It takes a team to create a good cloud contract

The risks are best mitigated by people who come from specific roles in your organization

Is your head spinning?

I know that everything that I have said in this series of columns on the risks associated with cloud computing (and my advice on how to mitigate those risks) is a lot to take in. I've seen that "deer in the headlights" look on a few faces when I have taught my two-day "Contracting for Cloud Computing Services" seminar. How, they are wondering, are they going to effectively address all of these issues on their own?

They shouldn't try.

In fact, it takes a team to make it all work. You need to pull that team together from existing resources within your company. Titles and roles will differ from one organization to another, but these are the stakeholders who will have the most to contribute to your cloud-computing effort:

The business process owner -- This person may have identified the need for a given cloud service in the first place, and so he or she has no trouble seeing the benefits of the service. Less clear to the business process owners is the existence of risks. You must engage them as part of the team, or face the prospect of them proceeding on their own without any strategy for mitigating those risks.

The IT vendor management team -- You should make this group responsible for managing the overall relationship with the cloud vendor, from investigation to contract negotiation, use of the cloud service and on to end of life. The vendor management team is typically also responsible for leading and managing the activities of the cloud stakeholder team.

Technical personnel -- The right technical folks can effectively compare a cloud service to current practices, identify and implement integration points between a cloud service and in-house systems, and identify and manage the impact of a cloud service on the organization's infrastructure, including network capacity.

Security and policy professionals -- There's no one better to evaluate the security practices of the cloud vendor relative to the type of data involved and the business criticality of the service, and identify whether use of the cloud service aligns with existing organizational policy.

Representatives from the legal department -- Cloud computing can have wide-ranging legal implications, and the cloud is so new that legal precedents may not yet exist. It's important to engage legal counsel to identify legal issues (such as indemnification and limitations of liability) related to the contract with the cloud vendor, and determine whether use of a given cloud service is in compliance with your obligations under the law.

Procurement staff -- If a purchase can't proceed without passing a procurement office review, you'll want to bring these folks into the loop. The cloud brings new risks that procurement personnel may not be familiar with. If you don't want your cloud purchase stuck in purchasing, it will be essential to educate and engage the procurement staff.

Audit, compliance, governance and risk management gatekeepers -- These people are responsible for ensuring that organizational activities are compliant with government regulations and internal policies. Again, the challenges and risks of the cloud are novel enough that you could trip up here, so engage these gatekeepers early so that you can collectively identify and address all the issues in advance.

As in the story of the blind men who tried to describe an elephant after each had touched a different part of the beast, each stakeholder will bring a different perspective to the cloud. Some will see benefits, and others will see risks. Each perspective is valid, but they must all be brought together to get the big picture. Only then can you make a balanced decision regarding whether or not the benefits of adopting a cloud service outweigh the risks.

Working together, the team can help your organization effectively adopt cloud-computing services by doing the following:

* Monitoring and managing your relationship with the cloud vendor to ensure continued adherence to the contract terms, and determine how to effectively address when things don't go right.

* Establishing and disseminating standard processes appropriate to the acquisition of cloud-computing services, including developing guidelines and best practices regarding the appropriate use of cloud-computing services.

* Investigating and implementing opportunities for organization-wide contracts with cloud vendors to establish improved terms and conditions, including those that override the terms of click-through agreements to provide additional protections for end users.


Are you building a cloud risk mitigation team? One way to pull it together is to send key stakeholders to a "Contracting for Cloud Computing Services" seminar. The next one will be held Oct. 29-30 in Washington. I look forward to seeing you there.

Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon