Service level agreement

The contents included in this section are DRAFTS proposed for a public consultation and are under review.

Scenario

Procurement needs

The cloud market represents a relatively new, yet rapidly developing, market sector that combines IT functionality (e.g. computing, storage and data management) with wide-area networking, delivered as a set of services. Although this market is still at an early stage in terms of both adoption and standardisation, due to its rapid expansion there are many services already available for procurement by governments covering: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS).

Within this market, the instrument used to govern the relationship between the end user (the Cloud Service Customer) and the service provider (the Cloud Service Provider) is the contract entered into between these two parties, referred to as the Cloud Service Level Agreement (CSLA). Given the global nature of cloud offerings, CSLAs usually span many jurisdictions which often have their own applicable legal requirements, in particular with respect to the protection of the personal data hosted in a cloud service. These agreements differ according to each Cloud Service Provider, such that while they may contain similar functionality features, the individual terms and conditions applying to each provider's services may be both complex and expressed in a manner unique to the Service Provider.

This puts the onus on potential customers to carefully analyse what is being offered; it also makes the task of comparing and selecting the best service option very difficult. Since the adoption of cloud services has potentially significant implications for operational and governance-related risk, any lack of clarity on the details of the available service offers represents a barrier, particularly for applications with a long-term business importance to a user (as opposed to specific projects of limited scope and duration).

Care needs to be taken when drafting and/or agreeing to a CSLA. Any ambiguity of language within the agreement can result in future (legal) disputes between the two parties.

There is a need to define the role of the CSLA in the business relationships between the various cloud service stakeholders. Specifically, it is important to understand how both the Cloud Service Customer and the Cloud Service Provider can use their SLA to provide the context for their individual decisions and operations moving forward.

Costs & Benefits

Cost savings from cloud adoption: Research has indicated that 27% of businesses identify cost savings from adopting cloud. Of these: 59% saw savings of between 5% and 19% of total IT costs; 26% saw savings of 30% or more; and 15% saw savings of 4% or less or could not quantify the savings.

This study presents some predicted net costs and benefits associated with cloud computing across Europe, as well as the impact of barriers to cloud take-up, such as restrictive and/or ambiguous Cloud Service Level Agreements:

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=9742

For more general information see:

http://www.cloudwatchhub.eu/taxonomy/term/92

Situation in Member States

Eurostat has produced country-specific statistics on the use of cloud computing by enterprises across Europe.

http://ec.europa.eu/eurostat/statistics-explained/index.php/Cloud_computing_-_statistics_on_the_use_by_enterprises#Further_Eurostat_information

The following study provides information on uptake based on a number of country case-studies.

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=9742

Standards

The following contents are the starting sources for the list of standards reported in the Excel spreadsheet.

As a framework of general standards, the regulatory context is the same as described above; in addition, there is an overall list of existing standards from CEN and ETSI:

See ETSI website.

Other indications about standards are available thanks to the DG CONNECT project SLA-Ready (in the Horizon 2020 framework) at the following link: http://www.sla-ready.eu/.

Use Cases

Important points for procurers applying to all European Catalogue use cases:

The use cases provided here represent generic use cases. You may need to modify these to meet the specific procurement needs of your organisation.

All standards listed with the individual use cases can be substituted with any reasonable equivalent alternatives unless this action is prevented by any applicable EU or national legislation.

Simply listing these standards within your tender documents will not ensure the interoperability of any acquired solution/service, nor will the interoperability of your solution and your existing systems be guaranteed. You will still need to conduct your own internal technical assessment before publishing your tender – the European Catalogue is not a substitute for this process.

Use Case 1: The Cloud Service Customer needs to procure Software As A Service (SaaS) for use by its employees to replace software currently installed on computers.

ISO/IEC 27005 (Risk Management)

ISO/IEC 19086 Part 1 (Overview and Concepts), ISO/IEC 19086 Part 3 (Core Requirements) and ISO/IEC 19086 Part 4 (Security and Privacy) – all in draft at the moment of writing this report

Relevant guides to the application of these standards:

EU H2020 PICSE project “Case studies and best practices” http://picse.eu/case-studies

EU H2020 SLA-Ready project CSLA Common Reference Model: http://www.sla-ready.eu/

See also as reference:

TMF GB963 (Cloud SLA Application Note)

Use Case 2: The Cloud Service Customer needs to (be able to) create a hybrid innovation platform whereby they share specific resources with their Cloud Service Provider.

