Updated on 2024-05-15 GMT+08:00

Statement of Work (SOW)

Service Overview

As more enterprises come to appreciate the cloud's advantages in security, stability, service quality, and operational efficiency, they continue to migrate their service systems to the cloud. In the all-cloud era, to avoid possible risks in cloud management and security, Huawei Cloud launches the Landing Zone solution to provide unified IT governance of people, finances, resources, permissions, and security compliance. This solution helps comprehensively and effectively manage business units, users, permissions, cloud resources, data, applications, and security for better cloud security and efficiency.

Service Content

| Service | Subservice | Service Content | Application Scenario |
|---|---|---|---|
| Basic Scenarios – Design and Implementation | Landing Zone Design for Basic Scenarios – Medium Scale | Based on the customer requirement survey, detailed solutions are designed for organizational accounts, identity and permissions, network planning, security protection, and compliance audit. | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need scalable, efficient cloud governance in terms of organizational accounts, identity and permissions, networks, security, and compliance audit. |
| | Landing Zone Design for Basic Scenarios – Large Scale | | |
| | Landing Zone Design for Basic Scenarios – Ultra-Large Scale | | |
| | Landing Zone Implementation for Basic Scenarios – Medium Scale | A cloud environment is deployed for basic scenarios as designed. This helps enable resources, create accounts, deploy the cloud infrastructure, set up multi-account and authorization systems, and provide cloud network and security protection. | |
| | Landing Zone Implementation for Basic Scenarios – Large Scale | | |
| | Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale | | |
| Advanced Scenarios – Data Perimeter Management | Data Perimeter Management Design | Service control policies (SCPs), VPC endpoint policies, and resource-based policies are configured to serve as guardrails, blocking unexpected access paths. | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need their data privacy and core data to be strictly protected. |
| | Data Perimeter Management Implementation | Data perimeter management is implemented for enterprises in line with best practices. | |
| Advanced Scenarios – Cloud Financial Management | Cloud Financial Management Design | Hierarchical financial management is designed to match master-member account associations based on the organizational structure of your landing zone. | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need to manage finances in a hierarchical manner. |
| | Cloud Financial Management Implementation | Financial management is implemented for enterprises. | |
| Advanced Scenarios – O&M Management | O&M Management Design | Resource management, event management, and logs of all member accounts are monitored based on the organizational structure of your landing zone. | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They want to monitor and maintain their accounts and resources on a regular basis. |
| | O&M Management Implementation | O&M management is implemented for enterprises. | |

  • Medium scale: <= 10 accounts, <= 3 VPCs, and same-region deployment
  • Large scale: <= 100 accounts and <= 10 VPCs (provided that "Landing Zone Design for Basic Scenarios – Medium Scale" is not applicable)
  • Ultra-large scale: > 100 accounts or > 10 VPCs (provided that "Landing Zone Design for Basic Scenarios – Large Scale" is not applicable)

Prerequisites

  • Customers need to apply for the Landing Zone design and implementation services 15 days in advance so that Huawei Cloud can evaluate the business objectives and project delivery plan.
  • When deploying Landing Zone, if access to customers' service environment is needed, authorization from the customer must be obtained before the service content can be fulfilled. In addition, the cooperation of customers' personnel is required to survey the service status, collect requirements, design and review the solution, and accept the solution.

Service Scope

  1. Applicable Scope

    Phase

    Activity

    Description

    Survey and evaluation on cloud IT governance

    Survey and evaluation on IT governance

    Huawei Cloud learns customers' IT governance status, collects their IT governance specifications (for example, on security, network, account management, billing, and bill splitting), analyzes the current IT governance architecture, and collects their requirements for cloud IT governance.

    Design and implementation for basic scenarios

    Resource organization

    Based on the business structure and IT management mode, Huawei Cloud designs resource grouping in a single account or for multiple accounts to separate responsibilities based on permissions.

    Identity and permissions

    • Huawei Cloud designs the cloud identity federation with identity providers (for example, Active Directory or Google) so that existing credentials can be used to access Huawei Cloud.
    • Huawei Cloud designs users and user groups, authorization management, and credential security, and configures permission sets for a single account or multiple accounts.
    • Huawei Cloud designs permission boundaries and organization-level guardrail policies for users, user groups, and application identities.

    Network planning

    • Huawei Cloud designs public network access, including access via the NAT gateway, elastic IP address (EIP), and proxy servers.
    • Huawei Cloud designs multi-region connections between cloud and on-premises data centers or on the same cloud, as well as the connection with third-party clouds.
    • Huawei Cloud designs VPC division for service deployment, inter-cloud VPC interconnection, and networks for public services, file systems, and Object Storage Service (OBS) buckets in the file management area.

    Compliance audit

    • Huawei Cloud checks the compliance of resource configurations for cloud asset operations, O&M, security, and reliability in line with best practices.
    • Huawei Cloud audits operation logs and permanently stores logs about operations and resource changes.

