Cloud procurement best practices

A finger icon tapping on one of many question mark-shaped clouds.

Procuring cloud services isn't all just about visiting a cloud provider's website, choosing a service, entering your corporate credit card number and hitting the buy button. There are several considerations to be made and not all are about cost.

One of the main issues surrounding cloud procurement boils down to the sheer number of cloud services and consumption models on offer, which can confuse many CIOs. The countless number of cloud services available can make it difficult for companies to identify and then procure the service that best meets their needs.

To compound this challenge, there is no one single way to pay for cloud services and pricing can be difficult to compare across providers. According to 451 Research, 36% of cloud providers don't publish their prices online, so businesses "have to manually engage and negotiate with over one third of providers to get a complete view of the market".

"Pricing complexity is a major procurement challenge as it can lead to unexpectedly large bills and prevent organisations realising the cost savings they originally envisaged," says Maarten van Montfoort, vice president for northwest Europe at ‎software license management business, Comparex. "To cut through this complexity, organisations need the ability to retain control over their cloud environment to minimise sprawl and unforeseen charges."

But it's important to understand the cost implications of cloud procurement. Moving to a consumption model appears cheaper but may not be if services are consumed constantly, without being shut down when not required.

"Services procured as Platform-as-a-Service (PaaS) may show savings over Infrastructure-as-a-Service (IaaS) when the internal support costs are considered and the costs of managing Software-as-a-Service (SaaS) procured services and the data in them may become a factor," says Pete Hulme, data centre technical lead at IT services firm, Dimension Data.

"Understanding of the requirements for managed and unmanaged services and their true costs is a key requirement for designing a procurement strategy."

Costs aside, there are many other issues at stake. Procuring cloud services isn't just what the IT department thinks is good for the business. Hulme says it's really a core business operations decision involving stakeholders throughout the organisation.

"It's vital to involve the key stakeholders in the process and to clearly understand both the objectives and the desired outcomes from all perspectives. It is crucial to understand that cloud computing is fundamentally different from traditional IT and to understand what this means (both positive and negative) before developing a procurement plan," he says.

Putting best practices into practice

Before embarking on procuring cloud services, organisations need to understand both what they need and what the marketplace can offer in terms of options and services.

"If your core business is insurance services then you don't want to be running your own datacentre and likewise if your core business is providing hosted cloud services then you don't want to be offering Insurance services," says Nathan Johnston, solutions architect at UK cloud hosting provider, Memset.

"In other words, stick to your core competencies and use specialists not generalists for providing, helping and supporting your IT estate."

Rich Lockey, UK country manager at software asset managements and volume licensing company, Crayon, says that organisations need to make sure when signing up for cloud-based services, they understand the reality behind how long they're going to be doing it for.

"Short-term procurement is actually quite expensive -- if you extrapolate out a few week instance of a major cloud provider's platform and you end up keeping it for 12 months you're probably going to be paying between 40% and 60% too much money," he says.

Owen Rogers, research director of the digital economics unit at 451 Research says that cloud providors should consider building price cuts into your contract such that organisations always get the best deal on an ongoing basis.

"Service providers benefit [from] offering such schemes by securing commitments from customers, whilst giving the customer the assurance that they're always getting good value. The Cloud Price Index can be a useful independent guide of changes in cloud pricing globally," he adds.

Mark Peacock, the Hackett Group IT transformation practice leader and principal says due diligence around security, data portability and service levels is also critical.

"You need to examine the technical architecture of the solution, and how data is getting to and from it, particularly if you're orchestrating a hybrid solution that includes on-premise and cloud components. It's critical to know that the system will meet your needs from a security and performance standpoint," he says.

He adds that a clear understanding of price modelling over a five-year time horizon is also critical.

"A lot of SaaS contracts can look attractive at first. But as they expand on a per-person basis, the price can increase dramatically. This is very different from the on-premise solutions companies are used to, which generally have high fixed costs, but low variable costs," he says.

Cloud and GDPR

One of the biggest considerations for organisations in the next 12 months when it comes to cloud procurement is GDPR. It represents the biggest shake-up for data protection of modern times, according to Peter Groucutt, managing director at backup and recovery services provider, Databarracks.

"The magnitude of these fines is potentially disastrous for an organisation and so we are starting to see a face-off in cloud procurement between the data controllers (customers) and data processors (vendors) over who is liable in the event of a breach," he says.

He adds that the regulations have "dramatically altered this landscape and how traditional procurement contracts are now to be negotiated".

"In practice, data processors are now facing requests from their data controller for unlimited liability, to mitigate against the risk of a breach. The cloud service provider with thousands of customers can't possibly accept that level of risk but the customer will understandably feel uncomfortable about the limited liability in existing contracts in light of greater exposure under the GDPR," he says.

Groucutt adds that the fallout from this is difficult negotiations which will include agenda items such as realistic liability caps, liability triggers and the need for amendments to insurance policies.

"At this early stage there are no market standards so the critical question most will find themselves asking is how much liability will each party be willing to give?"

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.