Alibaba Cloud Landing Zone Service Statement of Work

Last Updated: Oct 22, 2021

1.Overview

1.1.Introduction

Landing Zone provides solution design and validation services for IT governance based on Alibaba Cloud offerings to help enterprises migrate to the cloud. The service provides designs and technical validation of the following solutions: account management, network planning, financial management, resource management, compliance auditing, and security protection. The service also guides customers to set up a secure, multi-account Alibaba Cloud environment based on Alibaba Cloud best practices.

Landing Zone provides the following three editions that you can choose from based on your business requirements:

Landing Zone

  • Basic edition

    • Provides lightweight consulting services and designs of the following solutions based on your business requirements: account management, and network planning or security protection.

    • Validates the technical feasibility of the preceding solutions.

  • Standard edition

    • Provides standard consulting services and designs of the following solutions based on your business requirements: account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Validates the technical feasibility of the preceding solutions.

    • Provides solutions to integrate with self-managed systems, such as SSO, CMDB, and billing system.

  • Advanced edition

    • Provides advanced consulting services and designs and implementation of the following solutions based on your business requirements: account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Validates the technical feasibility of the preceding solutions and implements the solutions.

    • Provides solutions to integrate with self-managed systems, such as SSO, CMDB, and billing system.

Any work or solution that is not defined in this statement of work is excluded from the scope of this project.

2.Service Scope

The service scope varies by the edition of Landing Zone: Basic, Standard, and Advanced. You can select the edition based on your business requirements.

2.1.Landing Zone Basic edition

Landing Zone Basic edition provides the following services:

  • Investigation and evaluation

    • Quickly investigate and analyze the current application technology stack by means of survey forms and interviews, and evaluate the feasibility of implementing enterprise IT governance in the cloud. Define the service process of Landing Zone.

    • Design the technology roadmap based on the evaluation results.

  • Account management

    • Design the account management solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Account: design solutions for account management and permission management, and norms for using RAM roles.

      • MFA: add support for MFA.

      • SSO: integrate with existing SSO to achieve centralized user authentication.

      • Identity authentication: design a federated authentication solution based on use scenarios.

  • Network planning (select between network planning and security protection)

    • Design the network planning solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Network connection: design a solution to connect your data centers to Alibaba Cloud through VPNs, design firewalls at the access layer and application layer, and design jump servers.

      • Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.

      • Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

  • Security protection (select between network planning and security protection)

    • Design the security protection solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Network security: design solutions for security group management and security domain management. Isolate applications by using security domains and connect specified applications based on requirements.

      • Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet the customer requirements.

      • Note that the security protection solution covers only the security management of the cloud platform and complies with the enterprise security regulations. The solution does not cover the security requirements of enterprise applications or other security requirements.

  • Technical validation

    • Validate the technical designs of the following solutions: account management, and network planning or security protection. The technical feasibility of the following features is validated:

      • Account management, permission management, and identity management

      • Network allocation, network segmentation, and network connectivity

2.2.Landing Zone Standard edition

Landing Zone Standard edition provides the following services:

  • Investigation and evaluation

    • Quickly investigate and analyze the current application technology stack by means of survey forms and interviews, and evaluate the feasibility of implementing enterprise IT governance in the cloud. Define the service process of Landing Zone.

    • Define the work scope of Landing Zone based on the evaluation results.

  • Account management

    • Design the account management solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Account: design solutions for account management and permission management, and norms for using RAM roles.

      • MFA: add support for MFA.

      • SSO: integrate with existing SSO to achieve centralized user authentication.

      • Identity authentication: design a federated authentication solution based on use scenarios.

  • Network planning

    • Design the network planning solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Network connection: design a solution to connect your data centers to Alibaba Cloud, design firewalls at the access layer and application layer, and design jump servers.

      • Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.

      • Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

  • Financial management

    • Design the financial management solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Cost accounting: Design a cost accounting model and make a cost center-based bill analysis scheme for cloud expenditures.

      • Cost analysis: Design financial analysis for customers, provide billing capability, assist customers to access the enterprise internal financial analysis platform, and obtain billing, expense details and other expense data.

