Posts

Moving to the Cloud: Privacy


This post is the fourth in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Few topics related to cloud computing create more passion than privacy.  Knowing how well your organization’s information will be safeguarded is key to trusting a service provider and to the decision to go to the cloud in the first place.

Privacy, while closely related to security, differs from it: security addresses access to and protection of information, whereas privacy addresses who may access data and how it may be used.

When considering privacy, organizations should start with three documents from the service provider:

  1. Terms of Service / Contract:  Most cloud providers provide clear terms and conditions related to privacy in their terms of service.  These include statements about content ownership and access rights; clauses covering confidential information; statements regarding the provider’s access to customer data and content; and terms related to how the service provider will respond to subpoenas and other third-party demands for data.
  2. Service Level Agreement:  Many cloud providers include terms related to privacy in their service level agreement.   In some cases, the SLA stipulates time frames for addressing privacy issues.
  3. Privacy Policy:  Most cloud providers now have one or more privacy policies.  These policies may be universal to the provider’s service, or may cover specific aspects of the services (such as use of the web site/portal).

When looking to choose a cloud solutions provider, look at all three documents.  Verify that they are comprehensive and clear.  Understand how they address any particular regulatory requirements for your organization.  Validate that they are consistent — that no conflicts or gaps exist that could lead to confusion or misunderstandings down the road.

Make sure the review of privacy policies looks at the specific customer agreements and policies that apply to your organization.  Many cloud providers offer “free” or “consumer” services with different terms and conditions than their paid (or free) solutions for business, government, education, and non-profits.   Many organizations spin their wheels and raise unwarranted concerns by not focusing on the specific, applicable agreements and policies.

Finally, review the privacy performance of the service provider.  If they have had any sort of breach, or a privacy dispute, understand the nature, scope, and response.  Understand if the breach was provider-related or due to the actions or inaction of the customer.  Assess the appropriateness of the provider’s response given the nature of the issue.

Again, due diligence is key.  A small amount of research, a few questions, and an accurate understanding of how a service provider plans and manages privacy will help organizations determine if the provider meets the organization’s privacy needs and priorities.

Next Post in the Series:  Lock-In


Previous Post in the Series:  Provider Reliability

Tuesday Take-Away: The True Role of the SLA

As you look towards cloud solutions for more cost effective applications, infrastructure, or services, you are going to hear (and learn) a lot about Service Level Agreements, or SLAs.  Much of what you will hear is a big debate about the value of SLAs and what SLAs offer you, the customer.

Unfortunately, some vendors are framing the value of their SLAs based on the compensation customers receive when the vendor fails to meet its service level commitments.  The best example of this attitude is Microsoft’s comparison of its cash payouts to Google’s SLA, which provides free days of service.  Microsoft touts its cash refunds as a better response to failure.  Why any company would send out a marketing message that begins with “When we fail …” is beyond me.  But that is a subject for another post someday.

That said, Microsoft, and those customers who are comforted by the compensation, are totally missing the point of the SLA in the first place.  Any compensation for excessive downtime is irrelevant with respect to the actual cost and impact on your business.  And unless a vendor is failing miserably and often, the compensation itself is not going to change the vendor’s track record.

The true role of the SLA is to communicate the vendor’s commitment to providing you with service that meets defined expectations for Performance, Availability, and Reliability (PAR).  The SLA should also communicate how the vendor defines and sets priorities for problems and how it will respond based on those priorities.  A good SLA will set expectations and define the method of measuring whether those expectations are met.

Continuing with the Microsoft and Google example: Microsoft sets an expectation that you will have downtime.  While the downtime is normally scheduled in advance, it may not be.  Google, in contrast, sets an expectation that you should have no downtime, ever.   The details follow.

Microsoft’s SLA is typical in that it excludes maintenance windows, periods of time when the system will be unavailable for scheduled or emergency maintenance.  While Microsoft does not schedule these windows at a regular weekly or monthly time, it does promise to give you reasonable notice of maintenance windows.  The SLA, however, allows Microsoft to declare emergency maintenance windows with little or no notice.

In August 2010, Microsoft’s BPOS service had 6 emergency maintenance windows, totaling more than 10 hours, in response to customers losing connectivity to the service, along with 30 hours of scheduled maintenance windows.  In line with Microsoft’s SLA, customers experienced more than 40 hours of downtime that month, which is within the boundaries of the SLA and its expectations.  On August 17, 2011, Microsoft experienced a data center failure that resulted in loss of Exchange access for its Office365 customers in North America for as long as five hours.  The system was down for 90 minutes before Microsoft acknowledged this as an outage.

Google’s SLA sets an expectation of system availability 24x7x365, with no scheduled downtime for maintenance and no emergency maintenance windows.

The difference in SLAs sets a very different expectation and makes a statement about how each vendor builds, manages, and provides the services you pay for.

When comparing SLAs, understand the role of maintenance windows and other “exceptions” that give the vendor an out.  Also, look at the following.

  • Definitions for critical, important, normal, and low priority issues
  • Initial response times for issues based on priority level
  • Target time to repair for issues based on priority level
  • Methods of communicating system status and health
  • Methods of informing customers of issues and actions/results

Remember, if you need to use the compensation clause, your vendor has already failed.


All Cloud Computing SLAs are Not Equal

SLAs, or Service Level Agreements, establish provider commitments for service performance, availability, and reliability.  When considering online services, understanding the SLA can make a world of difference.

For Google Apps Premier and Education Editions, Google offers a 99.9% availability SLA for the core services.  This is based on an expectation of no downtime at all, not even for scheduled maintenance.

For Microsoft’s Exchange Online service, the 99.9% availability SLA seems comparable, but it only covers downtime outside of scheduled maintenance windows.

The difference is important since scheduled maintenance can still impact your business.

So far in August 2010, there have been two (2) scheduled maintenance windows on Saturdays, running from 12:00 PM to 3:00 PM EDT.   These maintenance windows easily impact businesses that operate on Saturday, as the windows extend through the morning until mid-afternoon.  And yet, they do not count against the SLAs as they were “scheduled”.

A quick check of Microsoft’s Online Service Notification feed indicates at least six (6) unscheduled outages of Exchange Online over the first 23 days of August.  While outages do count towards the SLA and may result in credits, having a more reliable service is preferred.
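The gap between the two SLA styles compared in these two posts can be made concrete. The Python below is an added example, not code from either post or from any vendor; it models a maintenance-excluding SLA and a no-exclusion SLA as sets of excluded downtime kinds (a simplification of real contract language) and measures both against a constructed month built from the August 2010 figures quoted above (the individual emergency-window lengths and the 0.5 h unplanned outage are constructed, not taken from any vendor report).

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    SCHEDULED = "scheduled maintenance"
    EMERGENCY = "emergency maintenance"
    OUTAGE = "unplanned outage"


@dataclass(frozen=True)
class Downtime:
    kind: Kind
    hours: float


# Simplified SLA models (assumption: real contract wording is more detailed than this).
# Maintenance-excluding SLA: scheduled and emergency windows do not count against availability.
EXCLUDES_MAINTENANCE = frozenset({Kind.SCHEDULED, Kind.EMERGENCY})
# No-exclusion SLA: every hour the service is unavailable counts.
EXCLUDES_NOTHING = frozenset()


def measured_availability(events, period_hours, excluded):
    """Availability (%) as the SLA measures it: only non-excluded downtime is counted.
    Pass EXCLUDES_NOTHING to get what the business actually experienced."""
    counted = sum(e.hours for e in events if e.kind not in excluded)
    return 100.0 * (period_hours - counted) / period_hours


def meets_sla(events, period_hours, excluded, target_pct=99.9):
    """True if the SLA's own measurement reaches the target (99.9% by default)."""
    return measured_availability(events, period_hours, excluded) >= target_pct


def downtime_budget_hours(period_hours, target_pct=99.9):
    """Hours of *counted* downtime the target allows (99.9% of a 31-day month is about 0.74 h)."""
    return period_hours * (1.0 - target_pct / 100.0)


# Constructed sample month modelled on the August 2010 figures quoted above: 30 h of scheduled
# maintenance and six emergency windows totalling just over 10 h. The per-window durations and
# the single 0.5 h unplanned outage are constructed, not taken from any vendor report.
AUGUST_HOURS = 31 * 24
AUGUST_2010 = (
    [Downtime(Kind.SCHEDULED, 30.0)]
    + [Downtime(Kind.EMERGENCY, h) for h in (2.0, 1.5, 2.5, 1.0, 1.5, 2.0)]
    + [Downtime(Kind.OUTAGE, 0.5)]
)

if __name__ == "__main__":
    for name, excl in (("maintenance excluded", EXCLUDES_MAINTENANCE), ("nothing excluded", EXCLUDES_NOTHING)):
        pct = measured_availability(AUGUST_2010, AUGUST_HOURS, excl)
        print(f"{name}: {pct:.3f}% available, meets 99.9%? {meets_sla(AUGUST_2010, AUGUST_HOURS, excl)}")
```

With 41 hours of total unavailability, the maintenance-excluding SLA still reports about 99.93% and is "met", while the same month measured without exclusions comes to about 94.5%, which is the number the business actually lived with.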