We share our findings about legal issues regarding the Service Level Agreements (SLA) of IaaS vendors and how they affect customers. We also propose some solutions to the issues outlined in our study.
IS4233 Final Presentation
1. Legal Issues Concerning the Service Level Agreements (SLAs) of IaaS Vendors
Clement Low Jun Xian
Loh Soon Bock
Kang Jie Min
Tan Tze Jun
2. Introduction
IaaS Cloud
What is IaaS?
3rd Party Virtualization of Physical Hardware
• Reduced Cost of Ownership
• Elimination of Hardware Procurement
[Diagram labels: Cloud Customer, IaaS Vendor, SLA, Physical Assets; relationship: << bound by >>]
Legal Issues Concerning the Service Level Agreements (SLAs) of IaaS Vendors
3. Considerations & Concerns about IaaS
• Geographic Location
• Legal Aspects of Contractual Obligations
• Customer Data
• Confidentiality
• Integrity
• Availability
How can all these be addressed?
4. Presentation Agenda
1. IaaS Service Level Agreements (SLAs)
2. Relevance of IaaS SLA in Legal Context
3. Categories of Legal Issues in IaaS SLA
4. Categorical Elaboration of Legal Issues
5. Court Case Analysis
6. Vendor SLAs: Legal Issues & Solutions
7. Solutions to Unaddressed Legal Issues
8. Conclusion
6. IaaS Service Level Agreements (SLAs)
Binding negotiated document
States the minimum level of service to be provided
Entitlement to damages
7. Relevance of IaaS SLA in Legal Context
8. Relevance of IaaS SLA in Legal Context
• Legal dispute related to IaaS in the USA
• Unavailable hours in ALL IaaS cloud service providers TRIPLED in 2012
9. Categories of Legal Issues in IaaS SLA
10. Categories of Legal Issues in IaaS SLA
12. Categorical Elaboration of Legal Issues
Availability
• Monitoring of Service Uptime
• Service Uptime Percentage Ambiguity
• Vendor’s Reluctance to Fix Problems
• Delays in Server Maintenance
• Availability Calculation Based on Contiguous Blocks of Downtime Periods
Reliability
• Security Mechanism Put in Place & Mean Time for Recovery (MTR)
13. Categorical Elaboration of Legal Issues
General Liability
• Exclusion of Direct Liability
• Personnel with Access to Customer Data & Security of Hardware Containing Customer Data
• Secure Erasure of Data from Decommissioned Resource Unit
• Availability of Redundant Systems for Storing Customer Data
• Involvement of Customer(s) in Investigating Breaches
• Location Of Customer Data
• Chained Liability
14. Categorical Elaboration of Legal Issues
Expressed Warranties
• Reserving the right to Change Agreement Term
• Vendor Service Credits as the Sole Remedy for any Contractual Breaches
Implied Warranties
• Granting of Compensation through Claim Submission
• Time Zone for Time-Sensitive or Dependent Terms
• Resolution of Software Bugs & Defects
• Customer-Defined Security Policies
• Notification of Services and Infrastructure Events or Breaches
16. Court Case Analysis (Background)
• Gimme The Best, L.L.C (Plaintiff) vs. Sungard Vericenter, INC. (Defendant)
• Breach of contract due to numerous breakdowns of the Defendant's systems on 3 separate occasions
• Slow Performance
• Data Loss
• Hardware malfunctions
• Worst breach happened in Dec 2006
17. Court Case Analysis (Legal Issues)
• Material Misrepresentation
• Breach of agreement term
• Do the 3 breaches constitute a single breach or multiple breaches of contract?
• Defendant’s Limited Liabilities
• Plaintiff’s Remedies
18. Vendor SLAs: Legal Issues & Solutions
19. Vendor SLAs: Legal Issues & Solutions
Legal Issue: Monitoring of Percentage Uptime
• Amazon and VMware
• Measured based on IaaS vendor infrastructure
• Uptime vs Availability
• Excuse for them to escape liability
Solution
1. External audit by certified company
2. Provision of common monitoring tools to customers
20. Vendor SLAs: Legal Issues & Solutions
Legal Issue: Exclusion of Direct Liability
• Amazon Specific Terms
• Failures that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control)
• Failures that result from failures of individual instances or volumes not attributable to Region Unavailability.
• HP Cloud Compute Specific Terms
• Reserves the right to withhold credit if it cannot verify the downtime or the customer cannot show that they were adversely affected in any way as a result of the downtime
• Customers are required to contact HP and make a report within 30 days of the end of the month in which availability was not met
21. Vendor SLAs: Legal Issues & Solutions
… continued …
Solution
• Difficult to negotiate the SLA terms in the capacity of an individual
• Corporate customers have to negotiate if they feel that exclusions are unreasonable.
• IaaS vendors have to weigh their exclusions against customers' interests to entice more customers
22. Vendor SLAs: Legal Issues & Solutions
Legal Issue: Unilateral change of agreement terms by the IaaS Vendor
• Amazon and VMware
• Terms in the SLA are subject to change in accordance with the agreements
Solution
• Provide clear and sufficient notice to customers
• Continue to honour existing contract terms
• Provide a chance for customers to repudiate contract
• Change warranties (not conditions) and provide compensations
24. Solutions to Unaddressed Legal Issues
Issue: Vendor’s Reluctance to Fix Problem
• Incapable of supporting requests which cause downtime
• Expensive to rectify
• Prefer to pay service credits rather than rectify the problem
Solution
• Treated as a breach of condition
• Right to terminate contract
• Legal action
25. Solutions to Unaddressed Legal Issues
Issue: Missing SLA Clause for Service Performance
• Critical to customers that process time-sensitive requests.
