Microsoft Launches Cloud Services Due Diligence Checklist

Microsoft has released a new Cloud Services Due Diligence Checklist to help companies compare cloud service providers and reach more attractive user agreements.

Microsoft logo

Microsoft has developed a new Cloud Services Due Diligence Checklist to better enable customers to make better cloud procurement decisions, as more and more organizations are looking to migrate workloads to the cloud.

Despite the benefits of cloud computing being clear, many organizations struggle with the process of contracting with and managing cloud service providers—particularly organizations that may use multiple providers.

Even for companies that already manage multiple, complex business processes in the cloud, the process can be challenging and inconsistent, said Alex Li, a principal standards analyst at Microsoft, in a blog post.

Indeed, in guidance on the checklist Microsoft notes that the move to the cloud raises key strategic issues for an organization, such as how will data be secured, where will it be located, and how available will it be when it is no longer on-premises? Moreover, organizations must ask how the organization will continue to meet regulatory obligations. And how will the privacy of sensitive customer and employee data be protected?

In his post, Li argues that before the companies procuring cloud services can assess and compare the level of service offered by different cloud service providers, they need to clearly identify their own objectives and requirements.

Yet, many organizations have no structured way to determine these objectives or guidance through the decision-making process, Li said. And without a standardized approach, companies have inked agreements that have not been in their best interest. This is where the checklist can help.

Microsoft commissioned Forrester Consulting to conduct a study on cloud service agreements. The results showed that organizations almost always lack standardized cloud agreements and often omit important considerations. The study also found that missing terms can have significant impact, and that more consistent contracting leads to improved project delivery, better quality control, increased profitability and more.

Microsoft developed its checklist to help organizations with due diligence as they consider a move to the cloud. It helps customers to identify their own performance, service, data management and governance objectives and requirements. And in the process, it enables companies to compare different cloud service providers.

Microsoft based its checklist on the International Organization for Standardization (ISO)'s recently issued Cloud Computing Service Level Agreement Framework, also known as ISO/IEC 19086-1. Microsoft was a member of the panel of experts that developed the ISO standard over a three-year period.

"The Microsoft checklist distills the standard's 37 pages into a simpler, two-page document that organizations can use to negotiate a cloud service agreement that meets their business objectives," the company said in an overview of the checklist.

According to Li, the checklist also enables key internal decision-makers to be involved in the process of evaluating cloud service providers. Additionally, it helps organizations identify up-front any potential issues that could affect a cloud project. And it "simplifies the comparison of offerings from different cloud service providers through a set of questions with consistent terms and definitions for each provider," he noted.

Meanwhile, the Forrester study showed that more than 94 percent of organizations surveyed said they would change some terms in their current cloud agreement.

"Due to their complex nature, cloud agreements almost invariably omit some considerations and SLAs [service level agreements], leading to consequences for the business when problems later arise," the Forrester study said.

For example, 48 percent of respondents said if they could redo their most recent cloud agreement, they would include more stipulations about security. In addition, many respondents also would have included more stipulations about privacy (41 percent), performance (36 percent), availability (31 percent), roles and responsibilities (30 percent) and accessibility (28 percent).

The study also found that many respondents also said they wish they had incorporated more points of view and considerations when developing their cloud agreements, both from the organization's internal key stakeholders (37 percent) and from external resources on standards and best practices (23 percent).

"Our study found that respondents tend to rate security processes (which presumably include compliance and privacy considerations) as the most important, followed by favorable pricing, payments and subscription terms," the Forrester study said. "Additional considerations include clear rules about data usage and access, terms that provide confidence about performance and availability, and a support model that will maximize success."

Overall, the Forrester study had three key findings: There's more to cloud service provider selection than cost; cloud agreements are often missing key considerations; and the ISO/IEC 19086-1 Standard—upon which the Microsoft checklist is built—will help organizations meet new requirements.

"Businesses have high expectations for their cloud service providers," said Bill Martorelli, principal analyst at Forrester Research. "Rather than solely prioritizing cost in their vendor selection, they prefer vendors that can lend their business process expertise to help fulfill growing needs for innovation and fulfilling the business technology agenda."

Martorelli said Forrester surveyed 467 enterprises, small-to-midsized businesses and government organizations for the study.

"In conclusion, the cloud presents a great opportunity for companies to improve their agility, scalability and financial flexibility while making new technology advancements, but also presents new challenges in defining standards for what buyers and sellers should include in their cloud agreements," he said, noting that the ISO standard and the checklist should help make for easier negotiations and higher quality cloud agreements.