
Page 1:

Practical Guide to Cloud Service Agreements, Version 2.0

http://cloud-council.org/resource-hub.htm#practical-guide-to-cloud-service-agreements-version-2

June, 2015

Page 2:

The Cloud Standards Customer Council: THE Customer’s Voice for Cloud Standards!

• Provide customer-led guidance to multiple cloud standards-defining bodies
• Establish criteria for open-standards-based cloud computing
• 500+ organizations participating

2011/2012 Deliverables
• Practical Guide to Cloud Computing
• Practical Guide to Cloud SLAs
• Security for Cloud Computing
• Impact of Cloud Computing on Healthcare

2013/2014 Deliverables
• Convergence of SoMoClo
• Analysis of Public Cloud SLAs
• Cloud Security Standards
• Migrating Apps to Public Cloud

2015 Projects (partial)
• Update to Security for Cloud Computing whitepaper
• Update to Practical Guide to Cloud Service Agreements
• Practical Guide to Privacy for the Public Sector
• Practical Guide to PaaS
• Social Business in the Cloud
• Big Data in the Cloud
• PGCC Version 2
• Migrating Apps: Performance Rqmnts
• Cloud Interoperability/Portability

http://cloud-council.org

Page 3:

Practical Guide to Cloud Service Agreements, Version 2

Revision Highlights

• Terminology changes have been made: SLA replaced by CSA
• The Current CSA Landscape section updated to reflect current market dynamics
• All ten steps in the Guide for Evaluating Cloud Service Agreements section have been updated to reflect current best practices
• References to cloud computing standards have been updated
• References added to published CSCC whitepapers

Page 4:

Cloud Service Agreements: Current Landscape

A CSA is comprised of three major artifacts:
• Customer Agreement
• Acceptable Use Policy
• Service Level Agreement

Customers must pay close attention to CSA language and clauses
• Mismatch between expectations and service terms is common

Service level guarantees for IaaS are better defined than for SaaS or PaaS

Service levels are more flexible and negotiable for private cloud than for public cloud

Size matters
• Larger customers have more power to negotiate favorable terms
• Over time, changes imposed by larger customers will trickle down to all customers

Page 5:

CSCC Practical Guide to Cloud Service Agreements

A reference to help enterprise IT & business decision makers as they analyze and compare service agreements from different cloud service providers.

10 Steps to Evaluate Cloud Service Agreements

1. Understand roles and responsibilities
2. Evaluate business level policies
3. Understand service and deployment model differences
4. Identify critical performance objectives
5. Evaluate security and privacy requirements
6. Identify service management requirements
7. Prepare for service failure management
8. Understand the disaster recovery plan
9. Define an effective governance process
10. Understand the exit process

"Cloud service agreements are important to clearly set expectations for service between cloud consumers and providers. Providing guidance to decision makers on what to expect and what to be aware of as they evaluate and compare SLAs from cloud computing providers is critical since standard terminology and values for cloud SLAs are emerging but currently do not exist."

Melvin Greer, Senior Fellow and Chief Strategist, Cloud Computing, Lockheed Martin

Page 6:

Step 1: Understand roles and responsibilities

Considerations
• Full understanding of responsibilities between the cloud service customer and the cloud service provider is critical
• Ensure the CSA makes clear statements about activities and responsibilities of the various customer and provider subroles
• Responsibility for detecting and reporting incidents should be clearly stated in the CSA

[Figure: cloud computing roles and subroles. Cloud Service Customer: cloud service user, cloud service administrator, cloud service integrator, cloud service business manager. Cloud Service Provider: cloud service administrator, cloud service operations manager, cloud service business manager, cloud service security & risk manager, cloud service deployment manager, network provider, customer support & care representative, inter-cloud provider. Cloud Service Partner: cloud service developer, cloud auditor, cloud service broker.]

Source: ISO/IEC 17789

Page 7:

Step 2: Evaluate Business-Level Policies

Business Policies
• Guarantees
• Acceptable Use Policy (AUP)
• List of Services Not Covered
• Excess Usage Billing
• Service Activation
• Payment Terms and Penalties
• Governance
• Change Notification and Management
• Support, Prioritization, Escalation
• Definition of Business Hours / Prime Time
• Planned Maintenance
• Renewals
• Transferability
• Subcontracted Services
• Licensed Software
• Industry-Specific Standards (HIPAA…)
• Country-Specific Laws & Regulations

Data Policies
• Preservation and Redundancy
• Data Location
  • Data Residency
  • Notification of Relocation
• Data Seizure by Law Enforcement
• Data Privacy (also see Step 5)
• Data Availability

The concern here is the alignment of the policies expressed (or implied) in the CSA with those of the customer.

Page 8:

Step 3: Understand Service & Deployment Model Differences

CSA contents will vary according to the choice of service model and deployment model.

Deployment Model

Private (on premises)
• IT department needs to establish a service agreement with internal users

Private (outsourced)
• Similar to traditional IT outsourcing

Public
• Stronger requirements to make multitenancy safe and effective

Hybrid
• Same as public but with added integration requirements between internal and external resources

Community
• Similar to public

Service Model

IaaS
• Similar to IT outsourcing
• Metrics focused on availability and performance of the servers, network and data storage

PaaS
• Distinguish “integrated solutions” and “deploy-based solutions”
• Consider requiring compliance with standards like OASIS’ TOSCA

SaaS
• Focus on the end-to-end performance of the application
• Very dependent on the specific app

Page 9:

Step 4: Identify Critical Performance Objectives

• Adopt standard definitions (e.g., from IEEE) of availability and response times
• Consider not just the computing hardware, but also the facility (backup, power, etc.)
• Identify critical metrics based on business needs

The guide provides a sample set of CSA content:
• Availability and response time metrics
• Constraints
• Collection methods and frequency
• Usage in Service Level Agreement (e.g., to calculate penalties for violations)

Page 10:

Step 5: Evaluate Security and Privacy Requirements

a) Security
• The key difference with traditional IT environments is the extra level of concern among stakeholders, due in particular to multitenancy
• Need to secure all assets: information and applications
• Define (if it doesn’t yet exist) and apply a security classification scheme for all assets
• The Cloud Security Alliance (CSA) provides useful guidance

Evaluate Security
• Asset sensitivity
• Understand the legal and regulatory requirements, especially on data breaches
• Establish security metrics
• Implement policies and procedures against the unauthorized use of data
  • Including technical measures such as IP range blocking, etc.
• Assess provider security capabilities
• Assess provider governance
• Assess provider security compliance

Page 11:

Step 5: Evaluate Security and Privacy Requirements (cont’d)

b) Privacy
• PII = Personally Identifiable Information (name, DOB, address, national ID no., etc.)
• Tangled web of national, international, industry and local regulations that are evolving rapidly
• Data may fall under different jurisdictions over time or even at the same time
• Moving data for backup and load balancing purposes may have privacy implications, and this is less predictable in the cloud

Evaluate Privacy
• Assess the presence and characteristics of PII
  • What PII is being stored?
  • Where is it being stored?
  • Where is the customer based?
  • Where is the provider based?
  • Where are the users of the data located?
  • What are the nationalities of the people whose data is being stored?
• Based on all this, which laws and regulations apply?
• Are they addressed in the CSA?
• What are the rules about data movement, backup, and retention?
• Do these processes risk violating the laws and regulations?

Page 12:

Step 6: Identify service management requirements

Considerations
• Organizations must monitor and manage the cloud services they use
• Aspects contributing to service management:
  • Auditing: is the provider’s management system adequate?
  • Monitoring and reporting: visibility of service performance
  • Measurement & metering: are you getting what you’re paying for?
  • Provisioning: can you change resources quickly?
  • Change management: transparent process for changes
  • Upgrades & patching

Page 13:

Step 7: Prepare for service failure management

Considerations
• Process that happens when a cloud service fails to meet expected behavior
  • complete failure
  • performance issues
• Detection & alerting
  • may need customer-side monitoring
  • provider-side monitoring & notification if available
• Reporting processes for customer-detected failures
• Provider processes for dealing with failures
• Remedies for failures
• Limitations
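The measurement and detection logic that Step 4 (availability and response-time metrics, their use to calculate penalties) and Step 7 (customer-side detection and alerting, remedies) call for, as an added example that is not part of the CSCC guide or of any provider's CSA. It assumes a hypothetical agreement that defines availability as the share of one-minute probe intervals in a billing period answered within a response-time limit, excludes announced planned-maintenance windows from the denominator, and pays tiered service credits when the measured figure falls below the committed level. All thresholds, the credit tiers, the maintenance window and the probe log are constructed; `evaluate_period` is the single entry point.

```python
"""Customer-side availability measurement, service-credit lookup and
incident detection for one billing period. Added example with a
hypothetical CSA; every constant and the probe log are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed CSA terms; in practice these come from the signed agreement.
COMMITTED_AVAILABILITY = 99.9      # percent per billing period
RESPONSE_TIME_LIMIT_MS = 500       # slower responses count as failed probes
CONSECUTIVE_FAILURES_TO_ALERT = 3  # customer-side detection threshold
# Service credit tiers as (availability floor, credit percent of period fee).
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]

@dataclass
class Probe:
    ts: datetime
    ok: bool          # did the probe get a valid response at all?
    latency_ms: int

def probe_succeeded(p: Probe) -> bool:
    """A probe counts as a success only if it answered within the limit."""
    return p.ok and p.latency_ms <= RESPONSE_TIME_LIMIT_MS

def in_maintenance(ts: datetime, windows) -> bool:
    """Planned maintenance windows are half-open [start, end) intervals."""
    return any(start <= ts < end for start, end in windows)

def measure_availability(probes, windows):
    """Return (availability_percent, probes_counted, probes_failed)."""
    counted = failed = 0
    for p in probes:
        if in_maintenance(p.ts, windows):
            continue                  # excluded by the CSA definition
        counted += 1
        if not probe_succeeded(p):
            failed += 1
    if counted == 0:                  # nothing measurable: no breach claimable
        return 100.0, 0, 0
    return 100.0 * (counted - failed) / counted, counted, failed

def service_credit_percent(availability: float) -> int:
    """Map measured availability onto the credit tier it falls into."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]

def detect_incidents(probes, windows):
    """Start times of incidents: N consecutive failed probes outside maintenance.
    Each incident is reported once, when the streak reaches the threshold."""
    incidents, streak, streak_start = [], 0, None
    for p in probes:
        if in_maintenance(p.ts, windows) or probe_succeeded(p):
            streak, streak_start = 0, None
            continue
        streak += 1
        if streak == 1:
            streak_start = p.ts
        if streak == CONSECUTIVE_FAILURES_TO_ALERT:
            incidents.append(streak_start)
    return incidents

# Constructed probe log: 2000 one-minute probes from a constructed period start,
# with one announced maintenance window covering probes 100..159.
PERIOD_START = datetime(2015, 6, 1)
MAINTENANCE_WINDOWS = [(PERIOD_START + timedelta(minutes=100),
                        PERIOD_START + timedelta(minutes=160))]

def constructed_probes():
    probes = []
    for i in range(2000):
        ts = PERIOD_START + timedelta(minutes=i)
        if 100 <= i < 160:            # down, but inside planned maintenance
            probes.append(Probe(ts, False, 0))
        elif 500 <= i < 510:          # unplanned 10-minute outage
            probes.append(Probe(ts, False, 0))
        elif i in (1200, 1201):       # answered, but slower than the CSA limit
            probes.append(Probe(ts, True, 900))
        else:
            probes.append(Probe(ts, True, 120))
    return probes

def evaluate_period(probes=None, windows=None):
    """Full evaluation of one billing period: metric, remedy and incidents."""
    probes = constructed_probes() if probes is None else probes
    windows = MAINTENANCE_WINDOWS if windows is None else windows
    availability, counted, failed = measure_availability(probes, windows)
    return {"availability": availability, "counted": counted, "failed": failed,
            "breached": availability < COMMITTED_AVAILABILITY,
            "credit_percent": service_credit_percent(availability),
            "incidents": detect_incidents(probes, windows)}

if __name__ == "__main__":
    r = evaluate_period()
    print(f"availability {r['availability']:.3f}% ({r['failed']} of {r['counted']} "
          f"probes failed), breached={r['breached']}, credit={r['credit_percent']}%")
    for start in r["incidents"]:
        print("incident detected at", start)
```

Running the script shows why the slides insist on precise definitions: the 60 minutes of maintenance downtime never reach the denominator, the two slow responses count against the provider only because the agreement ties availability to a response-time limit, and the 10-minute outage alone moves the period from "no credit" to the 10% tier. Changing any one of those clauses changes the money, so the customer-side log is what makes the remedy clause of Step 7 enforceable rather than a matter of trust.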

Page 14:

Step 8: Understand the disaster recovery plan

Considerations
• Part of business continuity
  • recover applications, data, communications in face of disaster
• Clear responsibilities:
  • provider disaster recovery?
  • customer disaster recovery?
• Techniques:
  • multiple redundant data centers
  • replicated data stores
  • multiple redundant networks
  • multiple app instances
  • automated failover
• Failure of the cloud service provider?

Page 15:

Step 9: Define an effective governance policy

Considerations
• Governance complicated by responsibility split between customer and provider
  • control and oversight
  • elements controlled by provider
• Key elements:
  • periodic assessment – service levels, compliance
  • reports – key indicators, service failures
  • problem reporting & status
  • change notifications
  • request processing
  • user satisfaction
• Escalation process
  • up to & including termination of service agreement

Page 16:

Step 10: Understand the exit process

Considerations
• Exit process should be part of any CSA
• Customer exit plan
  • procedures
  • provider assistance
  • fees
  • retrieval of customer data
  • business continuity during exit
• Requirement for provider to delete / make inaccessible copies of customer data
• Requirement for provider to cleanse log & audit data
  • retention of records for specified periods may be required by law

Page 17:

Summary
• Develop a strong business case and strategy for cloud computing environment
• Assess provider’s CSA against functional and non-functional requirements
• Determine how to monitor CSA performance
• Ensure an adequate disaster recovery plan can be defined and executed
• Ensure support for an efficient exit process

Page 18:

Call to Action

Join the CSCC Now!
– To have an impact on customer use case based standards requirements
– To learn about all Cloud Standards within one organization
– To help define the CSCC’s future roadmap
– Membership is free & easy: http://www.cloud-council.org/application

Get Involved!
– Join one or more of the CSCC Working Groups
  • http://www.cloud-council.org/workinggroups.htm

Page 19:

Additional Resources

• Customer Cloud Architecture for Mobile: http://bit.ly/1cGs5Xj
• Practical Guide to Cloud Service Agreements, V2: http://bit.ly/1IQxrdg
• Public Cloud Service Agreements: What to Expect & What to Negotiate: http://bit.ly/1GKbI8O
• Practical Guide to Cloud Computing, V2: http://bit.ly/1MwD9mZ
• Security for Cloud Computing: 10 Steps to Ensure Success, V2: http://bit.ly/1L3D9gZ
• Cloud Security Standards: What to Expect & What to Negotiate: http://bit.ly/18fZFl3
• Interoperability and Portability for Cloud Computing: A Guide: http://bit.ly/1Fg7lkk
• Migrating Applications to Public Cloud Services: Roadmap for Success: http://bit.ly/1B9YGJy
• Web Application Hosting Cloud Solution Architecture: http://bit.ly/1DbOszm
• Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success: http://bit.ly/1EDTe9o
• Impact of Cloud Computing on Healthcare: http://bit.ly/1B9ZP42

Page 20:

Thank You