Making Cloud SLAs readily usable in the EU private sector
Use Cases
A core element of the SLA-Ready Common Reference Model is analysing SME and government use cases and comparing them with the current state of practice in the cloud computing industry. The use cases have been chosen as representative of common requirements and can be extended to other use cases reflecting the needs of specific SMEs interested in leveraging SLA-Ready's outcomes.
Fintech Early Stage Seeking IaaS
• AP: App on a Cloud
• SD: Processing Sensitive Data
• DI: Data Integrity
• HA: High Availability
(1) The Fintech Early Stage company and its customer (bank) as well as its customers are based in The Netherlands.
(2) Furthermore, FSI is highly regulated, including special requirements for vendors (including without limitation any CSPs), which include the right of the bank authority to audit the vendors in the respective supply chain.
(3) Personal data is involved, so data protection regulation and legislation are applicable as well. These three main legal criteria are known to this Fintech Early Stage company.
(4) Its prospective customers (banks) are known for their strict procurement, including information security requirements, and high level of expectation of service delivery.
(5) There are no particular needs on IaaS, except that it should be relatively (a) cheap and (b) easy to develop, exploit and maintain its own SaaS on top of the IaaS of the selected CSP.
Assessment. Without some reasonable assessment, it is impossible to procure cloud services. This holds for procurement in general, but it is especially relevant here because there are many types of cloud services, service models and deployment models, and even within the right category there is a lot of variety in offerings and terms. This Use Case shows that without diligence and proper assessment and pre-selection landscaping (which could be a bit less comprehensive than in the Use Case described above), even a reasonably informed CSC is not able to start procuring the right cloud services.
Small Public Administration using Governmental Cloud
• AP: App on a Cloud
• HA: High Availability
• DI: Data Integrity
• Using Cloud solutions located within Estonia’s national borders,
• Using international private Cloud resources, and
• Using Data Embassies (cloud storage).
The Estonian government has built the foundation of a highly developed information society, and its ICT development has taken Estonia to a stage where many registers and services only exist in digital form. This development requires a flexible and secure Gov Cloud solution. Sufficient flexibility has to be planned in advance. The State Infocommunication Foundation, which is responsible for the consolidation of server resources and provision of high-quality server hosting services within Estonia’s national borders, leads the Gov Cloud development. The Estonian Public Administration (PA) is the main cloud customer of the national Gov Cloud. In some cases PAs are provisioned with IaaS resources (e.g., virtual machines), but PAs also provision Gov Cloud-based services to citizens. The Gov Cloud system does not store personally identifiable data.
• Cloud Service Providers, which provision their services to the Gov Cloud according to the requirements specified by the Cloud Owner (Estonian Government), usually described in Service Level Agreements (SLAs) and other contracts.
• Cloud Service Customer: the Public Administrations using Gov Cloud services
This use case defines an additional actor, namely the Gov Cloud Owner, which refers to the organization that legally owns the Gov Cloud and defines policies and requirements. The analysis of this use case considers that the Gov Cloud Owner is the actor offering an SLA to the cloud customers (PAs). The offered SLA already takes into account the capabilities of the participating CSPs.
SME using SaaS
• AP: App on a Cloud
• SD: Processing Sensitive Data
• DI: Data Integrity
Compliance is a critical factor in this use case. Furthermore, some (not all) of the data stored and processed is sensitive, and data leaks could have a severe impact on the reputation/business of the firm.
• Cloud Service Provider, which provisions the storage/editing, email and calendar SaaS to ConsultLess. This is a public CSP.
• Cloud Service Customer: the ConsultLess SME using the CSP SaaS.
• Physical security of the cloud assets should be guaranteed by the CSP.
• Timely patching and updating, adequate backups, and security as a service are all required by ConsultLess.
• The CSP should demonstrate compliance through those certifications required by ConsultLess.
• ConsultLess wants to avoid vendor lock-in issues.
SME migrating from one SaaS CSP to the other
• AP: App on a Cloud
• SD: Processing Sensitive Data
• DI: Data Integrity
• HA: High Availability
Secondly, and regarding all 26 CRM requirements, the SME finds out that it does not have specific, tailored options suited to its needs for terminating the agreement with the CSP in a way that ensures the business continuity of that SaaS, provides the assistance needed to migrate process flows and data (including metadata where necessary) to another SaaS CSP environment, and adequately and cost-effectively winds down and discontinues the SaaS provided by the former CSP.
In short, the former CSP is in full control, and the SME has a very weak bargaining position. It is a hard and expensive lessons-learned exercise for the SME, which in this use case the SME has used to improve its way of procuring cloud services and to follow the CRM where important for its business and business continuity. Depending on the CSP the SME chooses, the SME may be able to succeed to some extent in these goals and approach, given the currently immature nature of cloud SLAs and CSP offerings. In any case, with the experience obtained and the CRM, the SME is now ready to make an informed decision about what to choose.
As explained above, SMEs generally do not spend time or other resources on procuring cloud services until they find out it is worthwhile to do so. This hampers their development and business opportunities, which SMEs find out when it may already be too late for them to change course, but it is also their moment to improve and pay more attention to procurement in general, and to procuring cloud services in particular.