We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,937 News Articles

Is Your Cloud Vendor Making You a Great SLA(ve)?

Cloud and service level agreement (SLA), put together, have always been a subject of intense discussion. A CIO's negotiating skills are put to test before signing a contract with a cloud service provider. In turn, a robust SLA ensures a great ROI from cloud. Here are a few quick facts:

India is still in very early stages of cloud adoption, driven primarily by SaaS-based cloud deployments. (Source: Knowledgefaber)

Large enterprises drive private cloud market in India. SMEs use public cloud to leverage enterprise-level applications. (Source: Knowledgefaber)

A compounded 32 percent growth is expected in the Indian cloud market from 2011-2015. (Source: Knowledgefaber)

Thirty-eight percent Indian CIOs plan to deploy cloud in the next six months to one year.(State of the CIO Survey2012)

Last but not the least, 78 percent of the cloud service providers chosen by IT executives is on the basis of the quality of their SLAs. (Ipanema)

A lot has already been said about the importance of an SLA between a cloud service provider and its customer. In fact, research reports and analysts have consistently warned CIOs to pay close attention to the details such as the terms and conditions and the risks involved before signing the service provider's contract.

"In India, SLAs are more often than not treated as service agreements between a service provider/vendor and the service recipient. Companies seeking cloud services would enter into a general services agreement with the vendor and issue a statement of work under such agreement for provision of services. Some companies also choose to execute the standard template agreement provided by the vendor of their choice. While on one hand, having a general services agreement in place does not cater to the specific concerns that arise in cloud service arrangements, on the other, standard templates used by a vendor may be heavily one-sided and jeopardize the interests of the companies," says Sindhu Shankar, associate, TMT Practice Group at Poovayya & Co., a law firm headquartered in Bangalore. However, Sindhu agrees that of late, there is a trend of CIOs being more aware of risks and liabilities that may accrue to their companies as a result of not having SLAs in place, and insisting on negotiating the terms of service.

Companies are increasingly insisting on certain good practices and negotiating inclusion of certain key clauses in SLAs which will serve to protect their data, minimize risks, limit liability, and ensure commercial viability of the services being provided. These include conditions for data continuity, right to terminate in the event of suspension of services and other such aspects.

An important factor to keep in mind is that India does not have any dedicated data protection or privacy laws in place yet. In April 2011, the Government of India notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under the auspices of the Information Technology Act, 2002. The "Sensitive Data Rules", as the rules have come to be known, lay down the modalities for the collection and use of 'personal information' by corporate bodies in India. While Sensitive Data Rules impose restrictions on the storage, handling, processing and disclosure of "sensitive personal data or information" and "personal information", it does not apply to corporate bodies or persons located outside India.

Further, a corporate body providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside of India would not be subject to the requirements pertaining to consent for collection and disclosure of information.

Where is My Data?

While several cloud vendors brag about ensuring a 100 percent uptime, CIOs complain that nothing's guaranteed on paper. "Many cloud providers do not promise a 100 percent uptime commitment on paper when you're finalizing the deal. We have been using a cloud-based CRM for the last two years and we have never faced an outage. But it doesn't guarantee that it won't happen in the future," says Karan Doshi, project manager, Neelkamal.

For Arup Choudhury, the CIO of Eveready Industries, issue resolution time and vendor lock-in are two major concerns which must be defined in an SLA. "In case, you are not satisfied with the cloud services of a particular vendor, you should be able to move to another vendor easily."

CIOs also feel that once the SLA has been addressed, one needs to start looking at the advantages. "We have learnt to take risks, knowing that the cloud provider is going to look after our data, upgrade, maintain, and monitor that data, and also keep security in place. If there's something legally wrong, the paper will come to your rescue. Otherwise, it doesn't help you," says Mehta.

For IT decision makers, it's important to evaluate and compare SLAs from different cloud computing providers. While hidden costs can drive a CIO against the wall, companies must also ensure that the cloud services they choose have strong backup plans to keep the service running continuously. "While SLAs may broadly be similar, the varied nature of services that may be provided through cloud platforms means requirement for compliance with the Sensitive Data Rules and risks involved have to be identified and catered to on a case to case basis. Where multiple transfers of data and heavy reliance on the service are involved, it is advisable to evaluate the proposed service matrix with a critical eye and protect the company's interests accordingly," concludes Sindhu.

Data Continuity is Not Something Your Cloud Provider can Assure You

Gartner, in the past, has highlighted the fact that though safeguarding against security breaches is important, business continuity is a bigger imperative for business. "While going for a cloud solution, if business continuity is an important aspect, due diligence of the cloud service provider must be done upfront. If your cloud service provider doesn't have adequate provisioning for fail-over scenarios, business continuity may become a distant dream," says Anil Khopkar, VP-MIS, Bajaj Auto.

In the last few years, there have been several cloud-related breaches and outages. One of them is Sony's compromising tens of millions of its customers' data in 2011 stored on its cloud. Amazon Web Services, in the last two years, has experienced three major outages, among which the EC2 outage resulted in an unrecoverable data loss. Even Salesforce.com's customers suffered two major outages this year.

In India, there isn't any mandate regarding data continuity in the Sensitive Data Rules. "The rules merely deal with what constitutes sensitive data and how such data is to be handled by body corporate that fall within the purview of the rules. The rules do not lay down any mandates for continuity of services on cloud platforms. At the most, such scenarios would be governed by prevailing contract law jurisprudence. It is advisable that the parties clearly document all commercial understanding, including continuity of services, in the SLA itself," advises Sindhu.

Other Concerns

While several cloud vendors brag about ensuring a 100 percent uptime, CIOs complain that nothing's guaranteed on paper. "Many cloud providers do not promise a 100 percent uptime commitment on paper when you're finalizing the deal. We have been using a cloud-based CRM for the last two years and we have never faced an outage. But it doesn't guarantee that it won't happen in the future," says Karan Doshi, project manager, Neelkamal.

For Arup Choudhury, the CIO of Eveready Industries, issue resolution time and vendor lock-in are two major concerns which must be defined in an SLA. "In case, you are not satisfied with the cloud services of a particular vendor, you should be able to move to another vendor easily."

CIOs also feel that once the SLA has been addressed, one needs to start looking at the advantages. "We have learnt to take risks, knowing that the cloud provider is going to look after our data, upgrade, maintain, and monitor that data, and also keep security in place. If there's something legally wrong, the paper will come to your rescue. Otherwise, it doesn't help you," says Mehta.

For IT decision makers, it's important to evaluate and compare SLAs from different cloud computing providers. While hidden costs can drive a CIO against the wall, companies must also ensure that the cloud services they choose have strong backup plans to keep the service running continuously. "While SLAs may broadly be similar, the varied nature of services that may be provided through cloud platforms means requirement for compliance with the Sensitive Data Rules and risks involved have to be identified and catered to on a case to case basis. Where multiple transfers of data and heavy reliance on the service are involved, it is advisable to evaluate the proposed service matrix with a critical eye and protect the company's interests accordingly," concludes Sindhu.


IDG UK Sites

Android One vs Android Silver vs Google Nexus: What is the difference?

IDG UK Sites

iOS 8 review: Hands on with the iOS 8 beta

IDG UK Sites

Thinking robots: The philosophy of artificial intelligence and evolving technology

IDG UK Sites

How to shoot a robot rom-com in three days