It’s been four months since Google announced it would guarantee 99.9 percent system accessibility for users of its Google Apps Premier Edition — a cloud-based productivity suite of business-oriented messaging and collaboration apps, including integration capabilities and support.
At the time, it sent a welcome message; although cloud computing was in its infancy, there were still minimum standards that must be met. Users were relieved that one of the major providers was establishing service benchmarks.
That was then. Over the course of four months, more companies came to accept the concept of placing their integral IT operations in the cloud. As the trend has developed, expectations as to what a good service level agreement should provide have changed.
Out of Luck
The good news for businesses that don’t require special attention — or don’t have to meet rigorous regulatory requirements — is that in their latest iteration, cloud SLAs are likely to be good enough.
The bad news for everyone else is that they’re out of luck, Wayne Matus, a partner with Pillsbury Winthrop Shaw Pittman, told the E-Commerce Times.
“A lot of cloud computing providers are reluctant to modify contracts,” Matus said. “Getting them to negotiate anything is almost impossible.”
Cloud computing is not — yet — well suited for every industry, acknowledged Dennis Quan, director of development for autonomic computing with IBM’s software group. “Providers still can’t offer assurances for specific security or governance standards,” he told the E-Commerce Times.
The cookie-cutter approach to service standards precludes a lot of industries from participating in the cloud, Matus observed. “Healthcare providers have to worry about HIPAA standards, for instance.Financial service providers have their own regulations to comply with.”
In traditional outsourcing arrangements, a client has “audit rights” that give it some level of assurance that the appropriate regulations are being followed. “With a cloud provider, you don’t have that level of control — or assurance,” noted Matus.
That said, guarantees are possible in some areas, and clients of cloud providers should ask about them.
For starters, make sure the services are based on open standards, advised IBM’s Quan.
“We are still in the early days of cloud computing — and a lot of these standards are still under development,” he explained. In other words, don’t allow yourself to be locked into a proprietary platform.
Providers need to be held to a higher standard of accountability with respect to their SLAs. Remedies — generally some form of credit — should be associated with each SLA, said Michael R. Overly, an engineer and attorney with Foley & Lardner.
“Remedies should escalate depending on the severity of the SLA failure — for example, a 10 percent credit for availability between 99 percent and 99.9 percent, and a 20 percent credit for availability between 98 percent and 99 percent, he told the E-Commerce Times. “Repeated failures in a given time period should also cause escalation of remedies.”
All credits should be made automatically, without the need for the customer to request the remedy, Overly said.
In the case of repeated failure — such as two failures in any four-month period — the vendor should also give the customer the right to terminate the agreement, suggested Overly.
Credits issued for SLA failures should not be framed in terms of “exclusive remedies,” he continued. “The customer should have all other remedies available to it under the agreement, including the ability to declare a breach, terminate, and seek damages to compensate for poor performance.”
Finally, so-called broad force majeure exceptions to SLA performance should be avoided, he advised. “While general Internet and infrastructure failures may be excluded, events such as strikes, power failures, labor issues [and] accidents should not. If a circle is drawn around the vendor facility providing the service, anything that happens within that circle, regardless of whether it constitutes an Act of God or not, should not relieve the vendor of its SLA obligations. You are buying a service. If the vendor fails to provide that service for any reason, there should be an adjustment in fees.”
Even when the service is running smoothly, “the vendor should be required to provide monthly reports on SLA performance,” said Overly.
Also, companies should make sure the proper management infrastructure — monitoring tools such as dashboards, for instance — is in place for clients to ensure that their systems are operating properly, said IBM’s Quan.
One Set to Rule Them All
That said, one set of standards or best practices to apply to all cloud providers is going to be difficult, if not impossible, to come by, Jake Sorofman, vice president of rPath, told the E-Commerce Times. “The reality is that there’s going to be a whole ecosystem of cloud providers that serve distinctly different purposes in the value chain.”
Already, he added, we are seeing signs of such an ecosystem.
In one tier, for instance, there are clouds for commodity compute capacity. “Basically, these clouds are cheap and easy to use, but they make no guarantees about quality of service or uptime,” said Sorofman. [*Editor’s Note]
There are plenty of applications that lend themselves to this level of cloud service, he said.
There are also SLA clouds that offer guaranteed uptime, security and contracts with the enterprise for mission-critical applications. Good examples of SLA clouds include Mosso, the Rackspace cloud, and Bluelock.
Another category is “designer” clouds that specialize in a specific role in the value chain. “Today, there are test dev clouds like Skytap,” Sorofman said. Going forward, there could be, for instance, disaster recovery clouds.
Different sets of standards and best practices will emerge at different levels of the cloud for different use cases, he predicted.
*ECT News Network Editor’s Note: The original published version of this story included the following quote by rPath VP Jake Sorofman referencing Amazon EC2: “There’s no SLA with Amazon, for instance, but EC2 uptime is about 99.1 percent. That’s probably not good enough for a mission-critical application, but it’s perfect when you need commodity compute cycles to crunch a whole bunch of data.” Following publication of the article, Sorofman contacted CRM Buyer through spokesperson Marisa Lam to retract the statement. In fact, Amazon does offer SLAs for its S3 and EC2 services. The fundamental Amazon EC2 service level commitment is 99.95 percent availability within a region over a rolling 12 month period.