Cloud SLAs – what is important?

I’ve been digging around a little to define what is different with Cloud SLAs over a normal outsourced account, and there is quite some controversy. Lydia Leong, a Gartner blogger, claims that the type of cloud SLAs used by AWS (Amazon Web Services) and HP Cloud Services is quite useless in helping cloud users (tenants) mitigate their risks and get compensation when services are unavailable.

One example is that the SLA on unplanned downtime (outside of events of force majeure) for AWS is calculated over a year, not a month, which means that if your cloud services are unavailable for 4½ hours in a single day during a single year you cannot claim a cent. She also talks about how the SLAs are organised around region availability, not instance or AZ (availability zone, i.e. physical data-centre) availability. This seems to make sense to us cloud ignorants, after all there is redundancy in the cloud? Or not… according to Lydia, at least when it comes to cloud SLAs. I’m still trying to get my head around all this 😉

Lydia did recommend the Dimension Data (OpSource) SLA as it has a simplicity that makes more sense. For example, the cloud SLAs are split by Infrastructure and Application availability, whereas AWS and HP only do SLAs for Infrastructure, or at least they did at the posting of this article in December 2012. HP has since this posting given a statement in response to this claim. However, Lydia sticks to her opinion, although she states that “arguably the nuances make the HP SLA slightly better than the AWS SLA“.

So what’s my take on this? At the moment nothing strong. Be aware of the risks if you go to the cloud; then you could transfer some of that risk by taking out insurance. It really depends how much money you are losing for every hour your services are down. According to Lydia, Amazon has started letting cyber-risk insurers inspect the AWS operations so that they can estimate risk and write policies for AWS customers. I do think that taking a services approach to your business often makes really good sense, and the cloud is a way forward whether you like it or not.

Cloud and conflicting privacy laws

One of the biggest dilemmas with cloud services is that in theory it shouldn’t matter where your data is stored in the public cloud, just that it is secured appropriately, and only you get appropriate access and nobody else gets inappropriate access 😉

But it’s much more complicated. Every country has its own laws about the transparency of stored data and its accessibility to prying government authorities. The real problems occur when there is a conflict of privacy laws between different countries. So if you have personal data stored in a Google public cloud, your data could be stored physically anywhere in the world. And the fact that Google is a US company means a requirement to comply with US law (e.g. the USA Patriot Act) for the organisation worldwide, not forgetting the regional laws where the data is physically stored. This conflicts with EU privacy law, under which the rights of the data subject are preserved.

Google have been quoted as follows “As a law abiding company, we comply with valid legal process, and that – as for any US based company – means the data stored outside of the U.S. may be subject to lawful access by the U.S. government.” Taken from Softpedia.

This could be an interesting time for organisations to set up clouds, but only ones hosted in a single country by an organisation that is registered in that hosting country. Otherwise, can you really trust the data-holding authority to protect your rights as an EU citizen, for example? I know I can’t!

And where is your personal data in the cloud?

I’ve been working an awful lot on security and privacy in the cloud lately, surprise surprise ;-), and the really interesting problem when it comes to the privacy of data being held is precisely where the data is physically. This presents some challenges: for example, not many countries outside of the EU have equivalent privacy legislation implemented, so if personal data from the EU is stored in the cloud, the hosting country needs to have equivalent legislation or some workaround to protect the data both physically and legally. ComputerWeekly.com have a pretty good high-level article on this. Also, to get a feel for how privacy legislation is working worldwide, the article (p.17) published by ISSA (December 2009, and reprinted later by IAPP in July 2010) may be a worthwhile background read. Be aware that there has been an update to this directive since, e.g. the “cookie directive”. I will publish more on this later.