Making Cloud SLAs readily usable in the EU private sector
Any relationship starts with pre-assessing what one would like, why, when and with whom (for instance one or more CSPs), and so does the first Cloud SLA lifecycle phase, Assessment. This includes, for instance, gathering market intelligence, checking specific needs, offerings, CSPs and their performance, and setting up a business case.
Criteria to evaluate a Cloud Service's security attributes

| Category | Criterion | Question to ask the CSP |
|---|---|---|
| Authentication and Identity | Multi-Factor Authentication | Does the cloud service support authentication factors in addition to passwords, such as an SMS code or phone token? |
| | Anonymous Use | Does the cloud service provider allow anonymous access to the service? |
| | Identity Federation Method | What single sign-on methods does the cloud service provider support? |
| | Enterprise Identity | Does the cloud service provider support integration with enterprise directories or authentication providers? |
| Protection for Customer Data | Encryption of Data at Rest | Does the service encrypt data at rest in its databases, file systems or at the virtual machine layer? |
| | Encryption of Data in Transit | What mode of SSL or TLS does the vendor support for protecting data in motion? |
| | Data Multi-tenancy | Does the cloud service provider support a multi-tenant offering? |
| Internal Controls | Certifications | Which compliance certifications does the cloud service provider hold (e.g. SSAE16, ISO 27001, SOC2, PCI, HIPAA)? |
| | Data centre protections | What data centre protections are in place? |
| | User Activity Logging | Does the cloud service provider log end-user activities? |
| | Account Termination | What are the grounds for account termination with the cloud service provider? |
| | Data Retention | How long does the service store customer data after account termination? |
| | Data Sharing Policy | Does the service reserve the right to share customer data with third parties, and if so under what circumstances? |
| Past Performance | Known Breaches | Has the cloud service provider had a (publicly disclosed) breach in its service? |
| | Known Malicious Use | Is the cloud service provider known to have (publicly disclosed) malware hosted on its site, or known to be a drop zone for malicious code? |
| | Penetration Testing | Does the vendor perform penetration testing on a regular basis? |
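As an added example (not from the original page or any CSP's material), the criteria in the table turned into a scored assessment of two constructed offers: answers that fail a mandatory criterion reject the offer outright, the rest only lower its score. The thresholds, the mandatory flags and the offer values are assumptions for the example.

```python
# Score constructed cloud service offers against the criteria in the table.
# MIN_TLS, MAX_RETENTION_DAYS, REQUIRED_CERTS and the "mandatory" flags are
MIN_TLS = (1, 2)                # assumption: accept TLS 1.2 or newer in transit
MAX_RETENTION_DAYS = 90         # assumption: purge data within 90 days of termination
REQUIRED_CERTS = {"ISO 27001"}  # assumption: must-have certification

def tls_ok(version: str) -> bool:
    """'TLS 1.2' -> True; 'TLS 1.0' and any 'SSL x.y' -> False."""
    proto, _, num = version.partition(" ")
    if proto != "TLS":
        return False
    major, minor = (int(x) for x in num.split("."))
    return (major, minor) >= MIN_TLS

# (criterion from the table, predicate over an offer dict, mandatory?)
CHECKS = [
    ("Multi-Factor Authentication", lambda o: o["mfa"], True),
    ("Anonymous Use", lambda o: not o["anonymous_access"], True),
    ("Enterprise Identity", lambda o: bool(o["federation"] & {"SAML", "OIDC"}), False),
    ("Encryption of Data at Rest", lambda o: o["encrypt_at_rest"], True),
    ("Encryption of Data in Transit", lambda o: tls_ok(o["transport"]), True),
    ("Certifications", lambda o: REQUIRED_CERTS <= o["certs"], True),
    ("User Activity Logging", lambda o: o["user_logging"], False),
    ("Data Retention", lambda o: o["retention_days"] <= MAX_RETENTION_DAYS, False),
    ("Data Sharing Policy", lambda o: not o["shares_with_third_parties"], True),
    ("Penetration Testing", lambda o: o["pentest_interval_months"] <= 12, False),
]

def assess(offer: dict) -> dict:
    """Return passed/failed/blocking criteria; an offer with any failed
    mandatory criterion is rejected regardless of its overall score."""
    results = [(name, pred(offer), mandatory) for name, pred, mandatory in CHECKS]
    passed = [n for n, ok, _ in results if ok]
    blocking = [n for n, ok, mandatory in results if mandatory and not ok]
    return {"passed": passed, "failed": [n for n, ok, _ in results if not ok],
            "blocking": blocking, "acceptable": not blocking,
            "score": len(passed) / len(CHECKS)}

# Two constructed offers (not real providers) with answers to the questions.
OFFER_A = dict(mfa=True, anonymous_access=False, federation={"SAML", "OIDC"},
               encrypt_at_rest=True, transport="TLS 1.2", certs={"ISO 27001", "SOC2"},
               user_logging=True, retention_days=30, shares_with_third_parties=False,
               pentest_interval_months=6)
OFFER_B = dict(mfa=False, anonymous_access=False, federation=set(),
               encrypt_at_rest=True, transport="TLS 1.0", certs={"SOC2"},
               user_logging=False, retention_days=365, shares_with_third_parties=False,
               pentest_interval_months=24)
```

`assess(OFFER_B)` rejects that offer and names the three mandatory criteria it fails (MFA, TLS version, certification), while `assess(OFFER_A)` accepts it with a full score.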
Providers are paying increasing attention to customer support. The offer of 24/7 support is a differentiator used by leading Cloud Service Providers, with AWS leading the trend. Leading cloud providers are marketing powerhouses with clear and compelling marketing messages and examples of users. They also offer free trials and 24/7 support. The users cited typically come from large organisations, both large companies and public administrations/authorities (usually presented with logos, but also through testimonials).
Smaller Cloud Service Providers are also now offering a similar service. In most cases, the free trial is a core part of the marketing message. It is, however, important to note that this support applies exclusively to the operational phase of the lifecycle. The only support in the earlier phases is a free trial.
Service, network costs and security
Factoring in types of service, network costs and security: the very different public Cloud pricing models make direct comparisons difficult and increase the risks on the customer side. Some Cloud Service Providers charge for network traffic; some do not. Some charge for replication services, and some provide it as a standard feature. Understanding the pricing model of each public Cloud contender will constitute most of the work when comparing prices, cost differences and which services are delivered.
The actual price of the service is only a single data point. The low price will lose its value if the service chosen does not meet expectations. The customer also risks paying more than necessary. Put simply, if the Cloud service does not fit the customer requirements, it is not right at any price.
In order to have a better idea of the final Cloud service price tag, prospective customers of a Cloud service need to factor in the type of service, network costs and security. What does the Service Level Objective tell us about the types of service, charges for network traffic, security and management?
Market structure and Cloud pricing models
The Cloud service market is currently price driven. CSPs have very different approaches to Cloud pricing models, and price cuts take place on a regular basis among the top Cloud Service Providers. According to Business Insider, AWS dropped prices 8% from October 2013 to December 2014, while Google and Microsoft cut prices 6% and 5%, respectively, in the same period; other Cloud providers, such as Rackspace and AT&T, lowered their prices even more.
Work being done by 451 Research through its Cloud Price Index (CPI) provides key insights into the market forces behind cloud pricing models. The CPI tracks the complex pricing models of both public and private clouds, analyses the total cost of ownership (TCO), and gives insights into the "golden ratios" that determine when private cloud or public cloud becomes the better option. A 451 report on the CPI published in July 2015 looks at where the real reductions are taking place and the possible drivers behind them. According to the report, cost reductions are concentrated in compute, with a 4% price drop since October 2014. This is primarily a marketing ploy, with CSPs seeking headlines, publicity and market share in exchange for regular price cuts.
Little has changed in other cloud services, e.g. storage, managed services and support. In real terms, this means that margins are eroding on compute and the underlying cost base, but CSPs still have a wide range of services from which they can derive new revenue and differentiate. Cloud Service Customers can make greater savings by committing: best-case pricing has fallen 12% since last October. However, it is important to keep pace with the market price of the basics and to use them as a foundation for up-selling higher-margin, value-added services. The overriding conclusion is that existing and prospective CSCs need neutral advice about cloud pricing.
Standards and Certifications
Trust in cloud computing and services is fundamental to increasing cloud adoption across the European Digital Single Market. The European Cloud Computing Strategy and the Digital Single Market aim to work towards a common understanding of best practices in Europe, for example on security and data protection. This is needed to raise confidence and create trust for cloud adoption by customers, businesses and public sector organisations throughout all sectors of the economy.
Standards and security certification schemes play a key part in building trust, helping prospective customers to compare cloud service offers more effectively, including from a security point of view.
Trust is increasing in importance as more and more mission-critical workloads move to the cloud. It is vital that companies have confidence in the ability of their cloud service to support the needs of their business, while also providing value for money.