Latest News

Related Sites

Share

1. Acknowledgements
2. Disclaimer
3. Objectives
4. Introduction
5. Key Area 1 : Service Cost
6. Key Area 2 : Service Level
7. Key Area 3 : On Boarding & Off Boarding
8. Key Area 4 : Service Operation
9. Key Area 5 : Security and Privacy Protections
10. Key Area 6 : Service Commitments/Warranties
11. Key Area 7 : Data Ownership & Location and IP Ownership
12. Key Area 8 : Service Default
13. Key Area 9 : Contracting (Terms of Service)
14. Download the full PDF version of the Practice Guide for Procuring Cloud Services (Click here to download)

Acknowledgements

The OGCIO would like to express our gratitude to the following non-official and co-opt members of the Working Group on Provision and Use of Cloud Services (WGPUCS) established under the Expert Group on Cloud Computing Services and Standards for their active participation, time and effort devoted in the preparation, review, comment and finalisation of the Practice Guide for Procuring Cloud Services.

Note 1 : The late Mr H P SUEN passed away in May 2013.

Our special gratitude is owed to the late Mr. HP Suen, the former Convenor of the WGPUCS, who has contributed his invaluable and professional advice to the production of the Practice Guide.

The OGCIO would also like to express our gratitude to the following staff and students of Hong Kong Institute of Vocational Education (Lee Wai Lee) for their contribution of promotional video for the Practice Guide for Procuring Cloud Services.

Disclaimer

The information provided in this Practice Guide for Procuring Cloud Services ("the Guide") is for general reference only. It does not provide an exhaustive guide on procuring cloud services. The Government of the Hong Kong Special Administrative Region (“the Government”) makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information provided in this Guide.

This Guide also contains information input by other parties and readers may link from this Guide to other sites and obtain information provided by other parties (collectively called "the other information"). The Government expressly states that it has not approved nor endorsed the other information contained in or in connection with these sites.

The Government does not accept any responsibilities for any loss or damage whatsoever arising from any cause whatsoever in connection with this Guide. The Government is entitled to add, delete or change any information in this Guide at any time at its absolute discretion without giving any reason. Readers are responsible for making their own assessments of all information contained in or in connection with this Guide.

Objectives

The Practice Guide for Procuring Cloud Services (Practice Guide) is intended for local companies, in particular SMEs, to assist them in understanding cloud computing and how it may bring benefit to them, but also how to evaluate and consider some of the risks associated with incorporating cloud computing into their operations.

Introduction

Cloud Computing is the delivery of computing resources by a service provider over the Internet to customers similar to a public utility. Through extensive sharing of computing resources, cloud services achieve economies of scale. It also offers many potential benefits to small and medium enterprise (SME) users, but may incur potential risks as well.

Cloud Computing Service Models

There are three kinds of cloud services, and these are referred to as “service models”:

• Software as a Service (SaaS) provides applications running on a cloud infrastructure that can be accessible by the users through various client devices.
• Platform as a Service (PaaS) provides facilities for application design / development, testing, deployment and hosting as well as platform services for team collaboration, web service integration and marshalling, database integration and developer community facilitation, etc.
• Infrastructure as a Service (IaaS) provides processing, storage, networks, and other fundamental computing resources where the users are able to deploy and run their own software.

Deployment Models

There are 4 deployment models for cloud services:

• Public Cloud - The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them. It exists on the premises of the cloud service provider.
• Private Cloud - The cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple users (e.g., business units). It may be owned, managed, and operated by the organisation (an in-house Private Cloud), a third party (an outsourced Private Cloud), or some combination of them, and it may exist on or off premises.
• Community Cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of users from organisations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more organisations in the community, a third party, or some combination of them, and it may exist on or off premises.
• Hybrid Cloud - The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Key Areas to consider when procuring cloud services

There are 9 key areas to consider when procuring cloud services: Service Cost; Service Level; On Boarding & Off Boarding; Service Operation; Security and Privacy Protections; Service Commitments / Warranties; Data Ownership & Location and IP Ownership; Service Default; and Contracting (Terms of Service). The considerations in each of these key areas are elaborated in more details in their respectively chapters in the Practice Guide.

There are different charging schemes for different kinds of cloud service models.  IaaS are typically charged based on unit rates of allocated/used computing resources per unit of time.  Charging schemes for PaaS and SaaS of different service providers vary and are application specific.  When procuring cloud services, users need to :

• compare charging rates;
• understand charging details (e.g. unit of measurements, per allocation vs per usage, etc.); and
• consider exit arrangement (e.g. committed period / usage, cost of bringing out data & software licences, etc.).

