As cloud computing grows and becomes part of organisational growth strategies, the procurement of cloud computing services has also become a front-of-mind concern.
Information security is a key pain point for organisations looking to take up and rapidly consume cloud services, and with good reason. Leading cloud service providers, namely Rackspace, Google Apps and Microsoft Azure, have had their fair share of outages in the past 18 months, with Amazon EC2 being the latest: an outage that lasted over 45 hours.
Traditionally, contracts have been the realm of the procurement, accounting, legal or sourcing functions. Technologists and, more specifically, information security professionals kept a safe distance from them, primarily because they are boring and mind-numbing. But with cloud services consumption on the rise and organisations’ data assets and computing capability being rapidly cloud sourced, concerns about service levels—data security, data leakage, data access, scalability, and security compliance with policies and standards—have been magnified.
In a previous article, Cloud contracts – the Devil is in the detail, I highlighted examples from published research suggesting that, whilst the majority of concerns regarding service levels, data security, data leakage and availability are similar to those of traditional outsourcing contracts, there are areas that require specific consideration and deep thought.
The availability of systems, data security, leakage prevention, backup, storage and restoration within the information management lifecycle, and regulatory obligations are the areas most frequently discussed when negotiating cloud services contracts and their associated SLAs.
The 10 cloud contract service level agreement (SLA) features that I propose be checked for inclusion in every contract are as follows:
- Ensure the SLAs are enforceable and state specific remediation, such as corrections or penalties, for when they are not met.
- Ensure that the SLA documents in detail the actions to be undertaken so that a future recurrence of the failure is prevented.
- Ensure penalties (if appropriate) are clearly defined against measurable minimum service targets and take the form of a financial credit towards the service being provided.
- Ensure uptime is defined and agreed in detail, in a way that reflects your organisation’s Business Continuity Plan (BCP) and Disaster Recovery (DR) requirements.
- Ensure the performance and response time of your cloud service are explicitly documented and include provision for peak periods where you know that application processing requirements exceed normal levels.
- Ensure that, for all three cloud models, Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS), the error correction time is documented and the response and escalation procedures are fully understood and documented.
- Ensure infrastructure compliance and security effectiveness measures and reporting parameters are defined and their time periods agreed. These should reflect the organisation’s reporting obligations, periods and frequency for both internal and external reporting.
- Ensure that accountabilities are clearly defined from a data security perspective and that, where a breach occurs due to the vendor's errors or omissions, the vendor is "responsible for all damage, fines," etc.
- Ensure you build data centre audits and data centre controls into your contracts, enabling third-party audits and/or certifications and regular access to specific reports and remediation plans.
- Ensure that you document—in exact terms and with the associated obligations—what will be undertaken in the event of the contract being terminated, with specified timelines and, where possible, agreed data formats.
So there you have it: a quick list of cloud services SLA considerations. A single article cannot cover all cloud computing contract issues, and as I become aware of additional information I will add to this list. Rest assured, your obligations as a security professional have increased since the advent of cloud computing, especially in areas like contracts and SLAs.
Work with your procurement, sourcing and legal contacts to represent the information security interests within contracts, ensuring they adequately and appropriately reflect the organisation’s confidentiality, integrity and availability requirements.