A guide to procuring Accredited Cloud

Contents
Introduction
Chapter 1: What are Accredited Cloud Services?
Chapter 2: Preparing to procure Accredited Cloud Services
Chapter 3: Comparing suppliers
Chapter 4: Making your final decision
Chapter 5: Conclusion
Introduction

The public sector, third sector and their partners are increasingly using the government’s CloudStore to find, assess and choose a cloud provider. But with more than 1000 suppliers and even more service offerings the CloudStore has become a comprehensive directory of products and services to navigate.
It is important users know how to define and apply their specific search criteria to effectively compare suppliers and procure a service that delivers the value and benefits an organisation expects from cloud.
In this guide we discuss the initiatives and the, occasionally hidden, facets buyers should be aware of. We also cover key questions to ask throughout the procurement of Accredited Infrastructure as a Service (IaaS) and managed services.
This guide serves to supplement the formal due diligence process. It assumes that buyers will check a supplier’s accreditation and certification status, amongst other things, as part of their due diligence procedures.
Chapter 1: What are Accredited Cloud Services?

An Accredited Cloud Service is most easily described as a cloud platform or virtualised infrastructure that has successfully passed an independent government accreditation. There is no such thing as a true guarantee of security but it’s as close as you’re likely to get in the public sector.
Every cloud service with confidentiality requirements should be accredited. Accreditation can fall under two broad categories:
Pan-Government Accreditation (PGA): This is for cloud services that meet a specific security requirement to use across all government departments. This is a consistent and rigorous process conducted independently of any single government body.
Departmental accreditation: This is for a service that meets the requirements for a specific government department. The process can vary substantially depending on a specific department’s security needs.
These accreditations are both credible in their own right, however if a choice is available customers should feel more confident working with suppliers that have passed the PGA process.
Working with an accredited cloud supplier brings a number of benefits:
● Accredited systems are rigorously scrutinised, with risk management playing a big part in the evaluation.
● Services are screened and tested for viability from both a security and availability perspective.
● There is likely to be a standard process for the on-boarding of a new customer; this will simplify your transition from on-premise infrastructure to a cloud supplier.
Suppliers with Pan-Government Accredited services bring further advantages:
● Services are accredited at the point of entry – significantly decreasing your time to delivery.
● Only additional applications installed over and above the base IaaS require accreditation.
Chapter 2: Preparing to procure Accredited Cloud Services

The key to successful procurement of cloud services lies in the preparation you do before you go to market: understanding what you need, why you need it and how it will fit with your organisation.
There are four main areas every organisation should consider in preparation:
Be clear about the requirement
Write your requirements clearly to ensure that suppliers can fully understand them. Review and agree them internally – you don’t want to waste time later by finding out your search criteria or requirements were incorrect.
Your requirements can be listed under two broad categories:
● Functional – this covers the technical features that you require from a service.
● Non-Functional – this tends to cover the people and skills that you require from a service.
You should also consider what level of accreditation you need. Remember you should be able to procure services at different accreditation levels and integrate them if needed. If you are unsure about how to issue requirements that account for functional and non-functional needs, or assessing your information estate, then this
Make sure you are procuring what you need
An important place to start in any procurement is to ask ‘why?’ What is driving the need to look outside of your own organisation for a product or service? If the need is one that cannot be fulfilled by internal teams then it’s likely you require a ‘service’ not just a stand-alone product. You might also consider where you are on your migration journey to the cloud and whether you need a supplier that can provide strategy development as well as deployment and support.
Identify internal changes needed
It’s common for public sector customers who have departmental accreditation to find that their organisation does not meet the standards required to host data on a Pan-Government Accredited platform. This means you may need to adjust processes to meet that standard. Procurements may shine a light on other areas such as current working practices, remote access, current IT spending,
Managed service requirements
It can be particularly challenging to define your requirements for a managed service, especially if you are outsourcing tasks currently fulfilled by internal teams. You will need to think hard about the tasks those teams perform and consider how to package these tasks appropriately. When you ask internal people to describe ‘what they do’ remember that it’s easy for them to take all the nuances and specific characteristics of a task for granted. Asking difficult questions early when specifying requirements avoids uncomfortable surprises later.

Terminology of requirements
Make sure you use terminology that accurately reflects the activities and services you need from a supplier. For example, terms such as ‘Cloud’ and ‘Cloud Managed Services’ can be ambiguous. If you plan to procure a service that requires the management of operating systems and tools such as anti-virus and backups, then this is a form of outsourcing, and using the term ‘cloud’ to describe your requirements has little relevance, if any. ‘Cloud’ is better used to describe a functional aspect of the service, such as the platform from which a service is provided.

