Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013

Transcription

1 Public Cloud Service Agreements: What to Expect & What to Negotiate April 2013

2 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-led guidance to the multiple cloud standards-defining bodies Establish criteria for open-standardsbased cloud computing 400+ Organizations participating 2011 Deliverables Practical Guide to Cloud Computing Cloud Computing Use Cases 2012 Deliverables Practical Guide to Cloud SLAs Security for Cloud Computing:10 Steps to Ensure Success Impact of Cloud Computing on Healthcare 2013 Deliverables and Projects Public Cloud Service Agreements: What to Expect & Negotiate Convergence of Cloud, Mobile and Social whitepaper Cloud Security Standards Landscape whitepaper Big Data working group

3 CSCC Practical Guide to Cloud SLAs Practical Guide to Cloud SLA s: A reference to help enterprise IT analyze Cloud SLAs (Published in April 2012) 10 Steps to Evaluate Cloud SLAs 1. Understand roles and responsibilities 2. Evaluate business level policies 3. Understand service and deployment model differences 4. Identify critical performance objectives 5. Evaluate security and privacy requirements 6. Identify service management requirements 7. Prepare for service failure management 8. Understand the disaster recovery plan 9. Define an effective management process 10. Understand the exit process "Cloud service level agreements are important to clearly set expectations for service between cloud consumers and providers. Providing guidance to decision makers on what to expect and what to be aware of as they evaluate and compare SLAs from cloud computing providers is critical since standard terminology and values for cloud SLAs are emerging but currently do not exist. Melvin Greer, Senior Fellow and Chief Strategist, Cloud Computing, Lockheed Martin

4 Public Cloud Service Agreements Current Landscape Agreements offered by Public cloud providers often viewed as unsatisfactory for mission critical workloads Today, most Public cloud service agreements are weighed heavily in provider s favor Provider s liability is limited Burden is on consumer for SLA violation notification and credit request Common industry-wide terminology does not exist Difficult for consumers to compare guarantees and limitations across providers Language about service levels is often distributed among several documents Customer Agreement, Acceptable Use Policy, and Cloud SLA Difficult for consumers to locate critical clauses "Today, customers complain regularly that SLAs are just another form of vendor boilerplate and that it is difficult if not impossible to get much modification That doesn t mean we don t need SLA s; we do. It's important we make it clear what is going on now versus what we would like to see/influence for the future and when we are hoping that future will occur." Amy Wohl, principal consultant of Wohl Associates

5 Motivation and Contents Why Another Paper on Cloud Agreements? Pick up where the Practical Guide to Cloud SLAs left off, but follow the same 10 steps Help cloud adopters focus their efforts in areas where it is possible to discuss better language Base recommendations on a thorough analysis of actual agreement language Contents See at right 29 pages

6 Steps to Evaluate & Negotiate Public Cloud Agreements 1. Understand Roles & Responsibilities 2. Evaluate Business Level Policies Acceptable Use Policy (AUP) is primary artifact that requires thorough review Content Prohibitions Security Prohibitions Service Integrity Prohibitions Rights of Others Prohibitions AUPs have little consistency in wording although there is a clear pattern to the types of provisions they include Consumers should exercise caution and thoroughly review every provision before agreeing to an AUP: Clarity Brevity Completeness Focus Four specific polices, contained primary in provider s Customer Agreement, are key: Data policies Changes to services, APIs or agreements Suspension of services Limitations of Liability Data Policy: Specify physical location of content Cloud provider should not access consumer s data unless required by law Changes to Services, APIs, Agreements: Advance notice (30 days) Backward compatibility Suspension of Services Advance notice (30 days) Sufficient time to address (60 days) Consumer data will not be deleted Limitations of Liability Compare Aggregate Liability and Indemnification/Disclaimer clauses