A Service Level Agreement (SLA) defines the interaction between a cloud service provider and its user. There are two types of SLAs – off-the-shelf agreements and customised, negotiated agreements. An SLA contains service level objectives (SLOs) that define objectively measurable conditions for the service and set the expectation of service. Each service level objective has a metric, i.e. what to measure, and a target value. Different types of cloud computing service model would have different services levels.

In general, there are several points we need to consider in evaluating an off-the-shelf SLA or in reaching a service agreement with cloud service provider:

• Relevance of the defined service level objectives
• Sufficiency of the defined service level objectives
• An appropriate target value for the selected metric
• How to measure and monitor the defined service level objectively?
• What is the consequence if a service provider fails to meet the service level? Does the user have a business contingency plan?

Users should work with cloud services providers in the on-boarding and off-boarding processes in order to ensure smooth transitions. The following areas shall be studied:

• Data Migration - The user should review the options offered by cloud service provider on data migration and in particular on tools or documentations.  The data migration costs and time should also be well defined.  The user should ask and clearly understand how the cloud service provider addresses the issue of data leakage and protects data.
• Service Billing and Metering - The user should establish process that reviews and approves cloud services related billing and metering.  Some cloud services providers offer cost forecasting tools or usage notification services. The user should enrol such services if available.
• Data Retention - When terminating cloud services, the user has to decide on how the data stored in cloud platform should be handled.  Before terminating the contract, the user should ensure all data are deleted; this should include testing data and backup copy. 

The objectives of service operation are about how a service provider can deliver service to their users in a secure, reliable and high-quality way, including in a manner meeting any agreed SLAs.  Cloud computing should be approached carefully with due consideration to the service operation of the service provider. The responsibilities of both the user and the cloud service provider vary depending on the service model selected. However, understanding the policies, procedures, and technical controls used by a cloud service provider is a prerequisite to assessing the quality of services and the security and privacy risks involved, and ultimately its viability for the user. 

It is desirable to compare the service provider with the industry best practices of the service operation, e.g. quality management, IT services management and security management best practices to run their services operation.

User should have oversight and collaborate with the business processes around cloud issues that directly impact the organisation. In addition to interacting with cloud service provider(s), users must monitor what the cloud providers are doing and maintain service catalogue (a record of IT services) for cloud. The catalogue can include information such as:

• Whom to contact about a service
• Who has authority to change the service
• Which critical applications are related to the service
• Outages or other incidents related to the service
• Information about the relationships among services

Cloud users and SMEs need to understand and educate themselves with the changes in approach being applied to the processing of their data. The user organisation additionally needs to ensure they are knowledgeable, through verification steps, to ensure the adequacy of the security controls adopted by the cloud service provider, to enable sufficient trust that the cloud service provider is capable of adequately protecting the user organisation’s sensitive data.

To facilitate cloud user organisations in understanding the security issues on using cloud services and to assist cloud service providers in defining appropriate and relevant security controls, two checklists have been prepared by the Working Group on Cloud Security and Privacy established under the Expert Group on Cloud Computing Services and Standards:

Security Checklist for Cloud Service Consumers

Security & Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms

In many cases, particularly for standard offerings, cloud service agreements will be a set of standard terms which are favourable to the service provider and are not open to negotiation. These standard terms will usually contain very limited service commitments and warranties and a set of limitations and exclusion of liability which further limit the service provider's obligations. Users will need to:

• match provider’s representations with user’s requirements;
• take note of limitations of provider’s liability;
• make sure pre-contractual statements are recorded in the contract; and
• read the fine print – disclaimers, limitations, exclusions.

Cloud services entail issues on data ownership and intellectual property (IP) similar to traditional IT outsourcing.  There are a few key points to note:

• Data Ownership - ownership and rights to use data / applications stored / created in cloud;
• Data Location - use of sub-contractors & their locations, provision to designate data location, how data is erased upon resources de-provisioning; and
• Intellectual Property Rights - IP rights of both data and applications developed through the cloud services.

Before deciding to use a particular cloud solution, user should understand:

• what commitments service provider is making;
• the risks brought by specific provisions that excused non-performance; and
• the rights user has if there is a service default, e.g. Termination, Damages and Limitation of Liability, Specific Performance through obtaining a court order.

The terms of any cloud computing solution must be embodied in contractual arrangement.  Responsible contracting for cloud computing solution requires the user to undertake a number of distinct steps, each of which must be tailored appropriately for the particular case:

1. User requirements: data, applications and business needs
2. Available contract terms (and options)
3. Assess alignment of user requirements and available contract terms
4. Special risk consideration: variable terms and contingency arrangements
5. Traditional service provider due diligence

Download

Click here to download the PDF file of the full version of the Practice Guide for Procuring Cloud Services