Cloud SLAs Require Extra Attention

Cloud computing can sometimes seem to simple, and, when it comes to service level agreements, that’s not necessarily a good thing.

IT managers are used to covering all their bases in service contracts – a mile or so long in paper – for technology providers. The contracts typically cover:

– pricing and benchmarks

– processes and procedures

– security and business continuity requirements

– clauses that spell out the rights and responsibilities of the IT services supplier and customer.

Yet, sometimes, cloud computing service contracts can be extremely short (although that might seem a welcome gift)…and vague. “Failure to understand the true meaning of the cloud and to address the serious legal and contractual issues associated with cloud computing can be catastrophic,” says Daniel Masur, a partner in the Washington, D.C. office of law firm Mayer Brown, quoted in a recent article about cloud agreements. “The data security issues are particularly challenging, and failure to address them in the contract can expose a customer to serious violations of applicable privacy laws.”

On the other hand, if you listen to cloud service providers, they’ll tell you that simplicity is the whole point of the cloud. They offer low-cost, instantly available, pay-per-use options for everything from infrastructure on-demand, to desktop support, to business applications by pooling resources. Meanwhile, the responsibility for issues like data location or disaster recovery remains with you – the client.

But you don’t have to accept this situation – because it may not always be right for you. It depends on what you’re using the cloud for. As the article points out, demand a tighter service contract if you’re employing the cloud for mission-critical systems, employees’ personal data (which is often regulated by governments around the world) and sensitive business intelligence, it’s a good idea to get the legal department or general counsel involved.

What kind of SLA considerations should you look for in this case? First of all, consider a private cloud. Other considerations: guarantees and details on data encryption, geographic restrictions, and other terms.

Yet, for non-core apps or services that typically involve routine, non-sensitive data, looser contract terms with a lower price might be just the thing and perfectly acceptable.

Typical Mistakes

Major mistakes that new cloud services customers often make is when they assume a vendor’s contract provides adequate customer protection or that there’s no room to negotiate at all. “Many prospective customers assume incorrectly that cloud contracting is very similar to traditional IT contracting and either fail to address the issues unique to cloud computing, such as data privacy and compliance issues, or do so in a manner that increases their price without delivering commensurate value,” said Masur, in the article.

I know that when I speak with customers who are checking out our SLA monitoring service, I often hear stories that would make your hair curl – about a general lax attitude toward meeting and reporting on these basic service guarantees. And if customers require more from their cloud service provider, that can often mean higher pricing from those vendors.

If you want to beef up your standard cloud vendor agreement, use your traditional IT outsourcing contract as a model. Despite the lack of standard best practices in cloud contracting, your traditional IT contract can guide you with a list of standard engagement provisions, including:

– privacy and security standards,

– regulatory and compliance issues,

– service level requirements and penalties,

– change management processes,

– business continuity procedures,

– mandatory flow-down of all terms to subcontractors,

– termination rights.

Software licensing terms, too, offer useful guidelines for SaaS deals.

When engaging with a cloud vendor, take the time to consider which services need appropriate levels of guarantees. And use cloud platform and SLA monitoring to independently track and safeguard your data.