What Should Cloud Computing Users and Providers consider for SLAs?

At several 2010 Cloud Computing conferences, cloud users asked speakers/ panelists for a reference contract, SLA checklist or other parameters they should be negotiating with cloud service providers. No one could  provide a comprehensive answer or list.  Here's the opinion of ITU Focus Group on Cloud Computing SLAs:

Service Users

There are a number of requirements that service users should consider for SLAs in cloud computing.





Cloud service users should be responsible for limits on system usage and restrictions on the type of data that can be stored

Business continuity and disaster recovery

Cloud service users should ensure their cloud providers have adequate protection in case of a disaster.

System redundancy

Cloud service users moving data and applications that must be constantly available should consider the redundancy of their provider's systems.


Cloud service users should understand how and when their providers will do maintenance tasks

Location of Data

Cloud service users must be able to audit the provider to prove that

regulations are being followed if a cloud service provider promises to enforce data location regulations,


Cloud service users must understand their security requirements and what controls and federation patterns are necessary to meet those requirements.


Cloud service users bear the burden of proving that the provider failed to live up to the terms of the SLA under the SLAs of some cloud providers.


Cloud service users might have the certification requirement that their cloud provider be ISO 27001 certified.

A Provider’s Perspective

There are a number of requirements providers should consider for SLAs in cloud computing.





Provider must understand what they must deliver to the service users to enable the appropriate controls and federation patterns.

Data Encryption

The details of the encryption algorithms and access control policies should be specified in the SLA.


An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment.

Data Retention and Deletion

Cloud providers must be able to keep data for a certain period of time and delete data after a certain period of time.

Hardware Erasure and Destruction

Cloud providers should offer the added protection of zeroing out memory space after a consumer powers off a VM.

Regulatory Compliance

Cloud providers must be able to prove their compliance if regulations must be enforced.


Cloud providers must be proactive in notifying consumers when the terms of the SLA are breached for critical data and applications.


Cloud provider would be responsible for proving their certification and keeping it up-to-date.

Common Requirements

There are a number of common requirements that should be considered commonly for SLAs in cloud computing.




Terminology for key performance indicators

A set of industry-defined terms for different key performance indicators would make it much easier to compare SLAs in particular (and cloud services in general).


Trust issue need to be considered during SLA enforcement. For example consumers may not completely trust the certain measurements provided solely by a service provider and regularly employ a neutral third-party organization. The neutral third-party organization is responsible for monitoring and measuring the critical service parameters and reporting violations of the agreement from both consumer and provider. This can eliminate the conflicts of interest that might occur if providers report outages at their sole discretion or if consumers are responsible for proving that an outage occurred.


It is vital the service users be able to audit the provider's systems and procedures. Thus, an SLA should make it clear how and when those audits take place.


Monitoring and auditing require something tangible that can be monitored as it happens and audited after the fact. The metrics of an SLA must be objectively and unambiguously defined.

Machine-Readable SLAs

A machine-readable language for SLAs would enable an automated cloud broker that could select a cloud provider dynamically. One of the basic characteristics of cloud computing is on-demand self-service; an automated cloud broker would extend this characteristic by selecting the cloud provider on demand as well. The broker could select a cloud provider based on business criteria defined by the consumer.

Human Interaction

Although on-demand self-service is one of the basic characteristics of cloud computing, the fact remains that there will always be problems that can only be resolved with human interaction. These situations must be rare, but many SLAs will include guarantees about the provider's responsiveness to requests for support.

Cloud Brokers and Resellers

If a cloud provider is actually a broker or reseller for another cloud provider, the terms of the SLA should clarify any questions of responsibility or liability if anything goes wrong at the broker, reseller or provider facilities.

Classification of SLA Metrics

SLA metrics can be classified by a number of categories. Classified categories include availability, performance and security,


SLA Metrics


Service availability*, Time of data recovery point*, Service suspension time*, Business Continuity and Disaster Recovery




Online response time*, Online response time compliance ratio*, Batch processing time*, Batch processing time compliance ratio*, Maximum number of processing tasks per unit time*, Compliance ratio of maximum processing tasks per unit time*


System Redundancy


Status of the provider’s acquisition of the relevant security standard*, Status of certification of the party possessing management authority*, Status of operational restrictions included in security measures taken on the management system*, Keeping data transmitted between cloud systems confidential*, Data location*, Status of acquisition of a log for detection of malicious acts*, Period during which a log is kept for detection of malicious acts*,

Status of communication control to block malicious communication*, Status of measures against network congestion to circumvent DoD/DDoS attacks*, Implementation of measures against malware* , Certification

Data Management

Data Encryption, Privacy, Data Retention and Deletion, Hardware Erasure and Destruction


Policy of maintenance, Human Interaction

0 thoughts on “What Should Cloud Computing Users and Providers consider for SLAs?

  1. Google Touts 'Industry First' Service Level Agreement for Apps
    An SLA agreement that guarantees a certain percentage of uptime (usually more than 99 percent) doesn't include scheduled maintenance. Customers get a credit for any other downtime that fails to meet the SLA.
    "Unlike most providers, we don't plan for our users to be down, even when we're upgrading our services or maintaining our systems," Matthew Glotzbach, Google's enterprise product management director, said in a blog post. "For that reason, we're removing the SLA clause that allows for scheduled downtime. Going forward, all downtime will be counted and applied towards the customer's SLA. We are the first major cloud provider to eliminate maintenance windows from their service level agreement."
    In a further tweak to the SLA, Google said that any intermittent downtime will also be counted. Previously, a period of less than ten minutes was not included. "We believe any instance that causes our users to experience downtime should be avoided — period," said Glotzbach.

  2. What organization will monitor SLAs for compliance?  Shouldn't it be a 3rd party, rather than the cloud service vendor? Will there be one set of SLAs for the network provider and another set for the Cloud service provider (e.g. SaaS, Platform as a Service, Infrastructure as a Service, others)?

Leave a Reply

Your email address will not be published. Required fields are marked *

I accept that my given data and my IP address is sent to a server in the USA only for the purpose of spam prevention through the Akismet program.More information on Akismet and GDPR.

This site uses Akismet to reduce spam. Learn how your comment data is processed.