Embrace these cloud service-level agreement best practices

SLAs help users know what to expect from their cloud provider. But they also present a number of headaches for the enterprise, according to legal experts.

There's something comforting about the concept of a cloud service-level agreement. There it is in black and white: a cloud provider's promise to keep your applications up and running -- almost all the time.

But while a cloud service-level agreement may be an indispensable component for securing cloud services, it's rarely as airtight as it looks. In fact, according to experts, users need to be aware of both service-level agreement best practices, as well as a host of potential problems.

One of the biggest issues with cloud computing SLAs is that they haven't yet evolved into an industry standard, said Michael S. Mensik, partner at Baker & McKenzie LLP, a Chicago-based law firm, citing a the firm's recent survey on cloud computing and SLAs. According to Baker & McKenzie's survey results so far, around 70% of respondents said they haven't seen any market standard terms or conditions for any type of cloud service.

What's more, when moving to a public cloud, some organizations simply accept an out-of-the-box or cookie-cutter version of a cloud provider's SLA, said Ed Featherston, senior enterprise architect and director at Collaborative Consulting, a consulting firm in Burlington, Mass. This is a common mistake that stems from the misconception that the cloud automatically provides scalability, resiliency, reliability and recoverability.

Organizations should not only negotiate SLAs, but understand their impact from both a technology and legal perspective.

"Going to a public cloud does not eliminate your responsibility to define your business requirements; you must ensure the SLAs from the vendor accommodate those needs," said Featherston.

Draw a line between cloud infrastructure and apps

You don't want [a provider] to simply acknowledge the problem. There should be a tie-in to the cure -- like a response time of half-an-hour for the highest severity of service problem.
Howard G. ZaharoffAV Preeminent Rated Attorney, Morse, Barnes-Brown & Pendleton, P.C.

Another common mistake with cloud SLAs is not drawing a line between the cloud and your application, said Featherston. If a business develops an application in-house and then deploys it to the public cloud, IT must be able to distinguish potential infrastructure issues from application issues. This helps the organization determine whether the cloud provider -- or its own application design -- is responsible for degraded performance or other issues.

"Cloud infrastructure provides the ability to scale an application horizontally, but only if the application is architected to leverage that ability," said Featherston. If the application doesn't scale due to a design flaw, the vendor may still be meeting the SLA requirements.  

The first step an organization should take with a cloud SLA is understanding the uptime commitment, said Howard G. Zaharoff, an AV preeminent rated attorney at the Waltham, Mass.-based law firm Morse, Barnes-Brown & Pendleton, P.C.

"Saying [a cloud provider] will be up 99% of the time sounds good, but that actually means a lot of downtime -- too much for a mission-critical function," Zaharoff said, noting that 99.9% availability or higher is more acceptable.

Also, many providers' uptime commitments exclude preventive maintenance or remedial services. At a minimum, cloud users should make sure their provider conducts those tasks after-hours or during a time when their own businesses won't be affected. In addition, organizations should understand how providers will resolve any issues, and how they define "severity" levels.

"You don't want [a provider] to simply acknowledge the problem. There should be a tie-in to the cure -- like a response time of half-an-hour for the highest severity of service problem," Zaharoff said.

It's also important to remember that SLA terminology differs between providers, making it harder to compare and contrast them. Organizations should learn the definitions and terminology to make the right decisions.

Next Steps

Breaking down a cloud provider SLA

What to ask a cloud storage provider before signing an SLA

Lessons learned from cloud SLA horror stories

Cloud SLA gotchas to watch for

Your guide to evaluating a cloud SLA

Dig Deeper on Cloud computing SLAs