ISO/IEC 27005 (Risk Management)

ISO/IEC 29134 (Privacy Impact Assessment)

ISO/IEC 19086 Part 1 (Overview and Concepts), ISO/IEC 19086 Part 2 (Metric Model), ISO/IEC 19086 Part 3 (Core Requirements) and ISO/IEC 19086 Part 4 (Security and Privacy) – all in draft at the moment of writing this report

ETSI TR 103 125 “SLAs for Cloud services”

Relevant guides to the application of these standards:

EU H2020 SLA-Ready project CSLA Common Reference Model: http://www.sla-ready.eu/

C-SIG SLA “Cloud SLA Standardisation Guidelines”

EC SMART “Standards terms and performance criteria in service level agreements for Cloud computing services”

Use Case 3: The Cloud Service Customer needs to (be able to) monitor the delivery of services by their Cloud Service Provider to ensure they are delivering these services at the agreed levels.

ISO/IEC 27004 (Information security monitoring, measurement, analysis and evaluation)

ISO/IEC 19086 Part 1 (Overview and Concepts), ISO/IEC 19086 Part 2 (Metric Model), ISO/IEC 19086 Part 3 (Core Requirements) and ISO/IEC 19086 Part 4 (Security and Privacy) – all in draft at the moment of writing this report

ETSI TR 103 125 “SLAs for Cloud services”

Relevant guides to the application of these standards:

EU H2020 SLA-Ready project CSLA Common Reference Model: http://www.sla-ready.eu/

C-SIG SLA “Cloud SLA Standardisation Guidelines”

ENISA “Procure Secure: A guide to monitoring of security service levels in cloud contracts”

CSA Cloud Trust Protocol https://cloudsecurityalliance.org/group/cloudtrust-protocol/

Use Case 4: The Cloud Service Customer needs to (be able to) ensure they can retrieve all data that is handled by their Cloud Service Provider when the service is terminated, regardless of why this service is terminated.

ISO/IEC 19086 Part 3 (Core Requirements) and ISO/IEC 19086 Part 4 (Security and Privacy) – both in draft at the moment of writing this report

See also as reference:

CSA Privacy Level Agreement v2

Relevant guides to the application of these standards:

EU H2020 SLA-Ready project CSLA Common Reference Model: http://www.sla-ready.eu/

CSCC “Practical Guide to Cloud Service Level Agreements – v2”

C-SIG SLA “Cloud SLA Standardisation Guidelines”

Guidelines

Vendor Lock-In

Within ICT, vendor lock-in is a recognised issue whereby public authorities, who have entered into contracts with providers of ICT products or services for a certain period of time, cannot easily change their provider once the contract ends because essential information is not available to any new suppliers.

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=2327

Within cloud computing, vendor lock-in is intrinsically linked to the Service Level Agreements (the contracts) between the Cloud Service Customer and the Cloud Service Provider. If the customer is unable to negotiate the terms of their Service Level Agreement, and/or if these terms are not transparent and clearly defined then the customer may be prevented from accessing the full range of suppliers.

Similarly, a customer may be prevented from leaving a Cloud Service Provider (even if that Provider is providing a poor service) due to the drafting of their Service Level Agreement.

Interoperability & Implementation

Several guidelines on implementing an interoperable SLA platform are available at the following links.

http://www.ecis.eu/2016/06/special-paper-on-cloud-computing-portability-and-interoperability/

http://csc.etsi.org/resources/WP1-Report/Special_Report_033381-v2.1.1.pdf

http://www.sla-ready.eu/common-reference-model

http://cloudscout.cloudwatchhub.eu/#/app/home?lang=en&code=en

Procurement

Procurement guidelines for Service Level Agreements have been produced by a number of organisations/initiatives, setting out Service Level Objectives.

PICSE (Procurement Innovation for Cloud Services in Europe) www.picse.eu/

http://picse.eu/sites/default/files/Annex1_Guidetocloudprocurement_webversion.pdf

Cloud Select Industry Group – Subgroup on Service Level Agreement

Cloud Service Level Agreement Standardisation Guidelines:

http://ec.europa.eu/newsroom/dae/document.cfm?action=display&doc_id=6138

Procure Secure - A guide to monitoring of security service levels in cloud contracts: https://www.enisa.europa.eu/publications/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts/at_download/fullReport

Horizontals

Strategic Procurement / Examples in MS

The EC has published a study: “Analysis of cloud best practices and pilots for the public sector”. The study provides a detailed analysis of cloud initiatives at the national level and deployments in the public sector in ten Member States.

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=3521

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=3522

Security and Privacy

There exists practical guidance aimed at the procurement and governance of cloud services. This guidance provides advice on questions to ask about the monitoring of security when procuring a Service Level Agreement. The goal is to improve public sector customer understanding of the security of cloud services and the potential indicators and methods which can be used to provide appropriate transparency during service delivery.

The documents listed above, available at the indicated links, also provide this kind of guidance.
