Cloud Gal 42

Cloud Service Agreement

June 3, 2021 | May 26, 2021 by admin

There are thousands of cloud service providers in the marketplace with hundreds being added every day. Since there are no industry-wide required governance standards or service descriptions, the cloud service customer must closely review and understand the following cloud service contractual documents. Although details will vary, cloud service providers should always offer a cloud customer agreement, an acceptable use policy, and a service-level agreement.

Cloud Service Agreement (CSA)

The CSA describes the overall relationship between the customer and provider. Since service management includes the processes and procedures used by the cloud provider, explicit definitions of the roles, responsibilities, and execution of processes need to be formally agreed upon. The customer agreement fulfills this need. Various synonyms such as master agreement, terms of service, or simply agreement may be used by certain providers.

In evaluating the CSA, consumers must:

  1. Understand roles and responsibilities
  2. Evaluate business-level policies
  3. Understand service and deployment model differences
  4. Identify critical performance objectives
  5. Evaluate security and privacy requirements
  6. Identify service management requirements
  7. Prepare for service failure management
  8. Understand the disaster recovery plan
  9. Develop an effective governance process
  10. Understand the exit process

Acceptable Use Policy (AUP)

The acceptable use policy prohibits activities that providers consider to be an improper or outright illegal use of their service. This is one area of a CSA where there is considerable consistency across cloud providers. Although specific details of acceptable use will vary among IaaS, SaaS, and PaaS providers, the scope and effect of these policies are the same, and these provisions typically generate the least concern or resistance.

Service-Level Agreement (SLA)

Think of a rule book and legal contract—that combination is what you have in a service-level agreement (SLA). Some go so far as to call it the prenup (prenuptial agreement between yourself and your provider). Let us not underestimate or downplay the importance of this document/agreement. In it, the minimum level of service, availability, security, controls, processes, communications, support, and many other crucial business elements are stated and agreed to by both parties.

Many may argue that the SLAs are heavily weighted in favor of the cloud service provider, but there are a number of key benefits when compared with traditional environments or “in-house IT.” These include downtime, upgrades, updates, patching, vulnerability testing, application coding, test and development, support, and release management. Many of these force the provider to take these areas and activities very seriously, as failing to do so will impact their bottom line.

NOTE: Not all SLAs cover the areas or focus points you may have issues or concerns with. Where an SLA does not cover them, every effort should be made to obtain clarity prior to engaging with the cloud service provider. If you think it is time-consuming moving to cloud environments, wait until you try to get out!

The SLA also describes levels of service using various attributes such as availability, serviceability, or performance. The SLA specifies thresholds and financial penalties associated with violations of these thresholds. Well-designed SLAs can significantly contribute to avoiding conflict and can facilitate the resolution of an issue before it escalates into a dispute. It serves as both the blueprint and warranty for cloud computing services. Its purpose is to document specific parameters, minimum service levels, and remedies for any failure to meet the specified requirements. It should also affirm data ownership and specify data return and destruction details. Other important SLA points to consider include the following:

  1. Cloud system infrastructure details and security standards
  2. Customer right to audit legal and regulatory compliance by the CSP
  3. Rights and cost associated with continuing and discontinuing service use
  4. Service availability
  5. Service performance
  6. Data security and privacy
  7. Disaster recovery processes
  8. Data location
  9. Data access
  10. Data portability
  11. Problem identification and resolution expectations
  12. Change management processes
  13. Dispute mediation processes
  14. Exit strategy

Customers should read the cloud provider’s SLA very carefully and validate it against common outage scenarios. Organizations should also have contingency plans in place to support worst-case scenarios.
