Cloud Computing Service Level Agreement and Governance

Cloud Computing Service Level Agreement and Governance Service Level Agreement and Governance for Cloud Computing The contractual side of a service level agreement (SLA) and governance for cloud computing Ali Raslan Abstract In the world of information technology (IT), cloud computing has been the futuristic concept of modern computing for the last decade or more. Nevertheless, in the last few years this concept has become the mainstream. However, with the entire buzz and the evolutionary techniques the information technology companies developing and implementing, many overwhelming issues like interoperability, insecurity, and accessibility represents some of the most anticipated questions every decision maker has to consider before signing the contract of a Cloud Service agreement document. In addition to that, one key issue for every organization trying to make the big move to the world of cloud computing, is to provide governance for data that it no longer directly controls. During this research, I will try to illustrate and point the main ideas and practices of the contractual side of a service level agreement (SLA) and governance for cloud computing by trying to highlight a set of guidelines to help and assist organization in defining and constraining the governance plans for data they are willing to move into the cloud. Keywords: cloud computing, SLA, IT, contract, agreement, constraining. Word count: 4000 words. Introduction Cloud computing is the new era of internet evolution, where this term usually refers to everything involves delivering hosted services and data over the internet to companies, individuals and even other computing systems. The idea of cloud computing started in 1950s when large-scale mainframes made available to schools and corporations (James, 2013). Few decades later, this concept started to become more alive by adopting this concept by some of the major technological companies like Google, Amazon and Microsoft where commercial cloud computing started to take place in the market. This new technology developed through a number of phases, this includes Software as a Service (SaaS), Grid and Utility Computing (GaUC), Application Service Provision (ASP) (Arif, 2014). Nevertheless, through the development of this concept, many issues and uncertainties like security, interoperability, vendor lock-in, and compliance were arising against adopting this technology (North Bridge, 2013). These problems are familiar even with the traditional Information Technology Outsourcing (ITO), and these issues usually treated at the agreement level between the service provider and the customer. Cloud Computing Definitions The National Institute Of Standards And Technology NIST Definition of Cloud Computing â€Å"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.† (Peter Mell, 2011). Moreover, in his book The Big Switch: Rewiring the World from Edison to Google by Nicholas Carr, hundred years from now, the modern era of power grid has begun when corporations started to join the power grid leaving behind the traditional power generator systems every company used to have in order to satisfy the company’s need for electricity. This big transformation at that time is very similar to today’s switching from traditiona l computing and data handling to the cloud. Where with all the unusual concepts and worries about the security, actual data place and the stability of the services provided, companies will soon realize the emerging markets and services Cloud Computing can offer. The main motivation behind Cloud computing mostly represented by the benefits this technology can offer for its clients. Where features like ‘Service on Demand’, usually with a ‘pay as you go’ billing system and factors like the highly abstracted and shared resources, the instantaneous provisioning and scalability makes cloud computing the next power grid transformation. Risks and Issues On the other hand, despite all the mentioned benefits and features cloud computing can offer, it has been realized that there are limits to the acceptance of cloud computing among enterprise companies, because of the level of complexity and dependability these service might become. Moreover, the data governance issues related to this technology represents some of the main difficulties the cloud computing market is facing right now. The European Network and Information Security Agency (ENISA) defines that the client responsibility of data governance is similar to the service provider responsibility in case of any data lose or corruption (Catteddu, 2009). Thus because customer should be aware of the risks that might imply by using this technology, and to encourage these companies to investigate farther in finding a more reliable providers. In addition to that, farther risks might imply to any cloud computing environment, such as hacking attacks or unauthorized access to the actual phys ical data locations. The Journal of Information Technology Management categorized this type of attacks in three main categories: Attacks targets hosted application under a SaaS environment. Attacks through the trusted network connection. This can be done from the customer side to the provider or from the provider side to the customer environment. Attacks targets hosted server under a PaaS or IaaS environment. (Cochran Witman, 2011) Cloud Computing Governance Components In the Information Technology Outsourcing, describing the product or the service specifications to be delivered are usually drafted via a contract is in the form of Service Level Agreement (SLA), this agreement defines the all the important and legal parts of the service between the service provider and the service recipients. The same concept can be implemented with the cloud computing, since most of the main agreement parts involves providing an information technology service. However, cloud computing includes many different ideas and concepts, where in cloud computing agreement the service have to treat different concepts and behaviors like unknown data physical location, rapid scaling, lower IT upfront, and even different way of paying for the service such as monthly or annual