Info Cloud
Brand Hong Kong

Latest News

Related Sites

Feedback button

Practice Guide for Procuring Cloud Services

  1. Acknowledgements
  2. Disclaimer
  3. Objectives
  4. Introduction
  5. Key Area 1 : Service Cost
  6. Key Area 2 : Service Level
  7. Key Area 3 : On Boarding & Off Boarding
  8. Key Area 4 : Service Operation
  9. Key Area 5 : Security and Privacy Protections
  10. Key Area 6 : Service Commitments/Warranties
  11. Key Area 7 : Data Ownership & Location and IP Ownership
  12. Key Area 8 : Service Default
  13. Key Area 9 : Contracting (Terms of Service)
  14. Image: PDF Download the full PDF version of the Practice Guide for Procuring Cloud Services (Click here to download)




The OGCIO would like to express our gratitude to the following non-official and co-opt members of the Working Group on Provision and Use of Cloud Services (WGPUCS) established under the Expert Group on Cloud Computing Services and Standards for their active participation, time and effort devoted in the preparation, review, comment and finalisation of the Practice Guide for Procuring Cloud Services.


Member Organisation
Mr H P SUEN (Note 1) Principal Consultant, ECT Services Limited
Dr David CHUNG Chief Technology Officer, Hong Kong Cyberport Management Company Limited
Dr Andy CHUN Chief Information Officer, City University of Hong Kong
Mr Antony MA Chairman, Cloud Security Alliance Hong Kong & Macau Chapter
Mr Samson TAI Chief Technologist, IBM Innovation Network
Dr CK WONG Director, iASPEC Technologies Limited
Professor YANG Qiang Associate Head of Department and Professor, Department of Computer Science & Engineering, The Hong Kong University of Science and Technology
Professor Peter YUM Department of Information Engineering, The Chinese University of Hong Kong
Mr Redouane BOUQDIB Head of Client Services, Asia Pacific, The Hongkong and Shanghai Banking Corporation Limited
Ms Anna GAMVROS Partner, Baker & McKenzie
Mr Geofrey L. MASTER Partner, Mayer Brown JSM
Dr Victor NG Senior Consultant, IT Industry Development, Hong Kong Productivity Council
Professor Bebo WHITE Departmental Associate (Emeritus), SLAC National Accelerator Laboratory (Stanford University), USA
Mr Philip WONG Manager (Systems), Hong Kong Jockey Club

Note 1 : The late Mr H P SUEN passed away in May 2013.


Our special gratitude is owed to the late Mr. HP Suen, the former Convenor of the WGPUCS, who has contributed his invaluable and professional advice to the production of the Practice Guide.


The OGCIO would also like to express our gratitude to the following staff and students of Hong Kong Institute of Vocational Education (Lee Wai Lee) for their contribution of promotional video for the Practice Guide for Procuring Cloud Services.



WONG Pak Kay

LI Pak Kei, Patrick



CHAN Tsz Ching

LAI Tsz Fung

WONG Man Yin

TANG Ho Ming






The information provided in this Practice Guide for Procuring Cloud Services ("the Guide") is for general reference only. It does not provide an exhaustive guide on procuring cloud services. The Government of the Hong Kong Special Administrative Region (“the Government”) makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information provided in this Guide.


This Guide also contains information input by other parties and readers may link from this Guide to other sites and obtain information provided by other parties (collectively called "the other information"). The Government expressly states that it has not approved nor endorsed the other information contained in or in connection with these sites.


The Government does not accept any responsibilities for any loss or damage whatsoever arising from any cause whatsoever in connection with this Guide. The Government is entitled to add, delete or change any information in this Guide at any time at its absolute discretion without giving any reason. Readers are responsible for making their own assessments of all information contained in or in connection with this Guide.






The Practice Guide for Procuring Cloud Services (Practice Guide) is intended for local companies, in particular SMEs, to assist them in understanding cloud computing and how it may bring benefit to them, but also how to evaluate and consider some of the risks associated with incorporating cloud computing into their operations.






