The ever-growing network of IT services delivered by cloud computing is making yet another area of business unsettled:
Service-level agreements (SLAs) are the cornerstone of every IT service delivered into an enterprise; some are foundational enough that they are federally regulated, like agreements with communications providers. Businesses rely on them to hold providers to account. An SLA specifies exactly what a provider is expected to do and how, such as responding to problems within a certain time window, and what reparations a provider has to make if downtime occurs and the customer loses business. But that game is changing in cloud computing, often in ways that the enterprise may not be prepared to handle.
"The ease and convenience with which cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service providers," said a new report released in March by the Cloud Legal Project at Queen Mary, University of London. The authors surveyed 31 contracts from 27 cloud providers and found a wide range of issues that IT professionals need to be aware of.
Some cloud contracts had clauses that specifically voided data protection requirements, including accidental destruction of application data or intentional sharing of customer data; others claimed the right to terminate accounts without notice or without providing any cause.
Most of them claimed the right to amend the terms of their contracts on the fly, simply by updating their websites, a fact the Cloud Legal Project found "most disturbing" and something that would probably give an IT manager a case of the flaming fantods (or at least severe heebie-jeebies). Even honoring the terms of the contract could be problematic.
"The provider may be in a different part of the world; the contract may operate under the laws of another jurisdiction; the contract may seek to exclude liability for the loss suffered, or may limit liability to what is, in effect, a nominal amount," said the report.
With cloud computing, many of the generally agreed assumptions about how an SLA may work are thrown into disarray; for example, April's Amazon Web Services (AWS) outage in its Elastic Block Store (EBS) service critically impacted business systems for thousands of users. But that contingency wasn't even mentioned in Amazon's terms of service, which guarantee an SLA of 99.95% uptime for its Elastic Compute Cloud (EC2) only. AWS gave credit back to affected users, but it wasn't obligated to do so (it is also one of the providers noted above that reserves the right to change its terms or terminate accounts without notice).
Will the aftermath of Amazon's outage be a recurring cloud theme?
Experts think that kind of situation is likely to occur many times before cloud computing settles into the IT market, and IT professionals who think they're on sound footing should go back and look twice. SLAs were already a kind of masquerade ball that IT pros and traditional service providers were comfortable with, according to Mark Thiele, VP for enterprise at Las Vegas-based data center operator Switch.
"We know that service agreements are often superficial," he said.
For instance, Thiele said that money-back SLAs were often calculated in ways that wouldn't sensibly remunerate or might be hard to pin down; conversely, business value lost during an outage could also be extremely fuzzy. They're mostly a way to formalize responsibilities between a provider and a customer. In 1996, the Telecommunications Act laid out a regulatory framework for telecoms to use "good faith" in negotiating service levels that had been all but meaningless before.
Thiele said that in the cloud computing space, SLAs have gone from a paper tiger to meaningless confetti. With a traditional provider or outsourcer, the SLAs are usually tailored by the vendor to the customer's requirements, but cloud computing is inherently a self-service, one-size-fits-all proposition. Workloads in AWS range far and wide, from bulk scientific calculation to Web-based operations with millions of requests from dozens of applications.
Cloud providers have no idea what their users are up to, so they're writing "feel good" SLAs, according to Thiele, and that means fundamental insecurity, especially for the enterprise IT professional. The IT managers and CIOs of the enterprise world are well aware of the issue, and more often than not, it's a factor in determining how they put cloud to use.
"We do use a few public cloud providers and in general try to treat them as any other SaaS vendors," said Dmitri Ilkaev, systems architect at Thermo Fisher Scientific. He said IT works to make sure that business requirements can actually be translated into the provider's SLA language, and that running internal reporting and monitoring on the service provider was essential.
Ilkaev said it made sense right now to approach cloud with Web services-style SLAs, but cloud computing was still evolving and it wasn't a settled question by any means.
"On the other hand, the cloud technical stack is still undergoing its evolution together with different standards, protocols and frameworks," he said.
How the evolving cloud market affects SLAs
The good news is that the market is rapidly evolving. There were only three or four public cloud providers in 2008; now there are dozens, many of them specifically targeting conservative, gun-shy enterprises.
"Amazon is like this giant shiny object that people flock to," said David Snead, a D.C. attorney who represents telecoms and handles SLA agreements regularly. "There's more than one cloud provider out there that will negotiate with you."
Speaking at a panel at Interop 2011, Snead said that caveat emptor was an absolute rule in cloud computing right now, but that he expected regulation would come into play and help make some of these choices clearer, just as it did in the '90s with communications services. He noted that German regulators have been clear that they expect personal and business data (like health and banking records) to stay in Germany; cloud providers will simply have to open data centers in the appropriate jurisdiction if they want to play.
Snead said IT shops should have the whip handy when it comes to ironing out contracts with cloud providers, something panel attendees approved of.
"If your cloud provider isn't doing what it takes to get you to the middle, you need to find another one… There is a cloud provider out there for you, just like there is a date out there for you," Snead said.
"We have three courses of action when it comes to a provider: evaluate, approve, or do nothing. With cloud computing, it's very often: do nothing," said one IT contract manager from a national insurance firm who was not able to speak on the record.
She said her firm and others were perfectly willing to wait until cloud providers came up with appropriate ways to measure performance and access. Others simply need to tread carefully and understand what their risks are; right now, based on the contracts we can see, they are considerable, immutable and unstable in scope.
Carl Brooks is the Senior Technology Writer for SearchCloudComputing.com. Contact him at firstname.lastname@example.org.