subscriptions. In addition to that, in a cloud environment, usually the services are hosted and owned by a separate party. Where in most cases the owner of the application can be different from the owner of the server (Cochran Witman, 2011). Nondisclosure and Confidentiality Agreements These two terms are used in many other areas and through all types in contracts, agreements and forms, but the basic understanding of those two terms refers to the confidentiality of the agreement in general. Therefore, at the level of a service level agreement, a nondisclosure agreement usually means a confidential agreement. Margaret Rouse in her article about Nondisclosure Agreements she defines NDA as â€Å"A non-disclosure agreement (NDA) is a signed formal agreement in which one party agrees to give a second party confidential information about its business or products and the second party agrees not to share this information with anyone else for a specified period of time.† (Margaret, 2005). Similarly, David V. Radack in his article Understanding Confidentiality Agreements, he defines confidential agreement as â€Å"Confidentiality agreements, are contracts entered into by two or more parties in which some or all of the parties agree that certain types of information t hat pass from one party to the other or that are created by one of the parties will remain confidential.† (David, 2014). From the two provided definitions, we can see that a confidential or nondisclosure agreement force all participated parties to protect and never disclose any of the information passed between the parties while building the service. Legal location In general, the actual physical location of the server or the data in a Cloud Computing environment is not important from the technical point of view. However, from a legal point of view a Service Level Agreement requires clearly identifying the actual location of the servers handling the data and services. Thus in case of a security breach from the provider side, punishments or penalties could be issued through the provider’s local authority. For that reason, if the breach resulted the data to be moved into an offshores location, the local government regulations might have no effects towards that (Steele 2010). On the other hand, a civil case could be issued in the right of the vendor or attacker in case of such risks. For that reason, defining the legal location is very important in a service level agreement because it represents a legal cover to the actual data that might get stolen or destroyed. The Restrictions of a Software License Software License Restrictions is a very imperative factor in any Software License Agreement because it might affect the main tasks of the whole system in case of storing on an unknown devices or servers. This might occurs because sometimes software license might get violated when stored or hosted via remote hardware infrastructure. This issue might results a side effects like not being able to run the system as a whole or a part because software licenses might have a security features at the level of linking the software to a special machine MAC address or a processor serial number. User based exposures User based exposures might occurs when an end user posts some data in a secure interface or website in the system, after submitting the data to the main data server, the data might get through a third party communication systems or servers. During this stage, a security breach might occurs were data can be lost, stolen or disclosed. At this level, the Service Level Agreement investigates what administrators at this level have access to during the transmission stage. This point might cover different types and techniques for encrypting the data, or include the third party providers in the agreement to insure the security and safety of the data. Communicating With Remote Networks and Services. The system’s integration and incorporation with the cloud software as a service is one the most important factors any cloud based services have to offer for any system. However, integrating these services with the organization’s internal system sometimes means giving these services the possibility to become a part of the internal system. This can be an issue concerning the security the internal system. Mathias Thurman in his article Tightening Up SaaS Security, discusses how these concerns increase when the security of the SaaS is unidentified or unknown. Basically because when integrating the internal system with the SaaS, the SaaS network becomes a part of the internal system, and when reaching this level of integration, any attacks of security failures from the side of the SaaS provider well results the local network to be at risk too (Mathias, 2010). Cloud Service Level Agreement Components Service Level Agreement Template To illustrate the main parts and layout of a Service Level Agreement in a cloud-computing environment, in the following template we can see the main parts, layout, and definitions of the Service Level Agreement content, made by SLATemplate.com. Certainly, a Service Level Agreement can includes hundreds of pages describing every single specification. However, for the sake of illustrating the sample main part of the agreement we have the following template represents the most important parts of an SLA for a Cloud Computing system. Service Level Agreement (SLA) for Customer by Company name Effective Date: 10-08-2010 Version Approval (By signing below, all Approvers agree to all terms and conditions outlined in this Agreement.) Table of Contents 1. Agreement Overview 2. Goals Objectives 3. Stakeholders 4. Periodic Review 5. Service Agreement 1. Agreement Overview This Agreement represents a Service Level Agreement (â€Å"SLA† or â€Å"Agreement†) between Company name. and Customer for the provisioning of IT services required to support and sustain the Product or service. This Agreement remains valid until superseded by a revised agreement mutually endorsed by the stakeholders. This Agreement outlines the parameters of all IT services covered as they are mutually understood by the primary stakeholders. This Agreement does not supersede current processes and procedures unless explicitly stated herein. 