18 Apr 2018
Service Level Agreement and Governance for Cloud Computing
The contractual side of a service level agreement (SLA) and governance for cloud computing
In the world of information technology (IT), cloud computing has been the futuristic concept of modern computing for the last decade or more, and in the last few years it has become mainstream. However, amid all the buzz and the evolving techniques that information technology companies are developing and implementing, issues such as interoperability, insecurity, and accessibility represent some of the main questions every decision maker has to consider before signing a cloud service agreement. In addition, one key issue for every organization trying to make the big move to cloud computing is to provide governance for data that it no longer directly controls. In this research, I will try to illustrate the main ideas and practices of the contractual side of a service level agreement (SLA) and governance for cloud computing, highlighting a set of guidelines to assist organizations in defining and constraining the governance plans for data they are willing to move into the cloud.
Keywords: cloud computing, SLA, IT, contract, agreement, constraining.
Word count: 4000 words.
Cloud computing is the new era of internet evolution; the term usually refers to everything that involves delivering hosted services and data over the internet to companies, individuals and even other computing systems. The idea of cloud computing started in the 1950s, when large-scale mainframes were made available to schools and corporations (James, 2013). A few decades later, the concept came to life when it was adopted by some of the major technology companies, such as Google, Amazon and Microsoft, and commercial cloud computing started to take its place in the market. This new technology developed through a number of phases, including Software as a Service (SaaS), Grid and Utility Computing (GaUC), and Application Service Provision (ASP) (Arif, 2014). Nevertheless, as the concept developed, many issues and uncertainties such as security, interoperability, vendor lock-in, and compliance arose as obstacles to adopting this technology (North Bridge, 2013). These problems are familiar even from traditional Information Technology Outsourcing (ITO), and they are usually treated at the agreement level between the service provider and the customer.
The National Institute of Standards and Technology (NIST) defines cloud computing as follows: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” (Peter Mell, 2011). Moreover, in his book The Big Switch: Rewiring the World from "Edison" to "Google", Nicholas Carr describes how, a hundred years ago, the modern era of the power grid began when corporations started to join the grid, leaving behind the traditional power generator systems every company used to have in order to satisfy its need for electricity. That big transformation is very similar to today’s switch from traditional computing and data handling to the cloud. Despite all the unfamiliar concepts and the worries about security, the actual location of data and the stability of the services provided, companies will soon realize the emerging markets and services that cloud computing can offer. The main motivation behind cloud computing is mostly represented by the benefits this technology can offer its clients. Features like ‘Service on Demand’, usually with a ‘pay as you go’ billing system, and factors like highly abstracted and shared resources, instantaneous provisioning and scalability make cloud computing the next power grid transformation.
On the other hand, despite all the benefits and features cloud computing can offer, there are limits to its acceptance among enterprise companies because of the level of complexity and dependency these services can bring. Moreover, the data governance issues related to this technology represent some of the main difficulties the cloud computing market is facing right now. The European Network and Information Security Agency (ENISA) states that the client's responsibility for data governance is similar to the service provider's responsibility in the event of any data loss or corruption (Catteddu, 2009). This is because customers should be aware of the risks that using this technology might entail, and to encourage these companies to investigate further in finding more reliable providers. In addition, further risks might apply to any cloud computing environment, such as hacking attacks or unauthorized access to the actual physical data locations. The Journal of Information Technology Management categorized this type of attack into three main categories:
(Cochran & Witman, 2011)
In Information Technology Outsourcing, the specifications of the product or service to be delivered are usually drafted in a contract in the form of a Service Level Agreement (SLA). This agreement defines all the important and legal parts of the service between the service provider and the service recipients. The same concept can be applied to cloud computing, since most of the main parts of the agreement involve providing an information technology service. However, cloud computing includes many different ideas and concepts, and a cloud computing agreement has to address concepts and behaviors such as unknown physical data location, rapid scaling, lower upfront IT costs, and even different ways of paying for the service, such as monthly or annual subscriptions. In addition, in a cloud environment the services are usually hosted and owned by a separate party, and in most cases the owner of the application can be different from the owner of the server (Cochran & Witman, 2011).
These two terms are used in many other areas and in all types of contracts, agreements and forms, but the basic understanding of the two terms refers to the confidentiality of the agreement in general. Therefore, at the level of a service level agreement, a nondisclosure agreement usually means a confidentiality agreement. Margaret Rouse, in her article about nondisclosure agreements, defines an NDA as follows: “A non-disclosure agreement (NDA) is a signed formal agreement in which one party agrees to give a second party confidential information about its business or products and the second party agrees not to share this information with anyone else for a specified period of time.” (Margaret, 2005). Similarly, David V. Radack, in his article Understanding Confidentiality Agreements, defines a confidentiality agreement as follows: “Confidentiality agreements, are contracts entered into by two or more parties in which some or all of the parties agree that certain types of information that pass from one party to the other or that are created by one of the parties will remain confidential.” (David, 2014). From the two definitions, we can see that a confidentiality or nondisclosure agreement obliges all participating parties to protect, and never disclose, any of the information passed between the parties while building the service.
