As more state and local government agencies turn to cloud computing to achieve flexibility, scalability and cost efficiency for their IT operations, they’re realizing many technical and business benefits.
Still, most of the risks associated with relying on third-party organizations to deliver mission-critical IT services are inherent to those deals. Agencies that adopt cloud services should negotiate cloud service agreements carefully with their providers, spelling out the obligations and responsibilities of both the provider and the agency.
Negotiating a cloud service agreement can seem like a very one-sided transaction, where the provider presents the agency with a draft agreement and then contracting officers must negotiate every deviation from that draft. The use of unfamiliar terms often compounds the difficulty of that challenge. To help, the Cloud Standards Customer Council recently released version 2 of its guide "Public Cloud Service Agreements: What to Expect and What to Negotiate," which walks customers through several concerns that should be on their radar and outlines common shortcomings. Here are a few of those key concerns, and questions to ask providers.
As agencies migrate services from legacy data centers to the public cloud, they must carefully consider the performance metrics they will use to evaluate cloud vendor performance. This work must be done prior to signing an agreement to ensure that the metrics are codified in the cloud service-level agreement (SLA).
The most common measure of performance incorporated into cloud agreements is service uptime, which is the percentage of time that a service is available to users and functioning properly. Typically, that is measured in terms of the so-called “number of nines” of uptime. For example, a vendor guarantees that a service with three nines of availability will be up and running 99.9 percent of the time, equivalent to guaranteeing the service will experience up to about 43 minutes of downtime in a month.
Adding another nine, and moving to 99.99 percent availability, tightens that requirement significantly to only 4 minutes of downtime, while five nines limits a service to 26 seconds of downtime. Of course, a vendor will try to negotiate as low a commitment as possible while the customer will push for enhanced availability.
When using uptime as an availability measure, agencies must take three important factors into account. First, how will the vendor measure availability? Ideally, both the agency and the vendor will agree on a third-party monitoring service to provide uptime reporting. Second, what remedies are available to the agency should the vendor violate the SLA? The standard offer by vendors is a simple credit for the time the service was not available, which is not a particularly generous offer if an agency experiences 0.1 percent downtime. Finally, scrutinize any exceptions to the uptime agreement. Does the vendor exclude routine maintenance? Acts of God? Other circumstances?
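The following is an added example, not from the article or the council's guide: it turns the "number of nines" into a monthly downtime budget and then evaluates a constructed month of outage records twice, once counting every outage and once with a "routine maintenance" exclusion applied, to show how much an exclusion clause changes the reported availability figure. The outage records and the cause labels are assumptions made for the example.

```python
"""Check measured downtime against an SLA expressed as a number of nines."""

# Constructed outage records for one 30-day month (not real monitoring data).
# The 'cause' label is what a vendor's exclusion clause would key on.
OUTAGES = [
    {"minutes": 30, "cause": "maintenance"},
    {"minutes": 12, "cause": "unplanned"},
    {"minutes": 5, "cause": "unplanned"},
    {"minutes": 45, "cause": "maintenance"},
]

MONTH_MINUTES = 30 * 24 * 60  # 43,200 minutes in a 30-day month


def allowed_downtime_minutes(nines: int, window_minutes: int = MONTH_MINUTES) -> float:
    """Downtime budget for a given number of nines (3 -> 99.9 percent)."""
    unavailable_fraction = 10 ** (-nines)
    return window_minutes * unavailable_fraction


def counted_downtime(outages, excluded_causes=()) -> int:
    """Total outage minutes, ignoring any outage whose cause is excluded."""
    return sum(o["minutes"] for o in outages if o["cause"] not in excluded_causes)


def measured_availability(outages, excluded_causes=(), window_minutes=MONTH_MINUTES) -> float:
    """Availability as a percentage over the reporting window."""
    return 100.0 * (1 - counted_downtime(outages, excluded_causes) / window_minutes)


def meets_sla(outages, nines: int, excluded_causes=()) -> bool:
    """True when the counted downtime fits inside the SLA's downtime budget."""
    return counted_downtime(outages, excluded_causes) <= allowed_downtime_minutes(nines)


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"{n} nines: {allowed_downtime_minutes(n) * 60:.1f} seconds/month allowed")
    print(f"all outages counted:  {measured_availability(OUTAGES):.3f}% "
          f"(meets 3 nines: {meets_sla(OUTAGES, 3)})")
    excl = ("maintenance",)
    print(f"maintenance excluded: {measured_availability(OUTAGES, excl):.3f}% "
          f"(meets 3 nines: {meets_sla(OUTAGES, 3, excl)})")
```

With the same 92 minutes of total downtime, the service misses a three-nines commitment when everything counts but passes it once the 75 maintenance minutes are excluded, which is why the exclusion wording deserves as much scrutiny as the headline percentage.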
Beyond service availability, data protection may be the most critical concern. Agencies must make certain their vendors take steps to protect agency data even when the service might be temporarily unavailable.
What is the key data protection metric that agencies should insist appear in SLAs? Durability, or the percentage of stored objects that a customer can expect to be preserved in a year. That number should be far greater than the availability guarantee because a failure in that area represents irretrievably lost data. For example, one global cloud provider offers a 99.999999999 percent durability guarantee for its archival service, equivalent to saying that a customer can expect to lose one out of every 100 billion data objects each year. In addition to guaranteeing data durability, cloud service agreements should explicitly state the data ownership and intellectual property protections that providers grant their customers.
Government agencies should ensure they retain ownership of data and that the provider cannot make any claim to own or license the agency’s information. An agreement should clearly state the circumstances under which the provider will disclose information to a third party (such as after receiving a court order) and require the provider to promptly notify the agency of any such disclosure if legally permitted to do so.
State and local governments have a special responsibility to citizens to protect the security and privacy of sensitive personal information under their care. Cloud service agreements should clearly spell out the security controls that vendors will use to protect the confidentiality of that information. For example, an agency might insert language into a Software as a Service agreement requiring the vendor to encrypt all sensitive information, both at rest and in transit.
Cloud-based services can easily shift stored data between data centers located anywhere in the world. If an agency is subject to legal or regulatory requirements about storage locations, those also must be spelled out in the cloud service agreement.
Cloud computing promises to bring great benefits to government IT, allowing agencies to rapidly advance their internal and external technology services by leveraging the infrastructure and application investments made by cloud-based providers. Agencies that enter into cloud service agreements should take special care to ensure that those agreements protect their interests, allowing them to achieve the benefits of the cloud in a secure and fiscally responsible manner.