There are many documents that provide guidelines for implementing Service Level Agreements (SLAs) for cloud computing. The SLA defines the limitations and responsibilities of both the customer and the service provider. Cloud SLAs should not mandate a specific approach for any concept and should be technology neutral. The SLA should cover the following areas:
1. Who is responsible for security? In the cloud, security is a shared responsibility, and each party's role should be clearly defined. Ensure the SLA covers application security and infrastructure security as well as data security.
2. Define business risk and liability. Is the service provider liable for harm to the business in the event of a breach or the loss of availability resulting in loss of business?
3. How does the business conduct investigations in the event of a breach? Who does the forensic collection and analysis?
4. Is the service provider responsible for restoration of data in the event of loss? If not, how is the data restored?
5. Ensure the SLA includes physical security requirements.
6. For sensitive data such as PII or PHI include limitations on where the data can be stored.
7. Include when the data can be viewed and who can view it. Do all employees of the service provider have access to your data?
SLAs are formal documents, agreed on by both parties, that define a set of service level objectives. The objectives should include security and privacy. Without a good SLA, it is not possible to implement good cloud security.
To learn more about the cloud, consider the (ISC)2 Certified Cloud Security Professional (CCSP) 40 hr. training in Washington DC. To learn more visit our training page at http://www.nationalcybersecurityinstitute.org/training/
James Angle is Regional Information Security Officer for a nonprofit healthcare provider.