D3.2 Procurement Best Practices Report
The acquisition of IT services is a key function within any public or private organisation and the advent of cloud computing requires innovation in the way IT services are procured.
This report identifies and documents best practices for procuring cloud services in public research organisations. Because of the commonalities of the procurement practice in public administration, it was also included in the report.
While growing demand for computing power from the scientific community has resulted in initiatives such as Helix Nebula (www.helix-nebula.eu), procurement policies, processes and approaches in many research organisations are inadequate for addressing the on-demand model of cloud computing, introducing barriers to the procurement of cloud services. Such barriers have been identified, described and analysed in previous PICSE deliverables; i.e. D2.1 (Research Procurement Model) and D3.1 (Procurement Barriers Report).
To overcome those barriers PICSE has consulted ten public sector organisations across Europe, which have either already carried out a cloud service procurement action, or are considering doing so, in order to better understand what worked well in their procurement experiences (the results are documented in the PICSE brochure entitled "Procuring Cloud Services Today"). Additionally, the procurement approaches of the Crown Commercial Service (G-Cloud) in the UK, the Internet 2 Net+ initiative and the General Services Administration, both in the USA, have also been studied.
The report documents the procurement best practices to adopt in the areas of policy and organisation, processes, staff, tools and cloud service providers. The case studies considered showed that not all barriers are adequately addressed. Current internal policies and procurement rules within European public research organisations do not facilitate the procurement of cloud services. Many organisations lack cloud computing training and awareness. Contract termination and the use of cloud escrow are still to be properly addressed. Moreover, a systematic approach to defining security requirements is lacking, SLAs are not mature enough and limited only to performance measurement. Similarly, privacy and data protection provisions are usually stated within technical requirements even though they remain one of the main barriers to cloud adoption.
On the bright side, cloud marketplaces and brokerage models allow customers to buy commoditised cloud solutions in a transparent manner, offering a catalogue of cloud services, transparent cloud pricing and standard cloud contracts. Use of CSA CCM and ISO/IEC 27001 are the most common approaches for defining security requirements during the cloud procurement process and a lot of effort is being put in developing guidance and templates for SLAs related to performance, security, data management and privacy. The Internet2 CloudProud program and certifications such as CCSP from CSA and (ISC)²®, are examples of how the identified skill gap in the procurement of cloud services can be addressed.