Arthur van der Wees, Arthurs Legal on Making Cloud SLAs readily usable in the EU private sector


Transcript of Arthur van der Wees, Arthurs Legal on Making Cloud SLAs readily usable in the EU private sector

Page 1: Arthur van der Wees, Arthurs Legal on Making Cloud SLAs readily usable in the EU private sector

Making Cloud SLAs readily usable in the EU private sector

Arthur van der Wees

Managing Director international law firm Arthur’s Legal

Founder & Chief Executive Officer Zapplied Platform

Page 2

Risks, Comfort & Trust in the Cloud

Cloud Services Challenges:

For the 80% not yet using cloud services, insufficient knowledge is the main blocking factor (42%).

For the 20% using cloud services, the risk of a security breach is the main limiting factor (39%).

Eurostat (EC)

Page 3

Cybersecurity & Data Protection: Threat or Strength?

Risks, Comfort, Trust in & Rewards of the Cloud

Initial concerns:

60% cited concerns around data security as a barrier to adoption.

45% concerned that the cloud would result in a lack of data control.

Realized benefits:

94% experienced security benefits they didn’t previously have on-premise.

62% said privacy protection increased as a result of moving to the cloud.

Microsoft Azure (ISO 27018)

Page 4

European Commission Priority: Digital Single Market

C-SIG Drafting Group DG CNECT: Select expert group (CSA, IBM, Microsoft, Telecom Italia and Arthur’s Legal): EC Cloud SLA Standardisation Guidelines, ISO and other standardisation. ISO/IEC 17788. ISO/IEC 19086 (I).

Computer Science: TU Darmstadt

Coordination & communication: Trust-IT Services

Security: Cloud Security Alliance

Strategic & Legal: Arthur’s Legal

Cloud Computing & European Commission

Page 5

What do we want to achieve?

Improve transparency, bridge the disconnect between supply and demand, and increase the uptake of cloud computing by making it easier for, and empowering, 20 million EU SMEs to understand SLAs.

SLA-Ready aims to provide a common understanding of Service Level Agreements (SLAs) for Cloud services with greater standardisation and transparency, so organisations can make an informed decision on what services to use, what to expect and what to trust.

Page 6

How to achieve

#Cloud #Trust #Strategy #Performance #Security #Data #Data Protection #SLAReady

SLAs are important, but only one particle in the Cloud Service Level Ecosystem:

SLA-Ready services will support SMEs with user-friendly practical tools, guides, and a social marketplace, encouraging them to carefully plan their journey and make it strategic through an informed, stepping-stone approach, so the Cloud and applications grow with their business.

The SLA-Ready Common Reference Model will benefit the industry by integrating a set of SLA components, e.g. common vocabularies, Service Level Objectives (SLO) service metrics and measurements, as well as best practices and relevant standards to fill identified gaps in the current SLA landscape.

Page 7

Cloud Service Level Ecosystem

Ethics & Accountability

Law & Legislation

Case Law

Standardisation & Certification (Self-regulatory)

Cloud SLA & Other Contractual Arrangements

Risk Allocation & Insurance

Technology

Human

Page 8

Cloud SLA Life Cycle

When zooming in on one (1) SLA from a legal, negotiation and contract management perspective, the life cycle of an SLA can be split into seven (7) headline legal life cycle phases:

1. Assessment

2. Preparation

3. Negotiation & Contracting

4. Execution & Operation

5. Updates & Amendments

6. Escalation; and

7. Termination & Consequences of Termination

Page 9

4 Main Categories of Service Level Objectives (SLOs)

1. Performance

2. Security

3. Data Management

4. (Personal) Data Protection

SLA Life Cycle: Assess, Select, SLA, Execute, Monitor, Update & Terminate

Data Life Cycle: Create/derive, Store, Use/Process, Share, Archive, Destroy

Out of Scope Within Scope

Page 10

Data is not a four letter word

EC Cloud Service Level Agreement Standardisation Guidelines (v20140828)

3D approach | Multi-story of connected data types | Classified data | Sensitive data | Personal data | Derived data | Proprietary data | IPR | Encrypted data, with or without Tokenization | Every kind of data needs to be addressed differently.

Data

Data of any form, nature or structure, that can be created, uploaded, inserted in, collected or derived from or with cloud services and/or cloud computing, including without limitation proprietary and non-proprietary data, confidential and non-confidential data, non-personal and personal data, as well as other human readable or machine readable data.

Page 11

State of Practice vs State of Art

Current maturity level of Cloud SLAs of CSPs:

1. Difficult to find, difficult to read & assess: Lots of push-back at CSPs

2. Performance: Availability, Uptime & Measurements

3. Incident Management: Response time per prioritised incident

4. Carve-outs & other exclusions: ‘Planned’ Maintenance, Force Majeure, customer, third parties.

5. Less than 10% coverage of the EC SLA Standardisation Guidelines

6. Difficult to monitor, manage & enforce: status.aws.amazon.com (real-time system status & status history (35 days)), trust.salesforce.com (real-time system status & planned maintenance), www.cloudharmony.com/directory (real-time system status & status history (up to 1 year))

CSPs not comfortable, yet. But how about the cloud customer?

Page 12

Any question goes!

Thank you

Arthur van der Wees

@SLAReady @Arthurslegal
