On 24 June 2014 the EC Cloud Select Industry Group met another milestone in its action plan for "unleashing the potential of cloud computing in Europe" with the issue of its Cloud Service Level Agreement Standardisation Guidelines.
The guidelines are non-binding, aimed at business to business contracts, and seek to set out a common approach to service standards in contracts between cloud customers and Cloud Service Providers ("CSPs"). The approach is technology and business model neutral, using concepts that are applicable irrespective of the technologies used, or the commercial basis on which the service is offered.
They identify "service level objectives", addressing many topics on which cloud providers have historically resisted making meaningful contractual commitments such as:
- Compliance with data protection legislation.
- Service levels for availability and incident resolution;
- Data back-up and disaster recovery arrangements;
- Service levels for data security incident identification and resolution;
- Transfer of data back to the Customer (e.g. in the event of termination the contract);
- Audit rights/certifications available from the supplier to demonstrate adherence to security standards.
The "Service Level Objectives" are non-specific as regards the actual standards that may be appropriate; for example the need for a contract to give assurances on "Service Availability" or "Uptime" is highlighted but there is no guidance to the customer on what level of uptime they should expect. They identify and provide information on topics which should be addressed in SLAs rather than setting suggested service levels.
So what is the intended benefit?
The guidelines aim to introduce common language and bring transparency to cloud contracting so that customers can easily compare CSP offerings and choose cloud services with confidence, knowing that they adhere to certain standards. From the Commission's perspective the guidelines, if adopted by CSPs, will drive greater transparency and trust. Customers will be given greater assurances by CSPs and will more readily adopt cloud solutions, thus accelerating the adoption of cloud solutions and creating a virtuous circle for the benefit of customers, CSPs and the European Economy. The potential gains for the European economy are eye-catching. Based on a report by technology analyst IDC, growth in cloud computing could deliver a net gain of 4 million new European jobs and an annual boost of €1 trillion to European GDP by 2020(1).
In the early stages of cloud adoption, the contract terms offered by many CSPs appeared to assume an inherent trade-off between the efficiencies brought by a cloud solution and the client's legitimate need for assurances on data security, service quality and compliance with laws. Concerns about security of data in the cloud and a general lack of transparency on the part of CSPs impacted the speed of cloud adoption, despite the obvious business benefits. Things have moved on since and the guidelines may to a certain extent be aimed at issues that were more acute when the EC action plan was conceived in 2012. Nevertheless, there is still some way to go and from the Customer's perspective adoption of the guidelines would clearly be a positive thing.
Given their non-binding nature, how likely are CSPs to adopt them?
CSPs such as Amazon, CISCO, EMC, Microsoft. Oracle and Salesforce inputted to their creation - however the document makes clear that the final output does not necessarily represent their views. The guidelines are the product of a European initiative driven by single European market objectives. However, the cloud market is of course global by nature and many of the leading CSPs are US based companies. This is recognised by the guidelines which highlight that SLA standardisation will have maximum impact if done at international level, referring to ongoing liaison with the ISO Cloud Computing group currently developing the equivalent ISO standard (2).
Are the guidelines therefore likely to be an input to an international standard only with little benefit to Customers until those standards are finalised?
Perhaps not, for the following reasons:
Most businesses are already using cloud solutions and looking to significantly extend their use of cloud in 2014. A recent report by IBM found that businesses who were ahead of the curve on cloud adoption were reporting almost double the revenue growth and nearly 2.5 times higher profit growth than peers who were more cautious about cloud. The benefits are no longer just about cost cutting and efficiency. In a world where speed of innovation and responsiveness to change are increasingly important, competitive advantage has become a key driver for cloud adoption. The Leading CSPs are poised to capitalise on this new phase of acceleration of cloud adoption and competition for market share is intense.
Post PRISM European distrust of US surveillance laws has harmed customer confidence in US CSPs. Another set-back was suffered on 31 July when Microsoft lost its third round of an ongoing battle to resist an extra-territorial warrant issued by the US courts to handover customer data on a Microsoft e-mail account hosted in Dublin. Microsoft, who is backed in its challenge by Verizon, Apple, Cisco and other major US based CSPs, said that the judgement could “hurt the competitiveness of US cloud providers in general".
Cloud adoption is poised to dramatically increase, potentially impeded only through lingering trust and confidence issues. Against this backdrop, addressing trust and confidence issues, including through achieving endorsement at EU level, is something CSPs are likely to take seriously. This was demonstrated by the collaboration between Microsoft and the Commission's Article 29 working party earlier this year, which resulted in approval of Microsoft's cloud contract terms on cross border data transfer as meeting the requirements of EU data protection law. Microsoft heralded the endorsement as setting them apart from other cloud providers in meeting the "gold standard" set down by EU regulators.
Whether the SLA Standardisation Guidelines act as a catalyst or not, the direction of travel is clear – cloud adoption is entering a new phase of acceleration and the leading CSPs will be reacting to market led demands for changes to their operating practices and service levels to ensure they are beneficiaries.
1. IDC Worldwide Cloud Black Book, 4Q update, April 2013
2. ISO/IEC 19086