Page 1 D2.4 A Common Reference Model to describe, promote and support the uptake of SLAs – Final report
www.sla-ready.eu
Title: A Common Reference Model to describe, promote and support the uptake of SLAs – Final report
Author(s): Ruben Trapero, Neeraj Suri, TUDA
Contributor(s): Arthur van der Wees, Arthur’s Legal; Marina Bregou, CSA
Date: 31 Dec, 2016
Executive Overview
SLA-Ready aims to increase the degree of trust a user can place in Cloud Service Providers (CSPs) and consequently to leverage a higher uptake of cloud services. As the linkage between the CSP and the user typically transpires via contractual Service Level Agreements (SLAs), the standardisation and transparency of SLAs is paramount to provide Cloud Service Customers (CSCs) with enough information about what services to use, what to expect from them and in what to trust.
To this end, SLA-Ready has created a Common Reference Model (CRM) that helps towards the common understanding of SLAs for cloud services. The CRM integrates guidelines, standards and best practices to create a component based reference model to define SLAs with a common terminology, SLA attributes and Service Level Objectives.
The CRM was introduced in D2.3 by evaluating the requirements elicited in D2.1 and D2.2. An initial evaluation of the CRM was also conducted in D2.3 by evaluating the pertinent standards, best practices and also four representative use cases from real CSPs.
D2.4 conducts an in-depth validation and establishes the practical usefulness of the CRM. More specifically, D2.4 progresses beyond D2.3 in the following aspects:
• The update of the evaluation of the CRM with respect to the standardization bodies and agencies for best practices.
• A comprehensive evaluation of the CRM from the industrial perspective with the analysis of 23 use cases. The analysis is based on an extended template that has been modified to include aspects related to the expertise levels of the company.
• A novel recommendation methodology that provides the level of importance of every element of the CRM to SMEs that want to provide cloud services.
• The computation of an SLA readiness index based on the CRM that compares CSPs using the CRM as the comparison criterion.
Table of Contents
LIST OF ACRONYMS
GLOSSARY
1. INTRODUCTION
1.1. Positioning D2.4 within SLA-Ready
1.2. Structure of this report
2. IMPROVING THE VALIDATION OF THE CRM
3. THE COMMON REFERENCE MODEL (CRM)
3.1. Summary takeaways
4. CRM MAPPING TO STANDARDS AND BEST PRACTICES
4.1. Initiatives being analysed
4.2. Summary takeaways
5. SECTOR SPECIFICITY OF CRMS
5.1. Use case template
5.2. Use cases and CRM mapping
5.2.1. Use case 1: Fintech - Financial sector use case
5.2.2. Use case 2: Governmental Cloud
5.2.3. Use case 3: ConsultLess, SMEs using SaaS
5.2.4. Use case 4: SMEs migrating from one SaaS CSP to the other
5.2.5. Use case 5: Cloud Brokering: Chargeback and Showback
5.2.6. Use case 6: Distribution of SME Training Material to Mobile Employees
5.2.7. Use case 7: EasyAgriSelling - SME using IaaS/PaaS
5.2.8. Use case 8: Video storage and streaming from the Cloud
5.2.9. Use case 9: Cloud-based Development and Testing
5.2.10. Use case 10: Logistics and Project Management in the Cloud
5.2.11. Use case 11: Local Government Services using a Hybrid Cloud
5.2.12. Use case 12: Payroll Processing in the Cloud
5.2.13. Use case 13: CSP specifying carve-outs in its cloud service terms
5.2.14. Use case 14: CSP changing SLA at operation time
5.2.15. Use case 15: CSP providing services under different regulations
5.2.16. Use case 16: CSP providing data services for the health sector
5.2.17. Use case 17: A SME terminating a contract with a CSP
5.2.18. Use case 18: CSP migrating data between different jurisdictions
5.2.19. Use case 19: CSP providing data portability vendor Lock-in of SaaS applications
5.2.20. Use case 20: SME looking for Information Security Incident Management
5.2.21. Use case 21: CSP allowing data access for law enforcement
5.2.22. Use case 22: SME migrating to IaaS with several duration periods in the agreement
5.2.23. Use case 23: SME setting up its own hybrid cloud ecosystem
5.2.24. CRM to use cases mapping
5.3. Summary takeaways
6. CRM RECOMMENDATION FOR NEW USE CASES
6.1. Input data: use cases analysis
6.2. Phase 1: Applying clustering methodologies to the input data
6.3. Phase 2: Assigning new use cases to clusters
6.4. Recommendation methodology validation: Example 1
6.5. Recommendation methodology validation: Example 2
6.6. Summary takeaways
7. PROGRESS ON DEVELOPING THE SLA-READINESS INDEX
7.1. Motivation for the SLA-Readiness Index
7.1.1. Step 1: CSP SLA self-assessment
7.1.2. Step 2: SLA-Repository
7.1.3. Step 3: Computing the SLA-Readiness Index
7.1.4. Step 4: Using the SLA-Readiness Index
7.2. Techniques for the assessment of CSPs
7.3. Comparative assessment of representative CSPs
7.3.1. Evaluation of surveyed CSPs based on the CRM
7.3.2. Evaluation of self-assessed CSPs based on the CRM
7.4. Summary takeaways
8. CONCLUSIONS
REFERENCES
ANNEX A. USE CASES LIST (ETSI CSC)
ANNEX B. CRM QUESTIONNAIRE FOR CSPS: CRM ASSESSMENT
ANNEX C. CRM QUESTIONNAIRE FOR CSPS: CONSENT AND GENERAL DATA
Table of Tables
Table 1. CRM Groups
Table 2. Groups and elements of the CRM
Table 3. Standards and best practices relevant for validating the CRM
Table 4. CRM coverage of relevant standards and best practices
Table 5. Use Case Template
Table 6. Use case 1: Fintech
Table 7. Use case 2: Estonian Governmental Cloud
Table 8. Use case 3: ConsultLess, SME for using SaaS
Table 9. Use case 4: SME migrating from one SaaS CSP to the other
Table 10. Use case 5: Cloud Brokering: Cloud Chargeback and Showback
Table 11. Use case 6: Distribution of SME Training Material to Mobile Employees
Table 12. Use case 7: EasyAgriSelling, SME using IaaS/PaaS
Table 13. Use case 8: Video Storage and streaming from the Cloud
Table 14. Use case 9: Cloud-based Development and Testing
Table 15. Use case 10: Logistics and Project Management in the Cloud
Table 16. Use case 11: Local Government Services in a Hybrid Cloud
Table 17. Use case 12: Payroll processing in the Cloud
Table 18. Use case 13: CSP specifying carve-outs in its cloud service terms
Table 19. Use case 14: CSP changing SLA at operation time
