Making Cloud SLAs readily usable in the EU private sector
SLA-Ready new Use Cases
Fintech Early Stage Seeking IaaS
Many start-ups and SMEs are active in the Fintech industry (where financial services meet new technologies and business models) with an operational and business plan to develop and offer cloud-based services to their customers and end-users. For this, most will consider procuring either IaaS or PaaS from Cloud Service Providers (CSPs) that offer these cloud services, and will use them as the basis on which to develop, run and market their own Platform as a Service (PaaS) or Software as a Service (SaaS). This Use Case focuses on a Fintech company procuring Infrastructure as a Service (IaaS) from a major IaaS CSP.
User Type: SME
User Maturity: Novice
Cloud Service lifecycle phase: Acquisition
Cloud usage: App on a Cloud, Processing Sensitive Data, Data Integrity, High Availability
Small Public Administration using Governmental Cloud
In 2013, the Government of Estonia took the first steps to deploy a Governmental Cloud with three main principles guiding its development:
» Using Cloud solutions located within Estonia’s national borders,
» Using international private Cloud resources, and
» Using Data Embassies (cloud storage).
The Estonian government has built the foundation of a highly developed information society, and its ICT development has taken Estonia to a stage where many registers and services only exist in digital form. This development requires a flexible and secure Governmental Cloud solution, and sufficient flexibility has to be planned in advance. The State Infocommunication Foundation, which is responsible for the consolidation of server resources and the provision of high-quality server hosting services within Estonia’s national borders, leads the Governmental Cloud development. The Estonian Public Administration (PA) is the main cloud customer of the national Governmental Cloud. In some cases PAs are provisioned with IaaS resources (e.g. virtual machines); PAs also provide Governmental Cloud-based services to citizens. The Governmental Cloud system does not store personally identifiable data.
User Type: Government
User Maturity: Experienced
Cloud Service lifecycle phase: Operation
Cloud usage: App on a Cloud, High Availability, Data Integrity
SME for using SaaS
ConsultLess is a small consultancy firm in the EU with 20 employees (mostly legal and management experts). One of the employees is a partner and also the Chief Information Officer (CIO) of the firm. ConsultLess decides to procure office software as a service (SaaS) for use by its employees: the cloud service offers document storage/editing, email and calendar. This cloud service should replace an internal mail server and office software installed on computers.
User Type: SME
User Maturity: Novice, Basic
Cloud Service lifecycle phase: Acquisition
Cloud usage: App on Cloud, Processing Sensitive Data, Data Integrity
SME migrating from one SaaS CSP to another
An SME must put in place the technical processes and considerations needed to distribute educational material for new products to its agents. Given the network traffic this process may generate, it is necessary to rely on Cloud services.
User Type: SME
User Maturity: Basic, Experienced
Cloud Service lifecycle phase: Operation
Cloud usage: App on a Cloud, Data Integrity, High Availability
Cloud Brokering: Cloud Chargeback and Showback
A Cloud Service Customer (CSC) uses the services of a Cloud Broker to select the Cloud Service Provider (CSP) that fulfils its specific requirements. The Broker implements a service catalogue encompassing services from multiple CSPs. In addition, the catalogue clearly outlines charges for the various resources that can be provisioned. The CSC makes a selection and the Cloud Broker seamlessly provisions the requested resource from the appropriate CSP through their API or other interface using their native commands. At the same time, the Broker handles the chargeback to the CSC’s organisation, if appropriate.
User Type: SME
User Maturity: Novice
Cloud Service lifecycle phase: Acquisition
Cloud usage: App on a Cloud
SME using IaaS/PaaS
EasyAgriSelling is a small tech start-up in the EU which has developed online web shop software (as a service) for farmers who would like to start selling their vegetables and other products directly. Their slogan is: “Selling your agricultural produce to consumers, made easy”. Farmers can set up an online shop in a few clicks, customising their shop with a logo, colours and a description of their farm. EasyAgriSelling operates a pay-as-you-go model, charging no monthly fee and only charging its customers when products are sold. EasyAgriSelling is a SaaS provider and at the same time a cloud service customer, building its product on a cloud provider that offers it IaaS and PaaS. The SaaS platform runs on top of the IaaS/PaaS platform.
