T2P IT Service and Process Management News

Cloud contracts gone astray

2011-03-23T11:00:09Z

IT may be prepping for a move to the cloud, but finance needs to make sure that the savings this new technology brings won’t be cancelled out by poorly executed contracts for service. That’s the word from the folks at Gartner, who’ve recently issued some guidelines for agreements with vendors.

Cloud computing done right can bring big cost savings for IT. But contracts and deals must be closely examined so shortcomings can be addressed.

Here are the biggest risks, according to a recent Gartner report:

Cloud contracts aren’t mature for all markets – Some cloud services have been around longer than others, and providers venturing into newer areas may not have figured out how to handle the security, performance and other needs required by most businesses.
Contract terms generally favor vendors – The way cloud services are structured makes it difficult to customize contracts based on customers’ needs. That can often result in standardized contract terms that better serve the vendor’s interests. And there may not be room for much negotiations, so companies should adjust their expectations accordingly.
Contracts are easily changed by the vendor – Cloud service contracts are often long and confusing, making it easy for some vendors to change terms without all of their customers noticing. Business must completely understand all terms of the contract before signing it.
Contracts don’t have clear service commitments – One key weapon IT has in dealing with a cloud provider is a service guarantee. But too often, service guarantees are vague and don’t include any real penalties for the vendor. Businesses should make sure those terms are acceptable before entering into an agreement.

Outsourcing: Why CIOs Hate How You Sell IT Services

2011-03-10T18:36:00Z

IT vendors spend $25 billion a year on lead generation, while CIOs have become skilled at the art of evasion. The technology marketplace is inefficient and often acrimonious. CIO.com talked to xPeerient CEO Mark Hall about why the IT marketplace is broken and what he thinks could fix it.

How to integrate an acquired company in just 90 days

2011-03-21T10:00:00Z

Avnet's M&A playbook allows it to bring acquired companies -- and their IT systems -- into the fold with 'deliberate speed' -- usually within 90 days.

A Metrics System for the CIO

2011-03-21T04:00:00Z

Metrics can have a very interesting effect. You just have to present them properly.

ISF Lists 'Seven Deadly Sins' of Cloud Computing

2011-03-22T04:00:00Z

The Information Security Forum (ISF) has identified the "seven deadly sins" of cloud computing implementations in a new report, and has offered guidance on how to tackle them.

Cloud Computing: What CIOs Need to Know About Integration

2010-05-15T04:00:00Z

When combining cloud computing services with internal systems, confusion reigns. The reasons: lack of standards, concerns about availability and the potential for vendor lock-in.

How Kelly Services Manages Risk in the Cloud

2011-03-23T04:00:00Z

CSO contributor Bob Violino recently interviewed Rosie Rivel, senior manager of IT global risk and compliance at Kelly, regarding risk and the cloud.

Concerns with cloud backup solutions: Security and performance top list

2010-12-14T14:22:59Z

Cloud backup services promise inexpensive capacity, lower capital expenses, and simplified data management. Learn the top concerns about implementing cloud backup storage through a case study of one administrator's move to a cloud-based backup service.

Microsoft Document Outlines Its Cloud Security Infrastructure

2010-11-15T07:00:00Z

Microsoft's new white paper explains the organizational and standards-based underpinnings of its cloud security efforts.

Small Clouds: Security Selection Criteria

2010-11-23T05:00:00Z

There are a variety of players positioning themselves in the cloud computing arena today. How does a small/medium business or home office user choose a cloud-computer partner? What small cloud security concerns can tip the balance in choosing a cloud computing partner?

SaaS's Troubled Adolescence: Three Signs of Immaturity

2010-06-01T04:00:00Z

A new Forrester Research survey of enterprise software buyers sheds light on SaaS's blind spots: troubling security concerns, hidden integration costs, and data migration challenges.

Cloud Computing: What CIOs Need to Know About Integration

2010-05-15T04:00:00Z

When combining cloud computing services with internal systems, confusion reigns. The reasons: lack of standards, concerns about availability and the potential for vendor lock-in.

