How to Avoid SLA ‘Gotchas’ in the Cloud

Much ado is made about the cost savings, profits and agility to be found in the cloud. But whether that is so depends heavily on how service level agreements (SLAs) are written.

A clause can reach out and seize the savings. A phrase can rob you of anything beyond the faintest semblance of agility and versatility. A sentence can make retrieving your company’s own data a virtual nightmare. A word not said can leave you trapped and without legal recourse … Heck, the whole document can leave you on the wrong side of a defense table in court.

Not all SLAs are riddled with such dangers, of course, but it is exceedingly naive to believe that any SLA is gotcha-free.

“SLAs are designed to protect the service provider, not the customer,” warned Richard Stone, solutions manager at Compuware.

It’s especially telling when vendors will not release details of their SLAs to anyone without a signed non-disclosure agreement (NDA). Why all the Top Secret labels and the punishable-by-law enforcement tactics if all is straightforward and above-board? The answer is simple: All is not as it should be and very rarely as it appears.

The most powerful proactive step you can take in your own defense is simply to refuse to consider any vendor that requires you to sign an NDA to see its SLA. Protecting proprietary technology is one thing; keeping secret how they harm their enterprise customers is something else entirely. Indeed, consider adding a favorable mark to the vendor scoring when a vendor publicly releases its SLA.

To help you negotiate past the more egregious of the SLA gotchas, here are tips on what you should look for, guard against and insist upon before you sign a contract:

Common SLA problem areas

In general, vendors try to nail your company with sole liability for anything and everything. Find it before you sign it.

“Whether addressed in an ‘applicable law’ or hidden somewhere in a ‘limitation to liability’ provision, vendors have traditionally put the onus of adherence to state or federal data privacy regulations squarely on their customers,” warned Robert Scott, managing partner of intellectual property and technology law firm, Scott & Scott. “Customers should not and, in many cases, cannot agree to this type of blanket disclaimer.”

In exchange for tying the liability noose around your neck, SLAs offer you guarantees of sweet nothings.

“Today’s cloud service providers tend to offer guarantees like 99.9 percent uptime,” said Stone. “But so what if their servers are up and running? What you need to know is, how fast and reliable is my application for my end-users?”

Stone said there is currently a lack of SLAs that guarantee customer-specific application performance levels in the cloud. Tools that measure the performance of cloud-based applications from the true end-user perspective “on the other side of the cloud” are the key for businesses to ensure cloud-based application performance is strong and they’re getting what they’re paying for.

Look out for meaningless buzzwords, too. “Infinite elasticity,” for example, doesn’t mean “instant elasticity.”

“Contrary to popular belief, cloud processing power, memory or communications bandwidth are not instantly available. It takes time to provision,” said Stone. “So, when running an application in the cloud, there’s little way to know how an unrelated company in the cloud that suddenly generates a spike in processing or traffic in this shared environment is going to impact a cloud customer’s own application speed and reliability for their end users, and, ultimately, their business.”

For cloud customers, end-user performance is the only meaningful measure of the overall system health.

In general, be on guard against weird measurements, no matter what is being measured. “Vendors will often calculate time, periods, and roll-up methods with parameters that fall to their advantage,” explained Erik Hille, director of marketing, CA Technologies.

What to negotiate

Negotiating points in the SLA is tricky business and exceedingly difficult to do.

“What people aren’t understanding is that cloud SLAs are not strictly enforceable as every cloud vendor has protected themselves with very vague wording and monitoring tools that give extremely poor visibility into anything that should be monitored,” said Alex Bewley, CTO at Uptime Software, a producer of server monitoring software. “In fact, you don’t get to negotiate your SLA with Amazon, you just get very poorly written default ones.

“The bottom line is that when these services fail, your SLA is useless, your business stops in its tracks, and the vendor has a loophole somewhere in that agreement to totally free themselves of the liability.”

Cloud computing, despite its popularity, is still an immature industry. Part of the maturing process is the forging on the users’ anvil that every new technology and business model undergoes. What emerges in the end is a stronger, better, more serviceable arrangement. Which is to say, now is the time to start hammering SLAs into shape.

If cloud vendors refuse to improve their SLAs and/or negotiate vital points, then drop them from consideration. If you need the advantages of the cloud but find current SLAs too one-sided and detrimental to your business, consider deploying a private cloud in your own data center. If enough companies hammer the message home that current SLAs are not acceptable, the cloud industry will change and mature.

Meanwhile, here are some pointers on some of the items you should negotiate out of an SLA according to attorney Robert Scott:

  • Anything allowing the cloud service provider to disclaim any and all liability for violations of state or federal privacy laws.
  • Any provisions that vest ownership in the cloud vendor.
  • Representation and warranties that are too broad.
  • One-sided termination provisions.
  • Narrowly drafted indemnification agreements.
  • Provisions that shift the responsibility for compliance with applicable law to the customer.
  • Provisions that allow the vendor to freely assign the license or prohibit the customer from freely assigning.
  • Provisions that permit the service provider to access or use the client’s information.

A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).