7 Steps to Evaluate & Negotiate Public Cloud Agreements 3. Understand Service & Deployment Model Differences In general, service objectives specified in Public Cloud Agreements are very similar across all service models (IaaS, PaaS and SaaS): Availability is the primary objective included in all public cloud SLAs (regardless of service model) Step 4 highlights key observations & recommendations This paper focuses exclusively on Public Cloud agreements Private, Hybrid and Community Cloud agreements are out of scope 4. Identify Critical Performance Objectives Performance goals are specified in the Cloud SLA & have 4 key components: Service Commitments Credits Credit Process Exclusions Service Commitments focus exclusively on Availability for all service models Guarantees, Measurement Details & Observation Periods differ Credits are the sole form of compensation for missed service commitments Service credit calculations and maximum credit limits differ Credit Process requires cloud consumer to take specific action to receive credit Reporting timeframe & required information differ Exclusions similar across all provider SLAs

8 Steps to Evaluate & Negotiate Public Cloud Agreements 5. Evaluate Security & Privacy Requirements Security language is often spread among several documents: check for consistency and clarity. Most clauses obligate the consumer to protect the provider, not the other way around Ask what recourse you have if a provider decides unilaterally to interrupt your service due to an alleged violation Ask to be notified in case there is a security breach at the provider s end Ask what professional services you can get to help secure your content Ask about data restoration if an attack has deleted your content If you hold personal information about your own clients, how is it protected? Ask what measures prevent provider personnel from accessing your data 6. Identify Service Management Requirements Don t expect service agreements to specify much Be ready to perform your own due diligence to determine how the provider manages the levels of service Find out if the following are standard, optional, or not offered at all: Software maintenance / upgrades Backup/restore Disaster recovery (e.g., off-site backup) Data encryption Can provider change / remove components that impact your ability to function? Examine how availability and performance metrics are defined, and the impact on your business Certifications may be a sign of maturity

9 Steps to Evaluate & Negotiate Public Cloud Agreements 7. Prepare for Service Failure Management There is typically nothing in current service agreements Therefore, the burden is on the consumer Compensation is tied to the price of the service, not the impact on your business (as mentioned in Step 4) 8. Understand the Disaster Recovery (DR) Plan Use of a public cloud does not absolve the user from serious DR and Business Continuity planning Service agreements focus on limiting the provider s liability Together, these statements indicate an immature area, a need for serious discussion during agreement negotiation, and a need to plan your own measures

10 Steps to Evaluate & Negotiate Public Cloud Agreements 9. Define an Effective Management Process 10. Understand the Exit Process Agreements are typically silent about communication and escalation processes Potential areas for negotiation are: Regular status meetings Single point-of-contact designation Automatic notifications APIs or Web services for management queries In the absence of defined management interfaces, and for services that require strict notification, escalation and restoration procedures, public clouds may not be appropriate solutions Look for clear and manageable exit clauses Develop a migration plan in advance Look for one-sided terms, in which: Consumer pays a penalty to change provider Provider can stop the service at its discretion on short notice Think of how long it will take you to identify a replacement service and migrate data or applications How and when your data is removed from provider s systems is critical: Too early? Potential service discontinuity to your own users Too late? Potential security or privacy issues

11 Summary Expectations and Negotiation Considerations The contractual considerations contained in various forms directly influence cloud computing opportunities Read candidate cloud solution provider agreements early in the evaluation process Understand the specific definitions, constraints, limitations and credit policies Have open discussions with providers to identify areas of concern and what can be clarified, modified or negotiated Have open discussions regarding perceived gaps that may be critical to cloud consumers (Service Management for example) Recognize that the customization of agreements can adversely impact timeto-market and other cloud benefits Agreements are Critical Considerations, Providing Insights to the Future Cloud Relationship

12 Call to Action Join the CSCC Now! To have an impact on customer use case based standards requirements To learn about all Cloud Standards within one organization To help define the CSCC s future roadmap Membership is free & easy: Get Involved! Join one or more of the CSCC Working Groups Participate in monthly web conferences for all members Review and leverage CSCC resources Practical Guide to Cloud Computing V1 Practical Guide to Cloud SLAs V1 Public Cloud Service Agreements: What to Expect and What to Negotiate Security for Cloud Computing: 10 Steps to Ensure Success Impact of Cloud Computing on Healthcare Socialize the Public Cloud Service Agreements paper

13 Thank You