Making Cloud SLAs readily usable in the EU private sector

Finding a common vocabulary & understanding of Cloud SLAs for SMEs

Key findings from the SLA-Ready Impact Workshop

15th December 2016, Brussels Belgium

Trusted and transparent cloud SLAs are an essential piece of the objectives of the Digital Single Market (DSM). Cloud computing is a key enabler for new technologies such as IoT and data science. As more and more companies wake up to the opportunities to innovate that such technologies afford them, it will be vital that they make informed decisions, in particular when signing cloud contracts and Service Level Agreements (SLAs). Trusting your provider will become a necessity if confidence in cloud computing is to grow.

SLAs are key components in defining cloud services, but unfortunately they are the least understood cloud attribute. Companies, in particular SMEs, struggle with complex language and terms of service (technical and legal). There is also a lack of widely accepted standard frameworks, vocabularies, and much uncertainty as to what is regulated, who is responsible and which laws actually apply.

There is a clear need for greater maturity both from a provider and customer perspective. It is vital that Cloud Service Providers (CPS) provide Cloud Service Customer (CSC) with a clear picture of the services that they are purchasing. Going back to basics and having common definitions for SLAs is key if cloud SLA are to become truly trusted.

Since the start of 2015, the SLA-Ready project has contributed to the definition of best practices and services supporting customers in understanding complex concepts and legal terminology. Funded under the European Commission’s Horizon 2020 programme, SLA-READY has published a Marketplace of readily available services and tools such as the SLA-Aid, a substantial set of use cases and the SLA Repository for both CSPs and CSCs. The one-day workshop held in Brussels in December highlighted both how the outputs of SLA-Ready has benefitted the SME and scientific communities and also identified future steps necessary if greater transparency and clarity is to be achieved in cloud SLAs.

So what’s behind SLA-Ready’s user-friendly services which look to improve knowledge of cloud SLAs for both CSPs and CSCs?
Well first of all, it’s all about finding a common language for CSPs and CSCs to communicate. This can be achieved through the adoption of standards making it easier for CSCs to compare cloud SLAs and get answers to specific questions regarding issues such as response time and uptime of services. Currently, this information is not readily available and even finding an SLA on a providers’ website can be challenging.

SLA-Ready has created a Common Reference Model for Cloud SLAs to create a common understanding of SLAs and their attributes, and encourage standardisation on the part of cloud service providers. The Common Reference Model integrates a set of essential SLA components, such as common vocabularies, SLO metrics and measurements. The 30 elements of the model are based on a set of common user requirements and are aligned with recognised standardisation initiatives, to which SLA-Ready has contributed. The resulting good and best practices therefore become a multi-stakeholder reference point:

  • Cloud service providers benefit from understanding the most important customer requirements along the cloud service life cycle, and particularly major concerns and difficulties
  • Cloud customers, especially SMEs with little or no bargaining power, have valuable access to best practices and legal guidance, addressing concerns that are key to building confidence and trust and therefore uptake of services.
  • Cloud customers with the possibility to negotiate contracts (e.g. financial institutions, governments) have access to CRM guidelines on which to base terms and metrics on issues reflecting key market concerns. They can also help raise awareness of security and privacy issues and ultimately enable them to filter down to standard contracts.

The Common Reference Model is a good starting point to what should become a standard practice. Through standards it will become much easier for SMEs, and in particular cloud re-sellers, to see where they are standing in terms of respecting the law. With standards in place, trust in cloud services can grow.

Mobile phones and tablets are now used more than desktops to access Internet as business and habits change. SMEs are adapting to this new reality and cloud services are providing amazing opportunities for businesses to be agile allowing them to adapt business plans to changing circumstances. Through a series of workshops targeting European SMEs we’ve seen real examples of SMEs such as Parking Plus and HyperMedia who are now able to provide services that were unthinkable before the advent of cloud computing.

