The cloud service models (IaaS, PaaS, SaaS, etc.) offer new paradigms of computing resources and IT-enabled capabilities for all types of organizations. IT industry experts claim that over 80% of enterprises have adopted some cloud service in their organization. The key term ‘service’ in cloud computing creates the need for contracts, called service level agreements (SLAs), between the client organization and the cloud service provider (CSP). Companies have used SLAs for a long time, especially when hiring a third-party service provider to manage some of their business operations. SLAs ensure that the consumer receives all the contracted services as agreed by the provider and, of course, gets their money’s worth.
Likewise, when an organization decides to hire cloud services for its IT needs, SLAs come into play to make sure the services offered by the CSP are delivered as promised. The SLA has become a prerequisite of cloud business strategy and provides a series of rules and directives that cloud consumers must follow to evaluate and negotiate terms with the CSP. It describes a set of non-functional requirements of cloud services. An example of an SLA term is the return of operations (RTO) in case of any service failure in the cloud.
A cloud SLA is imperative for several compelling reasons:
- Ensure availability and uptime
- Specific performance benchmarks to compare actual cloud performance
- Availability of usage statistics for the consumer
- Informing consumers of scheduled changes in advance (e.g., maintenance downtimes)
- Help desk and support to resolve specific issues
- Clarifying the scope of resources used in the cloud service of interest
SLAs are the means of documenting cloud services between the CSP and consumer and play a major role for the following reasons:
- Roles and Responsibilities: Consumers must understand the roles, responsibilities and business relationships between them and the CSP. For example, an indirect actor, the cloud carrier, is an entity providing the carrier or transport for cloud services between the CSP and the consumer. In this scenario, the SLA must cover provisioning of an alternative carrier in case of non-availability or an outage with one carrier. According to the NIST (National Institute of Standards and Technology) reference architecture, the actors involved in cloud are the Consumer, CSP, Auditor, Broker and Carrier, each with a unique role. Cloud consumers must recognize and understand the activities and roles of each entity or service in the cloud as explained by the CSP, including their own set of responsibilities.
- Examine Business Level Policies: Business level SLAs define the guarantees provided by the CSP (for example, 99.99% uptime, measurable performance and usage, etc.). The acceptable use policy is a business level SLA statement in which the CSP describes how the service should be used, the list of services not covered, and excess usage. Normally, the CSP will encourage the consumer to buy only the resources required for their business. Other policies include payment and penalty models, activation, renewals, transferability, sub-contracted services, licensed software, industry-specific standards and support.
- Data Level Policies: Data level policies are critical in an SLA. Here the CSP explains how the consumer’s data is governed and protected in the local jurisdiction or in other locations where the data will reside or be made available. Consumers must carefully evaluate the legal requirements for how the SLA handles the movement of data when multi-site storage in different jurisdictions is offered for redundancy. The other critical SLAs in data level policies include Data Preservation – backup, restore, redundancy, etc.; Data Locations – will verify data locations for consumers; Data Privacy – defines how consumer data is secured and used; Data Seizure – in some circumstances the data can be seized by government agencies, etc. Therefore, data level policies in the SLA are the most critical policies and must be evaluated thoroughly by consumers.
- Service and Deployment Model Differences: Service models are categorized as IaaS, PaaS and SaaS. The service models in cloud are unique in terms of service delivery and are defined with unique SLAs. Likewise, the cloud deployment models are private, public and hybrid clouds, each of which has a unique set of SLAs. According to the Cloud Standards Customer Council (CSCC), consumers should understand the nuances of service and deployment models and their corresponding SLAs because their value and risk vary significantly.
- Describe Objectives for Critical Performance: Performance objectives in the SLA relate to efficiency, accuracy and service delivery. Performance statements in the SLA help consumers measure and audit different aspects of cloud performance. Performance metrics depend on the service model (IaaS, PaaS or SaaS). For example, performance considerations for IaaS will include network and compute and so on.
- Security and Privacy Considerations: SLAs related to security and privacy considerations deal with information assets – data, applications, functions and processes – and can be defined based on the criticality and sensitivity of consumer data. Normally, CSPs offer global security standards defined in standards such as ISO, COBIT, ITIL, etc. The SLA will also cover alternative actions in case of security breaches or data loss for the consumer.
In addition to the above roles, SLAs also define areas such as disaster recovery, service management, auditing, self-service metering and provisioning, solutions for service failure, remedies and limitations in cloud services. SLAs also state the exit processes followed in case a consumer wishes to discontinue service with a provider.