      • Cost optimization: Recommend best practices, deployment plans, and audit plans for cost optimization based on the adopted cloud services.

  • Resource management

    • Design the resource management solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Design a solution to integrate with the enterprise's billing system for retrieving bills, invoices, and other expense data.

      • Design expense management solutions based on resource catalogs and cost allocation solutions for enterprises that do not have standard billing models or platforms.

  • Compliance auditing

    • Design the compliance auditing solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Provide norms for enterprise firewall configuration to meet the compliance requirements of perimeter security.

      • Design multi-layered protection solutions that include server-side encryption, client-side encryption, hotlinking protection, and IP blacklisting and whitelisting.

      • Design solutions for behavioral auditing, account auditing, and log auditing. Provide custom auditing solutions based on enterprise auditing requirements.

  • Security protection

    • Design the security protection solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Network security: design solutions for security group management and security domain management. Isolate applications by using security domains and connect specified applications based on requirements.

      • Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet the customer requirements.

      • Note that the security protection solution covers only the security management of the cloud platform and complies with the enterprise security regulations. The solution does not cover the security requirements of enterprise applications or other security requirements.

  • Technical validation

    • Validate the technical designs of the following solutions: account management, network planning, financial management, resource management, compliance auditing, and security protection. The technical feasibility of the following features is validated:

      • Account management, permission management, and identity management

      • Network allocation, network segmentation, and network connectivity

      • Cost allocation

      • IP whitelists, security groups, and behavioral auditing

      • Security domain isolation and access control based on whitelists

      • Integration with self-managed systems such as SSO, CMDB, and billing system

2.3.Landing Zone Advanced edition

Landing Zone Advanced edition provides the following services:

  • Investigation and evaluation

    • Quickly investigate and analyze the current application technology stack by means of survey forms and interviews, and evaluate the feasibility of implementing enterprise IT governance in the cloud. Define the service process of Landing Zone.

    • Define the work scope of Landing Zone based on the evaluation results.

  • Account management

    • Design the account management solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Account: design solutions for account management and permission management, and norms for using RAM roles.

      • MFA: add support for MFA.

      • SSO: integrate with existing SSO to achieve centralized user authentication.

      • Identity authentication: design a federated authentication solution based on use scenarios.

  • Network planning

    • Design the network planning solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Network connection: design a solution to connect your data centers to Alibaba Cloud, design firewalls at the access layer and application layer, and design jump servers.

      • Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.

      • Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

  • Financial management

    • Design the financial management solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Cost accounting: Design a cost accounting model and make a cost center-based bill analysis scheme for cloud expenditures.

      • Cost analysis: Design financial analysis for customers, provide billing capability, assist customers to access the enterprise internal financial analysis platform, and obtain billing, expense details and other expense data.

      • Cost optimization: Recommend best practices, deployment plans, and audit plans for cost optimization based on the adopted cloud services.

  • Resource management

    • Design the resource management solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Design a solution to integrate with the enterprise's billing system for retrieving bills, invoices, and other expense data.

      • Design expense management solutions based on resource catalogs and cost allocation solutions for enterprises that do not have standard billing models or platforms.

  • Compliance auditing

    • Design the compliance auditing solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Provide norms for enterprise firewall configuration to meet the compliance requirements of perimeter security.

      • Design multi-layered protection solutions that include server-side encryption, client-side encryption, hotlinking protection, and IP blacklisting and whitelisting.

      • Design solutions for behavioral auditing, account auditing, and log auditing. Provide custom auditing solutions based on enterprise auditing requirements.

  • Security protection

    • Design the security protection solution based on the investigation and evaluation results. This solution provides the following capabilities:

      • Network security: design solutions for security group management and security domain management. Isolate applications by using security domains and connect specified applications based on requirements.

      • Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet the customer requirements.

      • Note that the security protection solution covers only the security management of the cloud platform and complies with the enterprise security regulations. The solution does not cover the security requirements of enterprise applications or other security requirements.