User Type: SME
User Maturity: Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on a Cloud, High Availability
SME video storage and streaming from the Cloud
A financial investment company is launching new investment products to its agents and affiliates. A number of videos have been created to teach the company’s agents and affiliates about the benefits and features of the new products. The videos are very large and need to be available on demand, so storing them in the cloud lessens the demands on the corporate infrastructure. However, access to those videos needs to be tightly controlled. For competitive reasons, only certified company agents should be able to view the videos. An even stronger constraint is that regulations require the company to keep product details, including the videos, confidential during the quiet period before the launch of the product. The company’s decision is to use a public cloud storage provider to scale the secure hosting and streaming of the videos. The cloud solution must control the videos with an auditable access control mechanism that enforces the company’s security policies.
User Type: SME
User Maturity: Novice, Basic
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on a Cloud, High Availability
Cloud-based Development and Testing
An online retailer needs to develop a new Web 2.0 storefront application, but does not want to burden its IT staff and existing resources. The company chooses a cloud provider to deliver a cloud-based development environment with hosted developer tooling and a source code repository. Another cloud provider is chosen to provide a testing environment, so that the new application can be exercised against many different types of machines and very large workloads.
User Type: SME
User Maturity: Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on a Cloud, Data Integrity, Cloud Bursting, High Availability
Logistics and Project Management in the Cloud
A small construction company with approximately 20 administrative employees needed a way to manage its resources, optimise project scheduling and track job costs. The company had very specific requirements that no commonly available system addressed, so it used a combination of QuickBooks and spreadsheets. This system was not elastic and wasted a great deal of human effort. The solution was to build a custom client-side application. All of the business logic resides on the client (company) side. Data for the application is served from a Google App Engine (GAE) datastore. The datastore does not enforce any schema other than an RDF graph, although it does host an RDF-OWL ontology. The client uses that ontology to validate data before displaying it to the user or sending it back to the GAE.
User Type: SME
User Maturity: Novice
Cloud Service lifecycle phase:
Cloud usage: App on a Cloud, Data Integrity
Local Government Services in a Hybrid Cloud
There are more than 1800 local governments across Japan, each of which has its own servers and IT staff. A secondary goal of the Kasumigaseki cloud is to provide a hybrid cloud environment. In addition to the Kasumigaseki cloud, the Japanese central government has decided to group local governments at the prefecture level. Each prefecture will have a private cloud and a connection to the Kasumigaseki hybrid cloud. Internal tasks and some data will be hosted in the prefecture’s private cloud, while other data will be stored locally. Wherever possible, existing systems will be virtualised and hosted in the Kasumigaseki cloud.
User Type: Government
User Maturity: Expert
Cloud Service lifecycle phase: Operation
Cloud usage: App on a Cloud, Cloud Bursting
Payroll processing in the Cloud
The organisation decided to see how practical it would be to run the payroll process in the cloud. The existing payroll system was architected as a distributed application, so moving it to the cloud was relatively straightforward. The payroll application used an SQL database for processing employee data. Instead of rewriting the application to use a cloud database service, a VM with a database server was deployed. The database server retrieved data from a cloud storage system and constructed relational tables from it. Because of the size of the original (in-house) database, extraction tools were used to select only the information necessary for payroll processing. That extracted information was transferred to a cloud storage service and then used by the database server. The payroll application was deployed to four VMs that run simultaneously; those four VMs work with the VM hosting the database server. The configuration of the payroll application was changed to use the VM hosting the database server; otherwise the application was not changed.
User Type: SME
User Maturity: Novice
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on a Cloud
CSP SPECIFYING CARVE-OUTS IN ITS CLOUD SERVICE TERMS
Since there is so much to think about while choosing, selecting and procuring cloud services, and even though the SME is aware that carve-outs are the part of the cloud SLA where the CSP further limits or excludes its responsibility and liability, assessing, understanding, discussing and negotiating these with the CSP is not always the highest priority. When an incident happens, it turns out that the CSP has defined the ‘force majeure’ carve-out very broadly, so that all influences of third parties are excluded, even of those the CSP itself procures in order to provide the cloud services. In such a case the SME usually expects the incident to be within the control of the CSP, but is often unable to claim any recourse: the CSP merely refers to the general carve-out in the applicable SLA.