Get the process right
Be clear on your own organisation’s procurement process – you don’t want to have to re-run part of the procurement because processes were not followed correctly. Also check your internal rules for other areas such as non-disclosure agreements (NDAs) before engaging with suppliers. Addressing this now will avoid delays later.
Chapter 3: Comparing suppliers
Pricing models
The pricing of cloud computing has become surprisingly complicated. The challenge for buyers is to ensure you are in a position to compare prices on a like-for-like basis. You can expect proposals to feature cost tables of pricing for compute (CPU and RAM), storage (often measured in gigabytes), network connectivity and much more.
You should have issued clear functional and non-functional requirements, so make sure the supplier has responded with pricing breakdowns that show which requirement each price relates to; this will make comparing proposals much easier.
Managed services
Managed services can be particularly difficult to compare, especially when G-Cloud service descriptions in their current guise resemble legal documents which are often not very accommodating of a quick web search. Because managed services pre-date the CloudStore, buyers should consider that the word ‘cloud’ now means different things to different people and as such when procuring anything, especially managed services, use of the word ‘cloud’ could lead to big variations in supplier responses.
As detailed in Section 2, when procuring managed services it’s important you effectively communicate your requirements to make sure you get a clear proposal back.
Key questions to ask a supplier include:
● What is their pricing model for managed services?
● Do they describe their service as Managed IaaS or something else, and what does that include at its most basic level?
● Try building on that basic level, layering on the services you require: where do their responsibilities end, and is this documented in a RACI-like matrix? If that leaves gaps, you’ll need to know who will fill them and at what price.
Availability and protective monitoring
If you decide to procure managed services this may include availability and protective monitoring. You will need to ask the right questions for each of these areas to help you compare services on a like-for-like basis:
Availability monitoring
Availability monitoring raises alerts and records failures and outages. It also allows uptime to be recorded and reported on. Suppliers who offer this service should be asked:
● How is it priced?
● How are reports produced?
● What is the scope of the reports?
● What level of detail do they contain?
Protective monitoring
Protective monitoring collects and analyses logs from your systems and the supplier’s systems to detect and report on suspicious and malicious activities.
Accredited protective monitoring suppliers must adhere to strict compliance guidelines on the retention and protection of logs. Make sure you understand and are comfortable with a supplier’s approach to protective monitoring. This is an area that should not be overlooked; key questions include:
● Are they GPG-13 (Good Practice Guide 13) compliant?
● What is their default retention period for the logs? Can this period be tailored to meet your specific requirements?
● How is the reporting done and are there sample reports available?
● How are you informed in the event of an incident?
● Can the monitoring extend to a range of devices outside of the supplier’s own systems, such as your on-premise devices?
● How is the protective monitoring priced? Often it is per device, throughput and storage of logs.
● What, if any, are the set-up costs?
Disaster recovery options
Disaster recovery (DR) is often categorised under two different headings:
Physical DR
This is where equipment is provided on a set notice period in the event of a disaster.
Virtual DR
This is where your tenancy is replicated to an alternate data centre. This option can be very cost effective and typically has better recovery time objectives (RTO) and recovery point objectives (RPO) than traditional DR types. Disaster recovery and availability are often covered in a platform’s Pan-Government Accreditation; however, you’re not obligated to take up a supplier’s DR option if you don’t need it.
If you do need DR it is important you understand what a supplier is offering and map this against your requirements. Key questions to ask include:
● Is the supplier offering physical or virtual DR?
● What are the supplier’s RTO and RPO for backups and DR?
● How is the DR priced? Per virtual machine or on the amount of data replicated?
● Can you mix and match systems that require DR, instead of paying unnecessarily for systems that don’t require it?
What tiers of support/SLAs are offered?
Your different services will require different levels of support, therefore it is important that you select a supplier that can be flexible and can mix tiers across your solutions. For example, you may have production, development and pre-production environments that don’t all need the top tier of service.
The level of support services you receive can be a key differentiator between suppliers, therefore it is not unreasonable to enquire about their support processes, including their service desk, incident, problem, change, and release management processes and systems. Expect suppliers to follow a recognised standard such as ITIL and offer a range of support services including an online portal into their service desk and online resources like Wikis, and FAQs.
If you are buying a managed service consider your current service needs and consider the typical and atypical service requests your organisation would require. Does the supplier’s change process cater for those requests? Does the supplier’s change process really cater for ‘the cloud’?
Business model of supplier
You are putting a lot of trust in your supplier so it’s important you understand their business model and who they are dependent on. There are three main areas to consider when evaluating how a supplier works:
1 People and skills
If a supplier relies heavily on outsourcing and
supplier has will become your alliances by proxy. Questions to ask in this area include:
● Are managed services delivered from the supplier’s own internal teams or are they themselves dependent on another supplier?
● Who are their partners and for what aspects?
● Is the new supplier comfortable working with an incumbent?
● Can they supply examples of successfully working with third parties in the past?
2 Service or commodity
Are they an IaaS supplier that occasionally offers additional value-added services or, conversely, a service-orientated company that mostly sells managed services with IaaS?
It is important to refer back to your requirements – if you are looking to outsource services, either now or in the future, then consumption and commodity based models may not be suited to your organisation.
3 Post-sales experience
The final area to consider is how the supplier will work with you after the contract is signed. Build a picture in your mind of what the project will look like from ‘end-to-end’, ask as many questions as it takes for you to be confident about how a service will transition or be implemented. Key questions to consider include:
Chapter 4: Making your final decision