  • Technical validation

    • Validate the technical designs of the following solutions: account management, network planning, resource management, compliance auditing, and security protection. The technical feasibility of the following features is validated:

      • Account management, permission management, and identity management

      • Network allocation, network segmentation, and network connectivity

      • Cost allocation

      • IP whitelists, security groups, and behavioral auditing

      • Security domain isolation and access control based on whitelists

      • Integration with self-managed systems such as SSO, CMDB, and billing system

  • Solution implementation

    • Implement the following solutions based on the technical validation results: account management, network planning, financial management, resource management, compliance auditing, and security protection.

Notes:

  • Landing Zone provides solutions for IT governance based on Alibaba Cloud offerings and does not provide consulting services for IT governance within the enterprise. If you require enterprise-class IT governance solutions, you can purchase the relevant services.

  • The design of the security protection solution provided in the project covers only the security management of the cloud platform. The solution does not cover the security protection of enterprise applications and data, or cover classified protection requirements.

  • The project provides the designs of solutions to integrate with the customer's self-managed systems such as SSO, CMDB, and billing system. Alibaba Cloud is not responsible for the implementation of integration solutions or troubleshooting of technical issues related to self-managed systems.

  • Alibaba Cloud shall not be liable for schedule delays caused by the customer.

  • The customer shall not limit the ways in which Alibaba Cloud provides services. Alibaba Cloud conducts investigations and provides consulting services on-site or remotely in order to produce the final deliverables.

  • Alibaba Cloud is not responsible for providing any technical documentation other than Alibaba Cloud official documentation and documents within the scope of this project.

  • Alibaba Cloud is not responsible for any implementation or maintenance work involved in the planning, architecture design, cloud transformation, or implementation of the customer's business system.

  • Alibaba Cloud is not responsible for troubleshooting or technical support of third-party software and application systems that are not provided by the Alibaba Cloud platform.

3.Prerequisites

  • The customer must apply for the service at least 15 working days before they place the order. This way, Alibaba Cloud can evaluate the customer's business objectives and check the feasibility of the schedule to determine whether to accept the application.

  • If the application involves a large amount of resources, it is recommended that the customer apply for the service one month in advance. This way, Alibaba Cloud can communicate with suppliers to check whether the required resources are available.

  • The customer shall provide Alibaba Cloud with all necessary documents, information, data, diagrams, system permissions, and remote access channels in an efficient manner to enable Alibaba Cloud to provide services. All such information is subject to the confidentiality clauses attached to the statement. The customer agrees that all information disclosed or to be disclosed to Alibaba Cloud is true, accurate, and not misleading.

  • Alibaba Cloud provides Landing Zone services (Basic, Standard, and Advanced editions) through phone calls, DingTalk, and emails. There are no limits on the location where Alibaba Cloud provides services.

  • In the project delivery process, Alibaba Cloud designs the IT governance solution and troubleshoots the issues that occur during technical validation, and the customer implements the solution designed by Alibaba Cloud.

  • Alibaba Cloud provides services from 9:00 am to 6:00 pm (UTC+8) Monday to Friday, except for national holidays in China.

  • The project managers designated by the customer and Alibaba Cloud shall use mutually agreed communication methods to transfer the written information required for the project. Optional communication methods include DingTalk, fax, and email.

  • All project deliverables are in Chinese or English, and the working language is Chinese or English. All deliverables are submitted as electronic copies in Microsoft Office formats, including PowerPoint, Word, Excel, and Visio.

  • The customer and Alibaba Cloud shall work on the project according to the work plan, staffing plan, and start and end dates that are agreed upon by both parties in advance. Alibaba Cloud shall not be liable for project delays that are caused by delays in the launch of the customer's relevant business systems.

  • If the customer or Alibaba Cloud wants to introduce a third party, the customer or Alibaba Cloud shall be responsible for signing contracts with the third party. Alibaba Cloud is not responsible for the actions or delays caused by the subcontractors or vendors used by the customer. The customer is not responsible for the actions or delays caused by the subcontractors or vendors used by Alibaba Cloud.

  • Neither party is liable for special, incidental, or indirect damages, or consequential economic damages (this includes loss of profits or discounts) under this contract, even if the party has been informed of the possibility of such damages.

4.Responsibilities

4.1.Customer and Alibaba Cloud

  • To purchase Landing Zone (Basic, Standard, or Advanced edition), the customer must apply for the service in advance and can place orders only after the application is approved by Alibaba Cloud.

