Cloud Computing Service Level Agreement
Best practices are still being defined
Although cloud computing is a new computing solution, outsourcing information technology services is not. The steps that organizations take remain basically the same for clouds as with other, more traditional, information technology services. What does change with cloud computing, however, is the potential for increased complexity and difficulty in providing adequate oversight to maintain accountability and control over deployed applications and systems throughout their lifecycle. This can be especially daunting when non-negotiable SLAs are involved, since responsibilities normally held by the organization are given over to the cloud provider, leaving the organization little recourse to address problems and resolve issues that may arise to its satisfaction.
Reaching agreement on the terms of service of a negotiated SLA for public cloud services can be a complicated process fraught with technical and legal issues. Migrating organizational data and functions into the cloud is accompanied by a host of security and privacy issues to be addressed, many of which concern the adequacy of the cloud provider's technical controls for an organization's needs. Service arrangements defined in the terms of service must also meet existing privacy policies for information protection, dissemination and disclosure. Each cloud provider and service arrangement has distinct costs.
Considering the growing number of cloud providers and range of services offered, organizations must exercise due diligence when moving functions to the cloud. Decision making about new services and service arrangements entails striking a balance between benefits in cost and productivity versus drawbacks in risk and liability.
Service Level Agreement Issues and Solutions
Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, and monitoring of deployed or engaged services.
Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.
Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, and electronic
Review and assess the cloud provider's offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the
Incorporate mechanisms into the contract that allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance
Institute a risk management program that is flexible enough to adapt to the continuously evolving and shifting risk landscape.
Understand the underlying technologies the cloud provider uses to provision services, including the implications of the technical controls involved on the security and privacy of the system, with respect to the full lifecycle of the system and for all system components.
Security - Identity and Access Management
Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions.
Understand virtualization and other software isolation techniques that the cloud provider employs, and assess the risks involved.
Evaluate the suitability of the cloud provider's data management solutions for the organizational data concerned.
Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed and that all operations can be eventually reinstituted in a timely and organized manner.
Understand and negotiate the contract provisions and procedures for incident response required by the organization.
Contract Dispute Resolution
Inserting some general rules for minor dispute resolution into a service level agreement and outsourcing contract can help IT services providers and users keep the peace and avoid painful and costly conflicts.
Some minor dispute resolution mechanisms that every outsourcing contract should include:
- An agreement to keep a shared log of all disputes.
- A requirement that the parties document and on all disputes.
- A governance structure that names the people responsible for addressing the issues that lead to a disagreement.
- A provision that either party can escalate a dispute to the other party's management structure.
- An obligation to set up technical, management and executive committees that will meet regularly and work to resolve disputes.
- A small disputes arbitration clause that allows each party to present its position in ten pages and one hour, and requires an arbitrator to rule on the dispute within ten days with no appeals and the loser paying all fees.
If you have no mechanisms for minor dispute resolution built into your existing outsourcing contract, there are still options for dealing with disagreements and preventing long-term discord and discontent. But timing is everything. For example, a customer might agree to discuss withholdings on a disputed invoice if the supplier is willing to discuss a dispute over the scope of services.
The Practical Guide for Cloud Outsourcing Template includes a Sample Cloud Outsourcing Contract along with a Service Level Agreement and other tools to facilitate the cloud outsourcing process. The template includes Janco's exclusive Business and IT Impact Questionnaire.