Standardisation for SLAs of cloud outsourcing agreements
The European Commission has issued standardisation guidelines for cloud computing service level agreements. Their goal is to improve consistency in service level agreements at the global level, for use by entities that intend to enter into outsourcing agreements with cloud providers.
The guidelines, available here, were drafted by the Cloud Select Industry Group, which includes representatives of companies such as Amazon, Google, IBM, Microsoft, SAP and Salesforce. They contain a number of recommendations that will now be tested and might in the future be incorporated into the standards of the International Organisation for Standardisation (ISO).
I have already covered some of the issues affecting service level agreements and liquidated damages / penalties in outsourcing agreements in the post available here, and some of those issues are also relevant to cloud computing agreements. The guidelines from the European Commission, however, are very useful recommendations for the drafting of outsourcing agreements of this kind, not just in Europe but in any jurisdiction.
Below is a summary of the main recommendations:
- Performance service level objectives. These objectives relate to:
  - availability of the system, in terms of its accessibility and usability by authorised persons;
  - response time of the cloud service provider to requests from a cloud service customer;
  - capacity of some properties of a cloud service. This parameter might be linked to the data storage capacity, but for instance I have recently negotiated cloud outsourcing agreements where the parameter of reference was linked to the number of users that could be simultaneously connected to the system;
  - support, which relates to the provision of maintenance services in outsourcing agreements and is measured on the basis of the support hours (e.g. 24×7), the response time and the resolution time; and
  - termination, concerning some of the issues on termination and migration in outsourcing agreements covered in the post available here. This service level objective requires specifying the data retrieval period, i.e. the time available to the customer to obtain a copy of the cloud service customer data before they are deleted following termination; the data retention period, i.e. the period during which the cloud service provider will retain a copy of the stored data during the termination process; and the residual data retention, i.e. the data that the cloud service provider can retain even after the end of the termination process, for instance for regulatory purposes.
- Security service level objectives are crucial in outsourcing agreements, which often involve the collection of sensitive confidential data. As covered in the post available here, security obligations become even more relevant if personal data are stored, and more still in the case of big data projects, including those pertaining to the Internet of Things and wearable technologies. In this context, the following should be considered:
  - service reliability, relating to the proper functioning of the service, including its ability to deal with failures, loss of data and loss of service, also through an adequate level of redundancy;
  - authentication and authorisation, which include the measures adopted to authenticate users, to revoke user access, to protect the cloud service user access credentials, and any support for third-party authentication;
  - cryptography, which pertains to the measures adopted to transform data in order to prevent unauthorised access to them;
  - security incident management and reporting, encompassing the percentage of timely incident reports, of timely incident responses and of timely incident resolutions;
  - logging and monitoring, which concern the logging parameters, i.e. the data collected in log files; the log access availability, i.e. the log file entries made available to the cloud service customer, which also has a considerable impact in relation to labour laws that in countries like Italy are very restrictive on practices involving the monitoring of employees, as covered in the post available here; and the retention periods of log files;
  - auditing and security verification, which might consist of an audit right for the customer or of the provision of certifications of compliance with standards;
  - vulnerability management, relating to the percentage of timely vulnerability corrections and the related reports; and
  - service changes, which relate to changes in the way services are offered during the life of the contract, e.g. updates or changes of interfaces, and which are measured by the notice period to be granted to customers and the number of change notifications reported.
- Data management service level objectives, relating to the way data are handled during their life cycle, pertain to:
  - data classification, relating to the distinction among customer data, provider data and derived data, i.e. data generated through the provision of the service, such as login data;
  - customer data mirroring, backup and restore, which pertain to the creation of copies of data such as backup copies. In this respect, backup frequency, backup retention time, maximum data restoration time and the percentage of successful data restorations, including disaster recovery measures, are all very relevant service levels;
  - data lifecycle, which relates to the way data that are no longer relevant shall be handled. Indeed, also because of data protection law restrictions, data cannot be stored for an undefined period of time. In this respect, the way data are deleted, the percentage of timely effective deletions and the percentage of tested storage retrievability are all quite relevant; and
  - data portability, which concerns the possibility for the customer to export the data in order to use them with a new supplier; for this purpose the format of portable data, the interface through which data can be transferred and the rate of transfer are all relevant.
- Personal data protection service level objectives, which I have already extensively covered in several posts, such as the one available here.
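Several of the objectives above are expressed as percentages (timely incident reports, responses and resolutions; timely vulnerability corrections; successful restorations within the maximum restoration time), and a customer that wants to verify a provider's SLA report needs an agreed way of computing them. The script below is an added example, not part of the guidelines or of this post: the targets (report within 24 hours, respond within 4 hours, resolve within 72 hours, per-severity correction deadlines, a 4-hour maximum restore time) and every incident, vulnerability and restore record are constructed for illustration, and how open-but-not-yet-due vulnerabilities are treated is an assumption that a real contract would have to settle.

```python
"""Compute SLO attainment percentages of the kind the guidelines name from
constructed sample records (targets and records are illustrative assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def pct(hits: int, total: int) -> float:
    """Percentage of hits over total; 0.0 when there is nothing to measure."""
    return 100.0 * hits / total if total else 0.0


@dataclass
class Incident:
    ident: str
    detected: datetime   # provider became aware of the incident
    reported: datetime   # customer was notified
    responded: datetime  # provider started handling it
    resolved: datetime   # service and data back to normal


@dataclass
class IncidentTargets:
    report_within: timedelta   # detection -> customer notification
    respond_within: timedelta  # notification -> first response
    resolve_within: timedelta  # detection -> resolution


def incident_attainment(incidents: List[Incident], t: IncidentTargets) -> Dict[str, float]:
    """Share of incidents reported, responded to and resolved within target."""
    n = len(incidents)
    reports = sum(1 for i in incidents if i.reported - i.detected <= t.report_within)
    responses = sum(1 for i in incidents if i.responded - i.reported <= t.respond_within)
    resolutions = sum(1 for i in incidents if i.resolved - i.detected <= t.resolve_within)
    return {
        "timely_report_pct": pct(reports, n),
        "timely_response_pct": pct(responses, n),
        "timely_resolution_pct": pct(resolutions, n),
    }


@dataclass
class Vulnerability:
    ident: str
    severity: str
    disclosed: datetime
    fixed: Optional[datetime]  # None while still open


def vulnerability_attainment(vulns: List[Vulnerability], deadlines: Dict[str, timedelta],
                             as_of: datetime) -> Dict[str, float]:
    """Timely corrections as a share of items that are fixed or already overdue.
    Assumption: an open item still inside its window is pending, not a miss."""
    due = timely = pending = 0
    for v in vulns:
        deadline = v.disclosed + deadlines[v.severity]
        if v.fixed is not None:
            due += 1
            if v.fixed <= deadline:
                timely += 1
        elif as_of > deadline:
            due += 1  # open and overdue counts against the provider
        else:
            pending += 1
    return {"timely_correction_pct": pct(timely, due), "due": due, "pending": pending}


@dataclass
class RestoreTest:
    succeeded: bool
    duration: timedelta


def restore_attainment(tests: List[RestoreTest], max_restore: timedelta) -> Dict[str, float]:
    """Successful restores, and successful restores within the maximum restoration time."""
    n = len(tests)
    ok = [r for r in tests if r.succeeded]
    within = [r for r in ok if r.duration <= max_restore]
    return {"successful_restore_pct": pct(len(ok), n),
            "restore_within_target_pct": pct(len(within), n)}


# Constructed sample data (illustrative, not real provider figures).
D, H = datetime, timedelta
INCIDENTS = [
    Incident("INC-1", D(2024, 3, 1, 8), D(2024, 3, 1, 8, 30), D(2024, 3, 1, 9), D(2024, 3, 2, 8)),
    Incident("INC-2", D(2024, 3, 5, 10), D(2024, 3, 7, 10), D(2024, 3, 7, 15), D(2024, 3, 10, 10)),
    Incident("INC-3", D(2024, 3, 9, 0), D(2024, 3, 9, 6), D(2024, 3, 9, 14), D(2024, 3, 9, 20)),
    Incident("INC-4", D(2024, 3, 12, 12), D(2024, 3, 12, 12, 10), D(2024, 3, 12, 12, 40), D(2024, 3, 13, 12)),
]
TARGETS = IncidentTargets(H(hours=24), H(hours=4), H(hours=72))
VULNS = [
    Vulnerability("V-1", "critical", D(2024, 2, 1), D(2024, 2, 5)),
    Vulnerability("V-2", "high", D(2024, 2, 1), D(2024, 3, 10)),
    Vulnerability("V-3", "medium", D(2024, 2, 15), None),
    Vulnerability("V-4", "critical", D(2024, 3, 20), None),
    Vulnerability("V-5", "high", D(2024, 1, 10), D(2024, 1, 30)),
]
DEADLINES = {"critical": H(days=7), "high": H(days=30), "medium": H(days=90)}
AS_OF = D(2024, 3, 31)
RESTORES = [RestoreTest(True, H(hours=2)), RestoreTest(True, H(hours=5)), RestoreTest(False, H(hours=6)),
            RestoreTest(True, H(hours=1)), RestoreTest(True, H(hours=3, minutes=30))]
MAX_RESTORE = H(hours=4)

if __name__ == "__main__":
    print(incident_attainment(INCIDENTS, TARGETS))
    print(vulnerability_attainment(VULNS, DEADLINES, AS_OF))
    print(restore_attainment(RESTORES, MAX_RESTORE))
```

The point of writing the measurement down is that each percentage depends on definitions the contract must fix: which timestamp counts as "detection", whether the response clock starts at detection or at notification, and whether an open vulnerability that is still inside its correction window is excluded from the denominator (as assumed here) or counted as a miss. Agreeing these before the reports arrive avoids the argument afterwards.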
This is a very interesting topic and as usual feel free to contact me, Giulio Coraggio to discuss. Also, if you want to receive my newsletter, please join my LinkedIn Group or my Facebook page. And follow me on Twitter, Google+ and become one of my friends on LinkedIn.
Image courtesy of Flickr by Trafalgar Lio
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.