In general, the actual physical location of the server or the data in a cloud computing environment is not important from a technical point of view. However, from a legal point of view, a Service Level Agreement requires clearly identifying the actual location of the server(s) handling the data and services. Thus, in case of a security breach on the provider side, punishments or penalties could be issued through the provider’s local authority. If the breach results in the data being moved to an offshore location, however, the local government regulations might have no effect (Steele 2010). On the other hand, a civil case could be brought against the vendor or attacker in such cases. For that reason, defining the legal location is very important in a service level agreement, because it provides legal cover for the actual data that might get stolen or destroyed.
Software license restrictions are a very important factor in any Software License Agreement, because they might affect the main tasks of the whole system when software is stored on unknown devices or servers. This can happen because a software license is sometimes violated when the software is stored or hosted on remote hardware infrastructure. The side effects can include not being able to run the system, in whole or in part, because software licenses might have security features that link the software to a specific machine MAC address or processor serial number.
User-based exposures might occur when an end user posts data through a secure interface or website in the system: after the data is submitted to the main data server, it might pass through third-party communication systems or servers. During this stage, a security breach might occur in which data can be lost, stolen or disclosed. At this level, the Service Level Agreement examines what administrators have access to during the transmission stage. This point might cover different types and techniques for encrypting the data, or include the third-party providers in the agreement to ensure the security and safety of the data.
Integration and incorporation with cloud software as a service is one of the most important capabilities any cloud-based service has to offer. However, integrating these services with the organization’s internal system sometimes means giving them the possibility of becoming a part of the internal system. This can be an issue for the security of the internal system. Mathias Thurman, in his article Tightening Up SaaS Security, discusses how these concerns increase when the security of the SaaS is unidentified or unknown. This is because, when the internal system is integrated with the SaaS, the SaaS network becomes a part of the internal system, and at this level of integration any attacks or security failures on the side of the SaaS provider will put the local network at risk too (Mathias, 2010).
To illustrate the main parts and layout of a Service Level Agreement in a cloud computing environment, the following template, made by SLATemplate.com, shows the main parts, layout, and definitions of the Service Level Agreement content. A Service Level Agreement can certainly include hundreds of pages describing every single specification. However, for the sake of illustration, the following template represents the most important parts of an SLA for a cloud computing system.
Service Level Agreement (SLA)
Effective Date: 10-08-2010
Service Level Agreement
Name (Bob Smith)
Service Level Agreement Revised
Name (Dave Jones)
(By signing below, all Approvers agree to all terms and conditions outlined in this Agreement.)
Table of Contents
This Agreement represents a Service Level Agreement (“SLA” or “Agreement”) between Company name. and Customer for the provisioning of IT services required to support and sustain the Product or service.
This Agreement remains valid until superseded by a revised agreement mutually endorsed by the stakeholders.
This Agreement outlines the parameters of all IT services covered as they are mutually understood by the primary stakeholders. This Agreement does not supersede current processes and procedures unless explicitly stated herein.
The purpose of this Agreement is to ensure that the proper elements and commitments are in place to provide consistent IT service support and delivery to the Customer(s) by the Service Provider(s).
The goal of this Agreement is to obtain mutual agreement for IT service provision between the Service Provider(s) and Customer(s).
The objectives of this Agreement are to:
The following Service Provider(s) and Customer(s) will be used as the basis of the Agreement and represent the primary stakeholders associated with this SLA:
IT Service Provider(s): Company name. (“Provider”)
IT Customer(s): Customer (“Customer”)
This Agreement is valid from the Effective Date outlined herein and is valid until further notice. This Agreement should be reviewed at a minimum once per fiscal year; however, in lieu of a review during any period specified, the current Agreement will remain in effect.
The Business Relationship Manager (“Document Owner”) is responsible for facilitating regular reviews of this document. Contents of this document may be amended as required, provided mutual agreement is obtained from the primary stakeholders and communicated to all affected parties. The Document Owner will incorporate all subsequent revisions and obtain mutual agreements / approvals as required.
Business Relationship Manager: Company name
Review Period: Bi-Yearly (6 months)
Previous Review Date: 01-08-2010
Next Review Date: 01-12-2011
The following detailed service parameters are the responsibility of the Service Provider in the ongoing support of this Agreement.
The following Services are covered by this Agreement;
Customer responsibilities and/or requirements in support of this Agreement include:
Service Provider responsibilities and/or requirements in support of this Agreement include:
Assumptions related to in-scope services and/or components include:
Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services and related components.
Coverage parameters specific to the service(s) covered in this Agreement are as follows:
In support of services outlined in this Agreement, the Service Provider will respond to service related incidents and/or requests submitted by the Customer within the following time frames:
Remote assistance will be provided in-line with the above timescales dependent on the priority of the support request.
(SLA template, 2010)