Jason Sparapani
Cloud service agreements can be difficult to understand; therefore negotiations with cloud providers can be thorny. A customer advocacy group has several tips.
Organizations looking to put any portion of their IT operations in the public cloud need to sign a cloud service agreement with a cloud service provider. This pact determines what services the provider is responsible for and what it will do in case of problems such as an outage. "The market has evolved, and there is a certain number of cloud service providers, or CSPs, that have entered and that changes the lay of the land," since then, said the CSCC's Claude Baudoin in a Thursday webinar presenting the guide.
The increasing use of blended IT environments often called "hybrid IT" -- on-premises data centers mingling with an assortment of cloud services -- spurred the need for an update. The dissolution of the EU-U.S. data transfer pact known as Safe Harbor in October 2015 did, too. "Now service agreements need to say something about how data is protected against access by the wrong jurisdiction or country," Baudoin said.
The guide lays out 10 steps for organizations to take when evaluating cloud service contracts -- from understanding who is responsible for what, to evaluating data privacy policies to exiting the contract. Baudoin summed up its most important points; I've summed up his:
Not all negotiations are equal. Cloud providers expect to give you "one-size-fits-all terms," Baudoin said. But large organizations can often use their sway to get better terms. Smaller ones can sometimes get what they want -- if they pay extra. "Sometimes it's worth considering depending on the impact on your business," Baudoin said.
Have a starting point for evaluating service. Assess the service you have in-house before being wowed by, say, vendor claims of 99.9% uptime. It might not matter, Baudoin said. "If your own availability in-house has been 99.5%, maybe that fourth decimal is not as important as the third one -- so have a baseline about your current practice." (Besides, those "classic" claims of 99.9% availability, said Mike Edwards, who works on cloud computing standards at IBM and spoke in the webinar, are difficult to verify.)
Understand how service levels are measured. That typically means how the cloud provider calculates cloud service downtime -- when IT operations go offline -- and thus the compensation for that downtime. In one agreement the CSCC examined for its guide, the downtime must be longer than five minutes before the provider logs it.
Have a worst-case-scenario plan. Understand what the provider will do in case of a data breach or natural disaster -- and plan accordingly. For example, most cloud service agreements don't provide adequate guarantees in case of a service outage after, say, an earthquake, the guide says. In fact, most focus on limiting what the cloud provider is liable for. So customers must make their own disaster recovery plans.
Own your data governance. Organizations are putting essential applications -- ones that support day-to-day operations -- in the cloud. But cloud service agreements today contain few provisions on management and communication processes. That puts data governance squarely on you, the customer. "Don't abdicate your own responsibilities," Baudoin said. "Continue to have strong governance in-house."