Making Cloud SLAs readily usable in the EU private sector

Execution & Operation

This phase includes the actual start of setting up the cloud services, populating the respective cloud service with relevant data, on boarding and training users, setting up communication channels and further operational activities while using the respective cloud services.

Performance metrics

In the SLAs we analysed, the uptime or availability of the service is the only term present in all documents with Cloud Service Providers increasing the levels of availability (from 99.95% to 99.99% and in one case 100%).

It is important to highlight that from a Cloud Service Customer perspective this guarantee should be analysed based on the type of service it applies, and most importantly to the type of business the service is essential. Otherwise it can be meaningless. For instance, 99.95% monthly availability only permits about 21 minutes of downtime (and in most cases 99.9% with a 40 minutes period of downtime), that can correspond to large money loss for a company if it happens during the most critical period for the business. While these percentages can be very promising for most of the business using the Cloud, it might be critical for a business that needs reliability of the infrastructure of the Cloud services in general to function correctly. The compensation of the CSP in such cases is only in service credit percentage.

As stated by Michael Allen (Solutions VP, Dynatrace): Service providers should address these concerns by sharing performance metrics beyond basic availability and uptime with their customers. It’s not enough to simply keep tabs on whether all the lights are on in the data centre; Cloud providers need to offer insight into IT performance from an outside-in perspective so that they can monitor how their Cloud infrastructure is impacting on their customers and report back to them transparently. 

Security and Privacy

There is a large gap for security and privacy terms in SLAs. Security is typically contemplated in the SLA documents or agreements regulating the contract in a qualitative form, not expressing any clear information about the type of security measure, the maximum response time to incidents, or the impact of security breaches to services for customers.

This lack of detail does not offer any valuable means for customers to judge how their applications and data are duly protected and what the risks of using Cloud services. Until the adoption of the European Data Protection regulation, the Acceptable User Policies continues to regulate all information the CSC gives the CSP, even for accessing services. For now, the lack of flexibility and security features CSPs could guarantee is a barrier towards the trust on Cloud services.

According to the 451 Research: SLAs are just marketing tools: guarantees give consumers faith that the service provider can deliver, and service credits make them believe they can ‘punish’ the provider if the provider lets them down. But in reality, service providers structure their contracts so they have much to gain, and little to lose, if something goes wrong. Although SLAs may provide an indication of a service’s performance, enterprises must remember that downtime, poor performance, security breaches and data losses are their risks to bear. End users must evaluate the risks, against the costs and the benefits, and plan accordingly.