Build a Cloud Procurement Strategy

Learning Objectives

After completing this unit, you’ll be able to:

Differentiate between traditional and cloud procurement.
Apply best practices to build a cloud acquisition strategy.

Note

This module was produced in collaboration with Amazon Web Services, which owns, supports, and maintains the Amazon Web Services products, services, and features described here. Use of Amazon Web Services products, services, and features is governed by privacy policies and service agreements maintained by Amazon Web Services.

When you buy a cloud infrastructure, you’re not buying physical assets tailored to your needs. You’re buying access to standardized compute, storage, and other IT services. And they run in a cloud service provider’s data centers. You’re only paying for the resources you use.

This makes buying cloud technologies different from buying traditional on-premises hardware, with different considerations. This module focuses on the strategies for successful cloud acquisition.

How Buying Cloud Technology Is Different

Since you don’t purchase custom physical assets, you shouldn’t approach cloud procurement as if you are. You pay for services that you use as building blocks to create your own custom solution. You’re still responsible for tailoring, managing, and optimizing the technology for your specific purposes.

Plan Early to Get the Full Benefit of the Cloud

A cloud infrastructure affects more than just how you build solutions. Procurement managers must involve all key stakeholders in their organization (legal, budget/finance, security, IT, and business leadership) early. Working with your stakeholders across the company ensures you fully understand how it affects your company across several broad areas.

Procurement
Culture
Security and Compliance
Policy
Business Uses/Definition

You learn more about these later in this module.

a slide entitled Cloud Adoption Has Several Parts, calling out the points mentioned, which equates to Broad Adoption

Also, engage cloud service providers early. Learn about the capabilities they provide and how to best use them to meet your goals. Get a clear idea of how their services can shape your procurement decisions.

Avoid Overly Prescriptive Requirements

Recycling prescriptive data center requirements will very likely result in cloud service providers being unable to bid for business. Even if you’re able to work with a provider, with overly prescriptive requirements you’re still at risk of a poorly designed contract that can get in the way of getting the full capabilities and benefits of the cloud.

Focus on broad service descriptions and innovation—Cloud service providers regularly update services, adding new features and functionality. You should ensure that your contract enables this type of innovation. Providing broad service descriptions in a cloud procurement (such as compute, storage, optimization, and so on) allows providers to add service updates after the submission deadline.
Focus on outcome and benefits—Customers should expect that a cloud service provider delivers the ability to view billing and usage information at both granular and summary levels, visualizing patterns in spending over time, in addition to forecasting future spend. Customers shouldn’t expect to tell a provider how they should provide this functionality.

Find the Right Support for Your Cloud Adoption Strategy

Before starting the cloud acquisition process, consider whether you want to purchase, deploy, and migrate workloads to the cloud yourself, or if you want a specialist/consultant to do this for you. Cloud adoption takes place in phases and you should assess each stage to ensure you have the right mix of business, consulting, and technology support in place.

the steps in a cloud adoption process; Identify Stakeholders, Business/Policy/Legal/Security Discussions, Market Survey/Request for Info (RFI), Draft RFP/Draft Tender, Consultative Phase, RFP/Tender, Orals/Demo, Negotiation/Award, and finally Operationalization; Draft RFP/Draft Tender is highlighted and there’s a message to Know your role in the steps

There is a difference between procurement of cloud services and procurement of labor to use cloud services. Successful cloud strategies separate cloud technology provided by a cloud service provider (for example, compute, database, networking), from hands-on services and labor, or other managed services that customers need to use cloud technology.

Cloud technology and labor services, such as labor for planning, developing, executing, and maintaining cloud migrations and workloads, can be provided by partners or other third parties as one comprehensive solution, or purchased separately. Cloud technology should be regarded as a separate service with distinct roles and responsibilities, SLAs (service-level agreements), and terms and conditions.

The chart provides a more detailed breakdown of responsibilities and expectations.