Table 20. Use case 15: CSP providing services under different regulations
Table 21. Use case 16: CSP providing data services for the health sector
Table 22. Use case 17: A SME terminating a contract with a CSP
Table 23. Use case 18: CSP migrating data between different jurisdictions
Table 24. Use case 19: CSP providing data portability vendor Lock-in of SaaS applications
Table 25. Use case 20: SME looking for Information Security Incident Management
Table 26. Use case 21: CSP allowing data access for law enforcement
Table 27. Use case 22: SME migrating to IaaS with several duration periods in the agreement
Table 28. Use case 23: SME setting up its own hybrid cloud ecosystem
Table 29. CRM - Use Cases Coverage (part 1)
Table 30. CRM - Use Cases Coverage (part 2)
Table 31. CRM - Use Cases Coverage (part 3)
Table 32. Classification of the use case of the example 1
Table 33. Classification of the use case of the example 2
Table 34. Answers of the surveyed CSPs
Table 35. Answers of the self-assessed CSPs
Table of Figures
Figure 1. Developing and validating the SLA-Ready CRM
Figure 2. D2.3 within SLA-Ready
Figure 3. CRM inception and initial validation in D2.3
Figure 4. Final CRM and extended validation in D2.4
Figure 5. Requirements elicitation
Figure 6. Grouped requirements
Figure 7. CRM hierarchical specification
Figure 8. Components of the SLO & Metrics element of the CRM
Figure 9. Recommendation process based on the CRM and use cases
Figure 10. Example of clustering representation
Figure 11. DBSCAN approach
Figure 12. Clustering process
Figure 13. Example of representative vector for clusters
Figure 14. Clusters discovered for the SLA-Ready samples
Figure 15. Clusters and representative samples for the SLA-Ready samples
Figure 16. Example of recommendation based on distances between samples
Figure 17. Recommendation results for the use case analysed in example 1
Figure 18. Recommendation results for the use case analysed in example 2
Figure 19. Computing the SLA-Readiness Index
Figure 20. A CSP entry on CSA STAR - Additional Info
Figure 21. Stages comprising the quantitative SLA assessment
Figure 22. SLA hierarchy combining the CSA CCM and the ISO/IEC 19086
Figure 23. Evaluation done to get the readiness index at different levels in the CRM hierarchy
Figure 24. Comparison of surveyed CSPs: readiness index global score
Figure 25. Comparison of surveyed CSPs at group level
Figure 26. Comparison of self-assessed CSPs: readiness index given the global score
Figure 27. Comparison of self-assessed CSPs at the group level
Figure 28. Comparison of self-assessed CSPs at the "SLO & Metrics" group level
Document information
Deliverable number: D2.4
Deliverable title: A Common Reference Model to describe, promote and support the uptake of SLAs – Final report
Deliverable Nature: Report
Deliverable dissemination level: Public
Contractual delivery: Dec 2016
Actual delivery date: Dec 2016
Author(s): Rubén Trapero, Neeraj Suri, TUDA
Contributor(s): Arthur van der Wees, Arthur’s Legal; Marina Bregou, CSA
Task(s) contributing to the deliverable: Task 2.3 – SLA challenges and requirements in cloud landscape
Target audience(s): Project partners, members of the SLA-Ready Advisory Board and other external experts, European Commission, project reviewers
Total number of pages: 141
Disclaimer
SLA-Ready has received funding under Horizon 2020, ICT-07-2014: Advanced Cloud Infrastructures and Services. The information contained in this document is the responsibility of SLA-Ready and does not reflect the views of the European Commission.
List of Acronyms
CRM: Common Reference Model
CSA: Cloud Security Alliance
CSC: Cloud Service Customer
CSP: Cloud Service Provider
ICT: Information and Communications Technology
ENISA: European Network and Information Security Agency
ETSI: European Telecommunications Standards Institute
EU: European Union
FP7: The Seventh Framework Programme (2007-2013)
H2020: Horizon 2020
ICT: Information and communications technology
IPR: Intellectual Property Rights
ISO: International Organization for Standardization
IT: Information Technology
MSA: Master Service Agreement
PII: Personally Identifiable Information
RPO: Recovery Point Objective
RTO: Recovery Time Objective
SLA: Service Level Agreement
SLO: Service Level Objective
SME: Small and Medium-sized Enterprise
WCAG: W3C Web Content Accessibility Guidelines
Glossary [1]
Cloud Service Provider Data: Class of data objects, specific to the operation of the cloud service, under the control of the cloud service provider. Cloud service provider data includes but is not limited to resource configuration and utilization information, cloud service specific virtual machine, storage and network resource allocations, overall data centre configuration and utilization, physical and virtual resource failure rates, operational costs and so on.
Data controller: The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Data integrity: The property of protecting the accuracy and completeness of assets.
Data intervenability: The capability of a cloud service provider to support the cloud service customer in facilitating exercise of data subjects’ rights. Note: Data subjects’ rights include without limitation access, rectification, erasure of the data subjects’ personal data. They also include the objection to processing of the personal data when it is not carried out in compliance with the applicable legal requirements.
Data processor: A natural or legal person, public authority, agency or any other body which processes Personal data on behalf of the Data controller.
Data protection: The employment of technical, organisational and legal measures in order to achieve the goals of data security (confidentiality, integrity and availability), transparency, intervenability and portability, as well as compliance with the relevant legal framework.
Data subject: An identified or identifiable natural person, being an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Disaster recovery: Ability of the ICT elements of an organization to support its critical business functions to an acceptable level within a predetermined period of time following a disruption.