  • The customer and Alibaba Cloud negotiate to confirm the business objectives and service scope of Landing Zone.

| Service type | Phase | Task name | Task details | Customer | Alibaba Cloud |
| --- | --- | --- | --- | --- | --- |
| Landing Zone | Current situation investigation | Infrastructure | Analyze the customer's deployment architecture, understand the relationship between computing, storage, middleware, and applications, and analyze and aggregate data on nodes. | A/S/C/I | R/I |
| | | Business status and application systems | Investigate the current IT governance situation and understand the requirements for cloud-based IT governance through remote information collection and on-site communication. | A/S/C/I | R/I |
| | | IT governance norms | Investigate the current IT governance norms, such as security norms, network norms, account management norms, and billing norms, and understand the customer's requirements of IT governance norms. | A/S/C/I | R/I |
| | Solution design | Account management | Design the account management solution based on the enterprise account system to achieve SSO integration, MFA, and centralized permission management. | A/S/C/I | R/I |
| | | Network planning | Design the network planning solution to meet the customer's networking requirements. | A/S/C/I | R/I |
| | | Financial management | Design the cloud financial management based on the account distribution label, and provide data support for the subsequent cost optimization and business decisions. | A/S/C/I | R/I |
| | | Resource management | Design the resource management solution to meet the customer's requirements for cloud resource provisioning. | A/S/C/I | R/I |
| | | Compliance auditing | Design the compliance auditing solution based on the customer's compliance and auditing requirements. | A/S/C/I | R/I |
| | | Security protection | Design the security protection solution based on enterprise security norms to meet the customer's requirements. The solution covers only cloud security. | A/S/C/I | R/I |
| | Technical validation | Landing Zone technical validation | Validate the technical feasibility of the solutions and troubleshoot the issues that occur in the validation process. | A/S/C/I/R | S/C/I |
| | Solution implementation | Landing Zone solution implementation | Implement the solutions. | A/S/C/I | R/S/C/I |

Notes: R for Responsible, A for Accountable, C for Consulted, I for Informed, and S for Support.

4.1.1.Customer responsibilities

  • The customer must appoint a project manager with the required expertise and experience as the main contact person for communication with Alibaba Cloud. The project manager has full authority to make decisions on all aspects of the project on behalf of the customer, and is directly responsible for the planning, coordination, supervision, and control of project implementation. The project manager is also responsible for troubleshooting and solving any issues that occur during project implementation.

  • The project manager of the customer is responsible for coordinating all resources to lead the investigation and technical verification work involved in the project.

  • At the beginning of the project, the customer must provide information and specification documents related to IT governance within the enterprise, and explicitly state the implementation requirements.

4.1.2.Alibaba Cloud

  • Alibaba Cloud must appoint an experienced technical manager to communicate with the project manager from the customer, and manage the project and project team members from Alibaba Cloud.

  • Alibaba Cloud must investigate the basic architecture, business scenarios, technical components, and development frameworks of the customer's system, and evaluate the Landing Zone specifications.

  • Alibaba Cloud must design the Landing Zone solution based on the results of the preliminary investigation.

  • Alibaba Cloud must cooperate with the customer to validate the technical feasibility of the Landing Zone solution and help the customer resolve issues that occur in the validation process.

4.1.3.Completion criteria

  • Completion criteria for Landing Zone Basic edition

    • The designs of the following solutions are completed and confirmed by the customer: account management, and network planning or security protection.

    • Deliverables

      • Landing Zone Basic IT Governance Solution

  • Completion criteria for Landing Zone Standard edition

    • The designs of the following solutions are completed and confirmed by the customer: account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Deliverables

      • Landing Zone Standard IT Governance Solution

  • Completion criteria for Landing Zone Advanced edition

    • The designs of the following solutions are completed, implemented, and confirmed by the customer: account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Deliverables

