On 26 June, the European Commission announced the publication of guidelines "to help business users save money and get the most out of cloud computing". The guidelines have been developed by a Cloud Select Industry Group (CSIG) which includes industry bodies such as Cloud Security Alliance and IT services providers such as Atos, Amazon, Microsoft, Google, SAP, IBM, Salesforce, Cisco, Accenture and Intel among others. The Commission sees this as the first step towards standardised building blocks for Service Level Agreements (SLAs), terminology and metrics for cloud use in Europe.
The Commission makes the case for cloud computing stating that "it allows individuals, businesses and public sector to store their data and carry out data processing in remote data centres, saving on average 10-20%". Undeniably, cloud services do provide a way for individuals and businesses to access IT applications and infrastructure in a more flexible way, often avoiding the upfront, and frequently expensive, capital investment. However, with this business case established, do these guidelines actually deliver on it and help cloud users (business and individual users rather than consumers) across Europe to save money? The answer would be, at this stage, not really.
The guidelines are an admirable effort to specify and illustrate a selection of the concepts that could be addressed, depending on the precise makeup of the cloud service, in a cloud user's SLA with its cloud provider. They are intended to help business and technical stakeholders understand the non-legal concepts and vocabulary used in cloud SLAs. Effectively, the guidelines specify what a cloud SLA could cover but not what the actual service level provisions should be. This is the Commission's attempt to "kick off" the discussion on standardisation of concepts for cloud SLAs and pave the way for the Commission's aim for Europe to become the world's leading trusted cloud region. Indeed, for users new to cloud computing, or veteran users re-procuring or renegotiating their cloud terms, these guidelines provide a very useful summary of areas for consideration.
The key sections are discussed below:
- A definitions section provides the CSIG's agreed definitions of various terms and vocabulary used in cloud SLAs. The CSIG also gives a definition of what it considers cloud computing is composed of for the purposes of the guidelines. These are: (A) five essential characteristics being (i) on-demand self service, (ii) broad network access, (iii) resource pooling, (iv) rapid elasticity, and (v) measured service; (B) four service models, being (i) SaaS, (ii) PaaS, (iii) IaaS, and (iv) other XaaS (a collective term of diverse but re-usable components including but not limited to infrastructure, platforms, data, software, hardware or other goods, made available as a service with some kind of use of cloud computing); and (C) four deployment models, being (i) private cloud, (ii) community cloud, (iii) public cloud, and (iv) hybrid cloud.
- A performance service-level objectives section that explains common service level objectives relating to a cloud service and the interface between the cloud service customer and the cloud service provider. There are useful explanations here of availability, uptime, response times, capacity of a cloud service, capability indicators, support, data retrieval and the termination process. These objectives touch on some of the most important considerations for a prospective user of a cloud service.
- There is a security level objectives section giving an overview of service reliability, authentication and authorizations, cryptography, security incident management and reporting, logging and monitoring, audit and security verification, vulnerability management and governance. These sorts of SLAs are seen by the CSIG as useful for improving both assurance and transparency, and for establishing a common set of semantics so that cloud security can be managed from both sides: the security level offered by a cloud service provider and the level requested by the cloud service customer. With cyber security and defence such an important consideration for business users, especially in what some data security experts refer to as the "post-Snowden" cyber world, this is another critical area for businesses and users to understand, so that they can be comfortable with the levels of security being offered by their cloud service provider.
- The guidelines also explain data management service level objectives such as data classification, data mirroring / backup / restore, data lifecycle and data portability. Customer companies that transition to cloud computing will find this useful, as the traditional methods of securing and managing data are challenged by cloud-based architectures. Managing data and information in the era of cloud computing can affect all organisations and requires careful consideration. One of the main reasons businesses procure private clouds is concern over protecting their data and retrieving it at the end of the relationship with their cloud provider. Therefore, this is an area for users and business customers to consider at the outset in order to get the strategy of their cloud procurement right and ensure it is fit for the purpose for which it was procured.
- Finally, there is a section related to Personal Data SLA objectives which includes codes of conduct, standards and certification mechanisms, purpose specifications, data minimisation, use / retention and disclosure limitation, openness / transparency and notice, accountability and geographical location of cloud service customer data and, as the CSIG terms it, "intervenability" (which means, given a data subject's rights of access, rectification, erasure, blocking and objection under EU laws, the cloud service customer must be able to verify that the cloud service provider does not impose technical or organisational obstacles to these requirements, including in cases when data is further processed by subcontractors). The focus of this section is where the cloud service provider acts as a data processor on behalf of its customer (who would, therefore, be data controller).
The guidelines do not prescribe requirements that must be implemented in an SLA but instead provide information that regulators, cloud service customers and providers "may find helpful when considering cloud SLAs". These service level objectives are not exhaustive, nor are they applicable in every individual case. Customers should also note that the applicability of a particular service level objective can depend on the type of service offered (in terms of both the service functionality and service model) and its pricing (for example, free, paid or premium).
So why has the CSIG not provided a uniform approach to cloud SLAs and prescribed what they should be? The answer is that this is almost an impossible task. Firstly, cloud services can be built using any number of technologies, so a particular technology stack could not be assumed. The funding model of the cloud services could not be assumed either, as there are a number of methods of paying for such use (and a number of potential remedies available to a customer if the service falls below the SLA). Cloud is also, by its very nature, a global communications channel, and any agreement relating to cloud would need to account for regional, national and local laws, regulations and policies. Customers of cloud services also vary drastically, from enterprises with thousands of users to small businesses with few users. Furthermore, the provision of cloud services can be highly standardised, relying on uniformity to achieve economies of scale and to provide customer benefits such as low prices, whereas in some cloud agreements customers may (for example, due to their size or investment) be able to negotiate the cloud offering, the governing terms and any SLAs. Therefore, creating a cloud SLA template with a "one size fits all" approach was never the intention of the Commission or the CSIG.
However, producing unambiguous and standardised definitions, comparable service level objectives, and a requirement that cloud service providers document how they achieve their SLAs in terms of those standard concepts is a useful exercise.
Neelie Kroes, the Commission Vice President in charge of the Digital Agenda, stated optimistically, "This is the first time cloud suppliers have agreed on common guidelines for service level agreements. I think small businesses in particular will benefit from having these guidelines at hand when searching for cloud services." Whilst many optimists would share that opinion, less optimistic observers may find of particular note the CSIG's comments stating that the guidelines would have a "deeper impact" if standardisation is done on an international basis (e.g. through ISO/IEC 19086) rather than just within Europe. Whilst the CSIG is working with the International Standards Organisation (ISO) Cloud Computing Working Group to present a European position on SLA standardisation, there is no guarantee that the European definitions will be accepted. The next step will be the Commission testing these guidelines with users, and in particular SMEs. The guidelines will also be discussed within the Expert Group on Cloud Computing Contracts set up by the Commission in October 2013. This discussion will also involve other CSIG activities, for example the data protection Code of Conduct for cloud computing providers.
Therefore, these guidelines appear to be a good start to assist cloud business and individual users to have a better understanding of cloud services, rather than providing the answer to all of the questions cloud users should be asking when choosing their cloud service provider.