. Everyone who might be involved in buying cloud services needs to understand the potential pitfalls and how to avoid them.
You also need to get on board your technical teams and any 3rd party consultants who may be advising you. It is very easy to accidentally ‘design cost’ into your cloud solutions, but this problem can be avoided by making sure different design options are priced up and considered when building the business case for a cloud service.
Good contract management and cost management is essential in ensuring your business doesn’t regret entering into a cloud agreement. Make sure you regularly examine all your cloud costs and work with those using the services to make sure that the benefits they receive are worth what you are paying for the service. If the service isn’t earning its keep, then cancel it! It’s the only way to reduce cloud costs permanently.
Who will manage the system?
Although cloud services have the potential to reduce the number of technical people you require to manage your IT, technical resource may still be required to ensure cloud application (platform-as-a-service) and cloud infrastructure (Infrastructure-as-a-service) systems are administered correctly, evolve to meet changing business needs, and to ensure integrations between on-premise and cloud systems are maintained and secure. Cloud software services (software-as-a-service) will continue to require ongoing administrative resource to ensure that new employees are added to the system and employees who leave or change their job roles have their subscriptions adjusted or terminated to avoid unnecessary charges.
Who owns the intellectual property?
For many businesses, cloud services offer an easy route for the development of new products and services, or unique tools that provide significant competitive advantage against competitors
If you work with a cloud services partner to develop new cloud services, make sure it is clear you own the intellectual property, otherwise you might find competitors using the technology you have developed!
All relationships must come to an end
The end of a cloud services contract can be a painful time, particularly if you’ve not been able to negotiate limits to future price rises. Many businesses have received a nasty surprise from their cloud services vendor when prices have been ‘jacked up’ at the end of a term, leaving the company with no choice but to pay the price increases.
If you’ve not been able to negotiate a new term in advance or otherwise limit price increases, make sure you are well prepared for the new negotiation. Start preparing early, identify who potential competitors might be, and have a realistic plan for transferring the service to them. There is nothing like a little competition to keep price increases in check!
The other eventuality that you should be prepared for is what happens if the cloud services provider goes out of business. This is particularly a risk for small start-up cloud software companies who develop an innovative product which they hope will make their fortune. The start-up dream is to sell the company to a larger software firm, but the reality is that many do go out of business. Make sure you have contingency plans in place should this happen – should you have a source-code escrow agreement in place so you can still access the software? Or might you even consider buying the start-up from the administrators, so you still have access to the intellectual property?
No matter what your options are, if a small cloud business is being wound up it is entirely possible that you will have a very limited period of time to get your data out of the system before it is wiped. If the service is business critical, make sure you have contingency plans in place to deal with this possibility.
Cloud services provide a wonderful opportunity for businesses to take advantage of innovative software, reduce their technology overheads and align IT spend with the business cycle. Like anything, though, you do need to be aware of the additional factors. Below is a check-list to help you get the most from your cloud services: