Smart Cloud Contract Negotiation Strategies

NOT LICENSED FOR DISTRIBUTION
Smart Cloud Contract Negotiation Strategies

What To Seek And What To Abandon For Effective Cloud Contract Negotiation
by Bill Martorelli and Liz Herbert

April 20, 2018
Why Read This Report Key Takeaways

With accelerating usage of the cloud comes All Cloud Is Not Created Equal
the growing need to contract effectively. The Pricing, lock-in variables, features, service-level
apparent simplicity of the cloud in theory masks agreements (SLAs), and other major decision
considerable complexity in practice. Enterprise factors vary considerably across the many
customers require contracts sufficient to allay the forms of cloud, including software-as-a-service
governance and regulatory compliance concerns (SaaS) and infrastructure-as-a-service (IaaS). Be
of large enterprise executives and boards. This aware of the key differences when forming your
report helps infrastructure and operations (I&O) negotiating strategy.
professionals understand the nuances of cloud
Customer Negotiating Power Is Improving,
contracts and how best to negotiate cloud
But Not As Much As You’d Like
service terms for their businesses.
As enterprises expand their cloud consumption,
increased cloud spending compels more-
complete negotiations. With bigger consolidated
cloud deals come bigger discounts, especially
for SaaS, but don’t expect deep discounts for
platform services.
Use Enterprise Agreements To Get The

Best Deal
More cloud usage means placing more trust in
these services. Senior executives, boards, and
regulators insist on the right balance of risk
and strong governance to ensure this balance.
Enterprise contracts are likely to yield the
best possible terms and conditions — but not
without effort.
forrester.com
For Infrastructure & Operations Professionals

by Bill Martorelli and Liz Herbert

with Glenn O’Donnell, Sandy Rogers, Andras Cser, Basak Oztahtaci, and Diane Lynch
April 20, 2018
Table Of Contents Related Research Documents

2 Cloud Contract Negotiation Stakes Are Improve Agility With Forrester’s Software And
Rising With Cloud Growth SaaS Contract Review Checklist
These Key Principles Drive Effective Cloud Navigate The Limitations Of Public Cloud
Negotiating Strategies Agreements And SLAs
Use Our Checklist To Protect Yourself In

Cloud Deals
Recommendations
7 You’ll Have To Assume Some Risk — So Do
Share reports with colleagues.
It Intelligently
Enhance your membership with
9 Supplemental Material Research Share.
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
© 2018 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,
Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research,
Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing
is a violation of copyright law. Citations@forrester.com or +1 866-367-7378
For Infrastructure & Operations Professionals April 20, 2018
Cloud Contract Negotiation Stakes Are Rising With Cloud Growth

2018 is shaping up as a banner year for cloud negotiations due to a variety of factors, including
growing customer demand and rising regulatory hurdles like the European Union’s General Data
Protection Regulation (GDPR).1 Although relatively simple contractual structures were once acceptable
for experimental cloud usage and limited SaaS deployments, growing enterprise reliance on these
platforms requires a step up in sophistication. Providers have come a long way in demonstrating their
understanding of enterprise needs, but I&O leaders must still pay significant attention, given that the
stakes are high — and getting higher.
›› Cloud deal size is rapidly growing. SaaS was first out of the gate with significant customer
commitments to leading products like Salesforce and Workday, but the size of contracts for
public cloud solutions from the hyperscale public cloud providers has shown similar, if belated,
growth. Contracts of up to $100 million are becoming routine and will only grow from here as cloud
migration strategies continue to accelerate.
›› Cloud negotiations are inherently complex. Public cloud suppliers typically use the same basic
toolkits, including reserved instances and volume discounts, but the way they use them can vary
significantly. SaaS suppliers, for their part, embrace a similar range of pricing models but can vary
significantly in their policies for payment, for charging customers for new functionality, and for
demanding price increases at renewal time. Watch out for divergences of a more significant nature;
for example, suppliers differ significantly in their use of data egress charges, which can prove a
very costly barrier to cloud portability.
›› Competition is intensifying. SaaS competition is increasing as enterprise giants like Microsoft,

Oracle, and SAP move in. And with the advent of multiple hybrid cloud alternatives such as
Google’s partnership with Cisco, Microsoft’s Azure Stack, and VMware’s cloud alliances with
Amazon and IBM, 2018 is a watershed year for multicloud and hybrid cloud scenarios. The stage is
set for a highly competitive year for cloud service providers. The lesson: Spend some preparation
time to get the best deal you can.
These Key Principles Drive Effective Cloud Negotiating Strategies
Negotiating with cloud service providers presents certain challenges, but customers can rely on key
principles when contemplating their negotiating strategies.
›› Flexibility costs money. Any form of variable demand capacity entails a premium price on
unlimited flexibility, and cloud is no exception. In addition, expect to pay for any effort on your
specific behalf that costs the supplier money, such as customization to the SaaS platform itself
or nonstandard maintenance windows. The days of customization for the sake of competitive
differentiation are dwindling fast.
© 2018 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 2
Citations@forrester.com or +1 866-367-7378
›› “Man prates, but gold speaks,” says the old Italian proverb.2 In other words, money talks (you
know the rest). Make no mistake: Cloud suppliers respect and appreciate significant customer
buying intentions, so expect that notable deals will get you some attention. However, a prospective
deal that doesn’t break the $10 million barrier likely won’t get you much. Buyers should note that a
“big” cloud deal is relative to the vendor: A deal of $2 million per year for Salesforce is still notable,
whereas Amazon’s idea of a big deal is much greater. Unless you’re spending more than $25 million
a year with Amazon Web Services (AWS), don’t expect much. “They pretty much dictate,” observed
one partnering management service provider. “We take dictation.”
›› Discounts are available, but thresholds differ across service types. Cloud pricing basics
are often an open book, available on websites across all cloud categories, but suppliers usually
discuss the finer points under a cloak of silence. Chief among these is the question of discounts.
Many discount programs exist, including those based on cumulative spend as well as discounting
of other kinds, such as use of reserved instances. However, while SaaS discounts can resemble
those familiar from conventional software and hardware acquisitions, which are up to 80% in some
cases, discounts for IaaS tend to be much lower, usually in the range of 15% to 20%. Moreover,
cloud suppliers will target other types of discounts, such as those to encourage migration, when it
suits them. But be aware that they’ll generally resist any suggestion that these discounts represent
programs available to all.
›› Cloud suppliers are inconsistent across customer engagements. Customers tend to think that
a cloud service provider will respond similarly across customer engagements. “How much is the
maximum discount I can expect?” is one frequent question that Forrester hears. Another is, “What
will Amazon readily yield on, and what will it resist conceding?” But the highly individualized — and
highly secretive — nature of cloud negotiations confounds such questions; don’t waste your time
on them. Of course, cloud suppliers have “deal desks,” as most technology suppliers do, but as
usual, their willingness to negotiate a point is inconsistent across product lines, geographic regions,
and specific times on their yearly calendars.
›› The enterprise agreement is a key strategy to get the best overall deal. Enterprise agreements
are a key tool for getting the most favorable price and the best terms. Buyers should note that the
term “enterprise agreement” takes on slightly different meaning in SaaS versus cloud platforms,
though the reason for using it is similar. In cloud platforms, the enterprise agreement is like a
master services agreement, something more formal than buying off the website in a pay-as-you-
go model.3 In SaaS, the enterprise agreement is more focused on aggregation of spend across
the enterprise, which may be based on different pricing models such as corporate revenue or
corporate headcount rather than a true user/usage metric. As with cloud platforms, the best SaaS
deals come through enterprise agreements. The vendor is willing to enter them because they
typically entail a large and strategic commitment.
Use Our Checklist To Protect Yourself In Cloud Deals
Our clients frequently ask us about cloud service pricing. They want to know if a provider is quoting
them a good discount or what they should expect to pay for a service. But the answers to these
questions are only a small part of the overall deal. Click the link in the download box at the beginning
of this report on Forrester.com for an Excel tool that outlines key categories for cloud contracts and
advice for negotiating with cloud vendors. The key categories necessary for inking a great cloud deal
are (see Figure 1):
›› Favorable pricing, payments, and subscription terms. Because suppliers sometimes offer cloud
services based on specific term lengths, unlike project services, customers are often concerned
about possible pricing increases at renewal time. Just because cloud services don’t have specific
term commitments in theory doesn’t mean that customers don’t encounter them in practice. For
example, multiyear contracts are typical for large-scale SaaS. And watch for feature commitments
from the vendor; with typical agreements, a cloud or SaaS provider is generally free to eliminate
features without giving any thought to the impact on customers using the feature. Although suppliers
tend to accumulate — not eliminate — features, customers feel better when they have contractual
protection for their use of specific features.4 Finally, SaaS customers often surrender their right to
termination for convenience due to availability of try-before-buy policies, but termination for cause
remains a way out if they can expand the definition of “cause” to include poor performance.
›› Clear rules about data usage, storage, and access. At the heart of regulatory regimes is the
question of data location and access. The ability to specify the location of data at rest and in
motion is essential to regulatory compliance for large enterprises, especially global companies,
and is particularly relevant to European data protection laws.5 As the hyperscale providers continue
their global expansion, they can offer greater location specificity. In addition, the treatment of data
after termination has become an extremely sensitive topic. Conditions of its return to the customer
are an essential consideration, as well as whether the vendor can subsequently use any of the data
in anonymized form for machine learning or other purposes.
›› A defined plan for business continuity. Just because the cloud service is typically under the
supplier’s control doesn’t mean the customer is free from all concerns about ongoing availability
and disaster recovery. Sometimes, SaaS suppliers don’t provide all the protections that customers
believe they do.6 Smart customers make sure they review the business continuity plan and include
contractual language about recovery point objective (RPO) and recovery time objective (RTO). Buyers
dissatisfied with the conditions for continuity can turn to third-party redundancy options, for a fee.
›› Security provisions that provide meaningful protection. Leading cloud vendors typically provide
better security than a customer can on its own — but not always. Standards such as SOC 2
and ISO20018 are common — but not everywhere. And cloud suppliers are notorious for merely
providing a “commercial best effort” for protection of sensitive customer data. Thus, you must be
certain that sufficient contractual protections are in place.7 Additionally, customers should always
look at hypervisor security; network security; software-defined networking (SDN); guest OS-level
security features (file integrity monitoring); firewalling; IDS/IPS; and ease of use of the security
console. Be mindful of special issues, such as in a chain of cloud solutions (e.g., an app running
on Azure), in which you may effectively have two suppliers managing security — which means
possible finger pointing.
›› A support model that will ensure that you get the most out of your solution. Buyers must
recognize that cloud is different and that the nature of multitenant delivery means that the provider
handles most break/fix and patching issues quickly and seamlessly across all its customers.
This eliminates much of what most would define as traditional support. However, where you do
need support, such as for connections between SaaS solutions, expect to experience lower
commitments than with other models like on-premises software or managed services. Increasingly,
we see cloud providers including more value-add elements under the umbrella of support,
including administration resources or deployment accelerators/quick-start packages.
›› Benchmarking that benefits you without invading your privacy. Benchmarking brings specific
challenges to cloud contracts, with important differences across IaaS and SaaS. With IaaS, the
principal direction for pricing is downward, as is generally true in managed services. With SaaS,
customers are on the lookout for unwarranted or unexpected price increases.
›› SLAs that give you confidence about performance and availability. The goal of projecting
financial pain on your supplier for inadequate performance doesn’t really apply in the cloud. This
is because, in many ways, cloud contracts are, ultimately, designed not to pay out for missed
SLAs — suppliers are typically beholden only to extend additional services rather than pay a true
financial penalty. Moreover, the responsibility for SLA misses is often the explicit responsibility of
the customer.8 Enterprises will find it hard to negotiate for specific SLA exceptions; instead, they
must prepare to view the SLA mechanism in a new light.
›› Bidirectional indemnification and adequate limitations on liability for data exposure. Cloud
customers are often highly sensitive to the risk of data exposure. Basic cloud agreements typically
restrict limitations of liability to a multiple of monthly service charges, normally starting at either
six or 12 months. Enterprise agreements can lend liability a more expansive treatment, such as
adding a monetary threshold in addition to the monthly service fee calculation. For example, such
agreements can specify the limitation of liability as the lesser of 12 months of service fees, or $20
million. With the size of cloud contracts growing so quickly, this apparent disparity is narrowing
rapidly. Indemnification should be bidirectional and offer protections focused appropriately in the
context of intellectual property.
›› Upgrade processes that won’t bring your business to a standstill. Once they embrace SaaS,
customers typically surrender control over the pace of upgrades and maintenance windows.
But some testing responsibilities remain with the customer, including integrations between the
SaaS solution and other applications. Cloud customers must recognize these realities and plan
accordingly. In some cases, you can specify an upgrade window or even choose the exact timing
or your upgrade. That said, top cloud vendors upgrade quickly, frequently, and seamlessly, as
they’re the epitome of development and operations (DevOps) philosophy and execution — so they
typically won’t bog down your business the way legacy upgrades can.
FIGURE 1 Forrester’s Cloud Contracts Checklist
The spreadsheet associated with this figure contains additional data.
Area Key elements
Pricing, payments, and • Contract terms

subscription terms • Payment terms
• Definition of users
• Price protection
• Auto renewals
• Termination rights
• Features and functionality
• Scalability
Data usage and access • Jurisdictional requirements

• Regular access to data
• Data back at termination
• Data usage rights
• Data retention
Business continuity • Recovery point objective (RPO)/recovery time objective (RTO)

• Data centers
• Force majeure
• Disaster recovery (DR) testing
Security • Third-party audits and standards

• Single sign-on (SSO)
• Logs and audit trails
• Customer audit
• Physical and electronic security
FIGURE 1 Forrester’s Cloud Contracts Checklist (Cont.)
The spreadsheet associated with this figure contains additional data.
Area Key elements
Support • Hours
• Modes
• Escalation and governance
• Response times
• Definitions of severity
Benchmarking • Price benchmarking

• Data insights based on customer data
SLAs • Uptime
• Performance
• Maintenance windows
• Payout
Indemnification and liability • Indemnification clause

• Liability protections
Upgrades • Control over upgrade timing

• Advance testing
• Timing
• Notifications
Recommendations
You’ll Have To Assume Some Risk — So Do It Intelligently

To get the best results out of their cloud contracting negotiations, I&O professionals should take
these steps:
›› Do your due diligence before working on the contract. The contract negotiation process won’t
change the physical characteristics of the solution, such as data location or security protocols. Thus,
you can’t handle everything your organization requires through contracting, no matter how great your
negotiation skill set. Be sure to know your requirements upfront and check whether the potential
cloud provider can meet your needs. Decide what risks you’re willing to take on things that cannot or
may not change about the solution itself. If any characteristics carry unacceptable levels of risk (on
security or functionality or anything else), it’s pointless to get involved in a contract negotiation.
›› Don’t overestimate your ability to predict demand. Know as much about your organization’s future
demand as possible so you can properly forecast usage. But be realistic: demand for cloud is difficult
to predict, and savings through reserved instances won’t be of much value when they expire unused.
This problem is most prevalent in multiyear commitments. You may be better off going year to year,
at least for some services. Also, make sure to look at what the vendor will offer you for tracking and
measuring demand and usage — and whether that will matter midcontract. For example, some SaaS
vendors let you change the product mix midstream if total spend stays the same.
›› Think before you leap, and don’t choose on price alone. True and complete portability is still
in the realm of science fiction, despite the promise of containers and other advanced software
architectures. Moreover, high data egress charges make it difficult to move from one cloud
environment to another. Multiyear SaaS agreements are notoriously difficult to escape, so you’d
better be comfortable in your choice of cloud provider. Generally, this should go beyond price and
include metrics such as what the offering has today and the supplier’s propensity to innovate. If you
must rely on the lowest price, at least strive to measure cloud pricing in the context of workloads
you’re building or anticipate migration to the cloud.
›› Keep your approach to GDPR focused — don’t scattershot it. GDPR will come into effect in
May 2018. As a result, enterprises subject to the potentially ruinous maximum penalties (up to 4%
of revenues, in particularly egregious circumstances) are in a virtual state of panic.9 In response,
some legal experts observe, global customers are adding European Union standard data clauses
as addenda to their contracts, adding considerable length without any real additional protections.
Don’t just throw paper at the problem. Get qualified legal advice (not necessarily an easy thing
to find) to target your GDPR efforts effectively. Even if you do no business in Europe, cascading
responsibilities across the ecosystem will capture just about everyone.
›› Zero in on AICPA’s SOC 2 as a proxy for your security requirements. Many customers feel that
security provisions of their cloud and SaaS agreements are lacking in specificity. Unless there’s a
cross-tenant attack, security is your problem. For want of a better answer, the American Institute of
Certified Public Accountants (AICPA)’s SOC 2 Type 2 should be the focal point of your negotiations,
so seek specific support for it.10 Though this has become increasingly commonplace and you may
consider it table stakes, it’s not a given.
›› Consider the potential role of third parties. Many managed services providers give customers
the ability to enjoy additional discounts and alternative support options, including improved SLA
terms. But don’t expect miracles. These third parties essentially sit on top of the public cloud
platforms. While they can provide for new types of SLAs not included by the cloud platform
suppliers or provide higher limitations of liability should they choose to, they can’t change the
nature of the underlying cloud solution beyond architecting it appropriately.
Engage With An Analyst

Gain greater confidence in your decisions by working with Forrester thought leaders to apply
our research to your specific business and technology initiatives.
Analyst Inquiry Analyst Advisory Webinar
To help you put research Translate research into Join our online sessions
into practice, connect action by working with on the latest research
with an analyst to discuss an analyst on a specific affecting your business.
your questions in a engagement in the form Each call includes analyst
30-minute phone session of custom strategy Q&A and slides and is
— or opt for a response sessions, workshops, available on-demand.
via email. or speeches.
Learn more.
Learn more. Learn more.
Forrester’s research apps for iOS and Android.