    Security protection

    • Host security: Huawei Cloud designs protection solutions against vulnerabilities, threats, and attacks to hosts.
    • Data security: Huawei Cloud designs solutions for key management, database protection policies, and storage access control.

    Advanced scenarios

    Data perimeter

    • Huawei Cloud designs security control policies for network and intranet boundaries. Routing tables, ACLs, and security groups are managed based on different permissions. This aims to minimize exposure to network risks.
    • Huawei Cloud configures SCPs and guardrail policies for VPC endpoints and resources to block all unexpected access paths based on the principle of separation of duties (SOD). This ensures that data and resources can be accessed only by specified users on specified networks or environments. Analysis tools are provided to prove the validity of policy configurations. This way, Huawei Cloud can eliminate data leakage risks caused by privileged credential disclosure or incorrect configurations.

    Cloud financial management

    • Hierarchical financial management is designed based on the organizational structure of Landing Zone and master-member account associations.
    • Resources in each member account can be logically grouped by cost tag and costs can be split by cost tag.

    O&M management

    • The resource and event management of all member accounts can be viewed and operated in a unified manner.
    • The management account centrally manages the log monitoring of other accounts in an organization with multiple accounts.

    Technical testing

    Technical testing for IT governance solutions

    Technical tests are performed for the Landing Zone IT governance architecture in the customer's test or pre-production environment. The tests cover the multi-account system, single sign-on (SSO), user permissions, identity management, network connectivity, and operation audit.

    Solution implementation

    Implementation of IT governance solutions

    All IT governance solutions of Landing Zone are implemented in customers' production environment.

  2. Inapplicable Scope
    • Software design, reconstruction, installation, and deployment that are beyond the Landing Zone design scope, such as third-party security, application, and network software purchased by customers
    • Cloud services that are used for Landing Zone testing and implementation, such as Enterprise Router, Direct Connect, Virtual Private Network (VPN), Cloud Firewall (CFW), and Web Application Firewall (WAF)
    • Services that are beyond the Landing Zone scope, such as SecMaster, disaster recovery (DR) and backup design, and resource planning for cloud services (such as big data and database)
  3. Regions

    Asia Pacific, Middle East, and Latin America (Brazil not included).

Service Process

Service Deliverables

| L6 Service Name | Deliverable |
|---|---|
| Landing Zone Design for Basic Scenarios – Medium Scale | Landing Zone Design and Implementation for XX Project |
| Landing Zone Design for Basic Scenarios – Large Scale | |
| Landing Zone Design for Basic Scenarios – Ultra-Large Scale | |
| Landing Zone Implementation for Basic Scenarios – Medium Scale | |
| Landing Zone Implementation for Basic Scenarios – Large Scale | |
| Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale | |
| Advanced Scenarios – Data Perimeter Management | |
| Advanced Scenarios – Cloud Financial Management | |
| Advanced Scenarios – O&M Management | |

Responsibility Matrix

  1. Shared Responsibilities
    • Negotiate and confirm specific IT governance requirements and objectives.
    • Negotiate and confirm project management plans.
    • Negotiate, confirm, and review Landing Zone contents.
    • Sign a contract.
  2. Huawei Responsibilities
    • Designate a project owner and notify the customer of any personnel changes three working days in advance until the project is accepted.
    • Use the authorized data only for Landing Zone services and not use the data for any other purposes.
  3. Customer Responsibilities
    • Assign a project owner to assist Huawei Cloud in implementing Landing Zone design and implementation services. The project owner is responsible for coordinating and managing personnel and resources between the two parties. The owner also reviews and accepts the services provided by Huawei Cloud.
    • Provide the service system information, including but not limited to the application architecture, deployment architecture, network architecture, and security requirements.
  4. Responsibility Details
    • "R" represents the responsible party.
    • "S" represents the supporting party.

    | No. | Service Process | Content | Huawei | Customer |
    |---|---|---|---|---|
    | 1 | Survey and evaluation on cloud IT governance | Survey and evaluation on IT governance | R | S |
    | 2 | Design and implementation for basic scenarios | Resource organization | R | S |
    | 3 | | Identity and permissions | R | S |
    | 4 | | Network planning | R | S |
    | 5 | | Compliance audit | R | S |
    | 6 | | Security protection | R | S |
    | 7 | Advanced scenarios | Data perimeter | R | S |
    | 8 | | Cloud financial management | R | S |
    | 9 | | O&M management | R | S |
    | 10 | Technical testing | Technical testing for IT governance solutions | S | R |
    | 11 | Solution implementation | Implementation of IT governance solutions | S | R |

    If a customer has purchased the Landing Zone implementation service, Huawei Cloud is responsible for implementing the solution.

Acceptance Criteria

  • Supported acceptance modes: online acceptance and offline acceptance.
  • The deliverables of each subservice must be submitted in compliance with the criteria. If customers accept the deliverables, they need to sign and seal the Acceptance Report of Huawei Cloud Landing Zone Design and Implementation or click the acceptance link on the Huawei Cloud official website.