Alibaba Cloud Landing Zone Service Statement of Work

1.Overview

1.1.Introduction

Landing Zone provides solution design and validation services for IT governance based on Alibaba Cloud offerings to help enterprises migrate to the cloud. The service provides designs and technical validation of the following solutions: account management, network planning, financial management, resource management, compliance auditing, and security protection. The service also guides customers to set up a secure, multi-account Alibaba Cloud environment based on Alibaba Cloud best practices.

Landing Zone provides the following three editions that you can choose from based on your business requirements:

Landing Zone

Basic edition
- Provides lightweight consulting services and designs of the following solutions based on your business requirements: account management, and network planning or security protection.
- Validates the technical feasibility of the preceding solutions.

Standard edition
- Provides standard consulting services and designs of the following solutions based on your business requirements: account management, network planning, financial management, resource management, compliance auditing, and security protection.
- Validates the technical feasibility of the preceding solutions.
- Provides solutions to integrate with self-managed systems, such as SSO, CMDB, and billing system.

Advanced edition
- Provides advanced consulting services and designs and implementation of the following solutions based on your business requirements: account management, network planning, financial management,resource management, compliance auditing, and security protection.
- Validates the technical feasibility of the preceding solutions and implements the solutions.
- Provides solutions to integrate with self-managed systems, such as SSO, CMDB, and billing system.

Any work or solution that is not defined in this statement of work is excluded from the scope of this project.

2.Service Scope

The service scope varies by the edition of Landing Zone: Basic, Standard, and Advanced. You can select the edition based on your business requirements.

2.1.Landing Zone Basic edition

Landing Zone Basic edition provides the following services:

Investigation and evaluation
- Quickly investigate and analyze the current application technology stack by means of survey forms and interviews, and evaluate the feasibility of implementing enterprise IT governance in the cloud. Define the service process of Landing Zone.
- Design the technology roadmap based on the evaluation results.

Account management
- Design the account management solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Account: design solutions for account management and permission management, and norms for using RAM roles.
  - MFA: add support for MFA.
  - SSO: integrate with existing SSO to achieve centralized user authentication.
  - Identity authentication: design a federated authentication solution based on use scenarios.

Network planning (select between network planning and security protection)
- Design the network planning solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Network connection: design a solution to connect your data centers to Alibaba Cloud through VPNs, design firewalls at the access layer and application layer, and design jump servers.
  - Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.
  - Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

Security protection (select between network planning and security protection)
- Design the security protection solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Network security: design solutions for security group management and security domain management. Isolate applications by using security domains and connect specified applications based on requirements.
  - Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet the customer requirements.
  - Note that the security protection solution covers only the security management of the cloud platform and complies with the enterprise security regulations. The solution does not cover the security requirements of enterprise applications or other security requirements.

Technical validation
- Validate the technical designs of the following solutions: account management, and network planning or security protection. The technical feasibility of the following features is validated:
  - Account management, permission management, and identity management
  - Network allocation, network segmentation, and network connectivity

2.2.Landing Zone Standard edition

Landing Zone Standard edition provides the following services:

Investigation and evaluation
- Quickly investigate and analyze the current application technology stack by means of survey forms and interviews, and evaluate the feasibility of implementing enterprise IT governance in the cloud. Define the service process of Landing Zone.
- Define the work scope of Landing Zone based on the evaluation results.

Account management
- Design the account management solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Account: design solutions for account management and permission management, and norms for using RAM roles.
  - MFA: add support for MFA.
  - SSO: integrate with existing SSO to achieve centralized user authentication.
  - Identity authentication: design a federated authentication solution based on use scenarios.

Network planning
- Design the network planning solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Network connection: design a solution to connect your data centers to Alibaba Cloud, design firewalls at the access layer and application layer, and design jump servers.
  - Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.
  - Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

Financial management
- Design the financial management solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Cost accounting: Design a cost accounting model and make a cost center-based bill analysis scheme for cloud expenditures.
  - Cost analysis: Design financial analysis for customers, provide billing capability, assist customers to access the enterprise internal financial analysis platform, and obtain billing, expense details and other expense data.
  - Cost optimization: Recommend best practices, deployment plans, and audit plans for cost optimization based on the adopted cloud services.

