Statement of Work (SOW)

Service Overview

As more and more enterprises gradually appreciate the cloud advantages in security, stability, service quality, operation efficiency, and others, they keep migrating their service systems to the cloud. In the all-cloud era, to avoid possible risks in cloud management and security, Huawei Cloud launches the Landing Zone solution to provide unified IT governance of people, finances, resources, permissions, and security compliance. This solution helps comprehensively and effectively manage business units, users, permissions, cloud resources, data, applications, and security for better cloud security and efficiency.

Service Content

Service	Subservice	Service Content	Application Scenario
Basic Scenarios – Design and Implementation	Landing Zone Design for Basic Scenarios – Medium Scale	Based on the customer requirement survey, detailed solutions are designed for organizational accounts, identity and permissions, network planning, security protection, and compliance audit.	Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need scalable, efficient cloud governance, in terms of organizational accounts, identity and permissions, networks, security, and compliance audit.
	Landing Zone Design for Basic Scenarios – Large Scale
	Landing Zone Design for Basic Scenarios – Ultra-Large Scale
	Landing Zone Implementation for Basic Scenarios – Medium Scale	A cloud environment is deployed for basic scenarios as designed. This helps enable resources, create accounts, deploy the cloud infrastructure, set up multi-account and authorization systems, and provide cloud network and security protection.
	Landing Zone Implementation for Basic Scenarios – Large Scale
	Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale
Advanced Scenarios – Data Perimeter Management	Data Perimeter Management Design	Service control policies (SCPs), VPC endpoint policies, resource-based policies are configured to serve as guardrails, blocking unexpected access paths.	Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need their data privacy and core data being strictly protected.
Advanced Scenarios – Data Perimeter Management	Data Perimeter Management Implementation	Data perimeter management is implemented for enterprises as the best practices.
Advanced Scenarios – Cloud Financial Management	Cloud Financial Management Design	Hierarchical financial management is designed to match master-member account associations based on the organizational structure of your landing zone.	Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need to manage finances in a hierarchical manner.
Advanced Scenarios – Cloud Financial Management	Cloud Financial Management Implementation	Financial management is implemented for enterprises.
Advanced Scenarios – O&M Management	O&M Management Design	Resource management, event management, and logs of all member accounts are monitored based on the organizational structure of your landing zone.	Medium- and large-sized enterprises are migrating services to Huawei Cloud. They want to monitor and maintain their accounts and resources on a regular basis.
Advanced Scenarios – O&M Management	O&M Management Implementation	O&M management is implemented for enterprises.

Medium scale: <= 10 accounts, <= 3 VPCs, and same-region deployment
Large scale: <= 100 accounts and <= 10 VPCs (provided that "Landing Zone Design for Basic Scenarios – Medium Scale" is not applicable)
Ultra-large scale: > 100 accounts or > 10 VPCs (provided that "Landing Zone Design for Basic Scenarios – Large Scale" is not applicable)

Prerequisites

Customers need to apply for the Landing Zone design and implementation services 15 days in advance so that Huawei Cloud can evaluate the business objectives and project delivery plan.
When deploying Landing Zone, if access to customers' service environment is needed, authorization from the customer must be obtained before the service content can be fulfilled. In addition, the cooperation of customers' personnel is required to survey the service status, collect requirements, design and review the solution, and accept the solution.