2. Goals Objectives The purpose of this Agreement is to ensure that the proper elements and commitments are in place to provide consistent IT service support and delivery to the Customer(s) by the Service Provider(s). The goal of this Agreement is to obtain mutual agreement for IT service provision between the Service Provider(s) and Customer(s). The objectives of this Agreement are to: Provide clear reference to service ownership, accountability, roles and/or responsibilities. Present a clear, concise and measurable description of service provision to the customer. Match perceptions of expected service provision with actual service support delivery. 3. Stakeholders The following Service Provider(s) and Customer(s) will be used as the basis of the Agreement and represent the primary stakeholders associated with this SLA: IT Service Provider(s): Company name. (â€Å"Provider†) IT Customer(s): Customer (â€Å"Customer†) 4. Periodic Review This Agreement is valid from the Effective Date outlined herein and is valid until further notice. This Agreement should be reviewed at a minimum once per fiscal year; however, in lieu of a review during any period specified, the current Agreement will remain in effect. The Business Relationship Manager (â€Å"Document Owner†) is responsible for facilitating regular reviews of this document. Contents of this document may be amended as required, provided mutual agreement is obtained from the primary stakeholders and communicated to all affected parties. The Document Owner will incorporate all subsequent revisions and obtain mutual agreements / approvals as required. Business Relationship Manager: Company name Review Period: Bi-Yearly (6 months) Previous Review Date: 01-08-2010 Next Review Date: 01-12-2011 5. Service Agreement The following detailed service parameters are the responsibility of the Service Provider in the ongoing support of this Agreement. 5.1. Service Scope The following Services are covered by this Agreement; o Manned telephone support o Monitored email support o Remote assistance using Remote Desktop and a Virtual Private Network where available Planned or Emergency Onsite assistance (extra costs apply) Monthly system health check 5.2. Customer Requirements Customer responsibilities and/or requirements in support of this Agreement include: Payment for all support costs at the agreed interval. Reasonable availability of customer representative(s) when resolving a service related incident or request. 5.3. Service Provider Requirements Service Provider responsibilities and/or requirements in support of this Agreement include: Meeting response times associated with service related incidents. Appropriate notification to Customer for all scheduled maintenance. 5.4. Service Assumptions Assumptions related to in-scope services and/or components include: Changes to services will be communicated and documented to all stakeholders. 6. Service Management Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services and related components. 6.1. Service Availability Coverage parameters specific to the service(s) covered in this Agreement are as follows: Telephone support : 9:00 A.M. to 5:00 P.M. Monday – Friday Calls received out of office hours will be forwarded to a mobile phone and best efforts will be made to answer / action the call, however there will be a backup answer phone service Email support: Monitored 9:00 A.M. to 5:00 P.M. Monday – Friday Emails received outside of office hours will be collected, however no action can be guaranteed until the next working day Onsite assistance guaranteed within 72 hours during the business week 6.2. Service Requests In support of services outlined in this Agreement, the Service Provider will respond to service related incidents and/or requests submitted by the Customer within the following time frames: 0-8 hours (during business hours) for issues classified as High priority. Within 48 hours for issues classified as Medium priority. Within 5 working days for issues classified as Low priority. Remote assistance will be provided in-line with the above timescales dependent on the priority of the support request. â€Å"(SLA template, 2010) References Carr, N. G., January 2008. The Big Switch: Rewiring the World, from Edison to Google. s.l.:s.n. COCHRAN, M. WITMAN, P. D., 2011. GOVERNANCE AND SERVICE LEVEL AGREEMENT ISSUES IN A CLOUD COMPUTING ENVIRONMENT. Journal of Information Technology Management Volume XXII, Number 2, pp. 41-55. Peter Mell, T. G., 2011. The NIST Definition of Cloud Computing. [Online] Available at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf Arif Mohamed, A history of cloud computing. 2014. [ONLINE] Available at: http://www.computerweekly.com/feature/A-history-of-cloud-computing. [Accessed 5 March 2014]. James, A Brief History of Cloud Computing | SoftLayer Blog. 2013. [ONLINE] Available at: http://blog.softlayer.com/2013/virtual-magic-the-cloud. [Accessed 10 March 2014]. North Bridge, 2013 Cloud Computing Survey | North Bridge. 2014. [ONLINE] Available at: http://www.northbridge.com/2013-cloud-computing-survey. [Accessed 11 May 2014]. Peter Mell. The NIST Definition of Cloud Computing 2011. [ONLINE] Available at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf. [Accessed 11 May 2014]. Catteddu, D. and G. Hogben, Cloud Computing Benefits, risks and recommendations for information security 2009, European Network and Information Security Agency: Heraklion, Crete, Greece. 125 pp. Margaret Rouse, What is non-disclosure agreement (NDA)? Definition from WhatIs.com. [ONLINE] Available at: http://searchsecurity.techtarget.com/definition/non-disclosure-agreement. [Accessed 11 May 2014]. David V. Radack, Understanding Confidentiality Agreements. 2014. [ONLINE] Available at: http://www.tms.org/pubs/journals/jom/matters/matters-9405.html. [Accessed 11 May 2014]. Steele, C., City of Monrovia, California, personal communication, 2010. Mathias Thurman, Tightening Up SaaS Security Computerworld. 2010. [ONLINE] Available at: http://www.computerworld.com/s/article/352873/Tightening_Up_SaaS_Security. [Accessed 11 May 2014]. SLATeamplate.com, Service Level Agreement Template (SLA). 2010. [ONLINE] Available at: http://www.slatemplate.com/. [Accessed 11 May 2014].