Stay ahead of your competition no matter where you are.
Supplemental Material
Online Resource
The underlying spreadsheet detailing the table in Figure 1 is available as a downloadable tool. Click the
link in the download box at the beginning of this report on Forrester.com for an Excel tool that outlines
key categories for cloud contracts and advice for negotiating with cloud vendors.
Companies Interviewed For This Report
We would like to thank the individuals from the following companies who generously gave their time
during the research for this report.
Deloitte Zuora
Logicworks Zylo
Endnotes
This data-driven report outlines the current state of compliance, trends by industry and geography, and key Forrester
1
recommendations for moving your efforts forward. See the Forrester report “The State Of GDPR Readiness.”
Source: Giovanni Torriano, Piazza Universale di Proverbi Italiani, F. and T.W., 1666.
2
A master services agreement, or MSA, is the contract in which a services engagement spells out specific terms and
3
conditions.
A typical contractual request regarding features is significant notice of 12 months or more of any such impending
4
change.
GDPR is about to reverberate data residency and access policies all over the world, not just in Europe. See the
5
Forrester report “The State Of GDPR Readiness.”
Don’t assume that SaaS vendors will provide sufficient backup. See the Forrester report “Back Up Your SaaS Data —
6
Because Most SaaS Providers Don’t.”
Security deserves a set of recommendations all its own. See the Forrester report “The Forrester Cloud Security
7
Compliance Checklist.”
For basic cloud contracts, it’s often the customer’s responsibility to notify the supplier of outages. See the Forrester
8
report “Navigate The Limitations Of Public Cloud Agreements And SLAs.”
Source: “Multi-Billion Euro Fines for Data Protection Violations Under the New GDPR—Really?” Bloomberg Law,
9
October 9, 2017 (https://media2.mofo.com/documents/171009-data-protection-violations-gdpr.pdf).

10
Source: “SOC 2 - SOC for Service Organizations: Trust Services Criteria,” Association of International Certified
Professional Accountants (https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html).
We work with business and technology leaders to develop
customer-obsessed strategies that drive growth.
Products and Services
›› Core research and tools
›› Data and analytics
›› Peer collaboration
›› Analyst engagement
›› Consulting
›› Events
Forrester’s research and insights are tailored to your role and

critical business initiatives.
Roles We Serve
Marketing & Strategy Technology Management Technology Industry
Professionals Professionals Professionals
CMO CIO Analyst Relations
B2B Marketing Application Development
B2C Marketing & Delivery
Customer Experience Enterprise Architecture
Customer Insights ›› Infrastructure & Operations
eBusiness & Channel Security & Risk
Strategy Sourcing & Vendor
Management
Client support
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.
Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
For more information, visit forrester.com. 128601

Smart Cloud Contract Negotiation Strategies

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Smart Cloud Contract Negotiation Strategies

Uploaded by

Copyright:

Available Formats

NOT LICENSED FOR DISTRIBUTION

Smart Cloud Contract Negotiation Strategies

by Bill Martorelli and Liz Herbert

Why Read This Report Key Takeaways

Use Enterprise Agreements To Get The

Smart Cloud Contract Negotiation Strategies

by Bill Martorelli and Liz Herbert

Table Of Contents Related Research Documents

Use Our Checklist To Protect Yourself In

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

Cloud Contract Negotiation Stakes Are Rising With Cloud Growth

›› Competition is intensifying. SaaS competition is increasing as enterprise giants like Microsoft,

These Key Principles Drive Effective Cloud Negotiating Strategies

Use Our Checklist To Protect Yourself In Cloud Deals

FIGURE 1 Forrester’s Cloud Contracts Checklist

The spreadsheet associated with this figure contains additional data.

Area Key elements

Pricing, payments, and • Contract terms

Data usage and access • Jurisdictional requirements

Business continuity • Recovery point objective (RPO)/recovery time objective (RTO)

Security • Third-party audits and standards

FIGURE 1 Forrester’s Cloud Contracts Checklist (Cont.)

The spreadsheet associated with this figure contains additional data.

Area Key elements

Benchmarking • Price benchmarking

Indemnification and liability • Indemnification clause

Upgrades • Control over upgrade timing

You’ll Have To Assume Some Risk — So Do It Intelligently

Engage With An Analyst

Analyst Inquiry Analyst Advisory Webinar

Forrester’s research apps for iOS and Android.

Companies Interviewed For This Report

Forrester report “The State Of GDPR Readiness.”

Because Most SaaS Providers Don’t.”

report “Navigate The Limitations Of Public Cloud Agreements And SLAs.”

October 9, 2017 (https://media2.mofo.com/documents/171009-data-protection-violations-gdpr.pdf).

Forrester’s research and insights are tailored to your role and

You might also like