Saturday, January 22, 2011

Checklist for drafting a Service Level Agreement for a Cloud Service.

This is an initial list for reference only, in no particular order. I welcome comments and insights and will update the list if needed based on them.

1: Name and content of the Service. Specify the type of service (SaaS, PaaS, IaaS, or Data as a Service) and the business purpose of the Service.


2: How long is this Agreement valid for? What happens when this agreement expires? What is the renewal clause?


3: What is the scope of this agreement? What is included and what is excluded?


4: Specify the uptime and downtime. What is the maintenance window for the Service?


5: What is the procedure for a prolonged change to uptime and downtime?


6: Who do you contact when the service is down?


7: What is the service availability target level? In a Cloud Computing environment, by its very definition, service availability should reach 100%. In reality this is not always possible, so setting a correct target level is very important.


8: What is your Recovery Time Objective (RTO) for the Cloud Service, and how does your Cloud Provider meet your RTO? RTO is the duration of time and the service level within which the Cloud Service must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.


9: What is the Recovery Point Objective (RPO) for your data in the Cloud, and how does your Cloud Provider meet your RPO? RPO is the point in time to which your organization must recover its data in the Cloud.


10: What is your acceptable value for Mean Time Between Failures (MTBF), and how does your Cloud Provider meet this requirement? MTBF is the predicted elapsed time between inherent failures of a Cloud Service during operation. What defines a failure for your Cloud Service? How do you and/or your Cloud Provider monitor and audit failure events?


11: Do you get any credit for service downtime? How is it calculated? The more precise the algorithm, the better the SLA.
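As an added example (not code from the original post), the arithmetic behind items 7, 10 and 11 applied to a constructed month of outage records: measured availability with the maintenance window excluded, MTBF from the unplanned failures, and the downtime credit that follows. The credit tiers and the rule that maintenance inside the agreed window does not count as downtime are assumptions standing in for the negotiated SLA terms.

```python
from datetime import datetime

# Constructed outage log for one billing month (sample data, not real incidents).
# Each record is (start, end, kind): "maintenance" falls inside the agreed
# window (item 4); "unplanned" counts against availability and MTBF (item 10).
INCIDENTS = [
    ("2011-01-03 02:00", "2011-01-03 03:30", "maintenance"),
    ("2011-01-10 14:05", "2011-01-10 14:50", "unplanned"),
    ("2011-01-18 09:00", "2011-01-18 11:15", "unplanned"),
    ("2011-01-25 23:30", "2011-01-26 00:10", "unplanned"),
]
MONTH_START = datetime(2011, 1, 1)
MONTH_END = datetime(2011, 2, 1)

# Hypothetical credit schedule (an assumption, not the post's): each entry is the
# availability floor of a tier and the percent of the monthly fee credited there.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]

def _parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")

def downtime_minutes(incidents, kind):
    """Total minutes of outages of the given kind."""
    return sum((_parse(end) - _parse(start)).total_seconds() / 60
               for start, end, k in incidents if k == kind)

def availability_pct(incidents, start, end):
    """Availability over [start, end). Scheduled maintenance is removed from both
    numerator and denominator, as a maintenance-window clause allows (item 7)."""
    total = (end - start).total_seconds() / 60
    sched = downtime_minutes(incidents, "maintenance")
    unplanned = downtime_minutes(incidents, "unplanned")
    return 100.0 * (total - sched - unplanned) / (total - sched)

def mtbf_hours(incidents, start, end):
    """Mean Time Between Failures: operating hours / number of unplanned failures."""
    failures = sum(1 for _, _, k in incidents if k == "unplanned")
    if failures == 0:
        return float("inf")
    down = downtime_minutes(incidents, "maintenance") + downtime_minutes(incidents, "unplanned")
    return ((end - start).total_seconds() / 3600 - down / 60) / failures

def credit_pct(availability):
    """Percent of the monthly fee credited for the measured availability (item 11)."""
    for floor, credit in CREDIT_TIERS:   # tiers are ordered from highest floor down
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]
```

With the sample month the unplanned downtime is 220 minutes, which lands in the second tier and earns a 10% credit; moving the maintenance record out of the agreed window would push it into the unplanned total, which is exactly the kind of definition item 11 asks the SLA to pin down.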


12: Define the various levels of support. For example, what will Help Desk support be? What will second- or third-level support be if first-level support cannot solve the problem?


13: What are the escalation procedures for support issues?


14: Where is the data located? Should the data be located in a certain geographic area?


15: Who can access the Service? Can someone from another country access the service?


16: Who will operate and maintain the Cloud Service? Can it be an offshore provider?


17: What is the price per user and for additional users? If the user count reaches a certain level, do you get a volume discount? Certain Cloud Service Providers do not provide volume discounts, and you need to know this up front.


18: If it is an IaaS service, specify the price for CPU time, network bandwidth, storage capacity, etc.


19: If it is a PaaS service, specify the OS and its version, the database vendor and version, the IDE tool version, etc.


20: If it is SaaS, specify how this Service integrates with other services inside or outside of the Cloud Provider. Even if the SaaS is standalone, is there a published API for the customer to integrate in-house applications with this service in the cloud?


21: Who will create users? How are users created? Who will provide the User Provisioning and De-Provisioning Service? Does your Cloud Provider support Service Provisioning Markup Language (SPML)? SPML is an XML-based framework, developed by OASIS, for exchanging user, resource and service provisioning information.


22: If Identity Federation is used, what kind of Federation? Who will provide the Secure Token Service? Who will be the Identity Provider? Does your Cloud Provider support SAML? Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee.


23: How is Access Management handled? Does your Cloud Provider support XACML? XACML stands for eXtensible Access Control Markup Language. It is a declarative access control policy language implemented in XML, together with a processing model describing how to interpret the policies.


24: How does your Cloud Provider support elasticity and usage-based pricing? How frequently is the bill generated (per day, per month, or per year)? Is there any prorated calculation in the bill?


25: How are security issues handled by the Cloud Provider? This is a very broad topic and can vary depending on the type of cloud service, so consult a Cloud Security Expert before drafting the agreement.


26: How is Change Management handled by the Cloud Provider?


27: What is the response time, and how does your Cloud Provider meet your response time requirement?


29: What is the process and procedure for getting the downtime or outage credit? When can you get the credit, and how is the credit processed and applied?


30: What is the Domain Name Service for your Cloud Service, and what is the availability of this service?


31: Does your Cloud Provider meet the compliance requirements for PCI-DSS, SOX, HIPAA, FISMA, GLBA, NERC CIP, GCSx, GPG13?


32: How is physical security handled by your cloud provider?


33: Is any encryption needed for your data in the cloud, and how is it handled? Does the encryption meet FIPS 140-2?


34: How easy is it for you to migrate your data and applications from one cloud provider to another?


35: Does your cloud provider support, or plan to support, the Distributed Management Task Force (DMTF) Open Cloud Standards Incubator standards, such as Open Virtualization Format (OVF) and Systems Management Architecture for Server Hardware (SMASH), and the underlying DMTF management data model, CIM (Common Information Model)?


36: Has your Cloud Provider had any recent high-profile outages? What is its process and procedure for incident response, and how can such outages be avoided or minimized in the future?


37: How are Service Level Objectives (SLOs) defined? SLOs are needed to actually provide a tool for monitoring the SLA.


38: How are your data and applications isolated from other customers? Is this logical isolation or physical isolation?


5 comments:

  1. Excellent list - thank you for sharing this.

  2. Nice list actually, and thanks for sharing!

    I just have a small question:
    How does SPML serve in the provisioning and de-provisioning of users, and what is the importance for the end user of knowing whether or not the provider is using SPML, from the SLA and security perspectives?

  3. Great list! I wish there were more explicit questions regarding assurance of privacy of data, and demonstrable regulatory compliance by the cloud service provider.

  4. AvaHost is ultimately one of the best hosting providers, with plans for any hosting needs.