Failure notification policy: Specifies the process by which cloud service customers can notify the cloud service provider that a service outage has been observed, the process by which the cloud service provider notifies cloud service customers that a service outage has occurred, the process for providing updates on service outages, who receives notifications and updates, the maximum time between the detection of a service outage and the issuance of a notice of service outage, the maximum time interval between service outage updates and how service outage updates are described.
Identity Assurance: The ability of a relying party to determine, with some level of certainty, that a claim to a particular identity made by some entity can be trusted to actually be the claimant's true, accurate and correct identity.
(Master) Cloud services agreement (MSA): A legal document that is the overarching part relating to the cloud service, which describes the terms agreed between the provider and the customer under which the cloud service is made available and used. The MSA has a number of synonyms such as "Customer Agreement", "Terms of Service" or simply "Agreement". The MSA references a number of subsidiary parts, such as the cloud SLA, Security and Privacy Policies, the Acceptable User Policy, the Business Continuity Policy and the Service Description.
Metric: A standard of measurement that defines the conditions and the rules for performing the measurement and for understanding the results of a measurement.
Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Remedy: Compensation available to the cloud service customer in the event the cloud service provider fails to meet a specified service level objective.
Resilience: Ability of a cloud service to recover operational condition quickly after a fault occurs.
Service Level Agreement (SLA): Documented agreement between the service provider and customer that identifies services and service level objectives.
Service Level Objective (SLO): A specific, measurable characteristic of a cloud service for which the cloud service provider makes a commitment.
SLA-Readiness Index: A quantitative metric that can be used to compare the CSPs contained in the SLA Repository.
Vulnerability: A weakness of an asset or group of assets, e.g. software or hardware related, that can be exploited by one or more threats.
[1] In order to use community-consistent terminology, the glossary is extracted from the relevant standards. The exception is the term "SLA-Readiness Index" which has been proposed by the SLA-Ready consortium.
1. Introduction
This deliverable validates the final version of the SLA-Ready Common Reference Model (CRM), an integrated set of SLA components (i.e., attributes and SLOs), including the guidelines/state of practice and standard terminology. A high-level view of the process followed to develop and validate the CRM is illustrated in Figure 1.
The purpose of this deliverable is to develop an SLA-usage reference document, which will be transferred onto the SLA-READY marketplace as an easy to read reference for the SLA-READY stakeholders, which are herewith categorised as: 1. SMEs, 2. Large Companies, 3. Cloud Service Providers, and 4. Cloud Service Customers.
Figure 1. Developing and validating the SLA-Ready CRM.
Taking as a starting point the initial version of the CRM from deliverable D2.3, this deliverable consolidates the elements of the CRM and further validates it (beyond the initial validation done in D2.3) with the latest state of practice and relevant standards and with more sector-specific use cases.
This deliverable also provides a recommendation methodology to leverage the adoption of the CRM, by providing the level of importance of the CRM elements adapted to the characteristics of new business cases.
Finally, this deliverable extends the "SLA-Readiness Index" introduced in D2.3. The SLA-Readiness Index complements the evaluation of the CRM against multiple CSPs.
1.1. Positioning D2.4 within SLA-Ready
This deliverable (D2.4) is the final iteration for the creation of the Common Reference Model (CRM) to define cloud SLAs. D2.4 builds upon D2.3, which provided an initial CRM along with an initial validation of the CRM, which is subsequently used in D2.4 to conduct a comprehensive validation with respect to the current market status.
Figure 2 shows the relationship between D2.4 and the rest of the WP2 deliverables. The CRM was created with the inputs received from: (i) WP3 (International cooperation, consensus and standardisation), (ii) the analysis of the state of practice carried out in D2.2, and (iii) the feedback received from SLA-Ready’s Advisory Board.
Figure 2. D2.3 within SLA-Ready
1.2. Structure of this report
The D2.4 report is organized as follows:
• Section 2 describes the process behind the validation of the CRM.
• Section 3 describes the actual CRM.
• Section 4 compares the CRM with the main standards and best practices, and also maps the CRM components to the SLA models produced by the standardization community. This section analyses the coverage of the CRM with respect to the standards.
• Section 5 describes the analysis of several use cases with respect to the CRM.
• Section 6 describes the recommendation methodology based on the CRM and on the analysed use cases.
• Section 7 includes the comparison between different CSPs by using the CRM and based on cloud assessment techniques.
• Section 8 concludes the deliverable.
Please note that the listing of the considered use cases and the CRM questionnaire for the CSPs appear in Annexes A, B and C.
2. Improving the validation of the CRM
This section presents the approach followed in D2.4 to consolidate and validate the CRM. Figure 3 represents the initial process developed in D2.3 to validate the CRM. In D2.3 the process started by conducting a two-step analysis. First, the CRM was compared to the definitions and models proposed by the standardization community and working groups. More specifically, the analysis was done with respect to five references, namely (a) ISO/IEC 19086, (b) the cloud SLA checklist from the European Union, (c) the Cloud Standards Consumer Council, (d) the C-SIG SLA guidelines and (e) ETSI.
Figure 3. CRM inception and initial validation in D2.3