Cloud Service Provider	Resellers, System Integrators (SIs), Managed Services	Public Sector Customers
Cloud XaaS Professional Services Training Support Marketplace	Requirements Analysis Strategy and Roadmap Solution Design and Architecture Application Development/Support Tech Review and Audit Implementation/Migration Governance Security Billing and Account Management Program Management Service Desk

Know the Cloud Payment Model

To realize the benefits of cloud computing, think beyond the commonly accepted approach of fixed-price contracting. When designing cloud pricing as part of your acquisition strategy, consider the:

Pay-as-you-go utility model—Unlike traditional IT infrastructure where customers must guess their usage and pay up front for resources, cloud customers only need to pay for what they consume. Therefore cloud acquisition strategies need to account for fluctuating demand, with a contract that lets customers pay for services as they are consumed.
Market pricing—Cloud pricing fluctuates based on market pricing. To take advantage of the dynamic and competitive nature of cloud pricing, customers should allow for flexibility in their procurement strategy.

You should be able to evaluate different cloud service providers based on publicly available, up-to-date pricing and tools that allow you to evaluate their total cost of ownership.

Use Third-Party Accreditations for Security, Privacy, and Auditing

Research existing industry best practices and use third-party auditing to evaluate cloud service providers. Using these existing resources prevents overly burdensome processes and duplication. For example, rather than asking hundreds of security control questions, instead ask whether a cloud service provider is certified for specific third-party accreditations such as Cloud Security Alliance (CSA) Controls or International Organization for Standardization (ISO) 9001. These accreditations bundle hundreds of security controls within their auditing.

This approach also helps you focus on cloud-based compliance topics, as opposed to those which are hardware-specific. For example, instead of physically auditing a data center which is not feasible in the cloud model, ask for an accredited certification that their data centers are audited regularly to ensure they are secure.

Understand How the Shared Responsibility for Security Affects How You Buy

In AWS Cloud Security, you learn about the Shared Responsibility Model. This is the default approach to using cloud technology for your business. Because security responsibilities are shared, require cloud service providers to share information about:

Security capabilities of their platform so you can meet your responsibilities in the shared responsibility model. For example, customers should ask cloud service providers to explain the features to define, enforce, and manage user access policies across cloud services. It’s your responsibility to use such features to manage your own security requirements.
Standardized capabilities of their infrastructure so customers can make their unique cloud environment secure. For example, cloud service providers should provide network firewalls and web application firewall capabilities to create private networks, and control access to instances and applications.

Assess Cloud Governance Controls

One of the benefits of the cloud is that customers retain full control and ownership over their data. This includes the ability to restrict access to their data and infrastructure using identity and access controls and capabilities.

Because you maintain control over your data, as part of any acquisition strategy you should assess the cloud service provider’s full range of capabilities to meet your cloud governance needs. Ask yourself, does the cloud service provider offer a managed single sign-on service that allows users to centrally manage access to multiple accounts and business applications?

Know How to Build Cloud Terms and Conditions

Cloud terms and conditions are designed to reflect how a cloud services model functions—physical assets are not being purchased, cloud service providers operate at massive one-to-many scale to offer standardized services, and so on. It is therefore critical that you:

Engage cloud service providers early to get the best fit and resolve differences.
Avoid traditional hardware terms and conditions as the basis for a cloud contract.
Incorporate and use the cloud service provider’s terms to the fullest extent possible to avoid misalignment.
Recognize the different terms and conditions between cloud service providers, cloud managed service providers, and resellers.

Define Your Cloud Evaluation Criteria

To evaluate the best solution for your requirements, take into account the unique features of cloud. Specifically, cloud evaluation criteria should focus on:

System performance requirements
Proven ability to optimize and reduce costs
Value added services (such as monitoring and security services offered at no additional charge)

In-person product demos can be an effective way for end users to test cloud offerings and for the award decision to reflect the best fit for your business needs.