The European Commission has published Cloud Service Level Agreement (SLA) Standardisation Guidelines presented to it by the Cloud Select Industry Group. The guidelines are designed to help businesses ensure agreements with cloud providers include essential elements such as compliance with EU data protection rules.
The guidelines set out a number of principles for the development of SLA standards for cloud computing, including the need that they be technology and business model neutral, of world-wide application and that they contain unambiguous definitions and conform to specified cloud-essential characteristics.
The guidelines highlight that, since the definition of the cloud service offered is not usually open to negotiation, it is important that its definition is clear to enable a comparison between services offered by different providers. This definition should also be transparent on how the service provider handles and uses data stored in the cloud.
The guidelines further specify that potential standards must be able to accommodate small to large businesses and should take into account state-of-the-art technologies.
Standard service level objectives (SLOs) are provided for the following aspects of a cloud service:
- Performance - including the service's availability, response, capacity, capability, support and reversibility (the processes involved when the service is terminated). Reversibility is particularly important as one of the key concerns is the return of a customer’s data when the service ends together with guarantees about the erasure of that data.
- Security - including the service's reliability, authentication and authorisation, cryptography, incident management, logging and monitoring, auditing and verification, vulnerability management and service governance.
- Data management - including data classification, data mirroring backup and restore, data lifecycle and data portability. The guidelines specify that the data lifecycle should include an SLO “data deletion type” which should specify the quality of the data deletion ranging from weak to strong sanitisation.
- Personal data protection (which focuses on instances where the cloud service provider acts as a “data processor” for the customer who is the “data controller”) - including codes of conduct and certification mechanisms, data minimisation, use retention and disclosure, openness transparency and notice, accountability, geographic location and intervenability.
Given the global nature of the cloud, agreements often span jurisdictions with varying legal requirements for the protection of hosted personal data. This has led to concerns that the Commission's standard SLOs may be inadequate where non EU-based service providers are subject to data disclosure demands by local law enforcement authorities. The standard SLOs suggest the SLAs should include the number of disclosures made and the number notified. However, if a law enforcement organisation targets one consumer's data, the multi-tenant nature of cloud computing makes it likely that other consumers will be affected. The Commission's standard SLOs fail to address this.
The guidelines are currently under consideration to be included within a new international standard on SLAs for cloud computing being drawn up by the International Organisation for Standardisation (ISO)