Things to consider when writing an RFQ / RFP to procure cloud infrastructure

The cloud is still so new to most organizations that it remains widely unknown. This is especially apparent in RFPs for cloud infrastructure services, which arrive with all sorts of inherent challenges and logical incongruities within them.

We partner with solution integrators specializing in cloud consulting & delivery, so although we at Cloud A do not bid on RFPs directly, we would of course be more than happy to partner with organizations looking to leverage true cloud solutions in Canada. Our partners have helped over 400 organizations achieve their strategic objectives by migrating to Cloud A over the past 15 months. As a result, together we have a deep understanding of the approach and cultural shift required to realize successful change in this new era of computing.

This article hopes to clarify some of the considerations and actions to take when preparing an RFP to maximize the potential benefits cloud computing has to offer. The goal of this article is to make the RFP attractive to the leading cloud providers and solution integrators from whom you are seeking submissions. Many factors are different from the traditional hardware and application requests of the past. Simply put, the cloud is a new realm in computing with a lot to know, and there are many other folks out there repackaging old tech as “cloud” these days; that is something you need to be careful of.

Here are several ideas and suggestions on what makes a good RFP for the Cloud:

Embrace The Utility Model

In the cloud you only pay for what you use. Make sure the financial decision makers know that you are about to embark on a journey from Capex to Opex. Budget planning and operational expenses are about to be turned upside down. Gone are the days of large long-term capital expenditure plans for IT. You now have the opportunity to only pay for what you need and not spend wastefully on capacity you don’t need. Plus, it’s easier to measure Opex than Capex, as it can track to your revenues, and in the long run it’s a more efficient way to run your business, as your variable costs can in most cases be more closely associated with your key inputs or, in the best case, map to revenue.

Consider The Benefits Of Flexible Pricing:

Price Transparency: All prices should be publicly available and transparent to customers. In the case of public cloud, rates are typically listed on the cloud provider’s website, and in some cases volume buying can produce a discount.

Multiple pricing models: Cloud providers typically have pricing models optimized to their service offerings, and with a little analysis the pricing models for compute & storage of each should be generally easy to compare. The idea is to challenge solution integrators to provide their unique spin on what a solution would look like in the cloud, leveraging the cloud provider’s pricing model and catalog of services.

Plan for prices to drop: The cloud market is new and evolving rapidly, along with how services are priced. Expect that prices will come down over time. This approach reflects the dynamic and competitive nature of cloud pricing reductions. In solution procurements, customers can evaluate the overall bid price, ensuring that optimized infrastructure costs are a clearly stated evaluation criterion and that you have the ability to participate when prices go down by not being locked into a higher rate.

Pay-per-use model: Incorporate a pay-as-you-go model, where at the end of each month you simply pay for your usage during that month. Limits should be periodically reevaluated to ensure that customers have the right expenditure caps and controls in place for access to the resources they need. This could include internal monitoring of your usage rate or working with a cloud consulting firm to provide monitoring.

If possible, consider designing for dynamic workloads

This is a real shift for most. Try not to think of what you need in terms of the number of CPUs and amount of RAM in use today or tomorrow. Successful cloud procurements are not overly prescriptive and focus on overall performance-based requirements. A cloud provider or integration partner can only provide you with a 1 to 1 comparison of what you currently have running your applications. Those applications may run very differently over time or in a cloud environment where you have the ability to scale with elasticity. You may not need the same 1 to 1 horsepower. Even if you’re currently struggling with performance issues, a 1 to 1 may be over capacity in the cloud. The key is, when providing requirements & specifications of your current environment’s CPUs and RAM, to list out the operating systems and applications you’re running and the network design, including how the applications integrate together with any dependencies. This will help a solution provider better determine your workloads and offer options within a cloud environment that will take advantage of resource allocation that doesn’t exist with non-cloud solutions.

Don’t Expect All the Answers

It is extremely difficult to predict the exact cloud environment until the applications and workloads are running in production, but that’s OK, because true cloud offerings are dynamic and as a result can better map to your business needs (this is what is often referred to as increasing business agility these days). Expecting the solution integrator to know the exact specification your environment will run on is unrealistic. The cloud provides a great solution to this: you can use the on-demand model until you find the best fit, and once you understand the baseline load, you may then broker more effective pricing if you plan for the opportunity to do so in advance.

