Making Cloud SLAs readily usable in the EU private sector
Use Cases
SME setting up its own Hybrid Cloud Ecosystem
This SME is a small start-up but envisions becoming number one in its market, globally. It will need cloud services to do so, and for a range of technical, business and risk-mitigation reasons it is architecting a hybrid ecosystem in which several major as well as niche CSPs will be involved. However, each CSP defines its terms and legal provisions differently, which makes it hard to build a clear picture of the rights and obligations the SME has towards each CSP, and of the rights and obligations it can in turn arrange with its own customers and end-users. Analysing legal documentation on cloud services such as SLAs from A to Z is cumbersome and consumes time and resources; CSPs even use different quantitative attributes, metrics, measurements and remedies. The SME feels that some CSPs prefer to keep their applicable documentation less transparent than their customers would wish, even though the CSPs could make it more transparent. Getting to the bottom of Master Service Agreements, SLAs and other contractual arrangements is time-consuming, and an SME, especially a start-up, does not have those resources. This will either delay its business plans or lead to wrong decisions that will be very costly in a later phase.
SME migrating to IaaS with several duration periods in the Agreement
This SME is migrating its infrastructure to the IaaS of a major CSP. Being a software company itself does not necessarily mean it has the knowledge needed for migrating to the SaaS. And, to start with, in order to make a good proposal and business model based on subscription fees, this SME needs to know which different duration periods apply and what their financial, technical and operational consequences are. In this case, for example: (i) the MSA is for an indefinite period starting on the day of signing; this is the first duration period. (ii) The MSA is effective from the moment of signing, but only after implementation of the SaaS in general, and then the deployment for a customer, will a user be able to access the SaaS; on that date the one-year subscription between the SME and its customer starts. This is the second duration period. (iii) The subscription is based on the actual use of content, which means that the duration of use is shorter than the duration of the right of access. Two more for this use case: (iv) the data retention period during which the CSP is required by law to retain certain data, and (v) the period during which the SME and its customers are entitled to extract and export data.
CSP allowing Data Access for Law Enforcement
This use case comes from an SME CSP that is quite advanced and knowledgeable about data access requests by authorities, and its do's and don'ts are worth considering. Most CSPs do not know what to do if a government authority requests access to data, and may grant the authority the wrong access without assessing the request. Generally, the scope of a formal access request is too broad rather than detailed, because the authority does not yet know exactly what data it needs. However, fishing expeditions by government authorities are not allowed. CSPs need to check the scope of the access request and should provide as little information and access as possible, keeping in mind the contractual, ethical and trust relationship they have with their CSC. A CSC expects a CSP to stand up for the CSC's rights. Furthermore, if a CSP grants access within the scope of the request, it should not cause more data protection infringements than strictly necessary. Any CSC, SMEs included, should request the CSP's own detailed data access policy, including its processes and consequences.
SME looking for Information Security Incident Management
Given an above-average awareness of security breaches in its sector, the financial services industry, this SME is quite concerned about keeping its data safe while also complying with current and upcoming regulation. With all the coverage of security incidents in the newspapers, every SME should be keen on managing those incidents, and this SME actually is. Besides that, new regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive, with their dauntingly high penalties, are a trigger as well. However, it is not easy for the SME to obtain from the CSP the in-depth information it needs to assess the risks: how breach notification is handled, to what extent and how fast, and how incidents are managed and repeat incidents avoided.
CSP providing Data Portability: Vendor Lock-In of SaaS CRM Applications
A European SME that formerly used a CRM SaaS to keep track of its customer relationship management and sales cycle wanted to move part of its data to another account in the same CRM SaaS and, when that did not work out, to move that data to another CSP. This in turn requires the ability to migrate data between different environments or providers. However, the former CRM SaaS specified nothing on data portability: the data format, exactly which data could be migrated and which could not, or whether metadata would be included. The SME settled for getting part of its data out in a structured, workable way; the remainder could not be extracted or otherwise exported in a suitable way, so that data and the related analytics were essentially lost.
CSP migrating Data between Different Jurisdictions
Since each country, both within and outside the European Union, has different laws and regulations on personal data protection, the locations where the SME is active are relevant, as is the location of the CSP's servers. This case concerns an SME active in a dozen countries that wishes to migrate its HR data, almost 100% of which is personal data, to cloud services. In some jurisdictions, such HR data is even specifically regulated by law. If an entity of the SME is based in Russia and the headquarters is within the European Union, local law does not allow personal data, including HR data, to be stored outside Russia. The CSP's server should then be based in Russia, and in some cases the CSP will cooperate with a local data centre while a back-up copy is stored at a data location in the European Union. This is not only relevant for Russia; the same applies to Germany, for example. This SME segmented its data in advance and, together with its legal counsel, architected where which data is to be stored and what back-up mechanisms should apply, and successfully opened the dialogue with the relevant CSP.
An SME terminating a Contract with a CSP
The case is simple and will happen to all CSCs: an SME wishes to terminate its MSA with a CSP and then starts thinking about whether, and to what extent, the CSP will delete its data once the SME has extracted and exported as much of that data as possible. This SME, like others, finds out that nothing has been arranged for, and is left in the dark.
CSP providing Data Services for the Health Sector
An SME in the health sector has built its SaaS application on the IaaS/PaaS of a CSP. Anyone in the health sector has to comply with mandatory sectoral standards and needs certain certifications. Furthermore, since this SME processes sensitive personal data, it also needs to encrypt that data in light of the applicable personal data protection regulations in the EU. Even though many CSPs have such specific certifications, encryption options and back-up options, in most cases the layers of the provided IaaS/PaaS in which the customer of the SaaS CSP processes its sensitive and other data do not fall under these certifications, nor under encryption and back-up by default. This SME made the mistake of trusting that the provided certifications applied to that use, when they did not.
CSP Providing Services Under Different Regulations
A choice of law clause is a contract term in which the parties specify that any dispute arising under the SLA shall be governed by the laws of a particular jurisdiction. Since most major CSPs are headquartered in the United States of America, many of them have designated the law of the state where they are headquartered as the governing law of the agreement. The SME did its due diligence on which CSP would best fit its SaaS and business ambitions with regard to the provided IaaS. However, it did not notice the choice of law governing the SLA. As the SME provides its SaaS to end-users who are consumers in the EU member state where it is based, it is obliged to provide the services under the laws of that member state, including consumer rights provisions. Therefore, the supply chain is not workable for this SME, as it cannot hold its IaaS supplier accountable or responsible if certain issues arise. The SME bears the full liability towards its end-users without any recourse, which has happened several times to this SaaS SME.
CSP Changing SLA at Operation Time
An SME has built its own SaaS on the PaaS infrastructure of a major CSP. The SME provides its SaaS to its customers under its own Master Service Agreement, Terms and Conditions and SLA. However, the SaaS SME did not notice that the PaaS CSP is contractually entitled to unilaterally change the PaaS service offerings and the conditions in the SLA, because the SME ticked the box while registering online without taking the time to assess the SLA and related terms. The CSP has now invoked this right to lower the uptime and level of redundancy. As a result, the SME's SaaS cloud services can no longer meet the service level it has granted to its own customers. Migrating the application to the PaaS of another CSP would be a very time-consuming and costly task. Roles: the Cloud Service Provider as PaaS provider, the SME as Cloud Service Partner, and the SME's customers as Cloud Service Customers.
User type: NA