Service Level Agreements (SLA) serve as a roadmap and a warranty for cloud services offerings. All cloud providers offer standard, one-size-fits-all SLAs that cover availably, performance, security, disaster recovery, response times, compliance and termination. This may be adequate for pure cloud applications, however standard SLAs fall short when it comes to hybrid cloud deployments.
There is nothing standard about hybrid deployments. Each one is different and inherently includes a higher level of involvement from IT. SLAs need to establish clear guidelines of engagement for both the enterprise and service provider. Unfortunately, not all cloud service providers are open or equipped to customize SLAs.
Given the uniqueness of hybrid implementations, securing them is a continuous challenge. The private cloud portion is secured and protected by the enterprise. Mission-critical applications and data are internally controlled, while less sensitive data and applications can reside in a public cloud. This approach enables a business to take advantage of the scalability and cost savings of cloud computing without exposing mission critical information to third-party vulnerabilities.
However, the networking between the private and public clouds needs careful consideration. This is where an SLA comes into play. The SLA should address three primary areas of risk:
* Data – Who secures the link when data leaves the private cloud? There are privacy and integrity concerns associated with such data movement because the privacy controls in the public cloud vary significantly from the private cloud. When data is moved to the cloud, the enterprise loses governance over their data set. Once they move the data to the cloud, its safety typically becomes the responsibility of the cloud service provider. The SLA should address data custody, control, possession, and right of return.
* Compliance – Enterprises still need to comply with regulations that pertain to data governance, even if data leaves the premise. SLAs need to clearly outline the service provider’s obligation to be complaint with regulations such as Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA) for and the Payment Card Industry Data Security Standard (PCI).
* Audit – SLAs should cover access to documented proof necessary to demonstrate compliance to an auditor and who pays for the service provider’s time during an audit.
Where’s my data?
When data leaves the private cloud, it is likely that it will be stored in multiple data centers for high availability and for business continuity, or may transverse multiple clouds. Regional or industry-specific regulations may require that some data remains in a set physical or geographic location. You also need to make sure you can recover and restore your data. The SLA should address the following:
- Where is the data stored? Chances are your data will be stored in multiple geographic locations on multiple servers. It is important to know where your data is for compliance and disaster recovery reasons.
- Will it leave the country? Different countries have different privacy laws that dictate how sensitive data is to be handled.
- Who can access it? How are the data centers secured? Will the provider provide a copy of the security policies?
- Is the data encrypted?
- If a breach occurs, what are the provider’s policies regarding disclosure. How long before you are notified? It is important to be able to ascertain clarity with respect to responsibilities and ownership -- especially in case of breaches and conflicts.
- With downtime costs for mission critical applications ranging from $10,000 – $70,000 per minute, the SLA needs to define how often the data is backed up, how long does it take to restore it, and from what point.
- Cloning or refreshing a database can impact operations. One item to consider is negotiating the time it takes to complete a request to clone or refresh a database or application environment.
Availability and Performance
Availability can mean differently things depending on the services offered. For IaaS, availability is usually defined in terms of infrastructure, such as cloud servers and storage. For PaaS, availability may be defined in terms of functionality and access to the platform, and for SaaS providers, availability will be defined in terms of application and data availability. Ensure that guarantees and definitions are clearly outlined in the SLA.
- What happens when a portion of the hybrid cloud becomes unavailable due to an outage or a natural disaster? Disaster recovery should play a major role in the SLA and it should be able to be tailored to the customer’s RTO and RPO requirements.
- Whether the problem occurs in the private cloud or the public cloud, the SLA should spell out a coordinated and more importantly a transparent process so that both parties work together to resolve the problem at hand.
- Organizations need to understand the complexity compliance and its impact on availability. For some regulations such as PCI, operating system patch schedules may be necessary and the frequency of these updates may differ from the provider’s default. Update schedules should be clearly defined in the SLA.
The whole point of a hybrid cloud is to design and customize cloud capabilities to address your organization’s unique needs. You need a service provider willing and able to customize the service level agreement to meet those needs so that your organization can takes advantage of the flexibility, scalability, cost reductions, and resiliency that cloud computing offers. Transparency builds trust and having the ability to respond to a crisis as a team is the goal of any SLA including.
Murphy is responsible for all of TriCore’s Solutions, Service Strategy and Sales Enablement. This includes Product Management, Account Management and supporting Sales and Operations with strategic guidance from the customer’s perspective to take TriCore’s products and services to the next level.