Resource management
- Design the resource management solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Design a solution to integrate with the enterprise's billing system for retrieving bills, invoices, and other expense data.
  - Design expense management solutions based on resource catalogs and cost allocation solutions for enterprises that do not have standard billing models or platforms.

Compliance auditing
- Design the compliance auditing solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Provide norms for enterprise firewall configuration to meet the compliance requirements of perimeter security.
  - Design multi-layered protection solutions that include server-side encryption, client-side encryption, hotlinking protection, and IP blacklisting and whitelisting.
  - Design solutions for behavioral auditing, account auditing, and log auditing. Provide custom auditing solutions based on enterprise auditing requirements.

Security protection
- Design the security protection solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Network security: design solutions for security group management and security domain management. Isolate applications by using security domains and connect specified applications based on requirements.
  - Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet the customer requirements.
  - Note that the security protection solution covers only the security management of the cloud platform and complies with the enterprise security regulations. The solution does not cover the security requirements of enterprise applications or other security requirements.

Technical validation
- Validate the technical designs of the following solutions: account management, network planning, financial management, resource management, compliance auditing, and security protection. The technical feasibility of the following features is validated:
  - Account management, permission management, and identity management
  - Network allocation, network segmentation, and network connectivity
  - Cost allocation
  - IP whitelists, security groups, and behavioral auditing
  - Security domain isolation and access control based on whitelists
  - Integration with self-managed systems such as SSO, CMDB, and billing system

2.3.Landing Zone Advanced edition

Landing Zone Advanced edition provides the following services:

Investigation and evaluation
- Quickly investigate and analyze the current application technology stack by means of survey forms and interviews, and evaluate the feasibility of implementing enterprise IT governance in the cloud. Define the service process of Landing Zone.
- Define the work scope of Landing Zone based on the evaluation results.

Account management
- Design the account management solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Account: design solutions for account management and permission management, and norms for using RAM roles.
  - MFA: add support for MFA.
  - SSO: integrate with existing SSO to achieve centralized user authentication.
  - Identity authentication: design a federated authentication solution based on use scenarios.

Network planning
- Design the network planning solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Network connection: design a solution to connect your data centers to Alibaba Cloud, design firewalls at the access layer and application layer, and design jump servers.
  - Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.
  - Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

Financial management
- Design the financial management solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Cost accounting: Design a cost accounting model and make a cost center-based bill analysis scheme for cloud expenditures.
  - Cost analysis: Design financial analysis for customers, provide billing capability, assist customers to access the enterprise internal financial analysis platform, and obtain billing, expense details and other expense data.
  - Cost optimization: Recommend best practices, deployment plans, and audit plans for cost optimization based on the adopted cloud services.

Resource management
- Design the resource management solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Design a solution to integrate with the enterprise's billing system for retrieving bills, invoices, and other expense data.
  - Design expense management solutions based on resource catalogs and cost allocation solutions for enterprises that do not have standard billing models or platforms.

Compliance auditing
- Design the compliance auditing solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Provide norms for enterprise firewall configuration to meet the compliance requirements of perimeter security.
  - Design multi-layered protection solutions that include server-side encryption, client-side encryption, hotlinking protection, and IP blacklisting and whitelisting.
  - Design solutions for behavioral auditing, account auditing, and log auditing. Provide custom auditing solutions based on enterprise auditing requirements.

Security protection
- Design the security protection solution based on the investigation and evaluation results. This solution provides the following capabilities:
  - Network security: design solutions for security group management and security domain management. Isolate applications by using security domains and connect specified applications based on requirements.
  - Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet the customer requirements.
  - Note that the security protection solution covers only the security management of the cloud platform and complies with the enterprise security regulations. The solution does not cover the security requirements of enterprise applications or other security requirements.

Technical validation
- Validate the technical designs of the following solutions: account management, network planning, resource management, compliance auditing, and security protection. The technical feasibility of the following features is validated:
  - Account management, permission management, and identity management
  - Network allocation, network segmentation, and network connectivity
  - Cost allocation
  - IP whitelists, security groups, and behavioral auditing
  - Security domain isolation and access control based on whitelists
  - Integration with self-managed systems such as SSO, CMDB, and billing system

Solution implementation
- Implement the following solutions based on the technical validation results: account management, network planning, financial management, resource management, compliance auditing, and security protection.

