It's one of the most important documents you sign when starting a cloud deployment with a public vendor: your service-level agreement (SLA). But a leading tech lawyer says customers can get burnt by their provider if they're not careful.
The first thing to remember about a cloud SLA is that it takes two to tango, says Michael Overly, a partner in the IT and Outsourcing Group in the Los Angeles office of Foley & Lardner LLP. "Everyone's expectations have to be set properly," says Foley, who has worked on both sides of the issue having represented both customers and vendors in crafting SLAs.
The larger the contract, the more opportunity there is for negotiating the SLA. But generally, by the very nature of the public infrastructure as a service (IaaS) cloud, many providers have generic service offerings, which allow the vendors to offer inexpensive prices. To the extent that a customer wants a customized offering, the price will generally rise. Customers of public cloud offerings should not expect customized services made specifically for them. If they're looking for that, there are managed hosting or collocation services.
Meanwhile, cloud providers need to take customer concerns into account. Foley says the cloud companies that listen and respond to customer concerns will be the ones succeeding long-term. Even if expectations are set, he says there are a variety of issues that can pop up during the SLA negotiation and after the document is signed. Foley has five tips to make sure businesses don't get burnt:
Where in the world is my data?
"It's becoming an increasingly difficult question to answer, and that makes a lot of people uncomfortable," Overly says. Some users need to know where their data is physically located for compliance or security reasons, particularly customers in the healthcare and financial industries. But there's a give and take: In an effort to guarantee highly available services, providers may spread data out across multiple sites as a disaster-recovery measure. But when data crosses borders into another country, different laws apply to who has access to the data and what it can be used for.
The burden remains on the customer to ensure they stay compliant with security certifications, Overly says. Some providers, such as Amazon Web Services, allow customers to dictate where their data is stored. It's not just about where the company's data centers are though, it's also important to ask who can access that data. If a support center is located outside the U.S. and they have copies of the customer data to provide support, the data may be going overseas without customers knowing it.
Overly says it's all about questioning your provider if these answers not outlined in the SLA. There are a variety of end-user "self-help" solutions, Overly says. Customers can encrypt data that's put in the cloud and hold on to the keys, for example. Or, they can choose to not store personally identifiable information (PII) in the cloud and keep that on their own premise instead.
Normally SLAs are paper documents signed by both parties with the terms of the agreement outlined in the document. One trend Overly has seen recently are SLAs that refer to specific terms that are published on a website. That should generally be a red flag to consumers, he says. Websites can change and vendors, unless specifically agreed to in the SLA, may not be required to inform customers of changes to the terms.
It's reasonable that a provider may have to make a change to the service or SLA, but customers should be notified of the changes. It is best practice to have an out clause that allows the customer to terminate the contract if unacceptable changes are made as well. One tip is to ensure that any changes that are made are done so uniformly throughout the company's offering to all customers. "There's safety in numbers," he says.
Service respond time
One of the chief benefits of cloud computing is its elastic nature and the agility it gives customers to dynamically scale their IT usage based on their exact demands. If that's an important function for the user, Overly says it should be discussed with your provider. "Many people focus on availability, but sometimes just as important is the quality of the service," he says. If the customer's business relies on the ability to spin up new resources quickly, for example, perhaps that should be written into the SLA.
One innovative solution Overly has seen regarding this issue is vendors agreeing to survey their customers periodically, anywhere from once a year to quarterly, to monitor the quality of their service. If there are declines in customer service results, then the provider may agree to make changes, for example. This is helpful particularly in multi-year agreements, he says, and it's good for both the customer and the vendor. It provides the customer with assurances that the provider will continually improve or provide the expected service, and it allows the vendor to ensure they have satisfied customers.
Notification of security issues
Security breaches are all too common in IT today and Overly says customers should consider how they will deal with them when they occur. Does your service provider have to tell you about it? If your company has customers that are impacted, who informs the public of the breach? Overly says it's a grey area in many cloud contracts. Overly says providers should share information about security breaches and suspected security breaches and the sooner the better after an issue is discovered.
Furthermore, if there is a breach then the provider should leave it to the customers to notify any of its users that may be impacted. "You want to handle that message to your customers," Overly says. Customers may want to know about all security breaches their provider has, not just the ones that you're impacted by. "I may want to know about issues other customers are having," he says. "That's a situation of 'thank God my data wasn't hit, but I still want to know what happened to make sure we're not next in line,'" he says.
Beware of hidden costs
Behind agility, another top reasons many customers embrace cloud computing is because of potential cost savings, yet Overly says customers aren't paying close enough attention to all of the revenue streams vendors may try to sneak into an SLA. In one circumstance, Overly says he found an SLA with a dozen potential revenue streams for the vendor, but only a handful of them were listed in the "Fees" section of the SLA. "Really go through every last line in the contract looking for these things," he says.
For example, a vendor may stipulate that if there is a reported problem that is found to be the user's fault, then the customer can be billed for the time and material used to investigate the issue. "That can add up pretty quickly when there's no limiting factor," Overly says. In another situation, a vendor may provide conservative estimates on how much it will cost to transfer data into or out of the cloud, then when the service is performed it costs much more. Find out how the estimate was made and double check the math, Overly says.
The overall lesson, he says, is to take an all-encompassing approach to reviewing the details of the agreement and the impact it can have on the business. Get the appropriate people involved, from the security, IT and business divisions all the way to the legal team and technical implementers to review everything and look for red flags.