This document discusses making cloud service level agreements (SLAs) more usable for private sector organizations in the European Union. It notes that insufficient knowledge and security concerns are currently blocking factors for cloud adoption. The document proposes developing standardized guidelines and a common reference model to improve transparency of SLAs. This would help organizations better understand and evaluate SLAs to make informed decisions about cloud services. It outlines components that could be included in the reference model, such as service level objectives, metrics, and best practices. The overall goal is to increase cloud adoption among small and medium enterprises through more consistent and user-friendly SLAs.

1. Making Cloud SLAs readily usable
in the EU private sector
Arthur van der Wees
Managing Director international law firm Arthur’s Legal
Founder & Chief Executive Officer Zapplied Platform

2. 2
Risks, Comfort & Trust in the Cloud
 Cloud Services Challenges:
For the 80% not yet using cloud services, insufficient knowledge is the
main blocking factors (42%).
For the 20% using cloud services, the risk of a security breach is the main
limiting factor (39%).
Eurostat (EC)

3. Cybersecurity & Data Protection: Threat or Strength?
Risks, Comfort, Trust in & Rewards of the Cloud
60%cited concerns around
data security as a barrier
to adoption.
45%concerned that the
cloud would result in a
lack of data
control.
94%experienced security
benefits they didn’t
previously have on-
premise.
62%said privacy protection
increased as a result of
moving to the cloud.
Initial concerns Realized benefits
Microsoft Azure (ISO 27018)

4. European Commission Priority: Digital Single Market
C-SIG Drafting Group DG CNECT: Select expert group (CSA, IBM, Microsoft,
Telecom Italia and Arthur’s Legal): EC Cloud SLA Standardisation Guidelines,
ISO and other standardisation. ISO/IEC 17788. ISO/IEC 19086 (I).
Computer Science: TU Darmstadt
Coordination & communication: Trust-IT Services
Security: Cloud Security Alliance
Strategic & Legal: Arthur’s Legal
Cloud Computing & European Commission

5. 5
What do we want to achieve?
Improve transparency, bridging the disconnect between supply and
demand, and increase the uptake of cloud computing by making it
easier for and empower 20 million EU SMEs to understand SLAs
SLA-Ready aims to provide common understanding of Service Level
Agreements (SLAs) for Cloud services with greater standardisation and
transparency so organisations can make an informed decision on what
services to use, what to expect and what to trust.

6. How to achieve
#Cloud #Trust #Strategy #Performance #Security #Data #Data Protection #SLAReady
SLAs are an important but yet only
one particle in the Cloud Service
Level Ecosystem:
SLA-Ready services will support SMEs with user-friendly practical tools, guides,
and a social marketplace, encouraging them to carefully plan their journey and
make it strategic through an informed, stepping-stone approach, so the Cloud and
applications grow with their business.
The SLA-Ready Common Reference Model will benefit the industry by
integrating a set of SLA components, e.g. common vocabularies, Service Level
Objectives (SLO) service metrics and measurements, as well as best practices
and relevant standards to fill identified gaps in the current SLA landscape.

7. Ethics & Accountability
Law & Legislation Case Law
Standardisation &
Certification
(Self-regulatory)
Cloud SLA &
Other Contractual
Arrangements
Risk Allocation
& Insurance
Technology
Cloud Service Level Ecosystem
Human

8. Cloud SLA Life Cycle
When zooming in at one (1) SLA from a legal, negotiation and contract management
perspective, the life cycle of a SLA can be split in seven (7) headline legal life cycle phases:
1.Assessment
2.Preparation
3.Negotiation & Contracting
4.Execution & Operation
5.Updates & Amendments
6.Escalation, and;
7.Termination & Consequences of Termination

9. 4 Main Categories Service Level Objectives (SLOs)
1. Performance
2. Security
3. Data Management
4. (Personal) Data Protection
SLA Life Cycle: Assess, Select, SLA, Execute, Monitor, Update & Terminate
Data Life Cycle: Create/derive, Store, Use/Process, Share, Archive, Destroy
Out of ScopeWithin Scope

10. Data is not a four letter word
EC Cloud Service Level Agreement Standardisation Guidelines (v20140828)
3D approach | Multi-story of connected data types | Classified data
| Sensitive data | Personal data | Derived data | Proprietary data |
IPR | Encrypted data, with or without Tokenization | Every kind
of data needs to be addressed differently.
Data
Data of any form, nature or structure, that can be created, uploaded, inserted
in, collected or derived from or with cloud services and/or cloud computing,
including without limitation proprietary and non-proprietary data, confidential
and non-confidential data, non-personal and personal data, as well as other
human readable or machine readable data.

11. State of Practice vs State of Art
Current maturity level of Cloud SLAs of CSPs:
1. Difficult to find, difficult to read & assess: Lot’s of push-back at CSPs
2. Performance: Availability, Uptime & Measurements
3. Incident Management: Response time per prioritised incident
4. Carve-outs & other exclusions: ‘Planned’ Maintenance, Force Majeure, customer, third parties.
5. Less then 10% coverage out of the EC SLA Standardisation Guidelines
6. Difficult to monitor, manage & enforce: status.aws.amazon.com (real-time system status &
status history (35 days)), trust.salesforce.com (real-time system status & planned maintenance),
www.cloudharmony.com/directory (real-time system status & status history (up to 1 year))
CSPs not comfortable, yet.
But how about the cloud customer?

12. Any question goes!
Thank you
Arthur van der Wees
@SLAReady
@Arthurslegal
vanderwees@arthurslegal.com