Defining Cloud SLAs Is Critical

Industry experts say that as IT functions are increasingly moved to the cloud, it’s important to carefully define your goals in service level agreements so that corners are not cut in an effort to increase the provider’s bottom line. SLAs written with cloud providers must remain specific, measurable, achievable, relevant and timely, and should leave no ambiguity as to what both service providers and service consumers expect.

Esther Shein

April 30, 2012


Service level agreements have been used by companies for a long time in an effort to ensure they get the right bang for their buck, but industry experts say that with IT functions increasingly being moved to the cloud, it’s important to carefully define your goals in SLAs so that corners are not cut in an effort to increase the provider’s bottom line.

SLAs written with cloud providers must remain "specific, measurable, achievable, relevant and timely," and "should leave no ambiguity as to what both service providers and service consumers expect," says Frederick Rose, service assurance practice director at Fusion PPT, who authored the InformationWeek Analytics report Promises, Promises: a Not-So-New SLA Model. They should be based on specific business needs, he emphasizes, and revolve around the key performance metrics that matter most to the client.

Internally, it’s easier to measure IT deliverables because networks, servers, apps, firewalls and other devices are transparent, says Rose. Yet, even though these areas are typically operated and managed independently, organizations don’t correlate user expectations for a service with the technologies that deliver them, leading to disjointed, inefficient services and dissatisfied users, he says. And, as companies sign on for externally based, multitenant clouds for services, if enterprise IT doesn’t make its requirements specific, says Rose, "the whole exercise is for naught."

According to David Snead, whose specialty is hammering out SLAs, companies have a much better shot at custom provisions if they know exactly what they're looking for and can frame their needs in the context of why they're critical for business. "Communicating with your provider about what your business does will get you an SLA that meets your business needs."

In terms of the typical guarantees cloud providers put in multitenant SLAs, one of the most common measurables is downtime, says Adam Ely, CISO of cloud application platform provider Heroku.

"Service providers understand customers worry about downtime and tend to set an uptime goal ranging from 99% to 99.999%, depending on the type of offering, such as SaaS and PaaS," he says. But Ely advises that organizations "understand a number of factors before comparing uptime numbers directly. Often providers report downtime that has no customer impact, thus lowering their overall uptime but not affecting the customer's uptime." Organizations should also understand what recourse they have if providers don't meet the stated SLA, rather than finding out they have no recourse during an outage, he says.

Security is undoubtedly one of the top concerns organizations have, and they should make sure their cloud providers also stress it in the SLA, says Ely. "When provider security practices are not clearly stated, it becomes hard for customers to make educated risk decisions, and [that] leads to a lack of trust and higher risk," he says.

"Organizations should work with providers to understand their security practices and what is applicable to the specific type of offering--but be careful to not rely on dated security questionnaires that don't properly address multitenant SaaS and PaaS offerings."

Organizations in certain verticals must also adhere to regulatory requirements, and they need to ensure those are addressed in the SLA through service provider controls and risk mitigation strategies, says Ely.

"Organizations have options for meeting their regulatory requirements in multitenant environments," he says. "The most common implications to regulatory compliance [are] data residency, export controls and data privacy laws. Risks to these requirements can often be mitigated by encrypting data, monitoring logs provided by the service provider or only storing certain types of data internally."

He adds that governing bodies are just now starting to provide guidance on how regulations are applicable to cloud providers, but in the meantime, many organizations have implemented HIPAA, Safe Harbor, PCI and other regulated processes in multitenant environments.

Ely says that providers have good intentions. However, with a mix of SaaS and PaaS services that include free, inexpensive monthly subscriptions and multiyear enterprise agreements, "not all SLAs are created equal. Better industry definition of terms, responsibilities and standard practices would help organizations make informed choices."

Additionally, he says, organizations should evaluate their needs and the impact to their business if the SLA is not met to determine if a service provider is the right fit. "Working with the provider to understand potential impact," says Ely, "will help the organization understand best practices, resource of SLA violation and the risk to their operations."