Once you have created a shortlist of suppliers, make sure you have all the information needed to compare suppliers on a like-for-like basis.

Comparing information
Try to compile all your data into a format that can be easily compared. Remember that ‘cloud’ and other terms used by suppliers are not always used to describe the same thing, so it is difficult to ‘compare apples with apples’. If you don’t collate and analyse the information you could procure a system that uses your terminology but isn’t what you wanted. Resist the pressure to procure solely on price; your final decision should not rest on price alone. If it is difficult to make the final decision, consider drafting some more detailed questions and meeting suppliers again. It’s unlikely that any two suppliers are offering exactly the same thing, so more detailed questions could help. Often digging into the practical aspects of how a supplier works can give you an idea of how experienced they are. Don’t be afraid to ask difficult questions; if a supplier is credible they won’t mind.
Research
It helps to get as much context and background about the supplier as possible to help you understand their ‘company DNA’. Gather information from supplier meetings, office and data centre visits, responses to questions and proposals. Consider sharing any forms you create with suppliers; this allows suppliers to respond within the same format. However, beware that doing this assumes your form is correct and that the form accommodates all the products and services suppliers are offering. Forcing suppliers to fill in a ‘standard’ form may not do them or the solution justice.
Ask for references that have synergies with your own procurement and ask to talk to the referee directly.
Chapter 5: Conclusion

Procuring accredited cloud has undoubtedly become easier in recent years through improvements to the pan-government accreditation process and the use of CloudStore, but it is by no means easy. If anything, requirements have become more complex – budgets are smaller and the expectations of consumers for quality and rapid delivery have greatly increased.
Suppliers try to be seen as easy and simple to work with, but you need to be able to judge when something is just being over simplified. Getting your requirements right will help you to know the difference between a need and a want, which will help you put a value on products and services. Having clear and transparent requirements will encourage your suppliers to respond with clearly written proposals.
Don’t be afraid to do all the digging you need to understand how a supplier works. Ask for samples of documents such as sample reports, service level agreements (SLAs) and contracts, wherever possible. These are invaluable in getting under the skin of the organisation and how it functions.
Finally, relationships count now more than ever; build honest and open relationships with suppliers, invite questions, manage internal and external expectations of the procurement cycle and keep lines of communication open.

About Eduserv
Our Cloud Services can help you at every stage of moving to the cloud. We offer Managed Services and Consultancy on top of market leading infrastructure to help you successfully migrate to the cloud and allow you to focus on your core business.
Whether you’re looking to host a business critical website, off-site disaster recovery or to host your entire data and IT systems in a secure IL3 environment, we can help. Our Cloud Services provide on-demand, scalable and efficient storage and compute services that help save money and drive performance in the public sector.
We have more than 15 years’ experience of providing hosting services to government and also have substantial experience of cloud consultancy, design, migration and operation. We built the first UK IaaS cloud for education, one of the largest public-facing vCloud installations in Europe, and we draw on our experience to offer public sector organisations, such as the Department for Education, independent support for investigating cloud technologies.
Find out more at www.eduserv.org.uk
About the author
Max Elliott-Massouras is a Technical Consultant at Eduserv specialising in public sector hosting,