A cloud SLA (cloud service-level agreement) is an agreement between a cloud service provider and a customer that ensures a minimum level of service is maintained. It guarantees levels of reliability, availability and responsiveness to systems and applications; specifies who governs when there is a service interruption; and describes penalties if service levels are not met.
A cloud infrastructure can span geographies, networks and systems that are both physical and virtual. While the exact metrics of a cloud SLA can vary by service provider, the areas covered are uniform:
- volume and quality of work (including precision and accuracy);
- responsiveness; and
The SLA document aims to establish a mutual understanding of the services, prioritized areas, responsibilities, guarantees and warranties provided by the service provider. It clearly outlines metrics and responsibilities among the parties involved in cloud configurations, such as the specific amount of response time to report or address system failures.
A cloud SLA is imperative for several compelling reasons:
- Ensuring availability and uptime
- Setting specific performance benchmarks against which to compare actual cloud performance
- Making usage statistics available to the consumer
- Informing consumers of scheduled changes in advance (e.g., maintenance downtimes)
- Providing help desk and support to resolve specific issues
- Clarifying the scope of resources used in the cloud service of interest.
Cloud Computing SLA Basics
Customers will provide their key performance indicators (KPIs), and the customer and provider will negotiate related service level objectives (SLOs). Automated policies enforce processes to meet the SLOs, and issue alerts and reports when an agreed-upon action fails.
Cloud computing providers will usually have standard SLAs. IT should review them along with their legal counsel. If the SLAs are acceptable as is, sign them and you're done. However, companies at any stage of cloud adoption will likely want to negotiate specific requirements into their SLAs, as the vendor SLA will be in favor of the provider. Be especially careful about general statements in the standard SLA, such as stating the cloud's maximum amount of customer computing resources, but not mentioning how many resources are already allocated.
Not every cloud computing provider will automatically agree to your requirements, but most customers can make good-faith negotiated agreements with providers. Quality of service depends on knowing what you need and how they will provide it.
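One way a consumer could track an availability SLO from its own outage records, as an added example that is not part of the original article or any provider's tooling. It assumes the 99.99% uptime figure the article cites as a sample guarantee, and assumes that announced maintenance windows are excluded from counted downtime; the function names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

def merge(intervals):
    """Merge overlapping (start, end) intervals so no downtime is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def subtract(intervals, exclusions):
    """Cut excluded windows out of outage intervals (exclusions sorted, merged)."""
    kept = []
    for start, end in intervals:
        cursor = start
        for ex_start, ex_end in exclusions:
            if ex_end <= cursor or ex_start >= end:
                continue
            if ex_start > cursor:
                kept.append((cursor, ex_start))
            cursor = max(cursor, ex_end)
        if cursor < end:
            kept.append((cursor, end))
    return kept

def evaluate(period_start, period_end, outages, maintenance, slo_percent=99.99):
    """Compare counted downtime in the period with the budget the SLO allows."""
    def clip(ivs):
        return [(max(s, period_start), min(e, period_end))
                for s, e in ivs if s < period_end and e > period_start]
    counted = subtract(merge(clip(outages)), merge(clip(maintenance)))
    downtime = sum((e - s for s, e in counted), timedelta())
    total = period_end - period_start
    budget = total * (1 - slo_percent / 100)
    return {"downtime": downtime, "budget": budget,
            "availability": 100 * (1 - downtime / total),
            "breach": downtime > budget}

# Constructed sample data (UTC): a 30-day billing month.
START, END = datetime(2024, 4, 1), datetime(2024, 5, 1)
OUTAGES = [
    (datetime(2024, 4, 3, 10, 0), datetime(2024, 4, 3, 10, 3)),
    (datetime(2024, 4, 3, 10, 2), datetime(2024, 4, 3, 10, 5)),    # overlaps the first
    (datetime(2024, 4, 15, 1, 58), datetime(2024, 4, 15, 2, 30)),  # runs into maintenance
]
MAINTENANCE = [(datetime(2024, 4, 15, 2, 0), datetime(2024, 4, 15, 3, 0))]

if __name__ == "__main__":
    print(evaluate(START, END, OUTAGES, MAINTENANCE))
```

At 99.99% a 30-day month allows about 4 minutes 19 seconds of downtime, so whether overlapping alerts are merged and how maintenance is treated decides whether a period counts as a breach.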
SLAs are the means of documenting cloud services between the cloud service provider (CSP) and the consumer, and they play a major role for the following reasons:
Roles and Responsibilities: Consumers must understand the roles, responsibilities and business relationships between themselves and the CSP. For example, a cloud carrier is an indirect actor that provides the carrier or transport for cloud services between the CSP and the consumer. In this scenario, the SLA must cover provisioning of an alternative carrier in case of non-availability or an outage with one carrier. According to the NIST (National Institute of Standards and Technology) reference architecture, the actors involved in the cloud are the Consumer, CSP, Auditor, Broker and Carrier, each with a unique role. Cloud consumers must recognize and understand the activities and roles of each entity or service in the cloud as explained by the CSP, including their own set of responsibilities.
Examine Business Level Policies: Business-level SLAs define the guarantees provided by the CSP (for example, 99.99% uptime, measurable performance and usage, etc.). The acceptable use policy is a business-level SLA statement in which the CSP describes how the service should be used, the list of services not covered and excess usage. Normally, the CSP will encourage the consumer to buy only the resources required for their business. Other policies include payment and penalty models, activation, renewals, transferability, sub-contracted services, licensed software, industry-specific standards and support.
Data Level Policies: Data-level policies are critical in an SLA. Here the CSP explains how the consumer's data is governed and protected in the local jurisdiction or in other locations where the data will reside or be made available. Consumers must carefully evaluate the legal requirements for how the SLA handles movement of data when multi-site storage in different jurisdictions is offered for redundancy. The other critical SLA items in data-level policies include: Data Preservation – backup, restore, redundancy, etc.; Data Locations – verification of data locations for consumers; Data Privacy – how consumer data is secured and used; Data Seizure – in some circumstances the data can be seized by government agencies, etc. Data-level policies are therefore the most critical policies in the SLA and must be evaluated thoroughly by consumers.
Service and Deployment Model Differences: Service models are categorized as IaaS, PaaS and SaaS. The service models in the cloud are unique in terms of service delivery and are defined with unique SLAs. Likewise, the cloud deployment models are private, public and hybrid clouds, each of which has a unique set of SLAs. According to the Cloud Standards Customer Council (CSCC), consumers should understand the nuances of service and deployment models and their corresponding SLAs because their value and risk vary significantly.
Describe Objectives for Critical Performance: Performance objectives in an SLA relate to efficiency, accuracy and service delivery. Performance statements in the SLA help consumers measure and audit different aspects of cloud performance. Performance metrics depend on the service model (IaaS, PaaS or SaaS). For example, performance considerations for IaaS will include network and compute, and so on.
Security and Privacy Considerations: SLA terms related to security and privacy deal with information assets (data, applications, functions and processes) and can be defined based on the criticality and sensitivity of consumer data. Normally, CSPs offer global security standards as defined in standards such as ISO, COBIT, ITIL, etc. The SLA will also cover alternative actions in case of security breaches or data loss for the consumer.
An SLA is key to protecting your organization and ensuring a successful relationship with your provider. Mutual understanding of performance standards is important for establishing a positive experience for all involved parties. Any service provider you choose should be more than happy to create an SLA with you. However, having an SLA isn't enough. Always remember to review the contract as your business grows or changes. Your needs may change over time, and your SLA should always reflect your organization's evolving needs.