Evolve Your Cloud Vendor Management Program

Having an active and intentional vendor management program has always been important for a technology team. With the introduction of cloud, SaaS, laaS, and all the other flavors of “as a Service” offerings, this program has become even more critical. While the cloud offers significant benefits and provides a far more robust set of functions and features, the technology companies that were once simply vendors have morphed into critical partners that are now running fundamental technology services for you. They are hosting and securing your most sensitive information in data stores that are often no longer directly accessible or manageable with legacy methods. The impact of a vendor outage, breach, or other failure is now far more significant and should be planned for and responded to differently.

Before cloud solutions were available, vendor management programs were typically focused on feature comparisons, pricing, and a large up-front capital expenditure. You owned the software, hosted it, and your destiny was completely in your hands. Post-purchase, the vendor was only there for upgrades or support. It was up to you to provide redundancy and decide how to respond to and recover from an outage event. You were on your own to provide an SLA and fix things when they went down. Outage windows were needed for maintenance. The underlying (and complex) networking, storage, and server/hypervisor management all needed significant staff attention. All of this required money, people and time that were often stretched thin or (at best) at a premium.

This dynamic has changed quite a bit with cloud technologies since you no longer own the environment. Your vendor management processes now need to evolve accordingly. While the capabilities, benefits, and cost advantages of cloud technologies are a huge step forward, the cloud provider is in a very different role than a traditional vendor.

Many clients I work with are using more cloud solutions and incurring different risks than they actively realize. The technology and risk management teams need to get ahead of this so that the feature improvements and changes in risk profiles are well understood, balanced, and actively managed.

I’ve outlined some key considerations below to help illustrate some of the different vendor management approaches and decisions that need to be made:

Sourcing Considerations

  • Cost is not the primary driver – Cost and contract terms often receive the lion’s share of the focus in the selection or purchasing process. While these are important, picking a cloud technology often means buying into an ecosystem that will have a direct impact on your organization and future initiatives. It is critical that the technology and procurement groups work together and ensure this is understood and that the decision is aligned with the strategic technology goals of the company. Cloud offerings are typically unique and difficult to compare from an apples-to-apples standpoint.
  • Strategic vendor partnerships need executive attention – The C-suite probably isn’t that interested in what version of Exchange you are running in the data center. However, selecting a cloud platform is a strategic business decision that will have impacts across an organization. Executive leadership needs to be involved in the process to provide both support for the upcoming implementation and to understand how the business will be impacted overall, including risk. The organization is going to be far more reliant on the cloud services vendor than for an on-premises system.
  • Understand the Service Level Agreements (SLAs) – Cloud provider SLAs are complex and it is critical that they are well understood. They are often non-negotiable and calculated by individual service. Failures are specifically defined and often the only remedy for an outage is a future credit on the service. Cloud services like Microsoft’s have a great track record and almost always exceed their SLAs. I have never seen the SLA be a barrier to a purchase decision, but if there is an outage it is best if no one is surprised at the remedy.

Financial Considerations

  • Perform a financial assessment – A detailed financial assessment of the vendor is key. Public cloud providers like Microsoft publish their financial statements, uptime statistics, and other critical information, so this process is much easier than trying to vet a private company. The CFO should be asking whether the organization would invest in that cloud provider, because in many ways you will be.
  • Stop paying for unapproved cloud services – Shadow IT presents risks and is often redundant to some of the solutions the business may already be paying for today. Financial controls should be used to ensure that cloud vendors that have not been vetted are not being paid for. 

Legal and Insurance Considerations

  • Review the cloud provider’s agreements – Have the legal team review cloud provider agreements to ensure they are understood, and so any specific business risks can be called out. Again, try to avoid any surprises.
  • Review insurance coverage – Existing cyber security insurance or business disruption insurance may need to be modified to provide coverage for cloud-hosted services or related disruptions.
  • Understand who carries liability – The cloud vendor does not carry all the liability for their service. Clearly understanding what each party is liable for is critical, along with any indemnification clauses. (These may require the vendor to defend you, or you to defend the vendor in specific cases.)

Risk & Compliance Considerations

  • Perform a risk analysis – As mentioned above, implementing cloud solutions will change the organization’s risks and this needs to be evaluated. Many existing risks can be mitigated by cloud solutions, but those that remain should be cataloged and addressed. The increased dependency on the cloud vendor may be new to the organization.
  • Clarify the cost of services vs. criticality to stakeholders – Cloud services usually provide cost advantages over legacy solutions, but just because the services may not be at the top of the expense list does not mean you should pay less attention to them.
  • Compliance is not transitive – Cloud vendors should provide their compliance and security certifications like SOC 2, HIPAA, GDPR, or PCI-DSS. That compliance is limited, however, to the services or infrastructure the vendor directly provides. Using their services does not make your organization compliant unless you have also configured the elements you are responsible for to also be secure and compliant. As an example, multi-factor authentication must be deployed by you in your tenant for your users to provide that security control to meet a compliance standard.
  • Understand who is responsible for what – Cloud providers use a shared responsibility model for their services, and you need to ensure that the elements the customer is responsible for are secured and configured appropriately. The vendors will often provide best practice guidelines but implementing them is up to you.

  • Backup, recovery, and replication – The methods available to backup and recover data will change in a cloud environment, plus new data replication options may be available to enhance redundancy. That said, you still need to periodically test recovery, service restoration, and incident response. Those processes will be different and require your existing recovery playbooks to be updated.

Ongoing Vendor Management Tasks

  • Periodic review of services – At least annually, develop a process to review vendor performance. Would you purchase the services again knowing what you know now? Provide feedback to the vendor if there are services that could be improved.  Make sure your team keeps up to date on the vendor’s product roadmap as well.

  • Maintain security information – At least annually, have the vendors provide updated security escalation contacts and provide information related to breach notification and response processes, any changes to how they safeguard your data, updated compliance certifications, etc.

  • Develop a vendor scorecard – Use a standard method to track outages, impacts, and costs. Include other metrics like issue resolution time, and responsiveness to critical CVE vulnerability alerts (like recent SolarWinds or Log4j incidents). You should receive proactive communication as to whether the cloud services are impacted and what needs to be done to mitigate the threat.

  • Contract renewal tracking – Make sure to review vendor performance prior to any contract renewals, including any advance notice requirements prior to an auto-renewal.

  • Exit plans – Rarely, a vendor will be so critical that you will want to maintain a plan to terminate and replace their services if there was a catastrophic failure. Identify alternative vendors and understand how to replace or move data as needed. (You shouldn’t need to spend a lot of time on this, but it is worth thinking about from time to time.)


I’ve listed a lot of things to watch out for here, but much of this is required to manage any type of vendor. The bottom line is that cloud offerings significantly improve the functionality, security, and availability of your technology systems. (I wrote about all the risks you can avoid with cloud technologies here.) Just like with on-premises systems, you do need to be thoughtful and prudent when both selecting solutions and maintaining an ongoing program to manage the vendor. If it is done right, you can maintain positive and responsive vendor relationships that will allow you to continue to drive even more value out of their platforms and provide ongoing positive outcomes for everyone.

Tom Papahronis

Tom Papahronis

Strategic Advisor - eGroup | Enabling Technologies

Last updated on July 31st, 2023 at 01:12 pm