Secondly, the CRM was compared with respect to four representative use cases obtained from the targeted domains of financial sector, public sector, and from SMEs. The basic purpose of this comparison was to ensure the broad relevance of the elements of the CRM across the diverse use cases being analysed.
The result was an overview of the priorities that make some elements of the CRM more relevant than others across the use cases. D2.4 builds upon these initial results to provide a comprehensive analysis of the CRM and to establish its broad validity by evaluating it over an extensive set of 23 use cases.
Another result obtained from the initial validation of the CRM in D2.3 was a general overview of the techniques to evaluate the readiness of the CRM, including also the initial insights of the SLA marketplace along with D4.2. D2.4 comprehensively extends this with additional validation actions.
Figure 4 depicts the overall process followed in D2.4. In order to improve the analysis of the CRM, D2.4 reports an extended evaluation of the CRM based on the analysis of multiple use cases covering interdisciplinary areas. The CRM has also been updated with respect to the latest developments in ongoing standards and working groups.
As a result, the CRM has been used to carry out a two-fold validation:
• The analysis of the CRM with respect to the complete set of use cases has allowed identifying the most representative use case domains. These domains are used to recommend the most important elements of the CRM for new business cases. The process (as described in Section 6) classifies new business cases into distinct categories. For each category, the recommendation methodology informs about the relevance of every element of the CRM. This information is adapted to the characteristics of the business case being studied.
• The evaluation of the readiness index of the CRM. The security assessment techniques introduced in D2.3 have allowed us to compare different real world CSPs according to their offered SLA and based on the CRM. The results can be organized in a ranking that provides CSPs with both feedback and recommendations.
Figure 4. Final CRM and extended validation in D2.4
3. The Common Reference Model (CRM)
This section overviews the SLA-Ready’s proposed CRM. Section 3.1 summarizes the requirements elicited from D2.2, while Section 3.2 outlines the initial version of the CRM.
D2.2 conducted a comprehensive analysis of four significant domains in order to identify the common characteristics of the cloud service provisioning. Figure 5 represents the analysed domains and also highlights the varied perspectives (i.e., economic, sociological and legal and governance) that were considered in the analysis by considering customers and stakeholders associated to the SLA-Ready partners. The technical perspective analysed both research projects (ongoing and finished) and the pertinent standards.
Figure 5. Requirements elicitation
The result of this analysis is a list of requirements that represent the expected information to be included in an SLA. We have used these requirements to move from the information “expected” in an SLA to deriving the proposed specific elements of the Common Reference Model.
The process to identify the elements of the CRM starts by grouping the list of requirements elicited in D2.2. This identification process results in four initial requirements groups as depicted in Figure 6:
• The general requirements contain the information or characteristics of the SLAs that describe the general terms of the service provisioning, such as the language of the SLA or the length of the SLA.
• The responsibility related elements are the requirements that have to do with the parties involved in the SLA.
• The economic related requirements have to do with information related to the billing and cost associated to the service provided.
• The technical SLOs group the requirements related to the definition of technical aspects of the service provisioning.
Figure 6. Grouped requirements
This initial set of groups has been used to fine tune the specification of the elements that comprise the CRM. Overall, the SLA-Ready Common Reference Model includes common vocabularies, SLO metrics/measurements, best practices, recommendations and standard templates that can be used to define SLAs for different use cases and applicable certifications.
In order to facilitate the applicability of the CRM and to increase the granularity of the analyses that will be done using it, we have split these four main groups into several subgroups. This allows us to better adjust the elements of the CRM that will fulfil the requirements identified in D2.2. Furthermore, we have used the recommendations from the ISO/IEC 19086 to identify these groups. Table 1 describes the 8 groups of the CRM.
Table 1. CRM Groups
| CRM Group | Description |
| General | Describe general purpose features of the SLA |
| Freshness | Describe features related to the validity of the SLA |
| Readability | Describe features related to the level of understanding of the SLA |
| Support | Describe features related to the level of support that customers can receive from the CSP |
| Credits | Describe features related to the costs and billing management of the SLA |
| Changes | Describe features related to eventual modifications carried out in the SLA and the management associated to those changes |
| Reporting | Describe the features related to the communications that the CSP transmit to the customers with respect to the SLA managed |
| SLO & Metrics | Describe the features related to the technical elements of the SLA and its corresponding components. |
Each identified group will contain one or more elements, where these elements have been extracted from the CRM requirements. Some of the requirements can be directly extrapolated from the CRM requirements while the other more implicit requirements have been divided into more than one element as depicted in Table 2.
Table 2 categorizes the elements identified in each group. As already pointed out, some CRM requirements directly map to the same group. Others, such as "Choice of law", have been moved to the general group, as it describes the scope of applicability of the SLA, which represents a general aspect.

