10 Considerations for Your Cloud Contracts – CIO View

Having signed two more cloud contracts this month, it feels like a good time to share what I consider to be my top 10 considerations in negotiating a cloud vendor contract. As I was writing this, I had a hard time culling the list down to just 10. I’ve learned a lot over the years and have scars to prove it. There will be different views on this depending on whether you’re talking about SaaS, IaaS or one of the other horizontals in the space (PaaS, DRaaS,..), , but these 10 are generally applicable. So, here it goes:

1. Limit price increases – There is a lot of debate on whether or not moving to the cloud is actually cheaper than on-prem applications, and my answer is that “it depends”. There are many factors that must be considered (personnel time, upgrades, etc..), but license cost is a big one. What is a fact though, is that the longer the time horizon, the more expensive the cloud alternative can become. You’re paying a constant expense stream which can blow-up any ROI analysis over time. Other than negotiating the lowest initial price you can get, the best way to limit the cost over time is to reduce the pace and amount of future price increases. There are a few ways to approach this; the first being to go for as long a stretch as possible before the first and subsequent price increases. Most vendors will give you price breaks for longer contract terms. You might think this a risky approach as you’re committing yourself to a longer contract, but I’m assuming you’ve done your due diligence and are confident you’ve picked the right vendor. Even if things don’t work out as planned, which you absolutely need to consider, you’ll not likely be in a position to actually move off completely for 2-3 years. If negotiated right, the price increases will be tied to the contract length. The second part of this is to then ensure that each increase is as low as possible. I once negotiated a 0% first anniversary increase on a 3 year contract, basically holding my per user price flat for 6 years. I also negotiated a 5 year term with a 30 day out clause. No increase for 5 years and I can leave at any time. So my long-term contract risk is……..nothing. Try it; you never know what you can get.

2. Access to Data, Integrations and SSO – Some vendors are charging different prices depending on the availability of integration connectors or API’s, while others don’t charge extra for this capability. Even if you’re not starting out with a lot of integrations on day 1, you have to be prepared for the high likelihood of needing to get data in or out early on. Even SSO connections can sometimes cost extra to set up, or not be supported at all. If your cloud vendor is relatively new and doesn’t have published SSO connectors, make sure you include this capability in the contract at no charge. It’s in the vendor’s best interest to get this done and will help them in future contracts, so there is no reason for them not to include this. Integration and connectors are key for most successful cloud implementations, and a must for many, so it is frustrating that some vendors are charging extra for these. I get the tiered, a la carte approach that helps with revenue, but I think this is one area to focus on in your contract negotiations.

3. Flexibility on your license growth – On the software and platform side, the number of users will be a key factor in the ongoing cost. Having a good understanding upfront of your one and three-year growth scenarios will help you lock in lower prices on future growth. If you’ve hit a wall on the initial price, negotiating favorable discount tiers can help in the long run. The focus should be on having a low ceiling on your initial tier.

4. Exit strategy for data and access to data if the vendor fails – One difference in having your data in the cloud is the amount of control you have over it. So what happens if the vendor does go bankrupt? What if you do decide to move off to a competitor? A vendor failing isn’t a big concern for many of the top-tier providers, but it is something you need to think through and account for. I’m lumping this into your exit strategy for getting data out as it’s a similar issue. You need to understand how you’ll get access to the data and what your options are for getting copies. Ensure that you have some time to get your data out after your contract ends, in addition to language that ensures assistance from the vendor. Once you implement and once you get data integration up and settled, you’re already a step ahead in this process.

5. Development/Sandbox environments – If you’ll be making configuration changes to your SaaS app, or rolling out new apps or pages under a platform model, it’s important to understand the availability of sandbox or dev environments. The need is really no different than on-prem apps, but the type, freshness, availability and size of the data available are important, and can vary or be an extra price. Some vendors will apply this increase to all your licenses, so pay close attention to this and push hard to get as much included for free as possible.

6. Security – This is a very broad topic, so I’ll narrow it down to encryption and masking. Is data encrypted at rest? Is confidential data masked to those who don’t have proper access? For products that rely heavily on built-in uploading/downloading (storage and synch solutions), is the data encrypted during transmission? These are key considerations in comparing vendors, and you’ll find a wide variety of options available. Don’t assume that the biggest vendors are the most secure or encrypt your data at rest. It’s not as common as you would think. Data masking is also important for internal controls to ensure PII or confidential data is not visible. Not every vendor has this capability as standard.

7. Data Center Location – If you’re a U.S company doing business solely in the U.S., then your data center location will likely be in a region close to where you do business, if you’re dealing with one of the larger SaaS providers. For some of the smaller ones, you may not have much choice in the matter. For SaaS products, I have generally found the location to be not much of an issue within the U.S. It becomes much more complicated if you’re a non-US company or you do business or have offices in other countries as two issues then arise. First, latency in accessing your data becomes something you need to worry about so ensure you understand where your key users are for the app in question, in relation to where the vendor has its data centers. The second issue is around data residency and the various legal restrictions on where your data can be stored. This has always been something to consider, especially in the EU. However, the U.S. government data snooping scandal has changed the dialogue on this and made it a critical item to consider and deal with. It’s a topic that deserves its own write-up, so I won’t dive into the specifics here, but it needs to be on your consideration list.