      • Landing Zone Advanced IT Governance Solution

4.2.Service catalog

The following table describes the services that are provided by Landing Zone:

| Phase | Service | Landing Zone Basic edition | Landing Zone Standard edition | Landing Zone Advanced edition |
| --- | --- | --- | --- | --- |
| Current situation investigation | Infrastructure | Supported | Supported | Supported |
| | Business status and application systems | Supported | Supported | Supported |
| | IT governance norms | Supported | Supported | Supported |
| Solution design | Account management | Supported | Supported | Supported |
| | Network planning | Supported (select between network planning and security protection) | Supported | Supported |
| | Financial management | | Supported | Supported |
| | Resource management | | Supported | Supported |
| | Compliance auditing | | Supported | Supported |
| | Security protection | Supported (select between network planning and security protection) | Supported | Supported |
| Technical validation | Landing Zone technical validation | Supported | Supported | Supported |
| Solution implementation | Landing Zone solution implementation | | | Supported |

5.Service Level Agreement

  • Provide the Landing Zone service.

  • Provide technical validation and on-site support based on demands during the service period.

  • Provide the following documents based on service specifications: Landing Zone Basic IT Governance Solution, Landing Zone Standard IT Governance Solution, and Landing Zone Advanced IT Governance Solution.

6.Service Process

The following figure shows the service process of Landing Zone.

[Figure: flowchart]

7.Acceptance criteria

7.1.Acceptance list

| No. | Phase | Details | Deliverable | Deliverable type |
| --- | --- | --- | --- | --- |
| 1 | Current situation investigation | Infrastructure | Landing Zone Investigation Report | Document |
| | | Business status and application systems | | |
| | | IT governance norms | | |
| 2 | Solution design | Account management | Landing Zone Advanced IT Governance Solution; Landing Zone Basic IT Governance Solution; Landing Zone Standard IT Governance Solution | |
| | | Network planning | | |
| | | Financial management | | |
| | | Resource management | | |
| | | Compliance auditing | | |
| | | Security protection | | |
| 3 | Technical validation | Technical validation | N/A | |
| 4 | Solution implementation | Solution implementation | N/A | |

7.2.Acceptance criteria

  • In the project delivery process, Alibaba Cloud should provide consulting services regarding Landing Zone and record important information in documents. In the acceptance phase, the customer should focus on the quality of document content and confirm that the documents meet their requirements.

  • If the customer's business process requires internal reviews before Alibaba Cloud submits the deliverables, the customer must conduct and complete internal reviews before the agreed acceptance time.

  • If the document content needs to be modified after the review meeting, Alibaba Cloud must make the required modifications and submit the modified documents to the customer for acceptance. The customer must appoint a representative to sign for confirmation.

  • Acceptance criteria for Landing Zone Basic edition

    • Landing Zone Basic IT Governance Solution meets expectations.

  • Acceptance criteria for Landing Zone Standard edition

    • Landing Zone Standard IT Governance Solution meets expectations.

  • Acceptance criteria for Landing Zone Advanced edition

    • Landing Zone Standard IT Governance Solution meets expectations.

7.3.Acceptance plan

In accordance with the deliverables of each project phase described in Section 7.1 Acceptance List, project acceptance is based on the following acceptance plans. The customer agrees to accept the deliverables submitted by Alibaba Cloud based on these acceptance plans.

Acceptance plan for Landing Zone Basic edition

| No. | Acceptance start time | Acceptance content | Acceptance completion |
| --- | --- | --- | --- |
| 1 | Completion of the design and technical validation of Landing Zone Basic IT Governance Solution | Landing Zone Basic IT Governance Solution | Acceptance confirmation by the customer |

Acceptance plan for Landing Zone Standard edition

| No. | Acceptance start time | Acceptance content | Acceptance completion |
| --- | --- | --- | --- |
| 1 | Completion of the design and technical validation of Landing Zone Standard IT Governance Solution | Landing Zone Standard IT Governance Solution | Acceptance confirmation by the customer |

Acceptance plan for Landing Zone Advanced edition

| No. | Acceptance start time | Acceptance content | Acceptance completion |
| --- | --- | --- | --- |
| 1 | Completion of the design, technical validation, and implementation of Landing Zone Advanced IT Governance Solution | Landing Zone Advanced IT Governance Solution | Acceptance confirmation by the customer |

8.Project Completion

The project is completed after the customer confirms the acceptance.