What Should Cloud Computing Users and Providers consider for SLAs?

Component

Description

Responsibilities

Cloud service users should be responsible for limits on system usage and restrictions on the type of data that can be stored

Business continuity and disaster recovery

Cloud service users should ensure their cloud providers have adequate protection in case of a disaster.

System redundancy

Cloud service users moving data and applications that must be constantly available should consider the redundancy of their provider's systems.

Maintenance

Cloud service users should understand how and when their providers will do maintenance tasks

Location of Data

Cloud service users must be able to audit the provider to prove that

regulations are being followed if a cloud service provider promises to enforce data location regulations,

Security

Cloud service users must understand their security requirements and what controls and federation patterns are necessary to meet those requirements.

Transparency

Cloud service users bear the burden of proving that the provider failed to live up to the terms of the SLA under the SLAs of some cloud providers.

Certification

Cloud service users might have the certification requirement that their cloud provider be ISO 27001 certified.

Component

Description

Security

Provider must understand what they must deliver to the service users to enable the appropriate controls and federation patterns.

Data Encryption

The details of the encryption algorithms and access control policies should be specified in the SLA.

Privacy

An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment.

Data Retention and Deletion

Cloud providers must be able to keep data for a certain period of time and delete data after a certain period of time.

Hardware Erasure and Destruction

Cloud providers should offer the added protection of zeroing out memory space after a consumer powers off a VM.

Regulatory Compliance

Cloud providers must be able to prove their compliance if regulations must be enforced.

Transparency

Cloud providers must be proactive in notifying consumers when the terms of the SLA are breached for critical data and applications.

Certification

Cloud provider would be responsible for proving their certification and keeping it up-to-date.

Component

Description

Terminology for key performance indicators

A set of industry-defined terms for different key performance indicators would make it much easier to compare SLAs in particular (and cloud services in general).

Monitoring

Trust issue need to be considered during SLA enforcement. For example consumers may not completely trust the certain measurements provided solely by a service provider and regularly employ a neutral third-party organization. The neutral third-party organization is responsible for monitoring and measuring the critical service parameters and reporting violations of the agreement from both consumer and provider. This can eliminate the conflicts of interest that might occur if providers report outages at their sole discretion or if consumers are responsible for proving that an outage occurred.

Auditability

It is vital the service users be able to audit the provider's systems and procedures. Thus, an SLA should make it clear how and when those audits take place.

Metrics

Monitoring and auditing require something tangible that can be monitored as it happens and audited after the fact. The metrics of an SLA must be objectively and unambiguously defined.

Machine-Readable SLAs

A machine-readable language for SLAs would enable an automated cloud broker that could select a cloud provider dynamically. One of the basic characteristics of cloud computing is on-demand self-service; an automated cloud broker would extend this characteristic by selecting the cloud provider on demand as well. The broker could select a cloud provider based on business criteria defined by the consumer.

Human Interaction

Although on-demand self-service is one of the basic characteristics of cloud computing, the fact remains that there will always be problems that can only be resolved with human interaction. These situations must be rare, but many SLAs will include guarantees about the provider's responsiveness to requests for support.

Cloud Brokers and Resellers

If a cloud provider is actually a broker or reseller for another cloud provider, the terms of the SLA should clarify any questions of responsibility or liability if anything goes wrong at the broker, reseller or provider facilities.

Classification

SLA Metrics

Availability

Service availability*, Time of data recovery point*, Service suspension time*, Business Continuity and Disaster Recovery

Reliability

Transparency

Performance

Online response time*, Online response time compliance ratio*, Batch processing time*, Batch processing time compliance ratio*, Maximum number of processing tasks per unit time*, Compliance ratio of maximum processing tasks per unit time*

Scalability

System Redundancy

Security

Status of the provider’s acquisition of the relevant security standard*, Status of certification of the party possessing management authority*, Status of operational restrictions included in security measures taken on the management system*, Keeping data transmitted between cloud systems confidential*, Data location*, Status of acquisition of a log for detection of malicious acts*, Period during which a log is kept for detection of malicious acts*,

Status of communication control to block malicious communication*, Status of measures against network congestion to circumvent DoD/DDoS attacks*, Implementation of measures against malware* , Certification

Data Management

Data Encryption, Privacy, Data Retention and Deletion, Hardware Erasure and Destruction

Serviceability

Policy of maintenance, Human Interaction