User Type: SME
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on Cloud
CSP CHANGING SLA AT OPERATION TIME
An SME has built its own SaaS on the PaaS infrastructure of a major CSP. The SME provides its SaaS to its customers under its own Master Service Agreement, Terms and Conditions and SLA. However, the SaaS SME did not notice that the PaaS CSP is contractually entitled to unilaterally change the PaaS service offerings and the conditions in the SLA, since the SME ticked the box while registering online without taking the time to assess the SLA and related terms. The CSP has now invoked this right to lower the uptime and level of redundancy. As a result, the SME’s SaaS cloud services cannot meet the service level it has granted to its own customers. Migrating the application to the PaaS of another CSP would be a very time-consuming and costly task. Roles: the Cloud Service Provider as PaaS Provider, the SME as Cloud Service Partner and the SME’s customer as Cloud Service Customer.
User Maturity: Novice, Basic
Cloud Service lifecycle phase: Operation
Cloud usage: App on Cloud, High Availability
CSP PROVIDING SERVICES UNDER DIFFERENT REGULATIONS
A choice of law clause is a contract term in which the parties specify that any dispute arising under the SLA shall be governed by the laws of a particular jurisdiction. Since most major CSPs have their headquarters in the United States of America, many of them have designated the law of the state in which they are headquartered as the law governing the agreement. The SME did due diligence on which CSP would best fit its SaaS and business ambitions with regard to the IaaS provided, but did not notice the choice of law governing the SLA. As the SME provides SaaS to end-users who are consumers in the EU member state where it is based, it is obliged to provide the services under the laws of that member state, including consumer rights provisions. The supply chain is therefore not workable for this SME, as it cannot hold its IaaS supplier accountable or responsible if certain issues arise. The SME bears the full liability towards its end-users without any recourse, which has happened several times for this SaaS SME.
User Maturity: Basic, Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on Cloud, Processing Sensitive Data
CSP PROVIDING DATA SERVICES FOR THE HEALTH SECTOR
This use case concerns an SME in the Health Sector that has built its SaaS application on IaaS/PaaS from a CSP. Anyone in the health sector has to comply with mandatory sectoral standards and needs to hold certain certifications. Furthermore, since this SME processes sensitive personal data, it also needs to encrypt the data in light of the applicable personal data protection regulations in the EU. Even though many CSPs have such specific certifications, encryption options and back-up options, in most cases the layers of the provided IaaS/PaaS where the customer of the SaaS CSP processes its sensitive and other data do not fall under these certifications, nor are encryption and back-up applied there by default. This SME made the mistake of trusting that the provided certifications applied to that use, where they do not.
User Maturity: Novice, Basic
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: Processing Sensitive Data, Data Integrity
AN SME TERMINATING A CONTRACT WITH A CSP
The case is simple, and will happen to all CSCs: an SME wishes to terminate the MSA with a CSP, and only then starts thinking about whether and to what extent the CSP will delete its data, after the SME has extracted and exported that data as far as possible. This SME, like others will, finds out that nothing has been arranged for, and is left in the dark.
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: Processing Sensitive Data, Data Integrity
CSP MIGRATING DATA BETWEEN DIFFERENT JURISDICTIONS
Since each country, both within the European Union and outside it, has different laws and regulations regarding personal data protection, the location where the SME is active is relevant, as is the location of the CSP’s servers. This case concerns an SME active in a dozen countries that wishes to migrate its HR data, which is almost 100% personal data, to cloud services. In some jurisdictions such HR data is even specifically regulated by law. If an entity of the SME is based in Russia while the headquarters is within the European Union, local law does not allow personal data, including HR data, to be stored outside Russia. The CSP’s server should therefore be based in Russia, and in some cases the CSP will cooperate with a local data centre, with a back-up copy stored at a data location in the European Union. This is not only relevant for Russia; the same applies to Germany, for example. This SME segmented the data in advance and, together with its legal counsel, designed where which data is to be stored and what back-up mechanisms should apply, and successfully opened the dialogue with the relevant CSP.
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: Processing Sensitive Data
CSP PROVIDING DATA PORTABILITY: VENDOR LOCK-IN OF SAAS CRM APPLICATIONS
A European SME that formerly used a CRM SaaS to keep track of its customer relationships and sales cycle wanted to move certain parts of its data to another account in the same CRM SaaS and, when that did not work out, to move that data to another CSP. This in turn requires the ability to migrate data between different environments or providers. However, the former CRM SaaS did not specify anything on data portability, data format, exactly which data could be migrated and which could not, or whether metadata would be included. The SME settled for getting part of its data out in a structured, workable way; the remainder could not be extracted or otherwise exported in a suitable way, so that data and the related analytics were essentially lost.
