Top 10 Cloud SLA Best Practices identified by GAO
Top 10 Cloud SLA Best Practices are:
- Define SLA roles and responsibilities for the enterprise and cloud providers. These definitions should include,the persons responsible for oversight of the contract, audit, performance management, maintenance, and security.
- Define key terms. Include definitions for dates and performance. Define the performance measures of the cloud service, including who is responsible for measuring performance. These measures would include: the availability of the cloud service; the number of users that can access the cloud at any given time; and the response time for processing a customer transaction.
- Define specific identifiable metrics for performance by the cloud provider. Include who is responsible for measuring performance. Examples of such measures would include:
- Level of service (e.g., service availability—duration the service is to be available to the enterprise).
- Capacity and capability of cloud service (e.g., maximum number of users that can access the cloud at one time and ability of provider to expand services to more users).
- Response time (e.g., how quickly cloud service provider systems process a transaction entered by the customer, response time for responding to service outages).
- Specify how and when the enterprise has access to its own data and networks. This includes how data and networks are to be managed and maintained throughout the duration of the SLA and transitioned back to the enterprise in case of exit/termination of service.
- Specify specific SLA infrastructure and requirements methodology:
- How the cloud service provider will monitor performance and report results to the enterprise.
- When and how the enterprise, via an audit, is to confirm performance of the cloud service provider.
Provide for disaster recovery and continuity of operations planning and testing. Include how and when the cloud service provider is to report such failures and outages to the enterprise. In addition, how the provider will re-mediate such situations and mitigate the risks of such problems from recurring.
- Describe any applicable exception criteria when the cloud provider’s performance measures do not apply (e.g., during scheduled maintenance or updates).
- Specify metrics the cloud provider must meet in order to show it is meeting the enterprise’s security performance requirements for protecting data (e.g., clearly define who has access to the data and the protections in place to protect the enterprises’s data). Specify the security performance requirements that the service provider is to meet. This would include describing security performance metrics for protecting data, such as data reliability, data preservation, and data privacy. Clearly define the access rights of the cloud service provider and the enterprise as well as their respective responsibilities for securing the data, applications, and processes to meet all mandated requirements. Describe what would constitute a breach of security and how and when the service provider is to notify the enterprise when the requirements are not being met.
- Specify performance requirements and attributes defining how and when the cloud service provider is to notify the enterprise when security requirements are not being met (e.g., when there is a data breach).
- Specify a range of enforceable consequences, such as penalties, for non-compliance with SLA performance measures. Identify how such enforcement mechanisms would be imposed or exercised by the enterprise.