7 Things to Watch Out for in a Cloud Provider SLA


Is your cloud platform delivering on its promise? Whichever cloud computing providers you are using, whether AWS, Google Cloud Platform, Microsoft Azure, or IBM SoftLayer, this comparison of cloud provider SLAs is a must-read.

Choosing a public cloud service provider for your business is no easy task. With many factors to consider — price, features, customer support, storage — the choices can be overwhelming.

While needs vary by company and industry, a service level agreement (SLA) is essential when creating a partnership with a public cloud provider. After all, businesses put an enormous amount of trust in their cloud providers, needing safe data storage, easy data retrieval and, especially, fast and complete disaster recovery. An SLA serves as both a mutually agreed upon outline of services and a legal guarantee of what clients are entitled to.

The dramatic outages that affected HBO, Salesforce, Apple and other industry giants in the second quarter of 2016 are proof enough that SLAs — and their uptime, backup, and compensation promises for users — are absolutely imperative when doing business with public cloud providers. Just last month, Delta Airlines suffered a five-hour outage that led to the cancellation of more than 1,500 flights and cost the airline $150 million. Clearly, the effects of downtime on businesses are severe, leading to lost revenue, business disruption, and a tarnished reputation.

To see a comparison of SLAs in action, let’s take a closer look at the top four public cloud providers and their guarantees regarding availability and backup.

4 Public Cloud Providers and Their SLAs

| Cloud Provider | Link to SLA | Availability Goals | Potential Downtime/Year | Compensation (in service credits)* | Backup |
|---|---|---|---|---|---|
| Amazon Web Services | EC2 (Compute) | 99.95% | 04:23 | 10% – 30% | Responsibility of customer |
| Amazon Web Services | S3 (Storage) | 99% – 99.9% (depending on the service) | 15:39 to 08:46 | 10% – 25% | Responsibility of customer |
| Google Cloud Platform | Compute Engine | 99.95% | 04:23 | 10% – 50% | Responsibility of customer |
| Google Cloud Platform | Cloud Storage | 99.9% | 08:46 | 10% – 50% | Responsibility of customer |
| Microsoft Azure | Virtual Machines (Compute) | 99.95% | 04:23 | 10% – 25% | Responsibility of customer |
| Microsoft Azure | Azure Storage | 99.99% | 52:36 | 10% – 25% | Responsibility of customer |
| IBM Cloud | SoftLayer | IBM’s cloud service strives to provide “reasonable efforts to meet a service level of 100%.” | 00:00 | 5% – 100% | Responsibility of customer, but IBM will assist in restoration of lost or damaged data if there was unauthorized third-party access. |

*Credits vary depending on amount of downtime.

7 Things to Look for in an SLA

After reviewing the significant differences in the SLAs’ availability goals, it’s clear most providers leave users on their own for backup. Still, there are other things to consider when creating a contract or choosing a public provider. Here are what we believe are the top SLA considerations:

1. The Fine Print of Downtime

Perhaps the most important aspect of a cloud provider’s services is how often it will be down. The 2016 DR Survey From CloudEndure found the cost of downtime for 73% of organizations runs more than $10,000 per day. Not to mention, even a few minutes of downtime will erode customer loyalty, a cost that can’t always be calculated. That’s why SLAs need to ensure minimal system downtime.

When choosing an SLA, the fine print matters. For example, while some SLAs guarantee 99.95% uptime monthly, others guarantee that level each year. In the end, providers that guarantee by month allow less downtime all at once (22 minutes each month as opposed to almost four-and-a-half hours). While even a minute of downtime has consequences, 22 minutes at once is much less detrimental to your business than hours of continuous downtime. When you look even closer, some providers specify that periods of inaccessibility shorter than ten minutes don’t count as SLA downtime. So technically, you could rack up unofficial downtime, but only in small increments.
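The effect of both clauses can be checked against an outage log. The following is an added example, not taken from any provider's SLA tooling: it compares real downtime with the downtime an SLA would count, assuming a 30-day month, a 365-day year, and constructed outage data.

```python
from datetime import datetime, timedelta

def allowed_minutes(target_pct, period_days):
    """Downtime budget, in minutes, for an availability target over a period."""
    return period_days * 24 * 60 * (100 - target_pct) / 100

def evaluate(outages, target_pct, period_days, min_counted_min=0):
    """Compare real downtime with the downtime the SLA wording counts.

    outages: list of (start, end) datetimes inside one evaluation period.
    min_counted_min: outages shorter than this are excluded by the SLA.
    """
    durations = [(end - start).total_seconds() / 60 for start, end in outages]
    actual = sum(durations)
    counted = sum(d for d in durations if d >= min_counted_min)
    total = period_days * 24 * 60
    budget = allowed_minutes(target_pct, period_days)
    return {
        "budget_min": round(budget, 1),
        "actual_min": round(actual, 1),
        "counted_min": round(counted, 1),
        "actual_availability_pct": round(100 * (1 - actual / total), 3),
        "sla_breached": counted > budget,
    }

def outage(day, hour, minutes):
    """Build one constructed outage in a sample month (June 2016)."""
    start = datetime(2016, 6, day, hour, 0)
    return (start, start + timedelta(minutes=minutes))

# Constructed sample data: eight 9-minute blips and one 15-minute outage.
BLIPS = [outage(d, 3, 9) for d in range(1, 9)] + [outage(20, 14, 15)]
# Constructed sample data: one continuous four-hour outage.
LONG = [outage(10, 9, 240)]

if __name__ == "__main__":
    # Ten-minute exclusion: 87 real minutes down, only 15 counted.
    print(evaluate(BLIPS, 99.95, 30, min_counted_min=10))
    # Same four-hour outage judged against a monthly, then a yearly, budget.
    print(evaluate(LONG, 99.95, 30))
    print(evaluate(LONG, 99.95, 365))
```

With the ten-minute exclusion, the sample month has roughly four times the 99.95% budget in real downtime yet no SLA breach, and the four-hour outage breaches a monthly guarantee but not a yearly one.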

2. Performance Guarantees

SLAs typically have a detailed outline of the services that will be provided as well as performance guarantees that explicitly define resource availability and the maximum amount of downtime. The contract should also specify how clients will be compensated for a failure to meet those guarantees.

3. Possession of Data

The customer’s rights to the stored data and retrieval of it, including a company’s legal ownership over the data, are vital.

4. Auditing

A guide to the cloud provider’s security measures and infrastructure should include language that affirms customers’ rights to audit for compliance.

5. Backup

Most public cloud providers do not offer data backup guarantees. Amazon Web Services, the leading cloud provider, specifically tells users in its service level agreement (Section 4.2) that they are in charge of their own backup, as does SoftLayer (Clause 6). In short, it’s clear you should not take any chances with your data. Most cloud services do not offer backup, so you should find a reputable third-party disaster recovery solution to ensure business continuity when downtime strikes.

6. Industry Regulations

Customers that are in highly regulated industries will want to know who is legally responsible for what, and when, in order to keep data protected and in compliance with relevant regulations. Healthcare, finance, and government are the three big verticals that are most concerned about regulatory compliance.

HIPAA is one of the major players. This widely known regulation is something that every patient signs off on when receiving medical treatment. As electronic medical records become more widely adopted, protecting the data going between medical facilities and the cloud is a big concern. Customers should look for SLAs to outline steps taken, like aligning with higher security standards such as FedRAMP and NIST 800-53.

Arguably, an even more impactful regulation is PCI DSS, since it involves any person who uses a credit card. This regulation works to keep credit card data at rest and in transit safe from hackers. Given these intricacies, SLAs should put customers’ minds at ease by detailing how providers have PCI security baked into their systems.

While both HIPAA and PCI DSS have requirements for both provider and customer, there are regulations such as Export Controls that place the responsibility on the customer alone. In cases such as this, customers will need SLAs to explicitly say that data is located in one country and not accessible by foreign nationals employed by the provider.

With regulations, customers can’t be too careful when it comes to understanding the terms and ensuring they have chosen a provider that is experienced in the matter.

7. End of Service

Although it may be the last thing on customers’ minds when starting a relationship with a cloud provider, details about the process and rights of customers when discontinuing services shouldn’t be overlooked. All good – or bad – things come to an end.

Key Takeaway

It can be confusing to translate the alternately vague and overly complicated language of SLAs into the realities of how they will affect the day-to-day at your company. To ensure that you get the best service possible with the fewest disruptions to your business, validate SLAs against outage scenarios and design contingency plans.

SLAs won’t cover you in all scenarios, especially in the case of downtime. However, downtime does not need to be your downfall. All you need is a robust, cloud-based disaster recovery solution. Learn about CloudEndure’s enterprise-grade disaster recovery solution on our site.