Notes:

Landing Zone provides solutions for IT governance based on Alibaba Cloud offerings and does not provide consulting services for IT governance within the enterprise. If you require enterprise-class IT governance solutions, you can purchase the relevant services.

The design of the security protection solution provided in the project covers only the security management of the cloud platform. The solution does not cover the security protection of enterprise applications and data, or cover classified protection requirements.

The project provides the designs of solutions to integrate with the customer's self-managed systems such as SSO, CMDB, and billing system. Alibaba Cloud is not responsible for the implementation of integration solutions or troubleshooting of technical issues related to self-managed systems.

Alibaba Cloud shall not be liable for schedule delays caused by the customer.

The customer shall not limit the ways in which Alibaba Cloud provides services. Alibaba Cloud conducts investigations and provides consulting services on-site or remotely in order to produce the final deliverables.

Alibaba Cloud is not responsible for providing any technical documentation other than Alibaba Cloud official documentation and documents within the scope of this project.
Alibaba Cloud is not responsible for any implementation or maintenance work involved in the planning, architecture design, cloud transformation, or implementation of the customer's business system.
Alibaba Cloud is not responsible for troubleshooting or technical support of third-party software and application systems that are not provided by the Alibaba Cloud platform.

3.Prerequisites

The customer must apply for the service at least 15 working days before they place the order. This way, Alibaba Cloud can evaluate the customer's business objectives and check the feasibility of the schedule to determine whether to accept the application.

If the application involves a large amount of resources, it is recommended that the customer apply for the service one month in advance. This way, Alibaba Cloud can communicate with suppliers to check whether the required resources are available.

The customer shall provide Alibaba Cloud with all necessary documents, information, data, diagrams, system permissions, and remote access channels in an efficient manner to enable Alibaba Cloud to provide services. All such information is subject to the confidentiality clauses attached to the statement. The customer agrees that all information disclosed or to be disclosed to Alibaba Cloud is true, accurate, and not misleading.

Alibaba Cloud provides Landing Zone services (Basic, Standard, and Advanced editions) through phone calls, DingTalk, and emails. There are no limits on the location where Alibaba Cloud provides services.

In the project delivery process, Alibaba Cloud designs the IT governance solution and troubleshoots the issues that occur during technical validation and the customer implements the solution designed by Alibaba Cloud.

Alibaba Cloud provides services between 9:00 am to 6:00 pm (UTC+8) Monday to Friday, except for national holidays in China.

The project managers designated by the customer and Alibaba Cloud shall use mutually agreed communication methods to transfer the written information required for the project. Optional communication methods include DingTalk, fax, and email.

All project deliverables are in Chinese or English, and the working language is Chinese or English. All deliverables are submitted as electronic copies in Microsoft Office formats,including PowerPoint, Word, Excel, and Visio.

The customer and Alibaba Cloud shall work on the project according to the work plan, staffing plan, and start and end dates that are agreed upon by both parties in advance. Alibaba Cloud shall not be liable for project delays that are caused by delays in the launch of the customer's relevant business systems.

If the customer or Alibaba Cloud wants to introduce a third party, the customer or Alibaba Cloud shall be responsible for signing contracts with the third party. Alibaba Cloud is not responsible for the actions or delays caused by the subcontractors or vendors used by the customer. The customer is not responsible for the actions or delays caused by the subcontractors or vendors used by Alibaba Cloud.

Neither party is liable for special, incidental, or indirect damages, or consequential economic damages (this includes loss of profits or discounts) under this contract, even if the party has been informed of the possibility of such damages.

4.Responsibilities

4.1.Customer and Alibaba Cloud

To purchase Landing Zone (Basic, Standard, or Advanced edition), the customer must apply for the service in advance and can place orders only after the application is approved by Alibaba Cloud.
The customer and Alibaba Cloud negotiate to confirm the business objectives and service scope of Landing Zone.