Table 2. Groups and elements of the CRM

| Group | Name of CRM element | Description |
|---|---|---|
| General | SLA URL | Needed for SMEs to easily reference the SLA. |
| General | Findable | This element represents the difficulty to find the SLA on the CSP's website. |
| General | Choice of law | Describes if the SLA applies to a particular geographical region, jurisdiction. |
| General | Roles and responsibilities | Describes the responsibilities of the parties involved in the SLA (customer and provider(s)). |
| General | Cloud SLA definitions | A description of the terms used in the SLA. |
| Freshness | Revision date | The revision date might be important for the user/customer that already created SLAs before with a CSP to easily identify that there may be changes that need to be reviewed. |
| Freshness | Update Frequency | Most of the CSPs will only update the SLA when a new functionality or way to use the services are provided. For public SLA, CSPs will avoid to have to manage multiple applicable SLA. In most of the cases, the last one is the one applicable for all service transactions. In many cases, SLA updates are related to the monthly billing process (a new SLA starts with a new month and a new way to calculate the bill). |
| Freshness | Previous versions and revisions | The CSP should have a repository with the previous versions/revisions of their SLAs. |
| Freshness | SLA duration | The common practice is to have a SLA valid until the next one is released. The CSP will try to have a valid SLA as long as possible to avoid any disagreement with the customer. |
| Readability | SLA language | Having the SLA available/located in multiple languages facilitates its readability and understanding. |
| Readability | Machine-readable format | This aspect benefits automation on the SLA management. May prove useful to empower Customers. |
| Readability | Nr. of pages | The state of practice is to have not so readable SLA and quite often build using many links and redirection. For SME, SLA shall consist of two pages at the maximum. |
| Support | Contact details | Easy to locate contact details benefit SME trying to solve questions about the SLA during the life cycle of the cloud service. |
| Support | Contact availability | Helpdesk availability may benefit the SME perception of assurance on the CSP. |
| Credits | Service Credit | Credit refers to the amount of money that usually the CSP spares to the Customer for using its services (e.g., pre-payment). After the provided Credit, the Customer will be billed by the CSP. For public cloud, the state of practice is "pay as you go". For most of CSP, this feature is not yet implemented. For some services, this feature could damage the customer (for example: end of the credit, end of the cloud service and uncertainty about customer data if any). |
| Credits | Service credits assignment | Refers to the stakeholder (CSP or Customer) determining of the credits are provided. |
| Credits | Maximum service credits (Euro amount) provided by the CSP | Refers to the amount of credits (in Euros) that are provided in order for the Customer to use the services from the CSP. |
| Changes | SLA change notifications | The common practice is to notify only changes that can impact the service provided to the customer. As common practice, minor changes will not be notified to the customer. The number of change notifications to customer have an impact on the customer perception of quality of the cloud platform, so CSPs will only notify major changes. |
| Changes | Unilateral change | The common practice is to change the SLA unilaterally. The terms and conditions of the new SLA in most of the case may have been evaluated through a set of "beta testers" chosen among trusted customers/partners. |
| Reporting | Service Levels reporting | Refers to the reporting done by the CSP (either continuous or not) related to the achieved Service Levels in a period of time. This is useful for the Customer to compare with respect to the agreed SLOs. The common practice is to join the SLA reporting with the customer's bill. |
| Reporting | Service Levels continuous reporting | Specifies if the Service Levels reporting is actually continuous. |
| Reporting | Feasibility of specials & customisations | For IaaS CSP, the Customer should expect that all the customisations are feasible on the installed software. |
| Reporting | General Carveouts | Describes the potential exclusions of some provisions of the SLA, according to some kind of condition or assumption. |
| SLOs & Metrics | Specified SLO metrics | Indicates whether SLO metrics are included in the SLA. Only few CSP describe the mechanism used to measure the SLA attributes. Mainly because it is not an easy task and the customer needs to be mature enough to analyse the rightness of the measurement mechanism. |
| SLOs & Metrics | General SLOs | SLOs related to general aspects of the SLA, such as Availability. |
| SLOs & Metrics | Cloud Service Performance SLOs | SLOs describing performance indicators. |
| SLOs & Metrics | Service Reliability SLOs | SLOs related to the reliability of the service. |
| SLOs & Metrics | Data Management SLOs | SLOs related to the management of the information handled by the service. |
| SLOs & Metrics | Security SLOs | SLOs related to security aspects of the service. |
| SLOs & Metrics | Personal Data Protection SLOs | SLOs related to the management of sensitive personal Data. |

Therefore, the CRM follows a hierarchical structure (as depicted in Figure 7). The top level represents the main CRM Groups that organize the rest of the elements of the CRM. The core of the CRM is the CRM Element level that includes the main parts that can be mapped to the different aspects of SLAs.

Figure 7. CRM hierarchical specification

The lowest level comprises the CRM Components that could be part of some CRM Elements. Currently just the "SLOs & Metrics" group contains elements that include components at the lowest level of the hierarchy. Figure 8 depicts the 7 elements that are part of the "SLO & Metrics" group and the components that are included in every element. Those components are compliant with the classification of SLOs as described in the ISO/IEC 19086 specification. Two elements of the "SLO & Metrics" group provide general information:

• The "Specified SLO metrics" element is used to represent the existence of SLOs and metrics in the description of the SLA. Obviously, if the SLA does not specify such information, the rest of the components of this group will also not appear in the SLA.
• The "General" element is used to represent whether the general elements of the ISO/IEC 19086 specification are included in the SLA. More specifically, the two components expected under this element are (i) the existence of a field in the SLA to describe the roles and responsibilities and (ii) the existence of a field to explain the cloud SLA definitions.

The rest of the elements of this group represent technical aspects of the SLA (such as security or privacy). For consistency, the naming convention used herein has been taken from the ISO/IEC 19086 specification. These components of the CRM are used to check whether those technical aspects are included in SLAs.

Figure 8. Components of the SLO & Metrics element of the CRM

On this background, the following sections analyse the CRM from two perspectives:

• From the standardization community, by analysing the level of compliance of the prominent standards on SLA specifications.
• From the industrial perspectives by analysing use cases from representative sectors (such as financial, SME and public sectors).

3.1. Summary takeaways

• The CRM is based on requirements gathered from the study of four different domains spanning the technical domains (including standardization bodies and research projects), the economic domain, plus the sociological and legal domains by analysing the current state of practice on SLAs in the industrial sector.
• The compiled requirements were grouped according to four main areas identified in the study of the aforementioned domains as: general aspects of SLAs (related to the sociological analysis), responsibility related aspects (related to the legal analysis), economic aspects (related to the economic analysis) and technical aspects (related to the analysis of the research and standardization domains).
• To create the CRM, we have evaluated the compiled requirements and split the four areas identified in the requirements into eight derived groups compliant with the latest ISO/IEC 19086 specification.
• The CRM is organized as a hierarchy, with 8 Groups at the top containing 30 Elements.
• The Elements of the CRM have been taken either directly from the requirements or from the current relevant standards, when a direct mapping requirement-standard was possible.
• Additionally, the elements of the group SLO & Metrics contain 46 components derived from the technical aspects identified in research projects and standards.
• In total, the CRM is composed of 8 groups, 30 elements and 46 components.

4. CRM mapping to standards and best practices

In order to maximize the impact and to facilitate the adoption of the contributed CRM by the industrial stakeholders, and in particular by SMEs, it is necessary to ensure its alignment with relevant standards and best practices. This task will also benefit SMEs, who are typically not cloud experts, and often have very limited understanding of cloud SLAs and especially the role of relevant related standards/best practices.

Consequently, this section starts the alignment process by conducting a gap analysis of the CRM from the standardisation and best practices perspective by using as input the work done by SLA-Ready's WP3 related to relevant standards/best practices in this field. Our goal is to ascertain the degree of standardisation related coverage of the CRM, such that the SMEs using it have assurance that the provided SLA guidance is aligned with the relevant standards and best practices. Furthermore, the results of the gap-analysis performed in this section can be used by the SLA-Ready marketplace (please refer to WP4) in order to create interactive guides that, based on the SMEs requirements, can realise both the (i) CRM elements to consider for their own use cases, and (ii) outline standards/best practices that could be taken into consideration either as development guidelines or references.

