In November 2012, we wrote an Alert about the European Commission’s Communication on Cloud Computing intended, it said, to “… unleash the potential of cloud computing in Europe”. Sceptics were doubtful that the cloud industry needed much help from European regulators to thrive.
Twenty months later, the Commission has begun to deliver on its key actions in the Communication with the publication of its Cloud Service Level Agreement Standardisation Guidelines.
How helpful are these Standardisation Guidelines to the cloud sector at this point in its development?
The recently-issued Cloud Service Level Agreement Standardisation Guidelines have their origin back in November 2012. At that time, the European Commission issued a Communication setting out a road map for the future growth of cloud computing in Europe.
In the 2012 Communication, the Commission set out a number of key actions, including to cut through the jungle of standards and to promote safe and fair cloud contracts. The Commission believes that the development of model terms for cloud computing – and, specifically, service level agreements in the cloud sector – is one of the most important issues affecting the future growth of the cloud industry in Europe, and that standardising the approach to cloud services will enable buyers of cloud computing services to make fair comparisons between different providers’ offerings.
The guidelines are intended to help business-to-business users of cloud solutions to ensure that key elements are included in plain language in contracts they make with cloud providers. The recommendations are more directed toward the cloud industry than toward user of cloud computing. They seek to have the cloud industry standardise aspects of SLA offerings that will improve the overall clarity of the sector as a whole and improve the understanding of cloud SLAs among the buyer market. In particular, the aim of the guidelines is to highlight and provide information on the concepts usually covered by SLAs and indicate what information can be obtained from any existing certification schemes.
At one level, the Standardisation Guidelines will be useful for business because they provide a standardised vocabulary and terminology by which the metrics that underpin cloud services are described. The guidelines set out a series of service level objectives covering:
- Performance: in terms of availability and service provisioning; response time; capacity and capability; support hours; support responsiveness; and reversibility and lock-in;
- Security: covering service reliability; authentication and authorisation; cryptography; security incident management and reporting; incident monitoring; audit rights; and vulnerability management;
- Data Management: including classification of data; data mirroring; and response to data portability requirements; and
- Personal Data Protection: including codes of conduct on data privacy compliance; data minimization; use, retention and disclosure limitation, transparency; accountability; geographic limitations; and intervenability.
If a business is looking to understand and implement the key objectives that are typically required from a relationship with a cloud services provider, the standardisation guidelines provide an ideal starting point.
Cloud computing has evolved in a relatively un-regulated way. Obviously, cloud offerings need to be fitted within existing regulatory frameworks, although these are typically pre-existing and not directly targeted at the cloud sector itself. The Commission’s 2012 Communication – and now the next step which the standardisation guidelines represent – are a move toward creating a framework that is specific to cloud computing. While the guidelines do not indicate the level at which specific metrics should be measured, they do at least provide a starting point for determining what scope and attributes of a cloud offering ought to be covered by measured metrics within a service level framework.
Drawbacks and Limitations
The open question is whether the cloud industry will pay attention to these non-mandatory guidelines, or whether the guidelines represent an attempt to set a baseline when the industry itself is already much further advanced than the baseline in the development of established approaches and has no interest or relevance to the guidelines.
There are, however, a number of shortfalls with the guidelines.
Firstly, the guidelines are just that: guidelines. There is no mandatory element, and any adoption or use depends entirely on the voluntary adoption by industry players. It is by no means clear the extent to which the leading cloud providers will want to amend their existing cloud offerings to take into account these guidelines.
Secondly, the guidelines are only recommendations from the European Union. As the EU itself is quick to recognise, the initiative of which the guidelines are a part will only have a deeper impact if standardisation is done at an international level across all the key jurisdictions – and this really means by international standards such as ISO/IEC 19086. To this end, the C-SIG is also working with the ISO Cloud Computing Working Group to try to formulate a broader European position on SLA standardisation. These guidelines could be seen as no more than an in-feed to ISO’s effort to establish international standards for SLAs on cloud computing.
Thirdly, the guidelines stop short of clear thresholds. So, for example, the guidelines describe an approach to defining availability/uptime – but there is no stated thresholds as to what level of availability ought to be good, bad or indifferent in the cloud market. Also, the key variable in measuring uptime is the inclusion or exclusion of maintenance, especially scheduled maintenance; but the guidelines merely observe this issue – there’s no recommended or mandated position as to whether maintenance should be in or out of the availability metric.
What Happens Now?
For the guidelines to become successful, they need to be adopted by the international community. At one level, the International Standards Organization could get behind these guidelines and move rapidly toward creating a series of cloud metrics.
Adoption more broadly will depend either on the guidelines imposed “top-down” by the ISO as a standard that becomes broadly accepted in the market; or broad adoption could occur “bottom-up” if the key cloud providers move to embed these guidelines into their international cloud offerings. Or, of course, the ideal answer would be a combination of both top-down and bottom-up. But much depends on the appetite of the cloud industry to adopt and apply these guidelines – without industry buy-in, the guidelines may have little practical effect.