Use A Baseline Approach (If You Have To)

If cost is a critical factor and you really need to compare pricing between two cloud providers, put a baseline model together. The model could be based on a number of servers in your current environment for which you know the specifications today, and should outline the CPUs, RAM, storage requirements (including tiers), bandwidth, IOPS and anything else that you think will be required. This will allow you to compare all cloud options together for cost. There is one thing to consider with this approach: it negates all the other advantages of a specific cloud provider’s services, and particular services may perform very differently between cloud providers.

Use Commercial Item Terms

Procuring cloud infrastructure is like walking into a store and laying down your credit card. The pricing is publicly available and anyone can buy it online. Because these services are provided to millions of customers, discrete contract terms and services cannot be modified for specific circumstances. Commercial item terms allow you to extract the fullest value from the cloud and its utility pricing model.

As a commercial item, each cloud provider’s unique terms and conditions should govern the contract. This is very important, because cloud providers’ terms and conditions are integral to the service, innovation and value they provide. The Canadian government & several provincial governments recognize this, requiring contracts for procuring commercial items, to the maximum extent practicable, to include only those contract clauses needed to implement law, regulation, or executive order or determined to be consistent with customary commercial practice.

Expect Evolving Service Terms & Conditions

One of the major advantages of the cloud is that innovation is continuous and new services are continually being introduced. Static service terms and conditions may be restrictive and not allow you to take advantage of these new services or their enhanced features and efficiencies.

Managing Data

There are two very important aspects to think about for managing and protecting data when developing the procurement:

Ownership and sovereignty: You own the data. You should be able to select where the data is stored (geographically varied infrastructure), how it is encrypted, and whether your provider can access, move, or disclose your content except as you authorize (subject to compliance with all applicable laws). Bear in mind that the cloud provider may not have a region in your country, so you will need to review where the cloud provider has available data centres.

Portability/termination: Based on the generally accepted standard IaaS/PaaS cloud computing model, customers can terminate at any time and extract/move data from a cloud provider quickly and in an accepted format without having to talk to the vendor. Also, they should rely on the cloud provider’s data disposal approach based on industry-accepted techniques.

Security, Privacy and Audit

Because security and privacy are critical parts of cloud services, it is important to incorporate three critical elements:

Shared responsibility: Understand that security and privacy in the cloud are a shared responsibility, notably in an IaaS or PaaS model. Shared responsibility means that a cloud provider manages the physical infrastructure and the customer controls the design and architecture of the applications and solutions that run on the cloud provider’s physical infrastructure and the overall level of security and protection. A National Institute of Standards and Technology (NIST) study, NIST Cloud Computing Reference Architecture, provides a high-level overview of the shared responsibility approach. Often the solution integrator will have enough confidence and experience with the cloud provider to be comfortable owning the risk and guaranteeing end-to-end coverage for the client, taking responsibility for the total solution when it comes to SLAs.

Levels of security: Stakeholders should determine their security, privacy and audit needs based on mission and data requirements. “Defaulting” to the highest possible security requirements without proper analysis can unnecessarily increase cost and limit solution options.

Leverage industry best practices: There are security frameworks, best practices, audit standards and standardized controls that an RFP can cite: SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP, DIACAP, FISMA, ITAR, FIPS 140-2, CSA and MPAA. Leveraging these established standards and third-party accreditations can streamline the procurement process and provide customers with the necessary security assurance.

Current Employees & IT Departments

When drafting solicitations, avoid imposing any unique labor-related requirements or constraints on the cloud provider, for example, hiring existing public sector staff or requiring that customer staff have onsite access. It is also worth taking the time to educate existing IT personnel on the benefits and opportunities of using the cloud in order to ease any job concerns. For example, IT is still a key player in an IaaS/PaaS cloud service: employees will be able to focus on developing, deploying, managing, and improving the applications while relying on the cloud provider to manage the infrastructure. Also, working with cloud services will provide them with a new cutting-edge skill set.

Conclusion

If you’re not familiar with the cloud, admit to yourself that “you don’t know what you don’t know”, which is a solid start. Think about getting help, or commit the time to read and learn about this new paradigm and how it’s changing the way we work and live.

Don’t be afraid to make mistakes. Recently, we saw a government department get an RFP wrong where they had requirements that the cloud either didn’t fit or was not able to provide given the rigidity. If you get it wrong on your first RFP, admit to the mistake. Consult with your vendors; use their responses to help tailor a new RFP and republish.

As you start your journey to the cloud, if you have questions or comments, please let us know. We want to see Canadians benefit from this new technology and we understand that will take time. If we can help, we are happy to do so.