EU Cloud Strategy — a step towards model SLAs?
Cloud SLA Standardisation Guidelines
In late June 2014 the Cloud Select Industry Group (C-SIG) delivered guidelines to help EU businesses contract in the cloud. This output is one of a number of pillars within the Commission’s European Cloud Strategy and emanates from the work stream tasked with the development of model safe and fair contract terms. These Guidelines are not prescriptive cloud terms but aim to be the first step towards standardised building blocks for Service Level Agreements (SLAs) and associated metrics. Not law, but it may influence the development of contracting standards.
The European Commission consulted on the future for cloud computing within the digital economy in 2011. This led to the Cloud Computing Strategy published with great fanfare in September 2012. Setting out its vision of the future, the Commission indicated it would be “unleashing the potential of cloud computing in Europe”. In a communication bearing this phrase, it set an objective of “enabling and facilitating faster adoption of cloud ... throughout all sectors of the economy”. Aimed squarely at finding “ways to maximise the potential offered by the cloud” this Cloud Strategy is the result of analysis of the overall policy, regulatory and technology landscape.
In announcing its Cloud Strategy the Commission highlighted an urgent need for actions to address three key areas:
- Fragmentation of the single market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location;
- Problems with contracts related to worries over data access and portability, change control and ownership of the data; and
- A jungle of standards generates leading to confusion by a proliferation of standards and a lack of certainty as to which standards provide adequate levels of interoperability of data formats to permit portability.
Select industry groups The Strategy explains that: “several of the identified actions are designed to address the perception, by many potential adopters of cloud computing, that the use of this technology may bring additional risks.” Working groups were set up via DG Connect and, in November 2013, the European Cloud Partnership launched to assess and potentially coordinate common and transparent public sector cloud procurement processes throughout the EU. This is something which could be of great benefit to large enterprise cloud vendors seeking simplified and more consistent procurement models across multiple jurisdictions in the EU.
The working groups have started to feedback their early findings. In November 2013 the European Telecommunications Standards Institute (ETSI) published its final report titled “Cloud Standards Co-ordination” concluding that “cloud standardization is much more focussed than anticipated”. They portrayed the landscape as “complex but not chaotic and by no means a ‘jungle’”. ETSI’s report tries to define the cloud and classify numerous use cases. It then goes on to list some 20 relevant organisations with a hand in cloud standardisation and over 150 associated documents, specifications and whitepapers. These are all cloud enablers but are maturing and ETSI recommends further monitoring and reporting. Interesting stuff, but far from definitive, and offering little guidance to today’s cloud adopters.
Safe and Fair Contract Terms and Conditions
The EU Cloud Strategy is seeking a new approach and is in part based upon the idea that the EU may be able to ease the pain of adoption via new regulation (including data privacy reform). Thankfully, this is not solely about new potential laws. There are wider policy and political commitments. The EU’s Digital Agenda set the objective to "simplify copyright clearance, management and cross border licensing" now viewed as an element of the necessary steps to make Europe more cloud friendly. Part of this vision also involves the Common European Sales Law (CESL) proposals which envisage a single EU wide consumer contract law which could displace national contracting regimes and jurisdictional issues thus facilitating more cross border trading in the EU. The political belief is that current contract laws potentially impact digital confidence as consumers have a lack of certainty about their rights. It’s hoped that a uniform law may change this but any such change is a long way away today.
With all of the above in mind, the Cloud Strategy aimed to address issues not being considered within the CESL and the wider Digital Agenda. Importantly four elements were called out:
- Data preservation after termination of the contract;
- Data disclosure and integrity;
- Data location and transfer / Ownership of the data; and
- Direct and indirect liability, change of service by providers and subcontracting.
The EU plans to identify and then publish best practices in relation to model contract terms. The hope is that by socialising this information, and providing better optics in relation to the "how to" of cloud contracting, this should lead to more supplier consistency and transparency but will also accelerate cloud adoption by building trust in the cloud.
C-SIG reporting on SLAs
The June 2014 report from C-SIG (made up on a select group of industry bodies and IT service providers) offered up a 41 page document providing insights but not necessary advancing the cause. What the Cloud Service Level Agreement Standardisation Guidelines do well is set out and further define a range of concepts which, depending of the nature of the cloud model and the type applicable services, could be employed in a cloud SLA. The intention is to set out a "set of principles that can assist organizations, through the development of standards and guidelines for cloud SLAs and other governing documents". The C-SIG makes it clear that the principles are not intended to be limiting nor to even set model terms. They are "guidelines" and could be used as a checklist or prompt during drafting and negotiations.
The Guidelines are intended to be technology neutral, to have worldwide applicability and attempt to set out some unambiguous definitions of common cloud concepts and terminology.
Comparable Service Level Objectives (SLO)
The C-SIG believes that in order for cloud customers to easily make like-for-like comparisons and be informed about the services of competing cloud vendors, it would be best if the service level objectives derive from the same roots. They explain that the SLO does not need to be determined by identical means, but sufficient information about the SLO needs to be provided. This is why they are setting out standardized terminology, metrics and templates — they hope these will be used to provide extra insight in making these decisions.
The Guidelines go on to expand upon what the C-SIG believes to be the some of the most common SLOs and the performance of related aspects of the interface between the cloud service customer and the vendor. There is an outline SLO and associated description for:
- Performance including : Availability; Response Time; Capacity; Capability indicators; Support; Reversibility and the Termination Process;
- Security including : Service Reliability, Authentication & Authorisation, Cryptography; Security Incident Management and Reporting, Logging and Monitoring; Auditing and Verification and Governance;
- Data Management including : Data Classification, Data Monitoring, Backup and Restore, Data Lifecycles and Data Portability; and
- Personal Data Protection including : Codes of Conduct, Standards and certification mechanisms, Purpose Specification, Data Minimisation, Use, Retention and disclosure limitation, Openness, Transparency and notice, Accountability, Geographical location of data, Intervenability
Whether this information rather than structure approach will be adopted remains to be seen. The next step is for the Commission to test the Guidelines with users and discuss it within an expert group in October 2014. If the Guidelines are to gain traction there needs to be significant vendor buy-in (particularly from the dominant US players). If the International Standards Organisation (ISO) or other bodies move to incorporate or adopt these Guidelines this may in turn feed new international standards on SLAs for cloud.
Thought also needs to be given to the Guideline’s applicability to multi-tenanted services . Perhaps time should be invested gathering the views of smaller cloud vendors as the Guidelines contain more extensive SLOs than many standard cloud deals today. Vendors will be shifting uneasily if these are to shape all EU cloud deals in the future. Protecting buyers is one thing, but trust comes from balance and fairness. This is not law but it may force into being guidelines that are treated as EU law.