 

SLA-Ready has offered a practical guide to the entire cloud service life cycle, facilitating customers in making a comprehensive assessment of all potential risks from the very beginning. The SLA Aid is an online tool available to CSCs. It provides them with a customised checklist and roadmap for their adoption of cloud services. Most importantly, it puts the focus on the acquisition phase as the most critical one in the lifecycle to ensure customers scrutinise and compare contracts and carry out a proper assessment of obligations, risks and responsibilities, from service set-up to termination.

The SLA Marketplace can play an instrumental role in helping SMEs, and organisations of all kinds for that matter, in understanding where one should look or what one should check either before engaging or during the implementation of cloud service agreements.” stated Andrei Kelemen, Executive Director, ClujIT.

 

The SLA Aid plays a key role in breaking down entry barriers to cloud adoption by accelerating the time it takes to improve SME customer knowledge. “With SMEs making up the majority of the cloud market, such access to information is a key enabler which is usually the reserve of expensive consultants”, according to Peter Weber from the Slovenian National Trade Association ITAS. Frank Bennett, iCloud Ltd and Deputy Chairman and Member of Governance Board Cloud Industry Forum (CIF) also sees the benefit for both CSCs and CSPs stating “The SLA Aid is appropriate to both customers and providers, and as someone who has built a SaaS business and needed to offer a SLA, I only wish I had had this kind of support.

The focus on security and compliance can also help address the lack of expertise in assessing a provider’s security measures. With security high on the agenda Andrei Kelemen pointed out that “more and more larger providers need to introduce policies which encourage customers to look into security and SLAs and provide feedback on their needs. This needs to become the norm” It is important to note though that the CRM is not a vehicle of assurance such as a certification, rather the establishment of a set of common user requirements.

A core activity within SLA-Ready has been to increase trust and transparency in cloud SLAs by supporting both the definition of cloud SLA standards and also in supporting CSPs in assessing their own cloud SLAs in order to help create a culture of trust and transparency for CSPs.

The SLA-Aid and SLA Repository can benefit CSPs in helping them to understand the most important customer requirements along the cloud service life cycle, and particularly major concerns and difficulties. CSPs can easily assess just how transparent and easy to use their SLA is from a customer perspective. Be it an SME or a procurer of cloud services such as the HN Science Cloud, SLA-Ready outputs can be used in different contexts for vetting SLAs.

During its brief lifetime, SLA-Ready has laid the foundations for creating a culture of trust amongst CSPs. We have seen a real intention of CSPs to complete the self-assessment questionnaire and a willingness to publish their results in the SLA repository.

However, we have only touched the tip of the iceberg. For greater transparency from providers it is vital that they feel comfortable enough with sharing the information that they have on the elements of the CRM and their own self-assessment based on what are a set of user requirements.

Large providers recognize the importance of responding to customer needs. Alex Li, Principal Standards Analyst, Microsoft highlighted the effort that his organization has put into actively engaging with their customers to refine and improve services based on feedback. However, the difficulty that large providers have is economies of scale. The whole point of cloud computing is to offer a shared infrastructure at a low price. Providing services which involve negotiation and meeting specialised requirements would not be economically viable for providers and would end up driving prices up for customers.

SME associations such as the Digital SME Alliance, ClujIT (Romania), CONETIC (Spain) and TechUK (UK) have already promoted the outputs of SLA-Ready to SMEs. Further support from decision making bodies is required though, in particular in implementing the best practices emerging from SLA-Ready into governance structures if the benefits of services such as the SLA-Aid are to be felt. One way forward for the future would be to introduce the effort SLA-Ready has achieved and make the services and tools part of national digital agendas. Members from the EuroCIOs responded to the tools and services produced by SLA-READY.

Chairman of the EuroCIOs board Freddy Van den Wyngaert and CIO of Agfa ICS suggested that: “End-user organisations like the ones represented by EuroCIO and National Bodies should also push their members to require such documents. It can also start by asking vendors to map their current SLAs within the SLA Model".

 

Through a set of workshops educating SMEs on SLAs and in particular legal issues, SLA-Ready has identified a key need for similar awareness raising activities which can disseminate new directives to people on the ground.

