Similar to a contract signed between a customer and a cloud provider, the SLA is possibly the most crucial and fundamental component defining how security and operations will be undertaken. The SLA should also capture the requirements related to compliance, best practice, and general operational activities needed to satisfy each of these.
Within an SLA, the following contents and topics should be covered as a minimum:
- Availability (e.g., 99.999% of services and data)
- Performance (e.g., expected response times vs. maximum response times)
- Security/Privacy of the Data (e.g., encrypting all stored and transmitted data)
- Logging and Reporting (e.g., audit trails of all access and the ability to report on key requirements/indicators)
- Disaster Recovery Expectations (e.g., worst-case recovery commitment, recovery time objectives (RTO), maximum period of tolerable disruption (MPTD))
- Location of the Data (e.g., ability to meet requirements/consistent with local legislation)
- Data Format/Structure (e.g., data retrievable from the provider in a readable and intelligible format)
- Portability of the Data (e.g., ability to move data to a different provider or multiple providers)
- Identification and Problem Resolution (e.g., helpline, call center, ticketing system)
- Change Management Process (e.g., changes – updates or new services)
- Dispute Mediation Process (e.g., escalation process, consequences)
- Exit Strategy (with expectations on the provider to ensure a smooth transition)