Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

What to consider when negotiating a hybrid cloud SLA

Gina Murphy, Executive Vice President, TriCore Solutions | Nov. 27, 2014
There is nothing standard about hybrid deployments, so you need more than the usual one-size-fits-all SLA.

cloud SLA

Service Level Agreements (SLA) serve as a roadmap and a warranty for cloud services offerings. All cloud providers offer standard, one-size-fits-all SLAs that cover availably, performance, security, disaster recovery, response times, compliance and termination. This may be adequate for pure cloud applications, however standard SLAs fall short when it comes to hybrid cloud deployments.

There is nothing standard about hybrid deployments. Each one is different and inherently includes a higher level of involvement from IT. SLAs need to establish clear guidelines of engagement for both the enterprise and service provider. Unfortunately, not all cloud service providers are open or equipped to customize SLAs.

Given the uniqueness of hybrid implementations, securing them is a continuous challenge. The private cloud portion is secured and protected by the enterprise. Mission-critical applications and data are internally controlled, while less sensitive data and applications can reside in a public cloud. This approach enables a business to take advantage of the scalability and cost savings of cloud computing without exposing mission critical information to third-party vulnerabilities.

However, the networking between the private and public clouds needs careful consideration. This is where an SLA comes into play. The SLA should address three primary areas of risk:

* Data Who secures the link when data leaves the private cloud? There are privacy and integrity concerns associated with such data movement because the privacy controls in the public cloud vary significantly from the private cloud. When data is moved to the cloud, the enterprise loses governance over their data set. Once they move the data to the cloud, its safety typically becomes the responsibility of the cloud service provider. The SLA should address data custody, control, possession, and right of return.

* Compliance Enterprises still need to comply with regulations that pertain to data governance, even if data leaves the premise. SLAs need to clearly outline the service provider's obligation to be complaint with regulations such as Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA) for and the Payment Card Industry Data Security Standard (PCI).

* Audit SLAs should cover access to documented proof necessary to demonstrate compliance to an auditor and who pays for the service provider's time during an audit.

Where's my data?

When data leaves the private cloud, it is likely that it will be stored in multiple data centers for high availability and for business continuity, or may transverse multiple clouds. Regional or industry-specific regulations may require that some data remains in a set physical or geographic location. You also need to make sure you can recover and restore your data. The SLA should address the following:

  • Where is the data stored? Chances are your data will be stored in multiple geographic locations on multiple servers. It is important to know where your data is for compliance and disaster recovery reasons.
  • Will it leave the country? Different countries have different privacy laws that dictate how sensitive data is to be handled.
  • Who can access it? How are the data centers secured? Will the provider provide a copy of the security policies?
  • Is the data encrypted?
  • If a breach occurs, what are the provider's policies regarding disclosure. How long before you are notified? It is important to be able to ascertain clarity with respect to responsibilities and ownership -- especially in case of breaches and conflicts.
  • With downtime costs for mission critical applications ranging from $10,000 $70,000 per minute, the SLA needs to define how often the data is backed up, how long does it take to restore it, and from what point.
  • Cloning or refreshing a database can impact operations. One item to consider is negotiating the time it takes to complete a request to clone or refresh a database or application environment.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.