Cloud contracts – check your SLAs

As cloud computing grows and becomes part of organisational growth strategies, procurement of cloud computing services has also become front of mind.

Information security is a key pain-point for organisations looking to take up and rapidly consume cloud services, and with good reason. Leading cloud service providers, namely Rackspace, Google Apps and Microsoft Azure, have had their fair share of outages in the past 18 months, with Amazon EC2 being the latest: an outage that lasted over 45 hours.

Now traditionally, contracts have been the realm of procurement, accounting, legal or sourcing functions. Technologists and, more specifically, information security professionals kept a safe distance from them, primarily because they are boring and mind-numbing. But with cloud services consumption on the rise, and organisations' data assets and computing capability being rapidly cloud-sourced, concerns about service levels (data security, data leakage, data access, scalability, and security compliance with policies and standards) have been magnified.

In a previous article, Cloud contracts – the Devil is in the detail, I highlighted examples from published research suggesting that, whilst the majority of concerns regarding service levels, data security, data leakage and availability are similar to those of traditional outsourcing contracts, there are areas that require particular consideration and deep thought.

System availability, data security, leakage prevention, backup, storage and restoration within the information management lifecycle, and regulatory obligations are the areas most frequently discussed when negotiating cloud services contracts and their associated SLAs.

The 10 cloud contract service level agreement (SLA) features that I propose be checked for inclusion in every contract are as follows:

  1. Ensure the SLAs are enforceable and state specific remediation, such as corrections or penalties, for when they are not met.

  2. Ensure that the SLA documents in detail the actions required to be undertaken so that future failure is prevented.

  3. Ensure penalties (if appropriate) are clearly defined with measurable minimum service targets and take the form of a financial credit towards the service that is being provided.

  4. Ensure uptime is defined and agreed in detail which reflects your organisation’s Business Continuity Plan (BCP) and Disaster Recovery (DR) requirements.

  5. Ensure the performance and response time of your cloud service are explicitly documented, including provision for peak periods where you know that application processing requirements will be above normal.

  6. Ensure, for all three cloud models (Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS)), that the error correction time is documented, with response and escalation procedures fully understood and documented.

  7. Ensure infrastructure compliance and security effectiveness measures and reporting parameters are defined, and reporting periods agreed. These should reflect the organisation's reporting obligations, periods and frequency for both internal and external reporting.

  8. Ensure that accountabilities are clearly defined from a data security perspective and that, where a breach occurs due to the vendor's errors or omissions, the vendor is "responsible for all damage, fines", etc.

  9. Ensure you build data centre audits and data centre controls into your contracts to enable third-party audits and/or certifications, and regular access to specific reports and remediation plans.

  10. Ensure that you document, in exact terms and with the associated obligations, what will be undertaken in the event of the contract being terminated, with specified timelines and, where possible, agreed data formats.

So there you have it: a quick list of cloud services SLA considerations. A single article cannot cover all cloud computing contract issues, and as I become aware of additional points I will add to this list. Rest assured that your obligations as a security professional have increased since the advent of cloud computing, especially in areas like contracts and SLAs.

Work with your procurement, sourcing and legal contacts to represent information security interests within contracts, ensuring that they adequately and appropriately reflect the organisation's confidentiality, integrity and availability requirements.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.


Stories by Puneet Kukreja