Service Scope

Applicable Scope

Phase	Activity	Description
Survey and evaluation on cloud IT governance	Survey and evaluation on IT governance	Huawei Cloud learns customers' IT governance status, collects their IT governance specifications (for example, on security, network, account management, billing, and bill splitting), analyzes the current IT governance architecture, and collects their requirements for cloud IT governance.
Design and implementation for basic scenarios	Resource organization	Based on the business structure and IT management mode, Huawei Cloud designs resource grouping in a single account or for multiple accounts to separate responsibilities based on permissions.
	Identity and permissions	Huawei Cloud designs the cloud identity federation with identity providers (for example, Active Directory or Google) so that existing credentials can be used to access Huawei Cloud. Huawei Cloud designs users and user groups, authorization management, and credential security, and configure permission sets for a single account or multiple accounts. Huawei Cloud designs permission boundaries and organization-level guardrail policies for users, user groups, and application identities.
	Network planning	Huawei Cloud designs public network access, including access via the NAT gateway, elastic IP address (EIP), and proxy servers. Huawei Cloud designs multi-region connections between cloud and on-premises data centers or on the same cloud, as well as the connection with third-party clouds. Huawei Cloud designs VPC division for service deployment, inter-cloud VPC interconnection, and networks for public services, file systems, and Object Storage Service (OBS) buckets in the file management area.
	Compliance audit	Huawei Cloud checks the compliance of resource configurations for cloud asset operations, O&M, security, and reliability as the best practices. Huawei Cloud audits operation logs and permanently stores logs about operations and resource changes.
	Security protection	Host security: Huawei Cloud designs protection solutions against vulnerabilities, threats, and attacks to hosts. Data security: Huawei Cloud designs solutions for key management, database protection policies, and storage access control.
Advanced scenarios	Data perimeter	Huawei Cloud designs security control policies for network and intranet boundaries. Routing tables, ACLs, and security groups are managed based on different permissions. This aims to minimize exposure to network risks. Huawei Cloud configures SCPs and guardrail policies for VPC endpoints and resources to block all unexpected access paths based on principles of separation of duty (SOD). This ensures that data and resources can be accessed only by specified users on specified networks or environments. Analysis tools are provided to prove the validity of policy configurations. This way, Huawei Cloud can eliminate data leakage risks caused by privilege credential disclosure or incorrect configurations.
	Cloud financial management	Hierarchical financial management is designed based on the organizational structure of Landing Zone and master-member account associations. Resources in each member account can be logically grouped by cost tag and costs can be split by cost tag.
	O&M management	The resource and event management of all member accounts can be viewed and operated in a unified manner. The management account centrally manages the log monitoring of other accounts in an organization with multiple accounts.
Technical testing	Technical testing for IT governance solutions	Technical tests are performed for the Landing Zone IT governance architecture in the customer's test or pre-production environment. The tests cover the multi-account system, single sign-on (SSO), user permissions, identity management, network connectivity, and operation audit.
Solution implementation	Implementation of IT governance solutions	All IT governance solutions of Landing Zone are implemented in customers' production environment.

Inapplicable Scope
- Software design, reconstruction, installation, and deployment that are beyond the Landing Zone design scope, such as third-party security, application, and network software purchased by customers
- Cloud services that are used for Landing Zone testing and implementation, such as Enterprise Router, Direct Connect, Virtual Private Network (VPN), Cloud Firewall (CFW), and Web Application Firewall (WAF)
- Services that are beyond the Landing Zone scope, such as SecMaster, disaster recovery (DR) and backup design, and resource planning for cloud services (such as big data and database)
Regions
Asia Pacific, Middle East, and Latin America (Brazil not included).

Service Process

Service Deliverables

L6 Service Name	Deliverable
Landing Zone Design for Basic Scenarios – Medium Scale	Landing Zone Design and Implementation for XX Project
Landing Zone Design for Basic Scenarios – Large Scale
Landing Zone Design for Basic Scenarios – Ultra-Large Scale
Landing Zone Implementation for Basic Scenarios – Medium Scale
Landing Zone Implementation for Basic Scenarios – Large Scale
Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale
Advanced Scenarios – Data Perimeter Management
Advanced Scenarios – Cloud Financial Management
Advanced Scenarios – O&M Management

Responsibility Matrix

Shared Responsibilities
- Negotiate and confirm specific IT governance requirements and objectives.
- Negotiate and confirm project management plans.
- Negotiate, confirm, and review Landing Zone contents.
- Sign a contract.
Huawei Responsibilities
- Designate a project owner and notify the customer of any personnel changes three working days in advance until the project is accepted.
- Use the authorized data only for Landing Zone services and not use the data for any other purposes.
Customer Responsibilities
- Assign a project owner to assist Huawei Cloud in implementing Landing Zone design and implementation services. The project owner is responsible for coordinating and managing personnel and resources between the two parties. The owner also reviews and accepts the services provided by Huawei Cloud.
- Provide the service system information, including but not limited to the application architecture, deployment architecture, network architecture, and security requirements.

Responsibility Details

"R" represents the responsible party.
"S" represents the supporting party.

No.	Service Process	Content	Huawei	Customer
1	Survey and evaluation on cloud IT governance	Survey and evaluation on IT governance	R	S
2	Design and implementation for basic scenarios	Resource organization	R	S
3		Identity and permissions	R	S
4		Network planning	R	S
5		Compliance audit	R	S
6		Security protection	R	S
7	Advanced scenarios	Data perimeter	R	S
8		Cloud financial management	R	S
9		O&M management	R	S
10	Technical testing	Technical testing for IT governance solutions	S	R
11	Solution implementation	Implementation of IT governance solutions	S	R

If a customer has purchased the Landing Zone implementation service, Huawei Cloud is responsible for implementing the solution.

Acceptance Criteria

Supported acceptance modes: online acceptance and offline acceptance.
The deliverables of each subservice must be submitted in compliance with the criteria. If customers accept the deliverables, they need to sign and seal the Acceptance Report of Huawei Cloud Landing Zone Design and Implementation or click the acceptance link on the Huawei Cloud official website.

Parent topic: Landing Zone Design and Implementation

Previous topic: Landing Zone Design and Implementation

Next topic: FAQs