In a press release on June 26th, the European Commission announced the publication of new guidelines to “help EU businesses use the Cloud”. These guidelines have been developed by the Cloud Select Industry Group as part of the Commission’s European Cloud Strategy to increase trust in these services, and they cover SLAs (Service Level Agreements) for cloud services. In KuppingerCole’s opinion these guidelines are a good start but are not a complete answer to the concerns of individuals and businesses choosing to use cloud services.
Cloud services are important because they provide a way for individuals and businesses to access IT applications and infrastructure flexibly and without the need for large up-front capital investment. This makes it possible for new businesses to minimize the risk of testing new products and for existing businesses to reduce the cost of running core IT services. It also allows individuals to access a range of IT services for free or at minimal cost.
The cost model for cloud services rests on two pillars: the service is standardized and offered to the customer on a take-it-or-leave-it basis, and the cloud service provider can exploit the cost savings that accrue from the massive scale of its service. For services offered to individuals there is a third pillar: the cloud service provider can exploit or sell the information gathered about its individual users in exchange for providing the service.
Since the service offered is not usually open to negotiation, it is important that its definition is clear enough to let a potential customer make a real comparison between the services offered by different providers. The definition should also be transparent about how the service provider handles and uses the data stored in, or collected by, the service. This matters because many kinds of data are subject to laws and regulations, and the customer needs to be able to verify that the data for which they are responsible is being handled appropriately. In addition, the individual user of a service needs to understand how data collected about them will be used.
These new guidelines specify what a cloud SLA should cover, but not what the service level should be. They provide a detailed vocabulary with definitions of the various terms used in SLAs, and a set of SLOs (Service Level Objectives) for the different aspects of a service. Relevant SLOs are suggested for each aspect within the following major areas of a cloud service:
- The performance of the service, including availability, response, capacity, capability, support and reversibility. Reversibility covers the processes involved when the service is terminated. This is important since one of the key concerns is the return of a customer’s data when the service ends, together with guarantees about the erasure of that data.
- The security of the service, including its reliability, authentication and authorization, cryptography, incident management, logging and monitoring, auditing and verification, vulnerability management and service governance.
- Data management, including data classification, data mirroring, backup and restore, data lifecycle and data portability. The data lifecycle includes an SLO “data deletion type”: this should specify the quality of the data deletion, ranging from weak to strong sanitization (as specified in NIST SP 800-88, the guidelines for media sanitization) in which the data cannot easily be recovered.
- Personal data protection: this focuses on the cases where the cloud service provider acts as a “data processor” for the customer, who is the “data controller”. It covers codes of conduct and certification mechanisms, data minimisation, use, retention and disclosure, openness, transparency and notice, accountability, geographic location and intervenability.
Overall these guidelines are a good start, but they are not a complete answer to the concerns of individuals and businesses choosing to use cloud services. They provide a common set of areas that a cloud SLA should cover and a common set of terms that can be used. However, the definition of the objectives in a standard way that can be measured still falls short; it still leaves too much “wriggle room” for the cloud provider. ENISA’s Procure Secure is a worthwhile document that gives more detailed advice on what to measure in cloud contracts and how to measure it.
It is good that the guidelines distinguish between the legal contractual aspects and the technical service definition. However, the SLOs cover areas of data privacy where the two necessarily overlap, because of the legal obligations placed on a cloud customer that uses the service to process data subject to regulations or laws. Section 6.4 covers the contentious area of disclosure of personal data to law enforcement authorities and suggests that the SLOs should include the number of disclosures made over a period of time as well as the number notified to the customer. This will not be sufficient to allay the significant concerns of European organizations using non-EU-based cloud service providers.
KuppingerCole has helped major European organizations to understand and manage the real risks associated with cloud computing. We offer research and services to help cloud service providers, cloud security tool vendors and end-user organizations. To learn more about how we can help your organization, just contact firstname.lastname@example.org.