8. Disaster Recovery Capabilities – Having applications in the cloud means you don’t need to deal with backups and disaster recovery yourself, but it doesn’t mean you don’t need to worry about it. Understanding your vendor’s approach and processes is important. Do they backup to facilities in other geographic locations? How long do they keep backups for? What are their RPO and RTO’s? Don’t ignore this just because you won’t be managing it on a daily basis.

9. SLA’s and Support – Up-time or issue resolution SLA’s are very important, but don’t expect a lot of flexibility in this area. The larger the company, the less likely you’ll get any movement. The top-tier vendors typically exceed their SLA’s but most will not budge from relatively low up-time percentages in the contract. Issue resolution response times vary widely, with many charging extra for quicker response. As a consumer of the service, I hate that model. They want to tell me my default is 2 business days for support unless I pay more. Really?

10. Storage and growth – The amount of storage is becoming a much smaller issue than it used to be, but it’s something you still need to understand and account for. If storage is a key part of the product, then you’ll likely be getting 1TB, or an “unlimited” amount of storage per user. However, some vendors still charge for storage. As with the growth of license counts, you need to understand your initial and future requirements so your future storage needs are accounted for up front. You’ll never have the same leverage as you do in the initial contract negotiations, so go overboard on growth requirements up front to be safe.

These are just some of the key items to consider. I know you’ll have others you feel strongly about, so feel free to chime in here or on twitter.

User-Centric IT

I went to an interesting CEO/CIO gathering a few weeks back where the concept of User-Centric IT was presented by some of the leading cloud providers.  The concept, pushed and marketed by Box, Marketo, Skyhigh, Jive, Okta, Zendesk, and GoodData, professes that enterprise software should first and foremost focus on the needs of the end-user.   To be more specific, the principles of User-Centric IT are:

  1. User-Centric IT serves the business by empowering people.
  2. User-Centric IT adapts to the way people work, not the other way around.
  3. People, information and knowledge must connect in real-time.
  4. Mobility is a work-style preference, not a device.
  5. Security should be inherent and transparent to the user experience.

In my view, User-Centric IT is real and is part of the changing expectations of enterprise users due to the rise of the Consumerization of IT, and the pervasiveness of the cloud.  The principles of empowerment, mobility, and real-time connections are all standard in consumer technologies today.  It’s these expectations that are driving enterprise IT to change its focus to how the user works.  Work is now a thing and not a place.  No longer are applications just about functionality, with UI design an afterthought.  Employees are using great, user-centric tools at home and they expect the same easy to use tools while working.  The same concept is driving BYOD where users have choices in the devices they use, opting for the more consumer oriented devices.  User-Centric IT uses these same principles in empowering users to be more productive, while wrapping it all up with the security enterprises require out of their applications.

These principles are also what’s great about the cloud and why legacy apps and on-prem software face an uphill battle.  As I come across more and more industry vertical, cloud based options these days, it’s wonderful to see how each new company has taken usability to a higher level.  Of course, the social and mobile trends taking over many enterprises are the other forces driving this concept. Can’t argue with that.

The various vendors who have joined forces in marketing this principle all have products that come at the issue from different angles, whether it be enterprise collaboration, security, identity, marketing or analytics.  What they all have in common is a goal towards user enablement and mobility.  Now, some will argue that this concept is just pure marketing with no real substance.  There is definitely a marketing bent to it no doubt,  but the underlying core message does resonate with those of us who believe these trends are real.  Whether you just call it the Consumerization of IT or something else, you can’t argue with principles.  As a real believer of the how the cloud is quickening the pace of innovation in businesses and the inherent value it creates, peeling back the marketing layer uncovers real trends.

At the event, there was a lot of discussion about the challenges this brings to CIO’s.  Some were concerned about cloud sprawl, while others are dealing with deeply entrenched legacy apps that can’t just be switched or upgraded overnight.  There was also a discussion on User-Led IT vs. User-Centric IT.  User-Led is where integration, security, data  quality, and governance is given little value, focusing purely on the best looking and quickest to implement.  User-Centric IT takes this up a level, valuing the needs of the employee, but layering on the real security, integration and data quality requirements enterprises need.   These are real issues and real concerns, but it shouldn’t stop the conversation.  I believe that the CIO’s that are truly innovating and driving cloud adoption today, with an eye on social and mobile, are already using these principles for transformation and innovation.  As the cloud becomes even more entrenched as the go-to strategy for companies, concepts like User-Centric IT will be become more commonplace.

Here is a link to the User-Centric IT website