4.1. Initiatives being analysed

Based on the activities performed by WP3, this section focuses on gap analysing the contributed CRM with respect to the following relevant set of standards and best practices:

Table 3. Standards and best practices relevant for validating the CRM

| Organisation | Initiative acronym | Initiative | Relevance to the CRM |
|---|---|---|---|
| CSCC | CSCC SLA | Practical Guide to Cloud Service Level Agreements – v2 [1] | The 10 recommended CSCC SLA steps are state of practice. |
| EC | C-SIG SLA | Cloud SLA Standardisation Guidelines [2] | These guidelines became part of the EC contribution to ISO/IEC 19086-1, and represent one of the main results from the respective C-SIG group. |
| EC | SMART | Standards terms and performance criteria in service level agreements for Cloud computing services [3] | The proposed Model SLA is the most current EC-sponsored study in this field. |
| ETSI | TR 103 125 | SLAs for Cloud services [4] | The defined SLA template is relevant to the industry. |
| ISO | 19086-1/-4 | Cloud SLAs terminology, and security and privacy [5] | Both standards are generating high expectations with the industry, so CRM alignment with them will also maximize its chances for industrial adoption. |
| EU H2020 SLALOM Project | SLALOM | SLALOM SLA Specification and Reference Model [22] | The EU SLALOM project proposed a cloud SLA model, including related best practices, which are also aligned to the relevant ISO/IEC 19086 family of standards. |
| EU H2020 SLALOM Project | SLALOM | Model contract for Cloud Computing [23] | This SLALOM deliverable documents the legal model proposed by the project, which is aimed to complement SLALOM’s SLA Specification. |

Please note that the approach followed in this section is designed to be easily extendable (after the end of SLA-Ready) as new standards and best practices (also relevant to the CRM) get released.

Table 4 summarizes the results of the performed gap analysis. For each analysed standard/best practice, we assess if the corresponding CRM element is being referenced or not. From the performed analyses, it may be noted that the contributed CRM has the potential to improve cloud customers’ understanding related to SLAs, while at the same time providing good coverage of the elements included in these relevant standards/best practices. The most evident benefit of the CRM with respect to surveyed works is in the following groups: General, Freshness, Readability and Credits. As already mentioned, the results shown in Table 4 were used to structure SLA-Ready’s guidance documents produced by WP3 and WP4. The current versions of the ISO/IEC 19086-1/-4 standards used for the CRM analysis have not been changed since the results shown in the previous deliverable (D2.3).

Table 4. CRM coverage of relevant standards and best practices

CRM coverage to relevant standards (Yes/No)

| CRM element | ISO/IEC 19086² (Part 1 and Part 4) | Cloud SLA checklist³ | Guide for Evaluating Cloud SLAs⁴ | C-SIG SLA Guidelines | ETSI’s cloud SLA template⁵ | SLALOM SLA Specification and Reference Model⁶ | SLALOM Model contract for Cloud Computing⁷ |
|---|---|---|---|---|---|---|---|
| SLA URL | No | No | No | No | No | No | No |
| Findable | No | No | No | No | No | No | No |
| Choice of law | No | No | No | No | No | No | Yes |
| Roles and responsibilities | Yes | Yes | Yes | No | Yes | No | Yes |
| Cloud SLA definitions | Yes | No | No | Yes | Yes | No | Yes |
| Revision date | No | No | Yes | No | Yes | No | No |
| Update Frequency | No | No | Yes | No | Yes | No | No |
| Previous versions and revisions | No | No | Yes | No | Yes | No | No |
| SLA duration | No | No | Yes | No | Yes | No | Yes |
| SLA language | No | No | No | No | No | No | Yes |
| Machine-readable format | No | No | No | Yes | No | No | No |
| Nr. of pages | No | No | No | No | No | No | No |
| Contact details | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Contact availability | No | No | Yes | Yes | Yes | No | No |
| Service Credit | No | No | Yes | No | No | No | Yes |
| Service credits assignment | No | No | No | No | No | No | Yes |
| Maximum service credits (Euro amount) provided by the CSP | No | No | No | No | No | No | Yes |
| SLA change notifications | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Unilateral change | No | Yes | Yes | No | No | No | Yes |
| Service Levels reporting | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Service Levels continuous reporting | No | Yes | Yes | No | Yes | No | Yes |
| Feasibility of specials & customizations | No | No | Yes | No | No | No | No |
| General Carveouts | Yes | No | Yes | No | No | No | Yes |
| Specified SLO metrics | Yes | No | Yes | Yes | Yes | Yes | No |
| General SLOs | Yes | Yes | Yes | No | Yes | Yes | No |
| Cloud Service Performance SLOs | Yes | Yes | Yes | Yes | No | Yes | No |
| Service Reliability SLOs | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Data Management SLOs | Yes | Yes | Yes | Yes | Yes | No | No |
| Security SLOs | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Personal Data Protection SLOs | Yes | Yes | Yes | Yes | No | No | No |

² Analysis performed with the latest versions available at the time of writing this document: 19086-1 (DIS) and 19086-4 (WD)
³ Please refer to Annex 1 in "Standards terms and performance criteria in service level agreements for cloud computing services (SMART 2013/0039) Model SLA"
⁴ Please refer to "Practical guide to Cloud SLAs version 2", Cloud Standards Consumer Council. 2015.
⁵ Please refer to "SLAs for Cloud Services", ETSI TR 103 125, 2012 and the "Template for SLAs", ETSI EG 202 009-3, 2006.
⁶ Please refer to http://slalom-project.eu/. Last accessed on Nov 2016.
⁷ Please refer to footnote no. 6


