is4233 final presentation

IS4233Term Assignment Presentation

Legal Issues Concerning the Service Level Agreements

(SLAs) of IaaS Vendors

Clement Low Jun Xian Loh Soon Bock Kang Jie Min Tan Tze Jun

16th of November, 2013

Legal Issues Concerning the Service Level Agreements (SLAs) of IaaS Vendors

2

Introduction

Physical Assets

IaaS Cloud

3rd Party Virtualization of Physical Hardware

• Reduced Cost of Ownership

• Elimination of Hardware Procurement

What is IaaS?

SLA<< bound by >>

CloudCustomer IaaS

Vendor


3

Considerations & Concerns about IaaS

Customer Data• Confidential

ity• Integrity• Availability

GeographicLocation

Legal Aspects ofContractualObligations

How can all these be addressed?


4

Presentation Agenda

1. IaaS Service Level Agreements

(SLAs)

2. Relevance of IaaS SLA in Legal

Context

3. Categories of Legal Issues in

IaaS SLA

4. Categorical Elaboration of Legal

Issues

5. Court Case Analysis

6. Vendor SLAs: Legal Issues &

Solutions

7. Solutions to Unaddressed Legal

Issues

8. Conclusion


5

IaaSService Level Agreements

(SLAs)


6

IaaS Service Level Agreements (SLAs)

www.themegallery.com Company Logo

Binding negotiated document

States the minimum level of service to be provided

Entitlement to damages


7

Relevance of IaaS SLA in

Legal Context

• Legal dispute related to IaaS in the USA

• Unavailable hours in ALL IaaS cloud service

providers TRIPLED in 2012


8

Relevance of IaaS SLA in Legal Context


9

Categories of Legal Issues in

IaaS SLA

• Availability

• Reliability

• Performance

• General Liability

• Expressed Warranties

• Implied Warranties


10

Categories of Legal Issues in IaaS SLA


11

Categorical Elaboration of Legal Issues

Availability

• Monitoring of Service Uptime

• Service Uptime Percentage Ambiguity

• Vendor’s Reluctance to Fix Problems

• Delays in Server Maintenance

• Availability Calculation Based on Contiguous Blocks of Downtime Periods

Reliability

• Security Mechanism Put in Place & Mean Time for Recovery (MTR)


12


General Liability

• Exclusion of Direct Liability

• Personnel with Access to Customer Data & Security Of Hardware Containing

Customer Data

• Secure Erasure of Data from Decommissioned Resource Unit

• Availability of Redundant Systems for Storing Customer Data

• Involvement of Customer(s) in Investigating Breaches

• Location Of Customer Data

• Chained Liability


13


Expressed Warranties

• Reserving the right to Change Agreement Term

• Vendor Service Credits as the Sole Remedy for any Contractual Breaches

Implied Warranties

• Granting of Compensation through Claim Submission

• Time Zone for Time-Sensitive or Dependent Terms

• Resolution of Software Bugs & Defects

• Customer-Defined Security Policies

• Notification of Services and Infrastructure Events or Breaches Legal Issues Concerning the Service Level Agreements (SLAs) of IaaS Vendors

14



15

Court Case Analysis

• Gimme The Best, L.L.C (Plaintiff) vs. Sungard Vericenter, INC. (Defendant)• Breach of contract due to numerous breakdown of

Defendant systems in 3 separate occasions• Slow Performance • Data Loss• Hardware malfunctions

• Worst breach happened in Dec 2006


16

Court Case Analysis (Background)

• Material Misrepresentation

• Breach of agreement term

• Does the 3 breaches constitutes as a single breach or

multiple breaches of contract?

• Defendant’s Limited Liabilities

• Plaintiff’s Remedies


17

Court Case Analysis (Legal Issues)


18

Vendor SLAs: Legal Issues &

Solutions

Legal Issue: Monitoring of Percentage Uptime

• Amazon and VMware

• Measured based on IaaS vendor infrastructure

• Uptime vs Availability

• Excuse for them to escape liability

Solution

1. External audit by certified company

2. Provision of common monitoring tools to customers


19

Vendor SLAs: Legal Issues & Solutions

Legal Issue: Exclusion of Direct Liability• Amazon Specific Terms

• Failures that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control)

• Failures that result from failures of individual instances or volumes not attributable to Region Unavailability.

• HP Cloud Compute Specific Terms• Reserve the rights to withhold credit if it cannot verify the downtime or customer

cannot show that they were adversely affected in any way as a result of the downtime

• Require to contact HP and make a report within 30 days of the end of the month in which availability was not met


20


… continued …

Solution

• Difficult to negotiate the SLA terms in the capacity of an individual

• Corporate Customers have to negotiate if they feel that exclusions are

unreasonable.

• IaaS vendor have to weigh their exclusion against Customer’s interest to entice

more customers


21


Legal Issue: Unilateral change of agreement terms by the IaaS Vendor

• Amazon and VMware

• Terms in the SLA are subjected to changes in accordance to agreements

Solution

• Provide clear and sufficient notice to customers

• Continue to honour existing contract terms

• Provide a chance for customers to repudiate contract

• Change warranties (not conditions) and provide compensations


22



23

Solutions to Unaddressed Legal Issues

Issue: Vendor’s Reluctance to Fix Problem

• Incapable of supporting request which cause downtime

• Expensive to rectify

• Prefer to pay service credit than to rectify the problem

Solution

• Treated as a breach of condition

• Right to terminate contract

• Legal action


24


Issue: Missing SLA Clause for Service Performance

• Critical to customers that process time-sensitive requests.

• Monitoring Performance-related metrics

• Burden of proof

Solution

• States the hardware specification clearly and concisely

• Includes Performance-related metrics to measure the performance level

• Includes the monitoring methods


25


Issue: Customer-defined Security Policies

• Critical to customers to implement their security policies

• May clash with the vendor’s security policies

Solution

• The IaaS vendor can offer tiers of services that has various security profiles

• Allow the customer to select their most suited security profile

• The IaaS vendor’s policies will not interfere with customer’s security policies


26



27

Conclusion

Issue: Notification of Events/Breaches Related to Services &

Infrastructure• Customers should receive notifications of breaches or events even if it is

unconfirmed

• Allow customers to preempt for any possible impacts or damage

Solution• Categorize different type of events that may occur

• Allow customers to opt-in for notifications in addition to confirmed breaches or

events

• IaaS vendor can exclude any claims from customers arising from false notifications


28



29

Conclusion

Let’s Re-Cap

We Defined

IaaS• What it is

• Why it is gaining traction

SLA• Service Level Quality

• Warranties

• Liabilities

LegalIssues


30

Conclusion

We found that…

IaaS Vendors

Few, if not NONE, offer performance-based SLAs

Have a reactive approach towards SLA violations

Induce the inherent legal issues in SLAs by setting terms that are skewed to their interests


31

Conclusion

Our perspectives…

The solutions we proposed work in the interests of IaaS customers and simultaneously assist vendors in resolving their legal dilemmas.

We believe that IaaS SLAs can be legally favorable to both customers and vendors alike.

Well crafted SLAs help to foster customer-vendor trust & confidence in the IaaS cloud services industry.


32

Thank you for your attention!

Any questions?

is4233 final presentation

Technology

iaas slalegal issues

breaches legal issues

categories of legal

legal issues solutions7

legal contextlegal issues

iaas sla4

minimum level of service

iaas cloud service providers