Uploaded by cloud-standards-customer-council, 22-Jan-2018

Public Cloud Service Agreements: What to Expect & What to Negotiate

V2.0

http://www.cloud-council.org/deliverables/public-cloud-service-agreements-what-to-expect-and-what-to-negotiate.htm

July 28, 2016

© 2016 Cloud Standards Customer Council www.cloud-council.org 2

Today’s Speakers

Tracie Berardi, Program Manager, Cloud Standards Customer Council

Claude Baudoin, Principal, cébé IT & Knowledge Management; Energy Domain Consultant, OMG

Mike Edwards, Cloud Computing Standards Expert and Bluemix PaaS Evangelist, IBM

Long Wang, Research Staff Member, IBM T.J. Watson Research Center

John Bruylant, Business Cloud Broker, TheCloudTurbo


The Cloud Standards Customer Council

• Provide customer-led guidance to multiple cloud standards-defining bodies
• Establishing criteria for open standards based cloud computing

600+ Organizations participating

2011/2012 Deliverables
• Practical Guide to Cloud Computing
• Practical Guide to Cloud SLAs
• Security for Cloud Computing
• Impact of Cloud on Healthcare

2013/2014 Deliverables
• Convergence of SoMoClo
• Analysis of Public Cloud SLAs
• Cloud Security Standards
• Migrating Apps to Public Cloud Services
• Social Business in the Cloud
• Big Data in the Cloud
• Practical Guide to Cloud Computing V2
• Migrating Apps: Performance Requirements
• Cloud Interoperability/Portability

2015 Deliverables
• Web App Hosting Architecture
• Mobile Cloud Architecture
• Big Data Cloud Architecture
• Security for Cloud Computing V2
• Practical Guide to Cloud SLAs V2
• Practical Guide to PaaS

2016 Projects
• Practical Guide to Hybrid Cloud Computing
• Public Cloud Service Agreements, V2
• Cloud Security Standards, V2
• IoT Cloud Reference Architecture
• Commerce Cloud Reference Architecture
• More

http://cloud-council.org

THE Customer’s Voice for Cloud Standards!

What’s New in V2?

V1 was published in 2013

The market has evolved – many new CSP entrants

Several public cloud service providers have updated their agreements

Hybrid cloud requires provisions for integrated management of multiple cloud services & on-premises resources

Data protection issues have become much more serious

Data residency is now often recognized as an issue

Several other changes based on the experience of new co-authors


Public Cloud Service Agreements: Current Landscape

A CSA is comprised of four major artifacts:
• Customer Agreement
• Acceptable Use Policy
• Service Level Agreement
• Privacy Policies

Customers must pay close attention to CSA language and clauses
• A mismatch between expectations and service terms is common

Service level commitments for IaaS are better defined than for SaaS or PaaS

Service levels are more flexible and negotiable for private cloud than for public cloud

Size matters
• Larger customers have more power to negotiate favorable terms
• Over time, changes imposed by larger customers trickle down to all customers

Companion whitepaper: Practical Guide to Cloud Service Agreements
A reference to help enterprise IT analyze CSAs
Available on the CSCC Resource Hub: http://www.cloud-council.org/resource-hub.htm

10 Steps to Evaluate Cloud Service Agreements

1. Understand roles and responsibilities

2. Evaluate business level policies

3. Understand service and deployment model differences

4. Identify critical performance objectives

5. Evaluate security, privacy and data residency requirements

6. Identify service management requirements

7. Prepare for service failure management

8. Understand the disaster recovery plan

9. Define an effective management process

10. Understand the exit process


Step 1: Understand roles and responsibilities

Considerations

The Acceptable Use Policy (AUP) is the primary artifact and requires thorough review. AUPs typically contain:
• Content Prohibitions
• Security Prohibitions
• Service Integrity Prohibitions
• Rights of Others Prohibitions

AUPs have little consistency in wording, although there is a clear pattern to the types of provisions they include

Recommendations

Customers should exercise caution and thoroughly review every provision before agreeing to an AUP, assessing each for:
• Clarity
• Brevity
• Completeness
• Focus

Step 2: Evaluate Business-Level Policies

Business Policies

Five specific policies, contained in the provider’s Customer Agreement, are key:
• Data policies
• Changes to services, APIs or agreements
• Suspension of services
• Limitations of Liability
• Intellectual Property

Recommendations

Data Policy:
• CSA should specify the physical location of content
• Provider should not access customer data unless required by law

Changes to Services, APIs, Agreements:
• Advance notice (30 days)
• Backward compatibility

Suspension of Services:
• Advance notice (30 days)
• Sufficient time to address (60 days)
• Customer data will not be deleted

Limitations of Liability:
• Compare Aggregate Liability and Indemnification/Disclaimer clauses

Intellectual Property:
• Provider should notify customers in case of a third party’s claim of IP violation

Step 3: Understand Service & Deployment Model Differences

CSA contents vary according to the service model

Infrastructure as a Service (IaaS)
• CSA is focused on availability of hardware and basic support for the same
• Customer is entirely responsible for all components running on the service: applications, but also operating systems, databases, etc.

Platform as a Service (PaaS)
• Important to distinguish which capabilities are part of the platform, and which ones are not
• Require a clear catalog of the supported services in the platform stack

Software as a Service (SaaS)
• CSA should address end-to-end availability of the application across all components supplied by the cloud provider: Application, Middleware, Database, Storage, Computation, Network access, Security

Remember data protection for any personally identifiable information in customer data (“privacy”)

Step 4: Identify Critical Performance Objectives

Considerations

Performance goals have 4 key components:
• Service Commitments
• Credits
• Credit Process
• Exclusions

Service Commitments focus mainly on “Availability”
• Guarantees, measurement details & observation periods differ from one CSA to another

Credits are compensation for missed service commitments
• Service credit calculations and maximum credit limits differ

Credit Process requires the customer to take specific action to receive a credit
• Reporting timeframe & required information differ

Exclusions are similar across all CSAs

Recommendations

Carefully analyze service availability commitments & associated credits

Understand the business impact of a single outage corresponding to the maximum downtime the commitment allows

Analyze service credit calculations and maximum credit limits

Compare service credit processes

Examine commitment exclusions

Automate the process for detecting and logging service outages

Look for API call response time service level objectives

SLA metrics are limited and no standards currently exist

Step 5: Evaluate Security, Privacy & Data Residency Requirements

Considerations

Security and privacy language is often spread among several documents: all need to be checked

Most clauses obligate the customer to protect the provider, not the other way around

The impact of a security breach can be much larger than the cost of the service

Provider’s security measures and certification(s) should be visible

Does the cloud provider commit to privacy of personally identifiable information contained in customer data?

Data residency commitments are increasingly important but often omitted

Recommendations

Security, privacy and data residency statements should be explicit

Customers should look for certifications

Providers should commit to specific physical and logical security practices

Provider must notify the customer when data is handed over to a third party / law enforcement

Look for emergency mechanisms to resolve security breaches

Insist that the provider investigates incidents with due diligence, and can restore deleted data

Provider must take measures to ensure privacy of personal information contained in customer data

Provider should know data residency and data protection laws/regulations, and offer options regarding where data is stored

Step 6: Identify service management requirements

Considerations

Organizations must monitor and manage cloud services they use

Don’t expect service agreements to specify much - be ready to perform your own due diligence

Aspects contributing to service management

• Auditing

• Monitoring and reporting

• Measurement & metering

• Provisioning

• Change management

• Upgrades & patching

Recommendations

Precisely define objectives and ensure provider offers adequate level of support

Understand service management capabilities available with cloud service

Consider cloud management platforms (CMPs) in a hybrid cloud situation

Consider provider’s commitments to stability of functionality over time

Ask for detailed and regular metrics on contracted services

Examine the definitions and potential impact of each service metric

Ask questions related to service management maturity

Retain in-house the service management expertise required to monitor and improve cloud service performance


Step 7: Prepare for service failure management

Considerations

There is typically little in current service agreements

Therefore, the burden is on the customer

Compensation is tied to the price of the service, not the impact on your business

Key failure management systems:
• Event management
• Incident management
• Problem management

Failure Metrics:
• Mean Time Between Failures (MTBF)
• Mean Time to Recover (MTTR)
• Mean Time to Failure (MTTF)

Recommendations

Insist that the provider offers an interface for sending failure and alert data to the customer

Ensure the provider offers an interface for reporting failures to the provider

Insist that the provider offers an Expected Time to Resolution (ETR) for any service failure

Evaluate whether cloud services support resilience features such as replication, clustering, failover, etc.

Understand responsibilities and hand-off procedures

Confirm the provider’s monitoring capabilities do not violate data privacy stipulations

Assess MTBF, MTTR and MTTF to determine expected service downtimes
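Worked example, added here and not part of the CSCC deck or its companion guide: a small Python script that applies the Step 4 recommendations (analyze the availability commitment and the downtime budget it implies, model the credit tiers and cap, track the credit-claim deadline, subtract exclusions, evaluate outages logged by your own monitoring) and the Step 7 recommendation to turn MTTF/MTTR figures into expected downtime. The credit schedule, the 30-day claim window, the MTBF convention and the sample outages are constructed assumptions, not any provider's terms. The run shows why the Summary's warning about measurement windows matters: the same 90-minute outage breaches a 99.9% commitment measured over a calendar month but not one measured over a year, and it shows that the credit is a percentage of the fee, not of the business impact.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    """One period of unavailability recorded by the customer's own monitoring."""
    start: datetime
    end: datetime
    excluded: bool = False  # True for events the CSA excludes (e.g. announced maintenance)

    def minutes_within(self, window_start: datetime, window_end: datetime) -> float:
        """Minutes of this outage that fall inside the observation period."""
        overlap = min(self.end, window_end) - max(self.start, window_start)
        return max(0.0, overlap.total_seconds() / 60)


def window_minutes(window_start: datetime, window_end: datetime) -> float:
    return (window_end - window_start).total_seconds() / 60


def max_downtime_minutes(commitment_pct: float, window_start: datetime, window_end: datetime) -> float:
    """Downtime budget implied by a commitment over one observation period."""
    return window_minutes(window_start, window_end) * (100.0 - commitment_pct) / 100.0


def measured_availability(outages, window_start: datetime, window_end: datetime) -> float:
    """Availability in percent for the period, counting only non-excluded downtime."""
    down = sum(o.minutes_within(window_start, window_end) for o in outages if not o.excluded)
    return 100.0 * (1.0 - down / window_minutes(window_start, window_end))


# Hypothetical credit schedule: (availability floor in %, credit as % of the period's fee).
# Real CSAs differ in tiers, cap and reporting deadline; copy the numbers from the CSA itself.
CREDIT_TIERS = ((99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50))
CREDIT_CAP_PCT = 50          # assumed maximum total credit for one period
CLAIM_WINDOW_DAYS = 30       # assumed: customer must file within this many days of the outage


def credit_pct(availability_pct: float) -> int:
    """Credit tier for a measured availability figure, capped."""
    for floor, pct in CREDIT_TIERS:
        if availability_pct >= floor:
            return min(pct, CREDIT_CAP_PCT)
    return CREDIT_CAP_PCT


def claim_deadline(outage: Outage) -> datetime:
    """Last moment a credit claim for this outage can be filed under the credit process."""
    return outage.end + timedelta(days=CLAIM_WINDOW_DAYS)


def evaluate_period(outages, window_start, window_end, commitment_pct: float, period_fee: float) -> dict:
    """Availability, breach status and credit for one observation period."""
    avail = measured_availability(outages, window_start, window_end)
    breached = avail < commitment_pct
    pct = credit_pct(avail) if breached else 0
    return {
        "availability_pct": round(avail, 4),
        "downtime_budget_min": round(max_downtime_minutes(commitment_pct, window_start, window_end), 2),
        "breached": breached,
        "credit_pct": pct,
        "credit_amount": round(period_fee * pct / 100.0, 2),  # a share of the fee, not of the business loss
    }


def expected_downtime_minutes(mttf_hours: float, mttr_hours: float, period_hours: float) -> float:
    """Downtime the provider's own failure metrics imply for a period.

    Convention assumed here: MTBF = MTTF + MTTR, so availability = MTTF / MTBF.
    Check the CSA's definitions; providers do not all use the same convention.
    """
    cycles = period_hours / (mttf_hours + mttr_hours)   # expected failure/repair cycles
    return cycles * mttr_hours * 60


# Constructed sample data (not from any real provider): one 90-minute outage plus a
# 3-hour maintenance window that the CSA excludes from the availability calculation.
SAMPLE_OUTAGES = (
    Outage(datetime(2016, 6, 15, 2, 0), datetime(2016, 6, 15, 3, 30)),
    Outage(datetime(2016, 6, 20, 1, 0), datetime(2016, 6, 20, 4, 0), excluded=True),
)
JUNE_2016 = (datetime(2016, 6, 1), datetime(2016, 7, 1))
YEAR_2016 = (datetime(2016, 1, 1), datetime(2017, 1, 1))

if __name__ == "__main__":
    # The same outage breaches a 99.9% commitment measured monthly but not one measured yearly.
    for label, (ws, we) in (("monthly", JUNE_2016), ("yearly", YEAR_2016)):
        print(label, evaluate_period(SAMPLE_OUTAGES, ws, we, 99.9, 10_000.0))
    print("claim by", claim_deadline(SAMPLE_OUTAGES[0]))
    # Provider quotes MTTF 720 h and MTTR 2 h: expected monthly downtime vs. the 99.9% budget.
    print("expected downtime/month (min)", round(expected_downtime_minutes(720, 2, 720), 1),
          "budget (min)", max_downtime_minutes(99.9, *JUNE_2016))
```

Feed the script the outages your own monitoring recorded (the deck's advice is to automate that logging rather than rely on the provider's figures), and keep the tier table, cap, claim window and exclusion rules in step with the actual CSA text. Comparing the MTTF/MTTR-derived expectation with the commitment's downtime budget is a quick way to spot a provider whose published reliability figures cannot actually meet the availability it promises.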


Step 8: Understand the disaster recovery plan

Considerations

Use of public cloud services does not absolve the user from serious DR and Business Continuity planning

Service agreements focus on limiting the provider’s liability:
• SLA exclusions
• Disclaimers
• Limitations of liability

Recommendations

Devise a disaster recovery plan:
• Prioritize apps, services and data
• Determine acceptable downtime

Ensure business-critical content is stored redundantly in different geographical locations

Define Recovery Point Objective (RPO) and Recovery Time Objective (RTO)

Ensure appropriate frequency of backups based on content criticality

Use data and app replication capabilities provided by the cloud service

Implement a mechanism to promptly detect and quantify outages

Step 9: Define an effective governance policy

Considerations

Governance complicated by responsibility split between customer and provider

• Control and oversight

• Elements controlled by provider

Key elements:
• Periodic assessment – service levels, compliance
• Reports – key indicators, service failures
• Problem reporting & status
• Change notifications
• Request processing
• User satisfaction

Escalation process
• Up to & including termination of the service agreement

Recommendations

Agreements are typically silent about communication and escalation processes

Potential areas for negotiation are:
• Regular status meetings
• Single point-of-contact designation
• Automatic notifications
• APIs or Web services for management queries

In the absence of defined management interfaces, and for services that require strict notification, escalation and restoration procedures, public cloud services may not be appropriate solutions

Step 10: Understand the exit process

Considerations

Exit process should be part of any CSA

Customer exit plan

• Procedures

• Provider assistance

• Fees

• Retrieval of customer data

• Business continuity during exit

Requirement for provider to delete copies of customer data

Requirement for provider to cleanse log & audit data

• Retention of records for specified periods may be required by law

Recommendations

Ensure agreement specifies advance notice will be given for all terminations

Develop contingency plans / procedures to:
• Find a new cloud service
• Extract and reload data
• Switch to the new cloud service

As part of the termination process, insist that provider offer assistance to facilitate data extraction

Ensure all customer data is maintained by the provider for a specified time period after the transition

At the completion of the exit process, customers should receive written confirmation from provider that all customer’s data has been completely removed from the provider’s systems


New Developments

Work is taking place in the area of Cloud Service Agreements

ISO/IEC is well advanced with the 19086 standard (Cloud computing – Service level agreement (SLA) framework)

EU SLALOM project

Both aim at:

Standardized terminology

Listing of many potential CSA items

Standardized metrics

Codes of Conduct & Certification schemes continue to evolve

Especially in the area of data protection


Summary

Don’t “sign on the bottom line” without understanding the various documents that govern the relationship

Not everything is negotiable – but not everything is fixed either. Understand where you can ask for better terms (and determine if they’re worth paying more for)

Use our recommendations tables to evaluate a proposed CSA and detect areas that don’t meet your business requirements

Have a baseline – what are the current service levels of your incumbent providers or your in-house systems?

Be careful about how service levels are measured (e.g., measurement time windows)

Understand what happens in worst case scenarios (data breach, service failure, etc.)

Remain in charge of governance – don’t abdicate your own responsibilities to the public cloud service provider


Call to Action

Join the CSCC Now!
– To have an impact on customer use case based standards requirements
– To learn about all Cloud Standards within one organization
– To help define the CSCC’s future roadmap
– Membership is free & easy: http://www.cloud-council.org/become-a-member

Get Involved!
– Join one or more of the CSCC Working Groups: http://www.cloud-council.org/workinggroups

Leverage CSCC Collateral!
– Visit http://www.cloud-council.org/resource-hub

Thank You !