4.2. Summary takeaways

• The analysis of the CRM with respect to surveyed standards and best practices shows that there is a good coverage related to the CRM’s SLOs elements. However, general-purpose SLOs (e.g., related to existing certifications, and SLA governance) are only discussed in ISO/IEC 19086-1 and the Cloud Standards Consumer Council’s (CSCC) "Practical guide to Cloud SLAs version 2" [1].
• Most of the analysed works utilized any standardized or consistent formats to specify the actual SLO metrics to use (please refer to Deliverable 2.2 for examples), although in many cases they provided selective high-level metrics as examples. One exception is SLALOM [22], which proposed a machine-readable specification for SLA metrics based on ISO/IEC 19086-2.
• Unfortunately, relevant standards such as the upcoming ISO/IEC 19086-1/-4 do not contain any reference related to essential CRM’s elements that SLA-Ready has identified as significant means to empower/guide SMEs in their transition to the cloud. For example, the advocated elements such as SLA findability, update/validity period, available languages, are still not addressed by the standards. The same situation occurs with known best practices such as the "Cloud SLA checklist" contained in the SMART EC report [3]. An exception is SLALOM [23] which considers some of those CRM elements.
• From the analysed-standards/best-practices both the CSCC and SLALOM reports provided the highest CRM coverage. However, we note that the CSCC report still has conspicuous gaps related to CRM’s elements such as choice of law and others as reported in ISO/IEC 19086-1/-4. Both SLALOM reports [22] and [23] altogether provide a good coverage of the CRM proposed by SLA-Ready. While [22] is more focused on metrics, the report [23] covers some of the other CRM elements.
• Despite not being cloud-specific, the SLA template defined by ETSI in their "ETSI EG 202 009-3" report also showed a good coverage of the CRM elements. This was expected due to the fact that such template was referenced in ETSI’s "SLAs for Cloud Services" technical report.

5. Sector specificity of CRMs

The value of the CRM comes from its customizability to the varied application domains, and hence this section analyses the CRM by studying 23 use cases from varied domains. Each of the use cases is analysed by first taking the CRM as a reference, and then assessing which CRM elements are actually applicable to these use cases along with considering their priorities therein.

5.1. Use case template

The use case analysis of the CRM presented in this section aims to (i) quantitatively assess the relative importance of each CRM element with respect to specific cloud Service Customer (CSC) requirements/use cases, (ii) extrapolate the conclusions drawn from the CRM to the more general ETSI CSC use cases [6], and (iii) link the results from the presented analysis to the SLO metrics introduced in D2.2. Furthermore, the use case template used in the present report has been enhanced to better profile the SME in order to provide a major focus on extracting information required for the following:

• The guidance in "D3.3 - A Business Guide to Service Level Agreements: How to be a well-advised user of cloud services".
• The analysis for the automated recommendation of CRM good practices, which will be introduced in Section 6.

For the analysis of the use cases, we will use the template shown in Table 5 where the detailed information about the target cloud scenario and the involved SLAs are collected. With respect to the former, the proposed template gathers information related to the more general ‘Base Use Case’ being used (as presented in D2.2), with the goal of relating/extrapolating the results of the analysis to the ETSI scenarios presented in Annex A of this report. As mentioned above, the template also collects information related to the SME’s maturity level in relationship to the use case being documented (i.e., novice, basic or experienced), and target cloud service characteristics (i.e., life-cycle, preconditions and requirements).

Moreover, the proposed template can be easily re-used and extended to document and analyse new use cases specific to the SMEs that would like to adopt SLA-Ready’s approach to leverage the proposed CRM.

Table 5. Use Case Template

Identification

Title: UC name

SME Maturity: One or more of the following:
• Novice: no knowledge, no experience
• Basic: some knowledge, but no practical experience
• Experienced: some practical experience (either good or bad)

Base Use Case (cf., Deliverable 2.2): Reference Use Cases as taken from the ETSI CSC report. One or more from:
• AP: App on a Cloud
• CB: Cloud Bursting
• SD: Processing Sensitive Data
• DI: Data Integrity
• HA: High Availability
Please refer to D2.2 for more information.

Short description: Short summary/user-story of the use case highlighting applicable industrial sector

Cloud Actors: List of involved actors/stakeholders from ETSI CSC:
• Cloud Service Provider
• Cloud Service Customer
• Cloud Service Partner
Please refer to Annex A for more information.

Cloud Service life-cycle phase: Any of the following:
• Acquisition
• Operation
• Termination
Please refer to D2.2 for more information.

Legal and Data Protection compliance criteria: List of legal and data protection requirements associated to the use case

Preconditions and Requirements

Security and privacy requirements: Summary of security requirements to be taken into account for the scenario

Additional preconditions and requirements (e.g., performance): Assumptions made prior to the execution of the use case

Existing SLA standards and best practices to rely on: List of SLA standards/best practices to rely on:
• ISO/IEC 19086
• SMART SLA Model
• CSCC Practical Guide to Cloud SLAs
• C-SIG SLA Guidelines
• ETSI Cloud SLA template
Please refer to Section 4 for more information.

Additional comments: Add comments, remarks, suggestions, as you see fit

Summary: Conclusions related to the use case analysed

5.2. Use cases and CRM mapping

This section demonstrates the applicability of the proposed template (cf., Table 5) for analysing the developed CRM from the use cases perspective. In particular, we focus on the analysis of 23 real-world use cases, chosen by the consortium because of their relevance to SMEs. As mentioned in the previous section, the performed analysis (and template) can be extended to other use cases reflecting the needs of specific SMEs willing to leverage SLA-Ready’s outcomes. The results of this section will be used as input for the recommendation methodology detailed in Section 6.

5.2.1. Use case 1: Fintech - Financial sector use case

Most start-ups and (other) SMEs that are active in the Fintech industry (where the financial services meet new technologies and business models) wish to develop and exploit their respective services and products on top of cloud-based services, in particular either IaaS or PaaS. Cloud-by-default is becoming more and more the standard, as basis to develop, rely, and exploit its own PaaS, respectively SaaS. The use case has been simplified in order to make clear a major requirement on the SME side as an assertion that ‘one cannot acquire or procure anything without first assessing what it would like to acquire or procure’.

