How to get the most out of a cloud SLA
Although some cloud services are notorious for having vague or incomplete service-level agreements, it's important to hold a vendor's feet to the fire by documenting meaningful service-level agreement performance measures that are driven by an IT organization's key performance indicators. Federal agencies are expected to have project- and application-specific SLAs, as detailed by a Government Accountability Office report covering essential practices for cloud computing that emphasized the need for department- and project-specific SLAs.
GAO specified "ten key practices to be included in an SLA, such as identifying the roles and responsibilities of major stakeholders, defining performance objectives, and specifying security metrics. The key practices, if properly implemented, can help agencies ensure services are performed effectively, efficiently, and securely." After examining 21 cloud service contracts from five agencies, the GAO found that only seven fulfilled all 10 of the guidelines.
The GAO recommends that agencies incorporate the following elements, covering roles and responsibilities, performance measures, security and consequences into all cloud computing service contracts and service-level agreements. Specifically, SLAs should include the following:
Roles and responsibilities
- Specify roles and responsibilities of all parties covered by the SLA and, at a minimum, include agency and cloud providers.
- Define key terms, such as dates, performance tests and metrics.
- Define clear measures for performance by the cloud, including which party is responsible for measuring performance. Typical measures address levels of service, cloud capacity and capability and response times.
- Specify how and when the agency has access to its own data, systems and networks as well as how they are to be managed and maintained throughout the duration of the SLA and transitioned back to the agency in case of exit/termination of service.
- Specify how the cloud service provider will monitor performance and report results and how and when the agency audits performance.
- Provide for disaster recovery and continuity of operations planning and testing, including how and when the cloud service provider is to report failures and how the provider will remediate such situations and mitigate the risks of such problems from recurring.
- Describe any applicable exception criteria when the cloud provider’s performance measures do not apply (e.g., during scheduled maintenance or updates).
- Specify metrics the cloud provider must achieve to show it is meeting requirements for protecting data.
- Specify performance requirements and attributes defining how and when the cloud service provider is to notify the agency when security requirements are not being met .
- Specify a range of enforceable consequences, such as penalties, for non-compliance with SLA performance measures.
Jamie Tischart, McAfee's CTO for cloud and SaaS, detailed a similar set of questions cloud buyers should ask, echoing many of the GAO guidelines. Essentially, he argued, being a wise cloud consumer requires developing a sophisticated understanding of the vendor’s operational and security policies and controls. And that understanding comes from studying the available documentation and service agreements and asking the right questions when these fail to provide enough detail.
Kurt Marko is a technology consultant and writer based in Boise, Idaho.