pressmaster - Fotolia


Avoid messy breakups with your AWS consulting partner

Maintain control over cloud credentials and permissions to avoid a bad breakup with your AWS consultant, and structure your contract to safeguard against deals gone awry.

Consulting partners are vital to the AWS ecosystem, and many have become essential collaborators for their clients. But, sometimes, these relationships sour -- and, as in other human affairs, breaking up can be hard to do.

Contracts between an AWS consulting partner and its enterprise clients vary widely, often due to the structure of these engagements. For example, an enterprise may struggle to find an early exit from a fully managed service -- a move that would likely carry some form of penalty, said Jamie Snowdon, an HFS Research analyst. On the other hand, that enterprise could end a relationship more easily when there's a finite deal based on fixed cost, time or materials.

HFS Research has seen an increased appetite for outcome-focused contracts. In these deals, the client can terminate the engagement and forgo an agreed-upon percentage of the cost if the AWS consulting partner fails to meet its targets. These kinds of arrangements are still relatively rare, and only a small fraction of the overall bill is eligible for these types of safeguards in the first place, Snowdon said. It's not unheard of for an enterprise to exit an engagement, but no clear or common trend has emerged, especially since contract terms can differ so greatly.

Cloud credential control

Sometimes, an enterprise wants to dump its AWS consulting partner because it's doing too good a job. For example, the partner might not be competitive on price because it knows it does great work, or the enterprise customer starts to worry that the consultant will become too central to its operations, said Greg Schulz, analyst at StorageIO. Other times -- either through accidental or malevolent design -- a consulting firm acquires account and password information that makes it difficult for the enterprise to reset things on its own.

"You shouldn't have gotten yourself in that situation, but it is something that does happen," Schulz said.

Fortunately, AWS customers have mechanisms to regain control. If an enterprise has an outside party perform services within AWS on its behalf, that enterprise retains control of the credentials, as well as access to delegate subordinate permissions to the third party. Or, put another way, the enterprise has the master key.

As a last resort, AWS will almost certainly be able to remedy access issues, though it's not clear how regularly that's done, said Oliver O'Donoghue, research director at HFS.

Sometimes, an AWS consulting partner might say it needs full, unfettered access and control in its contract. That will probably require a different conversation, Schulz said.

"You may want to get an auditor involved to make sure you won't get locked in," he said. "You need to make sure your organization has control and access to the master key, master account and master authentication."

Get a feel for the AWS Partner Network

To reduce the risk of a messy split, enterprises should always go with AWS-approved vendors and consultants. These companies must achieve specific certifications to join the partner program, which has three tiers:

  • Registered partners: These partners are registered in the program and have access to training but don't have to prove anything with formal AWS accreditations or certifications.
  • Standard partners: These partners must have two business professional and two technical professional accreditations, as well as two associate-level certifications and two customer references.
  • Premier partners: These partners must have 20 technical professional, 20 business professional and eight TCO and cloud economics accreditations. They must also have 20 associate-level and eight professional-level certifications, as well as an Audited MSP Program or DevOps Consulting Competency, one AWS competency and 10 customer references within the past 12 months.

Enterprises need clarity and oversight when a third party performs tasks in AWS on their behalf, said Liam Eagle, research manager at 451 Research. If they're particularly concerned, organizations should designate the consultant as a subaccount. But it's also essential to have a degree of trust in the AWS consulting partner relationship.

"If the customer is entering into this type of relationship ... already feeling this level of mistrust, they should, at the very least, talk to a few other vendors and see if there is one they feel differently about," Eagle said.

Dig Deeper on AWS management

App Architecture
Cloud Computing
Software Quality