What to look for in a cloud computing SLA

CIOs considering cloud computing need to ask many questions to ensure service-level agreements contain the right terms. We spell out the details to look for in this piece.

Many CIOs are in the process of moving applications and services into the cloud. Some are forced to consider cloud-based computing due to economic reasons, while others are looking to create new IT services. Regardless of the reasons, CIOs will have to deal with a service-level agreement (SLA) sooner or later.

Evaluating SLAs can be uncomfortable for many CIOs; after all, most SLAs are filled with legalese and contractual language that can make it difficult to quantify what exactly a vendor is offering.

Questions on data protection:
-How is the data encrypted?
-What level of account access is present and how is access controlled?
-Is the data always contained only on the vendor's systems?
-Does the vendor use any sub-contractors or rely on any partnerships to process the data?
-Is the data backed up and if so, where are the backups stored?
-Does the vendor use a secure data center?
-What happens to copies of the data if the relationship is terminated or if the vendor fails?
-Will the vendor provide archival copies of the data to the customer?
-How will the vendor react to legal inquiries about a customer's data set?
-What types of auditing tools are available?
-How are compliance needs addressed?

Further complicating things is that most SLAs are written to protect the vendor, and not so much the customer. Most vendors create SLAs as a defensive shield against litigation, while offering customers minimal assurances. That said, SLAs can still be a powerful tool for CIOs looking to choose a cloud vendor and arrange for the best services available.

CIOs need to focus on three areas with SLAs: data protection, continuity and costs. Arguably, data protection is the most important element to understand. CIOs will want to make sure the SLA clearly defines who has access to the data and what protections are in place. At first blush, determining levels of protection seems rather straightforward, but there are some hidden issues to be aware of, and CIOs must perform due diligence and address those issues.

Many of these questions could raise thorny issues about how intellectual property is protected. It all comes down to who ultimately has control of the customer's proprietary data.

An IT manager will need to understand how the vendor's infrastructure and services are utilized to provide persistent access to needed applications and data sets. Continuity is important. In a perfect world, a vendor could guarantee access 100 percent of the time, but in reality, a guarantee like that is impossible.

Questions on outages:
-How is a service outage defined?
-What tools are in place to determine the severity of the outage?
-How is the customer credited or compensated for an outage?
-What level of redundancy is in place to minimize outages?
-Will there be a need for scheduled downtime?
-What alternative methods of access are offered if there is an outage?
-Is there an incident reporting system?
-Are access/usage reports available?

All service providers will experience downtime at one time or another, simply because there are situations that are beyond their control, ranging from natural disasters to interruptions in the public infrastructure. At best, most service providers offer an assurance of 99.5% uptime, but there is usually some legalese surrounding that assurance. Even so, a vendor can make a reasonable attempt to guarantee an acceptable level of service. With that in mind, the real question here becomes what happens when service is interrupted?

Combined, the answers to these questions can be indicative of the level of service that a vendor can and will provide. More importantly, those answers will dictate how well an IT department can deal with an interruption and how that interruption will affect the users.

Questions on cost:
-What is the fee structure?
-Are there hidden costs?
-Are there add-on costs or fees for support?
-Are charges based upon traffic, usage or storage limits?
-Are there taxes or other external fees?
-Is there any type of price protection?
-Are there licensing fees above and beyond the service fees?

Some vendors include a pricing element in their SLAs, while others will define fees and charges under a separate contract. Either way, it is important for an IT manager to understand the costs involved with a cloud-based service. Not only are those costs relevant to budgets, they are also used to determine return on investment. Cost analysis may be best left to members of the purchasing or accounting department, but CIOs can help to speed the process and perhaps obtain funding for a cloud service by looking for some simple explanations when it comes to costs.

Finding answers to these questions and the others outlined above can help an IT manager make an informed and intelligent decision when it comes to selecting a service provider and building a long-term relationship with that provider, while keeping services affordable and reliable at the same time. It all comes down to minimising the legalese and applying common sense to service-level agreements.