Video - Introduction

Cloud Computing is the delivery of computing resources by a service provider over the Internet to customers similar to a public utility. Through extensive sharing of computing resources, cloud services achieve economies of scale. It also offers many potential benefits to small and medium enterprise (SME) users, but may incur potential risks as well.


Cloud Computing Service Models


There are three kinds of cloud services, and these are referred to as “service models”:


  • Software as a Service (SaaS) provides applications running on a cloud infrastructure that can be accessible by the users through various client devices.
  • Platform as a Service (PaaS) provides facilities for application design / development, testing, deployment and hosting as well as platform services for team collaboration, web service integration and marshalling, database integration and developer community facilitation, etc.
  • Infrastructure as a Service (IaaS) provides processing, storage, networks, and other fundamental computing resources where the users are able to deploy and run their own software.


Deployment Models


There are 4 deployment models for cloud services:


  • Public Cloud - The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them. It exists on the premises of the cloud service provider.
  • Private Cloud - The cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple users (e.g., business units). It may be owned, managed, and operated by the organisation (an in-house Private Cloud), a third party (an outsourced Private Cloud), or some combination of them, and it may exist on or off premises.
  • Community Cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of users from organisations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more organisations in the community, a third party, or some combination of them, and it may exist on or off premises.
  • Hybrid Cloud - The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).


Key Areas to consider when procuring cloud services


There are 9 key areas to consider when procuring cloud services: Service Cost; Service Level; On Boarding & Off Boarding; Service Operation; Security and Privacy Protections; Service Commitments / Warranties; Data Ownership & Location and IP Ownership; Service Default; and Contracting (Terms of Service). The considerations in each of these key areas are elaborated in more details in their respectively chapters in the Practice Guide.





Key Area 1: Service Cost


Video - Key Area 1: Service Cost

There are different charging schemes for different kinds of cloud service models.  IaaS are typically charged based on unit rates of allocated/used computing resources per unit of time.  Charging schemes for PaaS and SaaS of different service providers vary and are application specific.  When procuring cloud services, users need to :


  • compare charging rates;
  • understand charging details (e.g. unit of measurements, per allocation vs per usage, etc.); and
  • consider exit arrangement (e.g. committed period / usage, cost of bringing out data & software licences, etc.).





Key Area 2: Service Level


A Service Level Agreement (SLA) defines the interaction between a cloud service provider and its user. There are two types of SLAs – off-the-shelf agreements and customised, negotiated agreements. An SLA contains service level objectives (SLOs) that define objectively measurable conditions for the service and set the expectation of service. Each service level objective has a metric, i.e. what to measure, and a target value. Different types of cloud computing service model would have different services levels.


In general, there are several points we need to consider in evaluating an off-the-shelf SLA or in reaching a service agreement with cloud service provider:


  • Relevance of the defined service level objectives
  • Sufficiency of the defined service level objectives
  • An appropriate target value for the selected metric
  • How to measure and monitor the defined service level objectively?
  • What is the consequence if a service provider fails to meet the service level? Does the user have a business contingency plan?





Key Area 3: On Boarding & Off Boarding


Video - Key Area 3: On Boarding & Off Boarding

Users should work with cloud services providers in the on-boarding and off-boarding processes in order to ensure smooth transitions. The following areas shall be studied:


  • Data Migration - The user should review the options offered by cloud service provider on data migration and in particular on tools or documentations.  The data migration costs and time should also be well defined.  The user should ask and clearly understand how the cloud service provider addresses the issue of data leakage and protects data.
  • Service Billing and Metering - The user should establish process that reviews and approves cloud services related billing and metering.  Some cloud services providers offer cost forecasting tools or usage notification services. The user should enrol such services if available.
  • Data Retention - When terminating cloud services, the user has to decide on how the data stored in cloud platform should be handled.  Before terminating the contract, the user should ensure all data are deleted; this should include testing data and backup copy. 





