When it comes to choosing a cloud provider, the Service Level Agreement could prove more vital than the hardware they have on the back end. The SLA is a legal promise of performance, availability and rights, yours and theirs, and should never be taken lightly.
Despite their importance, some SLAs are shockingly short, just a few paragraphs in some cases, and providers have become lackadaisical about them.
“As a data center professional of 25-plus years, reading through cloud SLAs drives me crazy,” said Andi Mann, a member of the Office of the CTO at CA Technologies. “It is like we took all the lessons we learned in negotiating SLAs with outsourcing contracts in the 80s and 90s, threw them all out the window and told the service providers ‘You know what? You just do what you think is best.’ And they did!”
He notes that the SLAs for both Amazon EC2 and Google Compute Engine promise 99.95% uptime, which is only marginally better than the ANSI/TIA and Uptime Institute’s lower-mid Tier II data center (99.741% uptime), and not enough for the upper-mid Tier III data center, which is expected to have availability of at least 99.982%.
And that’s not even close to the old data center requirement known as “five nines,” or 99.999% uptime. In the 1990s and 2000s, that was the expectation of on-premises mission-critical hardware.
It doesn’t help that cloud providers are in almost all cases the sole arbiter of when downtime actually happens. They may document what constitutes an outage, but in reality (and by contract) they must acknowledge the outage as such before any breach is recorded, said Mann.
“You can wave your APM and DCIM reports in their face all you want, and scream as loudly as you can about your disgruntled users and customers, but if the provider didn’t notice, record, or admit to an outage, it essentially never happened,” he said.
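The two points above, the thin margin between the quoted availability figures and the provider being the one who decides which outages count, can be made concrete with a small calculator. The following is an added example, not code from the article or from any provider; the outage records are constructed, and the 30-day month and non-leap year are simplifying assumptions. It converts each availability figure quoted above into a downtime budget, then scores one month of outages twice: once with everything the customer's own monitoring recorded, once with only the outages the provider acknowledged.

```python
from dataclasses import dataclass
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60    # 525,600 minutes in a non-leap year (assumption)
MINUTES_PER_MONTH = 30 * 24 * 60    # 43,200 minutes in a 30-day billing month (assumption)


def downtime_budget_minutes(availability_pct, period_minutes=MINUTES_PER_YEAR):
    """Minutes of downtime an availability promise permits over one period."""
    if not 0 <= availability_pct <= 100:
        raise ValueError("availability must be a percentage between 0 and 100")
    return period_minutes * (100.0 - availability_pct) / 100.0


# Availability figures quoted in the article, for side-by-side comparison
AVAILABILITY_TIERS = {
    "Tier II (ANSI/TIA, Uptime Institute)": 99.741,
    "Amazon EC2 / Google Compute Engine SLA": 99.95,
    "Tier III": 99.982,
    "five nines": 99.999,
}


@dataclass
class Outage:
    start: datetime
    end: datetime
    acknowledged_by_provider: bool  # True only if the provider recorded it as an outage

    @property
    def minutes(self):
        return (self.end - self.start).total_seconds() / 60


def assess_sla(outages, availability_pct, period_minutes=MINUTES_PER_MONTH):
    """Compare one period's outages against the SLA twice: once using everything the
    customer's own monitoring saw, once using only provider-acknowledged outages."""
    budget = downtime_budget_minutes(availability_pct, period_minutes)
    measured = sum(o.minutes for o in outages)
    acknowledged = sum(o.minutes for o in outages if o.acknowledged_by_provider)
    return {
        "budget_minutes": budget,
        "measured_minutes": measured,
        "acknowledged_minutes": acknowledged,
        "breach_per_customer_monitoring": measured > budget,
        "breach_per_provider_records": acknowledged > budget,
    }


# Constructed sample month (not real incident data): three outages seen by the
# customer's monitoring, of which the provider acknowledged only two.
SAMPLE_OUTAGES = [
    Outage(datetime(2014, 10, 3, 2, 0), datetime(2014, 10, 3, 2, 12), True),       # 12 min
    Outage(datetime(2014, 10, 11, 14, 30), datetime(2014, 10, 11, 15, 5), False),  # 35 min, unacknowledged
    Outage(datetime(2014, 10, 20, 9, 0), datetime(2014, 10, 20, 9, 8), True),      # 8 min
]

if __name__ == "__main__":
    for label, pct in AVAILABILITY_TIERS.items():
        budget = downtime_budget_minutes(pct)
        print(f"{label:40s} {pct:7.3f}%  allows {budget:8.1f} min/year")
    print(assess_sla(SAMPLE_OUTAGES, 99.95))
```

On the constructed month, the customer measured 55 minutes of downtime against a 21.6-minute monthly budget at 99.95%, but the provider's own records show only 20 minutes, so by the provider's accounting no breach occurred. That gap between `breach_per_customer_monitoring` and `breach_per_provider_records` is exactly what the SLA's definition of an outage decides, which is why the definition and who applies it deserve as much scrutiny as the percentage.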
Beyond the SLA Basics
With all of those negatives, true diligence is needed when choosing a provider, including careful scrutiny of the SLA. Whatever their level of complexity, SLAs have moved beyond the early stage of simply promising compute power and storage, says James Hanley, vice president and general manager for cloud platform and data center at CSC.
“Customers are focused on apps that run and enhance their business, not the underlying IT technology,” he said. “As we go to market, we’re really focused on the apps they are running, and each app, whether new or old or in transformation, has a unique set of requirements. So we’ve become experts in applying analytics and segmenting them and applying those segments into a cloud environment, utilizing what they require for risk and cost.”
This means actual integration between the cloud and the app. CSC creates a set of policies for each app, then orchestrates the policies for that app into the cloud. Policies could be security, performance, network bandwidth, and cost. Policies are developed out of a catalog, so they have templates for common apps ready to go and can be applied rapidly.
Cross Platform Support
The next thing to look for is a provider that offers a complete, thorough environment where everything is integrated, from services to the data stores, says Joe Clabby, president of Clabby Analytics.
“In general you are looking for a very disciplined environment where the managed service provider can manage everything from application development and infrastructure through apps management, security as a service level, all the way through the lifecycle,” he said.
“The problem with a lot of clouds is they are siloed,” he added. “So you’ve got all this cloud infrastructure to virtualize your workloads, but they don’t work well together. So you still have to do integration work. So your provider needs to demonstrate they have done the work to integrate the silos.”
Where and When Can You Access the Data
It’s fairly standard to codify specific service and performance levels for the data being dealt with. If all you are doing is using AWS to support your developers, that’s not a big deal. If you use it for day-to-day business, then you look for more stringent performance requirements.
More important should be a statement of ownership regarding data and apps, said Charles King, principal analyst with Pund-IT. “Any time you entrust a third party with properties you own, it’s like when you rent a piece of equipment you sign a contract stating the company you are renting from is the owner of the equipment. It shouldn’t be an issue but when things get litigious it’s important to have things covered,” he said.
Moreover, check and get a guarantee of where the data will physically reside. HIPAA and financial compliance would require the data to stay within the state, and some countries, like Germany, mandate that data not leave their physical borders. The integrated, global data centers of Microsoft, Google and Amazon mean your data can sit on hard drives anywhere in the world and you’d never know it, so if you face compliance issues, keeping that data within U.S. borders has to be in writing.
Hold Their Feet to the Fire
There is a decided lack of penalties for providers that breach these SLAs, notes Mann, and customers need to make sure the SLA doesn’t absolve the provider of responsibility for failures that are its own fault.
“In their generosity to themselves, the biggest cloud providers have ‘non-negotiated’ SLAs that do not effectively punish downtime even if it officially happens. Moreover, few if any of these SLAs provide any reporting on, let alone penalties for insider security breaches resulting in loss of data or intellectual property,” he notes.
In the event they declare a legitimate outage, they typically just promise to credit some percentage of the fees paid for the service they didn’t provide, with no punitive damages provided by their contracts, he added. That’s the equivalent of a store credit, and if you quit, you get nothing back. So note the language of the SLA and make sure your provider doesn’t let itself off the hook, especially if it’s at fault for downtime.
Finally, think about an exit strategy, which should be included in the contract, specifying how either party ends the relationship, the rights of both, how you get your data back, the time frame and cost to do so, and so on.
There have been a few cloud provider bankruptcies and shut-downs, like Nirvanix and Megacloud, and Symantec had a cloud service called Backup Exec that they closed down. Symantec helped its customers get their data back but Nirvanix and Megacloud customers were left hanging. Your rights to your data should not go away just because the business does.
One of the promises of the cloud is automation, and in a few years, spinning up services should require no human intervention of any kind. “If you look down the road and assume more and more apps will be delivered via the cloud, apps and the people that manage them will have the ability to self-select apps in a location,” said Hanley.
Customers should look for automated policy orchestration, he said, so policies are applied regardless of where on a cloud you place the app. You might have a policy that says you have to have a secure environment. Another might say data cannot leave a particular country. Another says response time can be no less than a certain amount of milliseconds. “Ultimately, this type of automation buys the client faster time to market for apps and a lower barrier to entry,” he said.
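The per-app policy catalog described earlier and the three example policies just listed (a secure environment, data residency, a response-time threshold) can be expressed as a small policy check that a placement must pass before an app is orchestrated into a region. The code below is an added illustration, not CSC's orchestration or any product's API; the providers, regions, latency figures and the `patient-records` policy are constructed, and the response-time rule is interpreted here as a ceiling in milliseconds, with "secure environment" reduced to a single encryption-at-rest flag for the sake of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Placement:
    """A candidate deployment of an app in one region of one provider (constructed)."""
    provider: str
    region: str
    country: str               # where the data would physically reside
    encrypted_at_rest: bool    # stand-in for the "secure environment" policy
    measured_latency_ms: float # response time observed from the customer's users


@dataclass
class AppPolicy:
    """Per-app policy set, in the spirit of a catalog template applied to an app."""
    name: str
    allowed_countries: Set[str] = field(default_factory=set)  # empty = no residency rule
    require_encryption: bool = False
    max_latency_ms: Optional[float] = None                   # None = no response-time rule


def evaluate(policy: AppPolicy, placement: Placement) -> List[str]:
    """Return a list of policy violations for this placement (empty list = compliant)."""
    violations = []
    if policy.allowed_countries and placement.country not in policy.allowed_countries:
        violations.append(
            f"residency: data would reside in {placement.country}, "
            f"allowed {sorted(policy.allowed_countries)}")
    if policy.require_encryption and not placement.encrypted_at_rest:
        violations.append("security: storage is not encrypted at rest")
    if policy.max_latency_ms is not None and placement.measured_latency_ms > policy.max_latency_ms:
        violations.append(
            f"performance: {placement.measured_latency_ms} ms exceeds "
            f"the {policy.max_latency_ms} ms ceiling")
    return violations


def choose_placement(policy: AppPolicy,
                     candidates: List[Placement]) -> Tuple[Optional[Placement], Dict[str, List[str]]]:
    """Pick the first candidate that satisfies every policy; also report why others failed."""
    report: Dict[str, List[str]] = {}
    chosen: Optional[Placement] = None
    for candidate in candidates:
        violations = evaluate(policy, candidate)
        report[f"{candidate.provider}/{candidate.region}"] = violations
        if not violations and chosen is None:
            chosen = candidate
    return chosen, report


# Constructed catalog entry: a health-care workload that must stay in the US,
# be encrypted at rest, and answer within 50 ms.
PATIENT_RECORDS = AppPolicy(
    name="patient-records",
    allowed_countries={"US"},
    require_encryption=True,
    max_latency_ms=50.0,
)

# Constructed candidate regions; provider names are placeholders, not real offerings.
CANDIDATES = [
    Placement("ProviderA", "eu-west", "DE", encrypted_at_rest=True, measured_latency_ms=30.0),
    Placement("ProviderB", "us-east", "US", encrypted_at_rest=False, measured_latency_ms=20.0),
    Placement("ProviderC", "us-west", "US", encrypted_at_rest=True, measured_latency_ms=40.0),
    Placement("ProviderC", "us-central", "US", encrypted_at_rest=True, measured_latency_ms=75.0),
]

if __name__ == "__main__":
    chosen, report = choose_placement(PATIENT_RECORDS, CANDIDATES)
    for key, violations in report.items():
        print(key, "OK" if not violations else violations)
    print("chosen:", f"{chosen.provider}/{chosen.region}" if chosen else None)
```

Running it picks `ProviderC/us-west` and explains why the other three were rejected (wrong country, no encryption, too slow). The useful property is that the policy lives with the app, not with the region, so moving the app to another cloud re-runs the same checks, which is the point of the automation Hanley describes.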
The hottest topic in cloud computing right now is security. People are worried about breaches, and rightfully so. Home Depot and Target have taken big hits financially and in the public eye for their data breaches.
Clabby says make sure a cloud provider has the right policies and procedures in place for security and check if they are certified. They should at least be EAL 5+ certified, even if you don’t need it. It shows the provider is on top of security issues.
Any company working with the government should check for FedRAMP compliance, which is a whole set of compliance standards for doing business with government agencies. The same goes for HIPAA compliance if the customer is in health care.
Compliance is obvious. A lesser-known element is how often they are monitored and how many compliance tests are done every year. Clabby recently spoke to one cloud provider that does 60 test cycles per year, which translates to five per month.
“That tells me they take security seriously. Then, let’s look at Apple’s cloud,” he said, in reference to the iCloud leak that left dozens of female celebrities red-faced. “Many providers don’t charge for security because they aren’t guaranteeing people what their security should look like. Then watch your cloud costs go through the roof as they add all the features you need later.”