Risks of New Silos, No Standards Hang Over Cloud - Information Management

2010-11-23T21:51:09Z

Risks of New Silos, No Standards Hang Over Cloud
Information Management
... planning or moving their companies to the cloud, but that only 34 percent of those companies have a plan in place for information governance and access. ...

The Real Measure of Great End-User Services

2007-08-22T04:00:00Z

IT support should be tied explicitly to its impact on user productivity and business-unit performance, but most organizations remain caught in the IT support trap perpetuated by misguided SLAs.

For Many Enterprises, Cloud Doesn't Offer Enough Control - IT Business Edge (blog)

2010-07-22T20:09:47Z

Computeach

For Many Enterprises, Cloud Doesn't Offer Enough Control
IT Business Edge (blog)
... relate to some of the most common cloud concerns: security, availability/uptime, reliability, compliance/regulatory requirements and risk management. ...
What the Government Has Learned From Cloud Computing: Talking With Tarak ModiebizQ (blog)

all 56 news articles »

Cloud Security: Perception Is Reality - InformationWeek

2010-07-24T04:00:06Z

Cloud Security: Perception Is Reality
InformationWeek
Customers also will want to verify what operational controls and practices the provider has in place. But let's be clear: There's only so much information ...

and more »

Five Key Questions When Considering Working with a Cloud Service Provider - IT Business Edge (blog)

2010-05-24T21:26:52Z

Five Key Questions When Considering Working with a Cloud Service Provider
IT Business Edge (blog)
Second is the technology itself being used. What we've seen is most organizations are using homegrown systems that have no auditing, no encryption, ...
Lieberman Software Joins Raytheon's Partner Referral ProgramConsumer Electronics Net (press release) (subscription)

all 8 news articles »

Logicworks Launches “The Compliant Cloud” - Business Wire (press release)

2010-06-03T12:01:48Z

Logicworks Launches “The Compliant Cloud”
Business Wire (press release)
Logicworks' careful focus on sophisticated projects with complex technology requirements lead to their unique approach to cloud-computing. ...

and more »

A pharma giant goes a little bit virtual - Crain's New York Business

2010-06-06T10:12:39Z

A pharma giant goes a little bit virtual
Crain's New York Business
He adds that the company spent about seven months discussing its security needs with Amazon and auditing the service for potential issues. ...

Categories of Security Controls in Outsourcing

2010-05-25T16:19:08Z

As I’m going through a wide variety of control frameworks in a managed services/cloud environment, I’m reminded of how controls work when you’re a service provider. Mentally, I break them down into four “buckets”:

Controls that I provide to all customers as part of my baseline. In other words, these are things that I do for all of my customers because it’s either part of the way that I do business or it makes sense to do it once and scale it out to everybody. Typically these are holistic information security program things (ISO 17799/27001/27002 or similar) matched up with my service-delivery architecture.
Controls that I provide as an add-on service. Not all of my customers need these but I want to offer them to my customers to help them with their security program. Usually these are services and products supporting a regulatory framework specific to one industry: PCI-DSS, FISMA, GLBA, etc fit in here if my market is not exclusive to customers governed by those regulations. In order to keep the base cost for the other customers low, these aren’t included in the base service but are available for a price.
Controls that I am planning on building. I don’t have them yet but they’re on my roadmap. Sometimes this is how I get into new markets by building the products and services that match up against the regulatory framework for that market, then build to that as a specification.
Controls that I will not provide. Maybe this control doesn’t apply to my products and service (The “We don’t actually own a Windows/HP-UX/AIX server” problem). Maybe the controls framework didn’t scope my solutions into its assumptions. Maybe the economics of this didn’t work out. Maybe I don’t provide this because it’s dishonest for both myself and you as my customer for me to say I provide this–think along the lines of accepting risk on your behalf which puts me into a conflict of interest. This is why any vendor who says they provide 100% compliancy against FooFramework is lying.

Transparency ties it all together. The good providers will tell you upfront which controls belong in which buckets.

Tool Bucket photo by tornatore.

Similar Posts: