Making Cloud SLAs readily usable in the EU private sector
Common Reference Model
The SLA-Ready Common Reference Model (CRM 1st iteration, June 2016) describes, promotes and supports the uptake of cloud service level agreements, by providing a common understanding of SLAs for cloud services.
The Reference Model provides a common understanding of SLAs for cloud services, integrating SLA components like:
- terminology;
- SLA attributes;
- Service Level Objectives (SLOs);
- guidelines;
- best practices.
This initial reference model looks at current practices in the international standardisation community, to which SLA-Ready contributes, mainly through the Cloud Security Alliance liaison with ISO.
The Reference Model also looks at current practices in the cloud industry analysing use cases based on:
- different levels of knowledge (novice, basic knowledge, experienced user);
- different stages of the cloud service management life cycle (procurement of IaaS by a Fintech firm, operational phases by small IT teams in local government, an SME using Saas, and an SME migrating from one SaaS cloud service provider to another).
The ultimate goal is to encourage greater transparency and lower barriers to cloud adoption especially for SMEs, who have much to gain from the cloud but who lack the information required about which services to use and trust.
Download the Common Reference Model
Assess the relative importance of each CRM element from your point of view: reply to this surveys for Customers and Providers
| Group | Name of CRM element | Explanation/Assessment Question |
|---|---|---|
| General | SLA URL | Is there a publicly (online) available version of your cloud SLA? |
| Findable | How can customers find the SLA on your website? | |
| Choice of law | Is the SLA specific to a particular jurisdiction or geographical area? | |
| Roles and responsibilities | Does your SLA contain a clear definition of roles and responsibilities? | |
| Cloud SLA definitions | Does your SLA contain relevant definitions used in the text? | |
| Freshness | Revision date | Does your SLA specify the date of its last revision? |
| Update Frequency | Does your SLA specify the frequency of performed updates based on a reported "Last Update" value? | |
| Previous versions and revisions | Are the previous versions of the SLA publicly available? | |
| SLA duration | Does your SLA contain a clear specification of its validity period? | |
| Readability | SLA language | Is your SLA specified in more than one language? |
| Machine-readable format | Is your SLA available in machine-readable format? | |
| Nr. of pages | What is the number of pages on your SLA? Only applies to SLAs in PDF/document format. | |
| Support | Contact details | Does your SLA contain a reference to the helpdesk number or other details to contact support? |
| Contact availability | Does your SLA contain information about contact availability, specifying days of the week and working hours? | |
| Credits | Service Credit | Does your SLA provide a clear specification of the service credits provided to the CSC? |
| Service credits assignment | Does your SLA specify the conditions whether a service credit shall be provided or not to the customer? | |
| Maximum service credits (Euro amount) provided by the CSP | Does your SLA describe how much credit (euros) the CSP may give the customer? | |
| Changes | SLA change notifications | Does your SLA specify of how the CSP notifies customers about SLA changes? |
| Unilateral change | Does your SLA describe if the CSP is entitled to unilaterally change it? | |
| Reporting | Service Levels reporting | Does your SLA describe if reports about achieved Service Levels are provided to the customer? |
| Service Levels continuous reporting | Does your SLA explain if/how the service level reports are continuously updated? | |
| Feasibility of specials & customisations | Does your SLA clearly define any “specials”/exceptions and other possible customisations? | |
| General Carveouts | Does your SLA clearly define CSP assumptions, exclusions, scope of force majeure, and other carve outs to the negotiated cloud services, SLOs and SLA? | |
| SLOs & Metrics | Specified SLO metrics | Does your SLA clearly and unambiguously specifies metrics related to the SLOs defined in the SLA? |
| General SLOs | Does your SLA specify SLOs related to aspects like service monitoring, accessibility, availability, termination of service, applicable certifications, and governance? | |
| Cloud Service Performance SLOs | Does your SLA specify SLOs related to aspects like response time, capacity, and elasticity? | |
| Service Reliability SLOs | Does your SLA specify SLOs related to aspects like service resilience, disaster recovery, and customer’s data backup/restore? | |
| Data Management SLOs | Does your SLA specify SLOs related to aspects like IPR, CSC/CSP data, derived data, account data, portability, data deletion/location/examination, and law enforcement access to CSC data? | |
| Security SLOs | Does your SLA specify SLOs related to aspects like cryptography, physical/operational/communication security, incident management, compliance, and business continuity? | |
| Personal Data Protection SLOs | Does your SLA specify SLOs related to aspects like consent and choice, limitation, accountability, PII collection/use/retention/disclosure limitation, and privacy compliance? |