• Monitoring Performance-related metrics
• Burden of proof
Solution
• States the hardware specification clearly and concisely
• Includes Performance-related metrics to measure the performance level
• Includes the monitoring methods
26. Solutions to Unaddressed Legal Issues
Issue: Customer-defined Security Policies
• Critical to customers to implement their security policies
• May clash with the vendor’s security policies
Solution
• The IaaS vendor can offer tiers of services that have various security profiles
• Allow the customer to select their most suited security profile
• The IaaS vendor’s policies will not interfere with customer’s security policies
28. Solutions to Unaddressed Legal Issues
Issue: Notification of Events/Breaches Related to Services & Infrastructure
• Customers should receive notifications of breaches or events even if they are unconfirmed
• Allow customers to preempt any possible impacts or damage
Solution
• Categorize the different types of events that may occur
• Allow customers to opt in for notifications in addition to confirmed breaches or events
• IaaS vendor can exclude any claims from customers arising from false notifications
29. Conclusion
Let’s Re-Cap
We
Defined
IaaS
SLA
• What it is
• Service Level Quality
• Why it is gaining traction
• Warranties
Legal
Issues
• Liabilities
30. Conclusion
We found that IaaS Vendors…
• Few, if not NONE, offer performance-based SLAs
• Induce the inherent legal issues in SLAs by setting terms that are skewed to their interests
• Have a reactive approach towards SLA violations
31. Conclusion
Our perspectives…
The solutions we proposed work in the interests of IaaS customers and simultaneously assist vendors in resolving their legal dilemmas.
We believe that IaaS SLAs can be legally favorable to both customers and vendors alike.
Well crafted SLAs help to foster customer-vendor trust & confidence in the IaaS cloud services industry.
32. Thank you for your attention!
Any questions?
Editor's notes
----- Meeting Notes (15/11/13 21:23) -----
Thank you Clement. I will now touch on the Solutions to Unaddressed Legal Issues. Firstly, we have the Vendor's Reluctance to Fix Problems. This issue arises when the vendors are not willing to fix the problems that may cause downtime or unsatisfactory performance in their services. One of the possible reasons is that the problem might be too expensive to rectify or the problem is too remote to justify fixing it. The vendors would then rather pay service credits than fix the problems since the costs outweigh the benefits. In order for the customers to prevent such an issue from happening, they have to ensure that there is a condition clause in the SLA that the vendors must do their best in resolving any known issues that are publicly/commercially available. Otherwise, they have the right to terminate the contracts and sue them for breach of contract. This will ensure that the vendors will try to resolve the issues that are within their capability.
Moving on, that is Missing SLA Clause for Service Performance. In most of the SLAs today, including the above-mentioned SLAs, there are no performance clauses in the SLA. For time-sensitive requests, performance is critical to the customers to ensure that the responses are timely and accurate. Average response time and network bandwidth are some of the performance-related metrics. The question now lies in how to monitor these metrics by the customers or vendors, and who is required to prove the breach? To resolve such an issue, the customers have to negotiate with the vendors to add the performance clause to the SLA. If the customer expects to have a certain hardware specification provided for the service, it is recommended to put it in the SLA or other contract agreement. This is to prevent the same legal issue that happened in the aforementioned legal case, where the hardware provided was not in good working condition. It is best to quantify the performance level that is required for the service clearly and concisely using the specific metrics. Methods of performance measurement tools or software are best stated so that there will be no dispute when presenting the proofs.
Following on, Customer-Defined Security Policies. It is imperative to have effective security policies and implementation nowadays to protect our information and processes. Likewise, customers will want to have their own security policies rather than the vendors' to protect their instances. However, the vendors' security policies might not complement the customers' security policies. This may cause the customers to be unable to implement them and, worst of all, there might be a security loophole due to the incompatibility. To rectify such a problem, IaaS vendors can offer different tiers of services that have various security profiles. At each service level, the customers can choose the security profiles most suited to their needs. Most importantly, the IaaS vendors' security policies should not interfere with the customer's security policies. They should be able to complement each other and close as many security loopholes as possible.
Lastly, Notification of Events/Breaches Related to Services & Infrastructure. In the event of a security breach, vendors can remain silent and try to resolve the issue in their own hands so as to protect their reputation, since it is not stated in the SLA that the vendors must notify the customers about such incidents. Customers' data might have been compromised due to the breach and they are left not notified. It could be possible that the customers are able to preempt any possible impacts or damage if they are notified early by the vendors, even if it is unconfirmed. However, customers may want to just receive specific breaches so that they are not spammed by notifications for every minor breach. To address this issue, the vendors can firstly classify the different types of events and breaches and allow customers to choose what types of breaches they wish to be notified of. This will help the customers to be able to get the notification timely and accurately. Thus, this will provide them ample time to put in stricter security measures to protect their information. To protect the IaaS vendor's interest, they should exclude any claims from customers arising from false alarms, as they are very likely to happen. This notification is sent for the benefit of the customers. It is their sole responsibility how to act in regard to the notification.