Key Area 4: Service Operation


Video - Key Area 4: Service Operation

The objectives of service operation are about how a service provider can deliver service to their users in a secure, reliable and high-quality way, including in a manner meeting any agreed SLAs.  Cloud computing should be approached carefully with due consideration to the service operation of the service provider. The responsibilities of both the user and the cloud service provider vary depending on the service model selected. However, understanding the policies, procedures, and technical controls used by a cloud service provider is a prerequisite to assessing the quality of services and the security and privacy risks involved, and ultimately its viability for the user. 


It is desirable to compare the service provider with the industry best practices of the service operation, e.g. quality management, IT services management and security management best practices to run their services operation.


User should have oversight and collaborate with the business processes around cloud issues that directly impact the organisation. In addition to interacting with cloud service provider(s), users must monitor what the cloud providers are doing and maintain service catalogue (a record of IT services) for cloud. The catalogue can include information such as:


  • Whom to contact about a service
  • Who has authority to change the service
  • Which critical applications are related to the service
  • Outages or other incidents related to the service
  • Information about the relationships among services





Key Area 5: Security and Privacy Protections


Video - Key Area 5: Security and Privacy Protections

Cloud users and SMEs need to understand and educate themselves with the changes in approach being applied to the processing of their data. The user organisation additionally needs to ensure they are knowledgeable, through verification steps, to ensure the adequacy of the security controls adopted by the cloud service provider, to enable sufficient trust that the cloud service provider is capable of adequately protecting the user organisation’s sensitive data.


To facilitate cloud user organisations in understanding the security issues on using cloud services and to assist cloud service providers in defining appropriate and relevant security controls, two checklists have been prepared by the Working Group on Cloud Security and Privacy established under the Expert Group on Cloud Computing Services and Standards:


Image: PDF Security Checklist for Cloud Service Consumers


Image: PDF Security & Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms





Key Area 6: Service  Commitments / Warranties


In many cases, particularly for standard offerings, cloud service agreements will be a set of standard terms which are favourable to the service provider and are not open to negotiation. These standard terms will usually contain very limited service commitments and warranties and a set of limitations and exclusion of liability which further limit the service provider's obligations. Users will need to:


  • match provider’s representations with user’s requirements;
  • take note of limitations of provider’s liability;
  • make sure pre-contractual statements are recorded in the contract; and
  • read the fine print – disclaimers, limitations, exclusions.





Key Area 7: Data Ownership & Location and IP Ownership


Key Area 7: Data Ownership & Location and IP Ownership

Cloud services entail issues on data ownership and intellectual property (IP) similar to traditional IT outsourcing.  There are a few key points to note:


  • Data Ownership - ownership and rights to use data / applications stored / created in cloud;
  • Data Location - use of sub-contractors & their locations, provision to designate data location, how data is erased upon resources de-provisioning; and
  • Intellectual Property Rights - IP rights of both data and applications developed through the cloud services.





Key Area 8 : Service  Default


Before deciding to use a particular cloud solution, user should understand:


  • what commitments service provider is making;
  • the risks brought by specific provisions that excused non-performance; and
  • the rights user has if there is a service default, e.g. Termination, Damages and Limitation of Liability, Specific Performance through obtaining a court order.





Key Area 9 : Contracting ( Terms of Service )


The terms of any cloud computing solution must be embodied in contractual arrangement.  Responsible contracting for cloud computing solution requires the user to undertake a number of distinct steps, each of which must be tailored appropriately for the particular case:


  1. User requirements: data, applications and business needs
  2. Available contract terms (and options)
  3. Assess alignment of user requirements and available contract terms
  4. Special risk consideration: variable terms and contingency arrangements
  5. Traditional service provider due diligence







Image: PDF Click here to download the PDF file of the full version of the Practice Guide for Procuring Cloud Services

The Government of the Hong Kong Special Administrative Region of the People's Republic of China

Office of the Government Chief Information Officer
Caring Organisation
Level Double-A conformance, W3C WAI Web Content Accessibility Guidelines 2.0
Web Accessibility Recognition Scheme