It's one of the most important documents you sign when starting a cloud deployment with a public vendor: your service-level agreement (SLA). But a leading tech lawyer says customers can get burnt by their provider if they're not careful.
The first thing to remember about a cloud SLA is that it takes two to tango, says Michael Overly, a partner in the IT and Outsourcing Group in the Los Angeles office of Foley & Lardner LLP. "Everyone's expectations have to be set properly," says Foley, who has worked on both sides of the issue, having represented both customers and vendors in crafting SLAs.
The larger the contract, the more opportunity there is for negotiating the SLA. But generally, by the very nature of the public infrastructure-as-a-service (IaaS) cloud, many providers have generic service offerings, which allow the vendors to offer low prices. To the extent that a customer wants a customized offering, the price will generally rise. Customers of public cloud offerings should not expect customized services made specifically for them. If they're looking for that, there are managed hosting or colocation services.
Meanwhile, cloud providers need to take customer concerns into account. Foley says the cloud companies that listen and respond to customer concerns will be the ones succeeding long-term. Even if expectations are set, he says there are a variety of issues that can pop up during the SLA negotiation and after the document is signed. Foley has five tips to make sure businesses don't get burnt:
Where in the world is my data?
"It's becoming an increasingly difficult question to answer, and that makes a lot of people uncomfortable," Overly says. Some users need to know where their data is physically located for compliance or security reasons, particularly customers in the healthcare and financial industries. But there's a give and take: In an effort to guarantee highly available services, providers may spread data out across multiple sites as a disaster-recovery measure. But when data crosses borders into another country, different laws apply to who has access to the data and what it can be used for.
The burden remains on the customer to ensure they stay compliant with security certifications, Overly says. Some providers, such as Amazon Web Services, allow customers to dictate where their data is stored. It's not just about where the company's data centers are, though; it's also important to ask who can access that data. If a support center is located outside the U.S. and they have copies of the customer data to provide support, the data may be going overseas without customers knowing it.
Overly says it's all about questioning your provider if these answers are not outlined in the SLA. There are a variety of end-user "self-help" solutions, Overly says. Customers can encrypt data that's put in the cloud and hold on to the keys, for example. Or, they can choose to not store personally identifiable information (PII) in the cloud and keep that on their own premises instead.