TRANSCRIPT
Public Cloud Service Agreements: What to Expect & What to Negotiate
V2.0
http://www.cloud-council.org/deliverables/public-cloud-service-agreements-what-to-expect-and-what-to-negotiate.htm
July 28, 2016
© 2016 Cloud Standards Customer Council www.cloud-council.org 2
Today’s Speakers
Tracie Berardi Program Manager, Cloud Standards Customer Council
Claude Baudoin Principal, cébé IT & Knowledge Management Energy Domain Consultant, OMG
Mike Edwards Cloud Computing Standards Expert and Bluemix PaaS Evangelist, IBM
Long Wang Research Staff Member, IBM T.J. Watson Research Center
John Bruylant Business Cloud Broker, TheCloudTurbo
The Cloud Standards Customer Council
• Provide customer-led guidance to multiple cloud standards-defining bodies
• Establishing criteria for open standards based cloud computing
600+ Organizations participating
THE Customer’s Voice for Cloud Standards!
http://cloud-council.org
2011/2012 Deliverables
• Practical Guide to Cloud Computing
• Practical Guide to Cloud SLAs
• Security for Cloud Computing
• Impact of Cloud on Healthcare
2013/2014 Deliverables
• Convergence of SoMoClo
• Analysis of Public Cloud SLAs
• Cloud Security Standards
• Migrating Apps to Public Cloud Services
• Social Business in the Cloud
• Big Data in the Cloud
• Practical Guide to Cloud Computing V2
• Migrating Apps: Performance Requirements
• Cloud Interoperability/Portability
2015 Deliverables
• Web App Hosting Architecture
• Mobile Cloud Architecture
• Big Data Cloud Architecture
• Security for Cloud Computing V2
• Practical Guide to Cloud SLAs V2
• Practical Guide to PaaS
2016 Projects
• Practical Guide to Hybrid Cloud Computing
• Public Cloud Service Agreements, V2
• Cloud Security Standards, V2
• IoT Cloud Reference Architecture
• Commerce Cloud Reference Architecture
• More
What’s New in V2?
V1 was published in 2013
The market has evolved – many new CSP entrants
Several public cloud service providers have updated their agreements
Hybrid cloud requires provisions for integrated management of multiple cloud services & on-premises resources
Data protection issues have become much more serious
Data residency is now often recognized as an issue
Several other changes based on the experience of new co-authors
Public Cloud Service Agreements: Current Landscape
A CSA is comprised of four major artifacts:
• Customer Agreement
• Acceptable Use Policy
• Service Level Agreement
• Privacy Policies
Customers must pay close attention to CSA language and clauses
• Mismatch between expectations and service terms is common
Service level commitments for IaaS are better defined than for SaaS or PaaS
Service levels are more flexible and negotiable for private cloud than for public cloud
Size matters
• Larger customers have more power to negotiate favorable terms
• Over time, changes imposed by larger customers trickle down to all customers
Companion whitepaper: Practical Guide to Cloud Service Agreements
A reference to help enterprise IT analyze CSAs
Available on the CSCC Resource Hub: http://www.cloud-council.org/resource-hub.htm
10 Steps to Evaluate Cloud Service Agreements
1. Understand roles and responsibilities
2. Evaluate business level policies
3. Understand service and deployment model differences
4. Identify critical performance objectives
5. Evaluate security, privacy and data residency requirements
6. Identify service management requirements
7. Prepare for service failure management
8. Understand the disaster recovery plan
9. Define an effective management process
10. Understand the exit process
Step 1: Understand roles and responsibilities
Considerations
Acceptable Use Policy (AUP) - primary artifact - requires thorough review
• Content Prohibitions
• Security Prohibitions
• Service Integrity Prohibitions
• Rights of Others Prohibitions
AUPs have little consistency in wording, although there is a clear pattern to the types of provisions they include
Recommendations
Customers should exercise caution and thoroughly review every provision before agreeing to an AUP:
• Clarity
• Brevity
• Completeness
• Focus
Step 2: Evaluate Business-Level Policies
Business Policies
Five specific policies, contained in the provider’s Customer Agreement, are key:
• Data policies
• Changes to services, APIs or agreements
• Suspension of services
• Limitations of Liability
• Intellectual Property
Recommendations
Data Policy:
• CSA should specify physical location of content
• Provider should not access customer data unless required by law
Changes to Services, APIs, Agreements:
• Advance notice (30 days)
• Backward compatibility
Suspension of Services:
• Advance notice (30 days)
• Sufficient time to address (60 days)
• Customer data will not be deleted
Limitations of Liability:
• Compare Aggregate Liability and Indemnification/Disclaimer clauses
Intellectual Property:
• Provider should notify customers in case of a third party’s claim of IP violation
Step 3: Understand Service & Deployment Model Differences
CSA contents vary according to the service model
Infrastructure as a Service (IaaS)
CSA is focused on availability of hardware and basic support for same
Customer is entirely responsible for all components running on the service, including applications but also operating systems, databases, etc.
Platform as a Service (PaaS)
Important to distinguish which capabilities are part of the platform, and which ones are not
Require a clear catalog of the supported services in the platform stack
Software as a Service (SaaS)
CSA should address end-to-end availability of the application across all components supplied by the cloud provider
• Application
• Middleware
• Database
• Storage
• Computation
• Network access
• Security
Remember data protection for any personally identifiable information in customer data (“privacy”)
Step 4: Identify Critical Performance Objectives
Considerations
Performance goals have 4 key components:
• Service Commitments
• Credits
• Credit Process
• Exclusions
Service Commitments focus mainly on “Availability”
• Guarantees, Measurement Details & Observation Periods differ
Credits are compensation for missed service commitments
• Service credit calculations and maximum credit limits differ
Credit Process requires customer to take specific action to receive credit
• Reporting timeframe & required information differ
Exclusions are similar across all CSAs
SLA metrics are limited and no standards currently exist
Recommendations
Carefully analyze service availability commitments & associated credits
Understand business impact of a single outage corresponding to maximum downtime
Analyze service credit calculations and maximum credit limits
Compare service credit processes
Examine commitment exclusions
Automate process for detecting and logging service outages
Look for API call response time service level objectives
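To make "maximum downtime", "observation period" and "service credit" concrete, here is an added Python example; it is not from the CSCC deck and does not reproduce any provider's terms. It converts an availability percentage into a downtime budget for a window, measures availability from a constructed outage log (clipping outages that straddle the window boundary), and applies a constructed credit schedule. The credit tiers (`CREDIT_TIERS`), the outage timestamps and the two windows are assumptions chosen to show how the same outages yield a credit under a monthly window and none under an annual one.

```python
"""Added example (not from the CSCC deck or any provider's CSA): turning an
availability commitment into a downtime budget and checking a constructed
outage log against it. The credit schedule, the observation windows and the
outage timestamps are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Sequence


@dataclass(frozen=True)
class Outage:
    start: datetime  # first failed health check
    end: datetime    # service restored


def downtime_budget(availability_pct: float, window: timedelta) -> timedelta:
    """Maximum cumulative downtime the commitment allows in one observation window."""
    return window * (1.0 - availability_pct / 100.0)


def measured_availability_pct(outages: Sequence[Outage], window_start: datetime,
                              window_end: datetime) -> float:
    """Availability over [window_start, window_end); outages that straddle the
    window boundary are clipped, so only the part inside the window counts."""
    down = timedelta()
    for o in outages:
        start, end = max(o.start, window_start), min(o.end, window_end)
        if end > start:
            down += end - start
    return 100.0 * (1.0 - down / (window_end - window_start))


# Constructed credit schedule, highest floor first:
# (availability floor in %, credit as % of the fee for that window)
CREDIT_TIERS = ((99.95, 0), (99.0, 10), (95.0, 25), (0.0, 100))


def service_credit_pct(availability_pct: float, tiers=CREDIT_TIERS) -> int:
    """Credit owed under the first tier whose floor the measured availability reaches."""
    for floor, credit in tiers:
        if availability_pct >= floor:
            return credit
    return tiers[-1][1]


def evaluate(outages: Sequence[Outage], commitment_pct: float,
             window_start: datetime, window_end: datetime) -> Dict[str, float]:
    """Summarise one observation window: downtime budget, measured availability, credit."""
    availability = measured_availability_pct(outages, window_start, window_end)
    budget = downtime_budget(commitment_pct, window_end - window_start)
    return {
        "budget_minutes": budget.total_seconds() / 60,
        "availability_pct": availability,
        "credit_pct": service_credit_pct(availability),
    }


# Constructed outage log: a 40-minute outage straddling the June boundary
# (only 10 minutes of it fall inside June) and a 90-minute outage on 10 June.
OUTAGES = [
    Outage(datetime(2016, 5, 31, 23, 30), datetime(2016, 6, 1, 0, 10)),
    Outage(datetime(2016, 6, 10, 14, 0), datetime(2016, 6, 10, 15, 30)),
]
JUNE = (datetime(2016, 6, 1), datetime(2016, 7, 1))          # 30-day window
YEAR_2016 = (datetime(2016, 1, 1), datetime(2017, 1, 1))     # 366-day window

if __name__ == "__main__":
    for label, (ws, we) in (("monthly window", JUNE), ("annual window", YEAR_2016)):
        result = evaluate(OUTAGES, 99.95, ws, we)
        print(f"{label}: budget {result['budget_minutes']:.1f} min, "
              f"measured {result['availability_pct']:.4f}%, credit {result['credit_pct']}%")
```

A 99.95% commitment allows only 21.6 minutes of downtime in a 30-day month, so the single 90-minute outage already exceeds the budget and reaches the 10% tier; measured over the whole of 2016 the same outages leave availability above 99.95% and no credit is owed. This is exactly why the measurement window, and the clipping rule for outages that cross it, belong in the negotiation.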
Step 5: Evaluate Security, Privacy & Data Residency Requirements
Considerations
Security and privacy language is often spread among several documents: all need to be checked
Most clauses obligate the customer to protect the provider, not the other way around
Impact of security breaches can be much larger than the cost of the service
Provider’s security measures and certification(s) should be visible
Does the cloud provider commit to privacy of personally identifiable information contained in customer data?
Data residency commitments are increasingly important but often omitted
Recommendations
Security, privacy and data residency statements should be explicit
Customers should look for certifications
Providers should commit to specific physical and logical security practices
Provider must notify customer when data is handed over to a third party / law enforcement
Look for emergency mechanisms to resolve security breaches
Insist provider investigates incidents with due diligence, and can restore deleted data
Provider must take measures to ensure privacy of personal information contained in customer data
Provider should know data residency and data protection laws/regulations, and offer options regarding where data is stored
Step 6: Identify service management requirements
Considerations
Organizations must monitor and manage cloud services they use
Don’t expect service agreements to specify much - be ready to perform your own due diligence
Aspects contributing to service management
• Auditing
• Monitoring and reporting
• Measurement & metering
• Provisioning
• Change management
• Upgrades & patching
Recommendations
Precisely define objectives and ensure provider offers adequate level of support
Understand service management capabilities available with cloud service
Consider cloud management platforms (CMPs) in a hybrid cloud situation
Consider provider’s commitments to stability of functionality over time
Ask for detailed and regular metrics on contracted services
Examine the definitions and potential impact of each service metric
Ask questions related to service management maturity
Retain in-house the service management expertise required to monitor and improve cloud service performance
Step 7: Prepare for service failure management
Considerations
There is typically little in current service agreements
Therefore, the burden is on the customer
Compensation is tied to the price of the service, not the impact on your business
Key failure management systems
• Event management
• Incident management
• Problem management
Failure Metrics
• Mean Time Between Failures (MTBF)
• Mean Time to Recover (MTTR)
• Mean Time to Failure (MTTF)
Recommendations
Insist provider offers an interface for sending failure and alert data
Ensure provider offers an interface to report failures to the provider
Insist provider offers an Expected Time to Resolution (ETR) for any service failure
Evaluate whether cloud services support resilient features such as replication, clustering, failover, etc.
Understand responsibilities and hand-off procedures
Confirm provider’s monitoring capabilities do not violate data privacy stipulations
Assess MTBF, MTTR, and MTTF to determine expected service downtimes
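The last recommendation, assessing MTBF, MTTR and MTTF to determine expected downtime, is worth seeing as arithmetic. The following added Python example is not from the CSCC deck: it derives the three metrics from a constructed incident history (failure detected, service restored), estimates steady-state availability as MTTF / (MTTF + MTTR), projects annual downtime from it, and compares the result with a committed availability. The incident timestamps, the 8760-hour year and the commitment values are assumptions.

```python
"""Added example (not part of the CSCC deck): deriving MTTR, MTBF and MTTF from
a constructed incident history and turning them into an expected downtime
figure that can be compared with a provider's availability commitment.
All timestamps below are constructed for illustration."""
from datetime import datetime, timedelta
from statistics import mean
from typing import Sequence, Tuple

Incident = Tuple[datetime, datetime]  # (failure detected, service restored)

HOURS_PER_YEAR = 8760.0  # 365-day year; an assumption used only for projection


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def _ordered(incidents: Sequence[Incident]) -> list:
    if len(incidents) < 2:
        raise ValueError("need at least two incidents to estimate MTBF/MTTF")
    return sorted(incidents)


def mttr_hours(incidents: Sequence[Incident]) -> float:
    """Mean Time to Recover: average repair duration over all incidents."""
    return mean(_hours(restored - failed) for failed, restored in incidents)


def mtbf_hours(incidents: Sequence[Incident]) -> float:
    """Mean Time Between Failures: average gap between consecutive failure starts."""
    starts = [failed for failed, _ in _ordered(incidents)]
    return mean(_hours(b - a) for a, b in zip(starts, starts[1:]))


def mttf_hours(incidents: Sequence[Incident]) -> float:
    """Mean Time to Failure: average uptime from one restoration to the next failure.
    Each between-failure interval is one uptime plus one repair, so MTBF equals
    MTTF plus the mean repair time over those same intervals."""
    seq = _ordered(incidents)
    return mean(_hours(next_failed - restored)
                for (_, restored), (next_failed, _) in zip(seq, seq[1:]))


def steady_state_availability_pct(incidents: Sequence[Incident]) -> float:
    """Classic reliability estimate: A = MTTF / (MTTF + MTTR)."""
    mttf, mttr = mttf_hours(incidents), mttr_hours(incidents)
    return 100.0 * mttf / (mttf + mttr)


def expected_annual_downtime_hours(incidents: Sequence[Incident]) -> float:
    """Downtime to plan for in a year if the observed failure/repair pattern holds."""
    return HOURS_PER_YEAR * (1.0 - steady_state_availability_pct(incidents) / 100.0)


def meets_commitment(incidents: Sequence[Incident], committed_pct: float) -> bool:
    """Does the observed steady-state availability reach the committed figure?"""
    return steady_state_availability_pct(incidents) >= committed_pct


# Constructed incident history: three failures with 1 h, 3 h and 2 h repairs.
INCIDENTS = [
    (datetime(2016, 3, 5, 2, 0), datetime(2016, 3, 5, 3, 0)),
    (datetime(2016, 5, 20, 10, 0), datetime(2016, 5, 20, 13, 0)),
    (datetime(2016, 8, 14, 23, 0), datetime(2016, 8, 15, 1, 0)),
]

if __name__ == "__main__":
    print(f"MTTR {mttr_hours(INCIDENTS):.1f} h, MTBF {mtbf_hours(INCIDENTS):.1f} h, "
          f"MTTF {mttf_hours(INCIDENTS):.1f} h")
    print(f"availability {steady_state_availability_pct(INCIDENTS):.4f}%, "
          f"expected downtime {expected_annual_downtime_hours(INCIDENTS):.1f} h/year")
    for commitment in (99.5, 99.95):
        print(f"meets {commitment}% commitment: {meets_commitment(INCIDENTS, commitment)}")
```

With this history the service sits just under 99.9% availability, roughly nine hours of downtime a year: enough to satisfy a 99.5% commitment but not a 99.95% one. The point of the exercise is that the compensation schedule in the CSA is tied to the service fee, while the nine hours are what the business actually has to plan around.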
Step 8: Understand the disaster recovery plan
Considerations
Use of public cloud services does not absolve the user from serious DR and Business Continuity planning
Service agreements focus on limiting the provider’s liability
• SLA exclusions
• Disclaimers
• Limitations of liability
Recommendations
Devise a disaster recovery plan
• Prioritize apps, services and data
• Determine acceptable downtime
Ensure business critical content is stored redundantly in different geographical locations
Define Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
Ensure appropriate frequency of backups based on content criticality
Use data and app replication capabilities provided by cloud service
Implement mechanism to promptly detect and quantify outages
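Defining RPO and RTO per criticality tier and then choosing a backup frequency is where DR plans most often go wrong on paper. The added Python example below is not from the CSCC deck: for each constructed tier it computes the worst-case data loss of a periodic backup (conservatively, one interval plus the run time of a backup, since a non-snapshot backup captures state no newer than its start), the worst-case recovery time (detection, restore, validation), and whether each meets its RPO and RTO. The tier names, objectives and timings in `DESIGNS` are assumptions.

```python
"""Added example (not from the CSCC deck): checking a backup and recovery
design against Recovery Point Objective (RPO) and Recovery Time Objective
(RTO) per content criticality tier. The tiers, objectives and timings are
constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryDesign:
    name: str
    rpo: timedelta               # most data loss the business accepts
    rto: timedelta               # longest outage the business accepts
    backup_interval: timedelta   # time between the starts of backup runs
    backup_duration: timedelta   # how long one backup run takes
    detect_time: timedelta       # time for monitoring to notice the outage
    restore_time: timedelta      # time to restore data at the recovery site
    validate_time: timedelta     # smoke tests before declaring recovery complete


def worst_case_data_loss(d: RecoveryDesign) -> timedelta:
    """A failure just before a backup run completes loses everything written since
    the previous run started: one full interval plus the run time. This is a
    conservative assumption (non-snapshot backups); snapshot-based backups lose
    at most one interval."""
    return d.backup_interval + d.backup_duration


def worst_case_recovery_time(d: RecoveryDesign) -> timedelta:
    """Elapsed time from failure to restored, validated service."""
    return d.detect_time + d.restore_time + d.validate_time


def max_backup_interval(rpo: timedelta, backup_duration: timedelta) -> timedelta:
    """Largest backup interval that still keeps the worst-case loss within the RPO."""
    return rpo - backup_duration


def assess(designs: List[RecoveryDesign]) -> Dict[str, Dict[str, bool]]:
    """Per tier: does the design meet its RPO and its RTO in the worst case?"""
    return {
        d.name: {
            "rpo_met": worst_case_data_loss(d) <= d.rpo,
            "rto_met": worst_case_recovery_time(d) <= d.rto,
        }
        for d in designs
    }


# Constructed tiers: a critical order database backed up "every 15 minutes"
# for a 15-minute RPO, and a low-criticality marketing site.
DESIGNS = [
    RecoveryDesign("orders-db (critical)",
                   rpo=timedelta(minutes=15), rto=timedelta(hours=1),
                   backup_interval=timedelta(minutes=15), backup_duration=timedelta(minutes=5),
                   detect_time=timedelta(minutes=5), restore_time=timedelta(minutes=30),
                   validate_time=timedelta(minutes=10)),
    RecoveryDesign("marketing-site (low)",
                   rpo=timedelta(hours=24), rto=timedelta(hours=8),
                   backup_interval=timedelta(hours=12), backup_duration=timedelta(minutes=20),
                   detect_time=timedelta(minutes=30), restore_time=timedelta(hours=2),
                   validate_time=timedelta(minutes=30)),
]

if __name__ == "__main__":
    for d in DESIGNS:
        verdict = assess([d])[d.name]
        print(f"{d.name}: loss up to {worst_case_data_loss(d)}, recovery up to "
              f"{worst_case_recovery_time(d)}, RPO met {verdict['rpo_met']}, "
              f"RTO met {verdict['rto_met']}")
        if not verdict["rpo_met"]:
            print(f"  back up at most every {max_backup_interval(d.rpo, d.backup_duration)}")
```

The critical tier fails its RPO even though the backup interval equals the RPO: a 5-minute run pushes worst-case loss to 20 minutes, so the interval has to drop to 10 minutes (or the backup has to be snapshot-based). That kind of gap is invisible in the CSA and only surfaces when the customer works through its own plan, which is the point of the recommendation above.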
Step 9: Define an effective governance policy
Considerations
Governance is complicated by the responsibility split between customer and provider
• Control and oversight
• Elements controlled by provider
Key elements:
• Periodic assessment – service levels, compliance
• Reports – key indicators, service failures
• Problem reporting & status
• Change notifications
• Request processing
• User satisfaction
Escalation process
• Up to & including termination of service agreement
Recommendations
Agreements are typically silent about communication and escalation processes
Potential areas for negotiation are:
• Regular status meetings
• Single point-of-contact designation
• Automatic notifications
• APIs or Web services for management queries
In the absence of defined management interfaces, and for services that require strict notification, escalation and restoration procedures, public cloud services may not be appropriate solutions
Step 10: Understand the exit process
Considerations
Exit process should be part of any CSA
Customer exit plan
• Procedures
• Provider assistance
• Fees
• Retrieval of customer data
• Business continuity during exit
Requirement for provider to delete copies of customer data
Requirement for provider to cleanse log & audit data
• Retention of records for specified periods may be required by law
Recommendations
Ensure agreement specifies advance notice will be given for all terminations
Develop contingency plans / procedures to:
• Find a new cloud service
• Extract and reload data
• Switch to the new cloud service
As part of the termination process, insist that provider offer assistance to facilitate data extraction
Ensure all customer data maintained for a specific time period after transition
At the completion of the exit process, customers should receive written confirmation from provider that all customer’s data has been completely removed from the provider’s systems
New Developments
Work is taking place in the area of Cloud Service Agreements:
• ISO/IEC is well advanced with the 19086 standard
• EU SLALOM project
Both aim at:
• Standardized terminology
• Listing of many potential CSA items
• Standardized metrics
Codes of Conduct & Certification schemes continue to evolve
• Especially in the area of data protection
Summary
Don’t “sign on the bottom line” without understanding the various documents that govern the relationship
Not everything is negotiable – but not everything is fixed either. Understand where you can ask for better terms (and determine if they’re worth paying more for)
Use our recommendations tables to evaluate a proposed CSA and detect areas that don’t meet your business requirements
Have a baseline – what are the current service levels of your incumbent providers or your in-house systems?
Be careful about how service levels are measured (e.g., measurement time windows)
Understand what happens in worst case scenarios (data breach, service failure, etc.)
Remain in charge of governance – don’t abdicate your own responsibilities to the public cloud service provider
Call to Action
Join the CSCC Now!
– To have an impact on customer use case based standards requirements
– To learn about all Cloud Standards within one organization
– To help define the CSCC’s future roadmap
– Membership is free & easy: http://www.cloud-council.org/become-a-member
Get Involved!
– Join one or more of the CSCC Working Groups: http://www.cloud-council.org/workinggroups
Leverage CSCC Collateral!
– Visit http://www.cloud-council.org/resource-hub
Thank You!