Service type	Phase	Task name	Task details	Customer	Alibaba Cloud

Service type	Phase	Task name	Task details	Customer	Alibaba Cloud
Landing Zone	Current situation investigation	Infrastructure	Analyze the customer's deployment architecture, understand the relationship between computing, storage, middle ware, and applications, and analyze and aggregate data on nodes.	A/S/C/I	R/I
		Business status and application systems	Investigate the current IT governance situation and understand the requirements for cloud-based IT governance through remote information collection and on-site communication.	A/S/C/I	R/I
		IT governance norms	Investigate the current IT governance norms, such as security norms, network norms, account management norms, and billing norms, and understand the customer's requirements of IT governance norms.	A/S/C/I	R/I
	Solution design	Account management	Design the account management solution based on the enterprise account system to achieve SSO integration, MFA, and centralized permission management.	A/S/C/I	R/I
		Network planning	Design the network planning solution to meet the customer's networking requirements.	A/S/C/I	R/I
		Financial management	Design the cloud financial management based on the account distribution label, and provide data support for the subsequent cost optimization and business decisions.	A/S/C/I	R/I
		Resource management	Design the resource management solution to meet the customer's requirements for cloud resource provisioning.	A/S/C/I	R/I
		Compliance auditing	Design the compliance auditing solution based on the customer's compliance and auditing requirements.	A/S/C/I	R/I
		Security protection	Design the security protection solution based on enterprise security norms to meet the customer's requirements. The solution covers only cloud security.	A/S/C/I	R/I
	Technical validation	Landing Zone technical validation	Validate the technical feasibility of the solutions and troubleshoot the issues that occur in the validation process.	A/S/C/I/R	S/C/I
	Solution implementation	Landing Zone solution implementation	Implement the solutions.	A/S/C/I	R/S/C/I

Notes: R for Responsible, A for Accountable, C for Consulted, I for Informed, and S for Support.

4.1.1.Customer responsibilities

The customer must appoint a project manager with the required expertise and experience as the main contact person for communication with Alibaba Cloud. The project manager has full authority to make decisions on all aspects of the project on behalf of the customer, and is directly responsible for the planning, coordination, supervision, and control of project implementation. The project manager is also responsible for troubleshooting and solving any issues that occur during project implementation.
The project manager of the customer is responsible for coordinating all resources to lead the investigation and technical verification work involved in the project.
At the beginning of the project, the customer must provide information and specification documents related to IT governance within the enterprise, and explicitly state the implementation requirements.

4.1.2.Alibaba Cloud

Alibaba Cloud must appoint an experienced technical manager to communicate with the project manager from the customer, and manage the project and project team members from Alibaba Cloud.
Alibaba Cloud must investigate the basic architecture, business scenarios, technical components, and development frameworks of the customer's system, and evaluate the Landing Zone specifications.
Alibaba Cloud must design the Landing Zone solution based on the results of the preliminary investigation.
Alibaba Cloud must cooperate with the customer to validate the technical feasibility of the Landing Zone solution and help the customer resolve issues that occur in the validation process.

4.1.3.Completion criteria

Completion criteria for Landing Zone Basic edition
- The designs of the following solutions are completed and confirmed by the customer: account management, and network planning or security protection.
- Deliverables
  - Landing Zone Basic IT Governance Solution

Completion criteria for Landing Zone Standard edition
- The designs of the following solutions are completed and confirmed by the customer: account management, network planning, financial management, resource management, compliance auditing, and security protection.
- Deliverables
  - Landing Zone Standard IT Governance Solution

Completion criteria for Landing Zone Advanced edition
- The designs of the following solutions are completed, implemented, and confirmed by the customer: account management, network planning, financial management, resource management, compliance auditing, and security protection.
- Deliverables
  - Landing Zone Advanced IT Governance Solution

4.2.Service catalog

The following table describes the services that are provided by Landing Zone:

Phase	Service	Landing Zone Basic edition	Landing Zone Standard edition	Landing Zone Advanced edition

