1. Public Cloud Service Agreements:
What to Expect & What to Negotiate
V2.0
http://www.cloud-council.org/deliverables/public-cloud-service-agreements-what-to-expect-and-what-to-negotiate.htm
July 28, 2016
2. © 2016 Cloud Standards Customer Council www.cloud-council.org 2
Today’s Speakers
Tracie Berardi
Program Manager, Cloud Standards Customer Council
Claude Baudoin
Principal, cébé IT & Knowledge Management
Energy Domain Consultant, OMG
Mike Edwards
Cloud Computing Standards Expert and Bluemix PaaS Evangelist, IBM
Long Wang
Research Staff Member, IBM T.J. Watson Research Center
John Bruylant
Business Cloud Broker, TheCloudTurbo
3. The Cloud Standards Customer Council
• Provide customer-led guidance to multiple cloud standards-defining bodies
• Establishing criteria for open standards based cloud computing
600+ Organizations participating
THE Customer’s Voice for Cloud Standards!
http://cloud-council.org
2011/2012 Deliverables
Practical Guide to Cloud Computing
Practical Guide to Cloud SLAs
Security for Cloud Computing
Impact of Cloud on Healthcare
2013/2014 Deliverables
Convergence of SoMoClo
Analysis of Public Cloud SLAs
Cloud Security Standards
Migrating Apps to Public Cloud Services
Social Business in the Cloud
Big Data in the Cloud
Practical Guide to Cloud Computing V2
Migrating Apps: Performance Rqmnts
Cloud Interoperability/Portability
2015 Deliverables
Web App Hosting Architecture
Mobile Cloud Architecture
Big Data Cloud Architecture
Security for Cloud Computing V2
Practical Guide to Cloud SLAs V2
Practical Guide to PaaS
2016 Projects
Prac Guide to Hybrid Cloud Computing
Public Cloud Service Agreements, V2
Cloud Security Standards, V2
IoT Cloud Reference Architecture
Commerce Cloud Reference Architecture
More
4. What’s New in V2?
V1 was published in 2013
The market has evolved – many new CSP entrants
Several public cloud service providers have updated their agreements
Hybrid cloud requires provisions for integrated management of multiple cloud services & on-premises resources
Data protection issues have become much more serious
Data residency is now often recognized as an issue
Several other changes based on the experience of new co-authors
5. Public Cloud Service Agreements: Current Landscape
CSA is comprised of four major artifacts:
• Customer Agreement
• Acceptable Use Policy
• Service Level Agreement
• Privacy Policies
Customers must pay close attention to CSA language and clauses
• Mismatch between expectations and service terms common
Service level commitments for IaaS better defined than SaaS or PaaS
Service levels more flexible and negotiable for private cloud than public cloud
Size matters
• Larger customers have more power to negotiate favorable terms
• Over time, changes imposed by larger customers trickle down to all customers
6. Companion whitepaper: Practical Guide to Cloud Service Agreements
A reference to help enterprise IT analyze CSAs
Available on CSCC Resource Hub: http://www.cloud-council.org/resource-hub.htm
10 Steps to Evaluate Cloud Service Agreements
1. Understand roles and responsibilities
2. Evaluate business level policies
3. Understand service and deployment model differences
4. Identify critical performance objectives
5. Evaluate security, privacy and data residency requirements
6. Identify service management requirements
7. Prepare for service failure management
8. Understand the disaster recovery plan
9. Define an effective management process
10. Understand the exit process
7. Step 1: Understand roles and responsibilities
Considerations
Acceptable Use Policy (AUP)
- primary artifact
- requires thorough review
• Content Prohibitions
• Security Prohibitions
• Service Integrity Prohibitions
• Rights of Others Prohibitions
AUPs have little consistency in wording although there is a clear pattern to the types of provisions they include
Recommendations
Customers should exercise caution and thoroughly review every provision before agreeing to an AUP:
• Clarity
• Brevity
• Completeness
• Focus
8. Step 2: Evaluate Business-Level Policies
Business Policies
Five specific policies, contained in provider’s Customer Agreement, are key:
• Data policies
• Changes to services, APIs or agreements
• Suspension of services
• Limitations of Liability
• Intellectual Property
Recommendations
Data Policy:
• CSA should specify physical location of content
• Provider should not access customer data unless required by law
Changes to Services, APIs, Agreements:
• Advance notice (30 days)
• Backward compatibility
Suspension of Services
• Advance notice (30 days)
• Sufficient time to address (60 days)
• Customer data will not be deleted
Limitations of Liability
• Compare Aggregate Liability and Indemnification/Disclaimer clauses
Intellectual Property
• Provider should notify customers in case of a third party’s claim of IP violation
9. Step 3: Understand Service & Deployment Model Differences
CSA contents vary according to the service model
Infrastructure as a Service (IaaS)
CSA is focused on availability of hardware and basic support for same
Customer is entirely responsible for all components running on the service, including applications but also operating systems, databases, etc.
Platform as a Service (PaaS)
Important to distinguish which capabilities are part of the platform, and which ones are not
Require a clear catalog of the supported services in the platform stack
Software as a Service (SaaS)
CSA should address end-to-end availability of application across all components supplied by the cloud provider
• Application
• Middleware
• Database
• Storage
• Computation
• Network access
• Security
Remember data protection for any personally identifiable information in customer data (“privacy”)
10. Step 4: Identify Critical Performance Objectives
Considerations
Performance goals have 4 key components:
• Service Commitments
• Credits
• Credit Process
• Exclusions
Service Commitments focus mainly on “Availability”
• Guarantees, Measurement Details & Observation Periods differ
Credits are compensation for missed service commitments
• Service credit calculations and maximum credit limits differ
Credit Process requires customer to take specific action to receive credit
• Reporting timeframe & required information differ
Exclusions similar across all CSAs
Recommendations
Carefully analyze service availability commitments & associated credits
Understand business impact of a single outage corresponding to maximum downtime
Analyze service credit calculations and maximum credit limits
Compare service credit processes
Examine commitment exclusions
Automate process for detecting and logging service outages
Look for API call response time service level objectives
SLA metrics are limited and no standards currently exist
11. Step 5: Evaluate Security, Privacy & Data Residency Requirements
Considerations
Security and privacy language often spread among several documents: all need to be checked
Most clauses obligate the customer to protect the provider, not the other way around
Impact of security breaches can be much larger than cost of the service
Provider’s security measures and certification(s) should be visible
Does the cloud provider commit to privacy of personally identifiable information contained in customer data?
Data residency commitments are increasingly important but often omitted
Recommendations
Security, privacy and data residency statements should be explicit
Customers should look for certifications
Providers should commit to specific physical and logical security practices
Provider must notify customer when data is handed over to third party / law enforcement
Look for emergency mechanisms to resolve security breaches
Insist provider investigates incidents with due diligence, and can restore deleted data
Provider must take measures to ensure privacy of personal information contained in customer data
Provider should know data residency and data protection laws/regulations, and offer options regarding where data is stored
12. Step 6: Identify service management requirements
Considerations
Organizations must monitor and manage cloud services they use
Don’t expect service agreements to specify much - be ready to perform your own due diligence
Aspects contributing to service management
• Auditing
• Monitoring and reporting
• Measurement & metering
• Provisioning
• Change management
• Upgrades & patching
Recommendations
Precisely define objectives and ensure provider offers adequate level of support
Understand service management capabilities available with cloud service
Consider cloud management platforms (CMPs) in a hybrid cloud situation
Consider provider’s commitments to stability of functionality over time
Ask for detailed and regular metrics on contracted services
Examine the definitions and potential impact of each service metric
Ask questions related to service management maturity
Retain in-house the service management expertise required to monitor and improve cloud service performance
13. Step 7: Prepare for service failure management
Considerations
There is typically little in current service agreements
Therefore, the burden is on the customer
Compensation is tied to the price of the service, not the impact on your business
Key failure management systems
• Event management
• Incident management
• Problem management
Failure Metrics
• Mean Time Between Failures (MTBF)
• Mean Time to Recover (MTTR)
• Mean Time to Failure (MTTF)
Recommendations
Insist provider offers an interface for sending failure and alert data
Ensure provider offers an interface to report failures to the provider
Insist provider offers an Expected Time to Resolution (ETR) for any service failure
Evaluate whether cloud services support resilience features such as replication, clustering, failover, etc.
Understand responsibilities and hand-off procedures
Confirm provider’s monitoring capabilities do not violate data privacy stipulations
Assess MTBF, MTTR, and MTTF to determine expected service downtimes
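The availability, credit and failure-metric points of Steps 4 and 7 are easier to reason about with numbers. The following is an added example, not part of the CSCC deck and not modeled on any particular provider's agreement: it scores a constructed outage log against an assumed 99.95% availability commitment, shows how the same outages pass or fail depending on the observation period (monthly vs. annual), converts the commitment into the maximum downtime the period can absorb, applies a hypothetical tiered credit schedule (CREDIT_TIERS), and estimates MTBF, MTTR and MTTF from consecutive outages. The log lines, the tiers and the 99.95% figure are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed outage log for the example (not from any real provider or
# monitoring system): one "start_iso,end_iso,description" line per outage.
OUTAGE_LOG = """\
2016-03-04T02:10:00,2016-03-04T02:52:00,api gateway unreachable
2016-03-19T14:00:00,2016-03-19T14:06:00,storage latency spike
2016-04-02T09:30:00,2016-04-02T10:00:00,control plane rollout
"""

# Hypothetical tiered credit schedule in the shape most CSAs use:
# (availability floor in %, credit as % of the period's fee), highest floor first.
CREDIT_TIERS = [(99.95, 0), (99.0, 10), (0.0, 30)]


@dataclass
class Outage:
    start: datetime
    end: datetime
    description: str

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_outages(text: str) -> list:
    """Parse the log into Outage records, sorted by start time."""
    outages = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, description = line.split(",", 2)
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if e <= s:
            raise ValueError(f"outage ends before it starts: {line}")
        outages.append(Outage(s, e, description))
    return sorted(outages, key=lambda o: o.start)


def downtime_in_window(outages, start: datetime, end: datetime) -> timedelta:
    """Sum of outage time inside [start, end); outages straddling an edge are clipped."""
    total = timedelta()
    for o in outages:
        clipped_start, clipped_end = max(o.start, start), min(o.end, end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total


def availability_pct(outages, start: datetime, end: datetime) -> float:
    """Availability over the observation period, as a percentage."""
    return 100.0 * (1.0 - downtime_in_window(outages, start, end) / (end - start))


def max_downtime(commitment_pct: float, start: datetime, end: datetime) -> timedelta:
    """Longest total outage the period can absorb while still meeting the commitment."""
    return (end - start) * ((100.0 - commitment_pct) / 100.0)


def credit_pct(availability: float) -> int:
    """Credit owed for the measured availability under CREDIT_TIERS."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def failure_metrics(outages) -> dict:
    """MTBF, MTTR and MTTF in hours, estimated from consecutive outages."""
    if len(outages) < 2:
        raise ValueError("need at least two outages to estimate MTBF and MTTF")
    pairs = list(zip(outages, outages[1:]))
    mttr = sum((o.duration for o in outages), timedelta()) / len(outages)
    mtbf = sum((b.start - a.start for a, b in pairs), timedelta()) / len(pairs)  # failure to next failure
    mttf = sum((b.start - a.end for a, b in pairs), timedelta()) / len(pairs)    # recovery to next failure

    def hours(td: timedelta) -> float:
        return td.total_seconds() / 3600

    return {"MTBF_hours": hours(mtbf), "MTTR_hours": hours(mttr), "MTTF_hours": hours(mttf)}


def evaluate_window(log_text: str, start_iso: str, end_iso: str, commitment_pct: float = 99.95) -> dict:
    """Score one observation period against an availability commitment."""
    outages = parse_outages(log_text)
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    avail = availability_pct(outages, start, end)
    return {
        "availability_pct": round(avail, 4),
        "downtime_minutes": downtime_in_window(outages, start, end).total_seconds() / 60,
        "max_downtime_minutes": round(max_downtime(commitment_pct, start, end).total_seconds() / 60, 2),
        "meets_commitment": avail >= commitment_pct,
        "credit_pct": credit_pct(avail),
    }


if __name__ == "__main__":
    # Same outages, two observation periods: the monthly window misses the
    # commitment and earns a credit, the annual window passes.
    for label, window in (("March 2016", ("2016-03-01", "2016-04-01")),
                          ("Year 2016", ("2016-01-01", "2017-01-01"))):
        print(label, evaluate_window(OUTAGE_LOG, *window))
    print(failure_metrics(parse_outages(OUTAGE_LOG)))
```

With this log, March 2016 carries 48 minutes of downtime against a 22.32-minute allowance at 99.95%, so the month fails and earns a credit, while the whole of 2016 (78 minutes against a 263.52-minute allowance) passes; that is the observation-period difference the deck warns about. The credit a provider pays is a percentage of the fee, which is why the deck stresses that compensation is tied to the price of the service and not to the business impact of the outage.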
14. Step 8: Understand the disaster recovery plan
Considerations
Use of public cloud services does not absolve the user from serious DR and Business Continuity planning
Service agreements focus on limiting the provider’s liability
• SLA exclusions
• Disclaimers
• Limitations of liability
Recommendations
Devise a disaster recovery plan
• Prioritize apps, services and data
• Determine acceptable downtime
Ensure business critical content is stored redundantly in different geographical locations
Define Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
Ensure appropriate frequency of backups based on content criticality
Use data and app replication capabilities provided by cloud service
Implement mechanism to promptly detect and quantify outages
15. Step 9: Define an effective governance policy
Considerations
Governance complicated by responsibility split between customer and provider
• Control and oversight
• Elements controlled by provider
Key elements:
• Periodic assessment – service levels, compliance
• Reports – key indicators, service failures
• Problem reporting & status
• Change notifications
• Request processing
• User satisfaction
Escalation process
• Up to & including termination of service agreement
Recommendations
Agreements are typically silent about communication and escalation processes
Potential areas for negotiation are:
• Regular status meetings
• Single point-of-contact designation
• Automatic notifications
• APIs or Web services for management queries
In the absence of defined management interfaces, and for services that require strict notification, escalation and restoration procedures, public cloud services may not be appropriate solutions
16. Step 10: Understand the exit process
Considerations
Exit process should be part of any CSA
Customer exit plan
• Procedures
• Provider assistance
• Fees
• Retrieval of customer data
• Business continuity during exit
Requirement for provider to delete copies of customer data
Requirement for provider to cleanse log & audit data
• Retention of records for specified periods may be required by law
Recommendations
Ensure agreement specifies advance notice will be given for all terminations
Develop contingency plans / procedures to:
• Find new cloud service
• Extract and reload data
• Switch to new cloud service
As part of the termination process, insist that provider offer assistance to facilitate data extraction
Ensure all customer data maintained for a specific time period after transition
At the completion of the exit process, customers should receive written confirmation from provider that all customer’s data has been completely removed from the provider’s systems
17. New Developments
Work is taking place in the area of Cloud Service Agreements
ISO/IEC is well advanced with the 19086 standard
EU SLALOM project
Both aim at:
Standardized terminology
Listing of many potential CSA items
Standardized metrics
Codes of Conduct & Certification schemes continue to evolve
Especially in the area of data protection
18. Summary
Don’t “sign on the bottom line” without understanding the various documents that govern the relationship
Not everything is negotiable – but not everything is fixed either. Understand where you can ask for better terms (and determine if they’re worth paying more for)
Use our recommendations tables to evaluate a proposed CSA and detect areas that don’t meet your business requirements
Have a baseline – what are the current service levels of your incumbent providers or your in-house systems?
Be careful about how service levels are measured (e.g., measurement time windows)
Understand what happens in worst case scenarios (data breach, service failure, etc.)
Remain in charge of governance – don’t abdicate your own responsibilities to the public cloud service provider
19. Call to Action
Join the CSCC Now!
– To have an impact on customer use case based standards requirements
– To learn about all Cloud Standards within one organization
– To help define the CSCC’s future roadmap
– Membership is free & easy: http://www.cloud-council.org/become-a-member
Get Involved!
– Join one or more of the CSCC Working Groups: http://www.cloud-council.org/workinggroups
Leverage CSCC Collateral!
– Visit http://www.cloud-council.org/resource-hub
20. Thank You!