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Operation, Termination
Cloud usage: App on a Cloud, Cloud Bursting, Processing Sensitive Data
SME LOOKING FOR INFORMATION SECURITY INCIDENT MANAGEMENT
Having an above-average awareness of security breaches in its sector, the financial services industry, this SME is quite concerned about keeping its data safe while also complying with current and upcoming regulation. With all the news coverage of security incidents, every SME should be keen on the management of those incidents, and this SME actually is. Besides that, new regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive, with their dauntingly high penalties, are a trigger as well. However, it is not easy for the SME to obtain from the CSP the in-depth information it needs to assess the risks: how breach notification is taken care of, to what extent and how fast, and how incidents are managed and repeat incidents avoided.
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on a Cloud, Processing Sensitive Data, Data Integrity
CSP ALLOWING DATA ACCESS FOR LAW ENFORCEMENT
This use case comes from an SME CSP that is quite advanced and knowledgeable about data access requests by authorities, and it is worth considering the do’s and don’ts. Most CSPs do not know what to do when a government authority requests access to data, and may give the authority the wrong access without assessing the request. Generally, the scope of formal access requests is too broad rather than detailed, because the authority does not yet know exactly what kind of data it needs. However, fishing by government authorities is not allowed. CSPs need to check the scope of the access request and should provide as little information and access as possible, keeping in mind the contractual, ethical and trust relationship they have with their CSC. A CSC expects a CSP to stand up for the rights of the CSC. Furthermore, if a CSP gives access within the scope, it should not cause more data protection infringements than strictly necessary. Any CSC, SMEs included, should request a detailed data access policy from the CSP itself, with its processes and consequences.
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Operation, Termination
Cloud usage: App on a Cloud, Processing Sensitive Data
SME MIGRATING TO IAAS WITH SEVERAL DURATION PERIODS IN THE AGREEMENT
This SME is migrating its infrastructure to the IaaS of a major CSP. Being a software company itself does not necessarily mean having the necessary knowledge for migrating to the SaaS. And, to start with, in order to make a good proposal and business model based on subscription fees, this SME needs to know what different duration periods are applicable, and what their financial, technical and operational consequences are. In this case, for example: (i) the MSA is for an indefinite period and starts on the day of signing; this is the first duration period. (ii) The MSA is effective at the moment of signing, but only after implementation of the SaaS in general and then deployment for a customer will a user be able to access the SaaS; on that date the one-year subscription between the SME and its customer starts. This is the second duration period. (iii) The subscription is based on actual use of content, which means that the duration of use is shorter than the duration of the right to access. Two more for this use case are (iv) the data retention period during which the CSP is required by law to retain certain data, and (v) the period during which the SME and its customers are entitled to extract and export data.
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Acquisition, Operation, Termination
Cloud usage: App on a Cloud, Cloud Bursting
SME SETTING UP ITS OWN HYBRID CLOUD ECOSYSTEM
This SME is a small start-up but envisions becoming number 1 in its market, globally. It will need cloud services to do so, and for various technical, business, risk mitigation and risk reasons it is architecting a hybrid ecosystem in which several major as well as niche CSPs will be involved. However, all CSPs define their definitions and legal terms differently, which makes it hard to create a clear picture of what rights and obligations the SME has towards each CSP, and what rights and obligations it can arrange with its own customers and end-users. Analysing legal documentation about cloud services, such as SLAs, from A to Z is quite cumbersome and consumes time and resources; CSPs even use different quantitative attributes, metrics, measurements and remedies. The SME feels that some CSPs prefer to keep their applicable documentation less transparent than their customers wish for, although the CSPs would be able to do so. Getting to the bottom of Master Service Agreements, SLAs and other contractual arrangements is time-consuming, and an SME, especially a start-up, does not have those resources. This will lead either to delays in its business plans or to wrong decisions that will be very costly in a later phase.
User Maturity: Novice, Basic, Experienced
Cloud Service lifecycle phase: Acquisition, Operation
Cloud usage: App on a Cloud, Cloud Bursting