Phase	Service	Landing Zone Basic edition	Landing Zone Standard edition	Landing Zone Advanced edition
Current situation investigation	Infrastructure	Supported	Supported	Supported
	Business status and application systems	Supported	Supported	Supported
	IT governance norms	Supported	Supported	Supported
Solution design	Account management	Supported	Supported	Supported
	Network planning	Supported (select between network planning and security protection)	Supported	Supported
	Financial management		Supported	Supported
	Resources management		Supported	Supported
	Compliance auditing		Supported	Supported
	Security protection	Supported (select between network planning and security protection)	Supported	Supported
Technical validation	Landing Zone technical validation	Supported	Supported	Supported
Solution implementation	Landing Zone solution implementation			Supported

5.Service Level Agreement

Provide the Landing Zone service.
Provide technical validation and on-site support based on demands during the service period.
Provide the following documents based on service specifications: Landing Zone Basic IT Governance Solution, Landing Zone Standard IT Governance Solution, and Landing Zone Advanced IT Governance Solution.

6.Service Process

The following figure shows the service process of Landing Zone.

7.Acceptance criteria

7.1.Acceptance list

No.	Phase	Details	Deliverable	Deliverable type

No.	Phase	Details	Deliverable	Deliverable type
1	Current situation investigation	Infrastructure	Landing Zone Investigation Report	Document
		Business status and application systems
		IT governance norms
2	Solution design	Account management	Landing Zone Advanced IT Governance Solution Landing Zone Basic IT Governance Solution Landing Zone Standard IT Governance Solution
		Network planning
		Financial management
		Resource management
		Compliance auditing
		Security protection
3	Technical validation	Technical validation	N/A
4	Solution implementation	Solution implementation	N/A

7.2.Acceptance criteria

In the project delivery process,Alibaba Cloud should provide consulting services regarding Landing Zone and record important information in documents. In the acceptance phase, the customer should focus on the quality of document content and confirm that the documents meet their requirements.
If the customer's business process requires internal reviews before Alibaba Cloud submits the deliverables, the customer must conduct and complete internal reviews before the agreed acceptance time.
If the document content needs to be modified after the review meeting, Alibaba Cloud must make the required modifications and submit the modified documents to the customer for acceptance. The customer must appoint a representative to sign for confirmation.
Acceptance criteria for Landing Zone Basic edition
- Landing Zone Basic IT Governance Solution meets expectations.
Acceptance criteria for Landing Zone Standard edition
- Landing Zone Standard IT Governance Solution meets expectations.
Acceptance criteria for Landing Zone Advanced edition
- Landing Zone Standard IT Governance Solution meets expectations.

7.3.Acceptance plan

In accordance with the deliverables of each project phase described in Section 7.1 Acceptance List, project acceptance is based on the following acceptance plans. The customer agrees to accept the deliverables submitted by Alibaba Cloud based on these acceptance plans.

No.	Acceptance start time	Acceptance content	Acceptance completion

No.	Acceptance start time	Acceptance content	Acceptance completion
1	Completion of the design and technical validation of Landing Zone Basic IT Governance Solution	Landing Zone Basic IT Governance Solution	Acceptance confirmation by the customer

Acceptance plan for Landing Zone Standard edition

No.	Acceptance start time	Acceptance content	Acceptance completion

No.	Acceptance start time	Acceptance content	Acceptance completion
1	Completion of the design and technical validation of Landing Zone Standard IT Governance Solution	Landing Zone Standard IT Governance Solution	Acceptance confirmation by the customer

Acceptance plan for Landing Zone Advanced edition

No.	Acceptance start time	Acceptance content	Acceptance completion

No.	Acceptance start time	Acceptance content	Acceptance completion
1	Completion of the design,technical validation, and implementation of Landing Zone Advanced IT Governance Solution	Landing Zone Advanced IT Governance Solution	Acceptance confirmation by the customer

8.Project Completion

The project is completed after the customer confirms the acceptance.

1.Overview

1.1.Introduction

2.Service Scope

2.1.Landing Zone Basic edition

2.2.Landing Zone Standard edition

2.3.Landing Zone Advanced edition

3.Prerequisites

4.Responsibilities

4.1.Customer and Alibaba Cloud

4.1.1.Customer responsibilities

4.1.2.Alibaba Cloud

4.1.3.Completion criteria

4.2.Service catalog

5.Service Level Agreement

6.Service Process

7.Acceptance criteria

7.1.Acceptance list

7.2.Acceptance criteria

7.3.Acceptance plan

8.Project Completion

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)