Indeed, there is much concern about the General Data Protection Regulationstrong> and its implications on SMEs who are data controllers or processors and who do not have the resources available for legal advice. They are rightly concerned and need more information on topics such as personal data. This can include a range of information, such as personal identifiers (e.g., IP addresses and HR data), customer lists and contact details, with both automated personal data and manual filing systems.

It also imposes restrictions on the transfer of data outside of the EU. Transfers largely require an individual's informed consent. Other key considerations in the GDPR that controllers and processors must be aware of include: the right to data portability (which allows citizens to move data from one Service Provider to another); the need to document operations (including categorization of the different types of data collected and time limits for erasing this); the right to be forgotten and the right to know when you are hacked (within 72 hours from the time a processor or controller becomes aware of a breach).

With many SMEs using data from different platforms, they are unsure if they are compliant. SMEs will have to re-look at contracts that they are engaging into and are currently ill-prepared for all the clauses linked to the various rules and regulations. Indeed, there is a real-need for simpler procedures. Simpler for providers to establish their terms; and simpler for customers to understand what they are signing up for.

George Ioannidis, Director of IN2 search interfaces development Ltd, summed this up succinctly, stating the need for providers to have “em<>a simpler way of expressing terms, in order to avoid 20 page documents that most people don’t read properly”. What is clear is that SMEs are ill-prepared for the GDPR and outreach workshops are key for educating SMEs on this topic. Legalese workshops and online resources such as those provided by SLA-Ready are key to helping SMEs overcome the language barrier when signing cloud contracts.

It’s not just SMEs who are facing challenges in understanding legal issues in cloud computing. Traditionally a pioneer in adopting new technologies, the research and scientific community is also recognising the immense and fast-moving opportunities that cloud as an enabler of data science and IoT brings. However, such speed and versatility is not mirrored when it comes to legal clarity of cloud services. If new communities such as SMEs or research and science are to truly benefit from what new technologies can bring then these obstacles need to be cleared before public organisations such as universities are put off and cloud adoption is judged to be unattainable due to administrative difficulties. Cloud providers have a key role to play in this process.

Carmela Asero, Policy Officer for the European Open Science Cloud at European Commission recognizes this challenge. “Although SLA-Ready has targeted mainly SMEs, the scientific community face very similar challenges in the Pre-Commercial Procurement of cloud services, especially in terms of contract details and common vocabularies”.

 

Both GÉANT and the HNScience Cloud are experiencing the importance of clarity and transparency in cloud SLAs. Bob Jones, leader of the HNSCiCloud, CERN commented on how SLA-Ready has contributed to this “SLA-Ready has allowed both CSPs and CSCs to identify the priority areas for our community, and as a result they have been able to have a dialogue with suppliers on placing more emphasis on these elements in their SLAs. Dialogue is key for both sides. Procurers, now have a better understanding of the areas where its customers need clarity. At the same time, we understand and respect that providers are running a business and need to meet their own targets”.

Andres Steijaert programme manager of cloud services at GÉANT also recognised the importance of SLA-Ready instruments to GÉANT community in order to help them assess and understand cloud SLAs. He went on to highlight the importance of identifying common requirements of scientific communities and exploring the opportunities for joint procurement which can reduce the price of the services.

In the era of digitalisation and in a hyper-connected global economy, cloud computing is an enabler in many industry sectors, from retail and smart manufacturing to smart agriculture. Cloud gives life-breathing properties to the many companies with no IT administrator in-house or skills to set up and manage servers and software, allowing them to scale up as their business grows. For medium-sized firms migration of new applications to the cloud can benefit from rapid upgrade cycles and low capital costs.

To boost wider adoption of cloud services by European SMEs, Andrej Kelemen, Executive Director, ClujIT, makes a very important recommendation:

“SLA-Ready plays a key role in helping SMEs in understanding exactly what to do before buying a cloud service, what to do when using it and what took look out for when closing the contract or switching to another provider. SLA-Ready should therefore be introduced in all national digital agendas of EU member states”.

 

Download the full report of SLA-Ready Impact Workshop to find more information.