Service Level Agreements (SLAs) have been an effective tool for managing IT service vendors for two decades now.  Many companies also use internal SLAs for managing relationships between departments. Service Level Agreements define the duties of both organizations. External SLAs also define penalties which occur when the service provider organization fails to provide the defined level of service.

Cloud computing represents a new playing field for SLAs. Cloud computing integrates far more deeply into an organization than traditional IT outsourcing, but at the same time it does not provide the same level of perceived trust as working with another department within the same organization. These factors combined make effective SLAs critical for successful cloud computing initiatives.

Cloud Computing SLA Essentials

If your business relies upon the services provided by your cloud computing vendor, there are essential topics which should be covered by a Service Level Agreement.

Availability – When does the application need to be available and how much down time is acceptable?  Does 9-5 Monday to Friday availability meet your business requirements or do you need 24*7 access to the application?  Is 99% availability acceptable or do you need 99.9% or even better? What is the cost to your business of an hour of downtime? Who will measure and report on availability and what methods will they use to do it?

Performance – How slow can the application be and still allow you do do business?  Cloud computing is a growing industry segment and this means that many service providers are oversubscribing their infrastructure.  Will 1 second of additional delay cause harm to your business?  What about 2 second?  At what point does the application performance become unacceptable? Who will measure and report on performance and what methods will they use to do it?

Security – What data does the application store?  How is that data secured?  Who has access to that data?  If the data includes customer information, there may be legal requirements in your industry (HIPAA, for example) to protect that data.  There may also be legal requirements based upon the jurisdiction of your company, your cloud provider, or your customer. Outsourcing data security to a cloud provider will not outsource legal responsibility in the case of a lawsuit resulting from a security breach.

Backup – How often is your data backed up?  How long are the backups kept?  How many generations of backups are kept?  Where are the backups stored?  What is the process for restoring from backup?

Data Export – If your organization decides to switch to another cloud provider or bring the application back in-house, what are the procedures for exporting data from the cloud?  What if your cloud computing vendor goes out of business before exporting your data?

Remedies – What happens when something goes wrong? This includes procedures to analyze failures and prevent recurrence and may also include specific monetary penalties for failures to meet the SLA requirements.

Creating an Effective SLA

Every decent cloud provider will have a boilerplate SLA agreement which they would like you to accept. If your use of the cloud is not mission-critical, it may be acceptable for you just to sign on the dotted line. On the other hand, if a failure of cloud creates a existential risk for your business, you should invest the time and effort into creating a truly useful SLA document.

Phrases to watch out for in a boilerplate SLA agreement include:

  • “scheduled downtime” (How much advance notice is given and how is it given? Can you veto a scheduled downtime?)
  • “You must submit a claim” (What is the process to submit a claim and how onerous is it? How much time do you have to file a claim?)
  • “We will evaluate all information reasonably available to us and make a good faith judgment” (The service provider is the final judge of their own service?)
  • “Due to factors outside our control” (Who decides what factors are outside the service providers control?)
  • “Caused by your use of a Service after we advised you to modify your use of a Service, if you did not modify your use as advised” (What if their advice is bad or not applicable to your business?)
  • “Service Credits are your sole and exclusive remedy for any performance or availability issues for any Service under the Agreement and this SLA.” (If a vendor is unusably bad, you get more service from them?)

These examples are from an actual boilerplate SLA used by a leading cloud application provider.  This isn’t an SLA that you would want to accept if any of the services provided are critical to your business. By working together with a quality cloud provider, you can craft an SLA that meets your business requirements while staying within your budget.