Table 6. Use case 1: Fintech

Identification

Title: Fintech Early Stage Seeking IaaS (Financial sector)

SME Maturity:
• Experienced

Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• SD: Processing Sensitive Data
• DI: Data Integrity
• HA: High Availability

Short description: There are a lot of startups and SMEs that are active in the Fintech industry (where the financial services meet new technologies and business models) with an operational and business plan to develop and exploit cloud-based services to their customers and end-users. For this, most will consider procuring either IaaS or PaaS from respective CSPs that offer these cloud services, which will be used as basis to develop, rely, and exploit their own PaaS respectively SaaS. This Use Case focuses on a Fintech company procuring IaaS from major IaaS CSP.

Cloud Actors: IaaS CSP as vendor. Fintech Early Stage company as customer, with the intent to build and exploit their own SaaS to its own customers which in this use case are financial institutions that wish their bank account holders to give access to said SaaS.

Cloud Service life-cycle phase:
• Acquisition

Legal and Data Protection compliance criteria: Before looking for appropriate IaaS CSPs, and finding and assessing the terms and conditions (including SLA) that may be applicable in the relationship between such IaaS CSP and the Fintech Early Stage company, first, this Fintech Early Stage company (with founders and management with university degrees) maps the main legal compliance criteria it deems relevant in the initial phase. (1) The Fintech Early Stage company and its customer (bank) as well as its customers are based in The Netherlands. (2) Furthermore, the financial sector industry is highly regulated, including special requirements for vendors (including without limitation any CSPs), which include the right of the bank authority to be able to audit the vendors in the respective supply chain. (3) Personal data is involved, so the data protection regulation and legislation is applicable as well. These three main legal criteria are known to this Fintech Early Stage company. (4) Its prospective customers (banks) are known for their strict procurement, including information security requirements, and high level of expectation of service delivery. (5) There are no particular needs on IaaS, except for that it should be relatively (a) cheap and (b) easy to develop, exploit and maintain its own SaaS on top of the IaaS of the selected CSP.

Preconditions and Requirements

Security and privacy requirements: The security requirements that are generally requested by prospective customers (banks) – to the extent known beforehand – and that are known to be common practice in the relevant market are taken into account.

Additional preconditions and requirements (e.g., performance): CSP Vendor pre-selection. After doing their internal desk research on the above, this Fintech Early Stage company starts with landscaping the results and based on that it starts its pre-assessing of which IaaS CSP would be able to deliver, and on what conditions. With that, it will request proposals of the pre-selected CSPs.

Existing standards and best practices to rely on: Neither the prospective customers (banks) nor the bank authorities have the standards or best practices that are commonly used. For instance the banks have their own (without an FSI industry) best practice being available regarding cloud services. This is because the bank authorities do not see it as its task to provide such standard, guidelines or the like.

Additional comments: N/A

Summary: Without some reasonable assessment, it is impossible to procure cloud services. This basically goes for generally all procurement but it is especially relevant as there are many types of cloud services, services models, deployment models, and even in the right category there is a lot of variety in offerings and terms. This Use Case shows that without diligence and proper assessment and pre-selection landscaping – which could be a bit less comprehensive than in the Use Case described above –, even a reasonably informed CSC is not able to start procuring the right cloud services

5.2.2. Use case 2: Governmental Cloud

The following use case is based on ENISA’s "Security Framework for Governmental Clouds" report [7], more specifically on the Estonian Governmental Cloud (Gov Cloud) which offers services to both citizens and Public Administrations based on a geographically distributed cloud infrastructure. The use case has been simplified in order to focus on its SLA-related aspects.

This use case is relevant to SLA-Ready given that the requirements of small Public Administrations provisioned by the Estonian Governmental Cloud resemble those typically elicited by European SMEs.

Table 7 describes this use case in further detail based on the proposed template.

Table 7. Use case 2: Estonian Governmental Cloud

Identification

Title: Governmental Cloud (Small Public Administration using Governmental Cloud)

SME Maturity:
• Experienced

Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• HA: High Availability
• DI: Data Integrity

Short description: In 2013, the Government of Estonia took the first steps to deploy a Governmental Cloud with three main principles guiding its development:
• Using Cloud solutions located within Estonia’s national borders,
• Using international private Cloud resources, and
• Using Data Embassies (cloud storage).
The Estonian government has built the foundation of a highly developed information society, and its ICT development has taken Estonia to a stage where many registers and services only exist in digital form. This development requires a flexible and secure Governmental Cloud solution. Sufficient flexibility has to be planned in advance. The State Infocommunication Foundation leads the Governmental Cloud development, which is responsible for the consolidation of server resources and provision of high-quality server hosting services within Estonia’s national borders.
The Estonian Public Administration (PA) is the main cloud customer of the national Governmental Cloud. In some cases, PAs are provisioned with IaaS resources (e.g., virtual machines), but also PAs provision Governmental cloud-based services to citizens. The Governmental Cloud system does not store personal identifiable data.

Cloud Actors: List of involved actors/stakeholders:
• Cloud Service Providers, which provision their services to the Governmental Cloud according to the requirements specified by the Cloud Owner (Estonian Government), and usually described on Service Level Agreements (SLA) and other contracts.
• Cloud Service Customer: the Public Administrations using Governmental Cloud services
This use case defines an additional actor, namely the Governmental Cloud Owner, which relates to the organization that legally owns the Governmental Cloud and defines policies and requirements. The analysis of this use case considers that the Governmental Cloud Owner is the actor offering an SLA to the cloud customers (PAs). The offered SLA already takes into account the capabilities from participant CSPs.

Cloud Service life-cycle phase:
• Operation

Legal and Data Protection compliance criteria: The Governmental Cloud does not manage any PII data from the citizens. Legal compliance criteria are defined by the Estonian Public Procurement Act⁸.

Preconditions and Requirements

Security and privacy requirements: The following standards and best practices are being leveraged by the Estonian Governmental Cloud: ISO 27001, ISO 27002, BSI IT, and the Estonian ISKE security framework. [8]

Additional preconditions and requirements (e.g., performance): High availability is a main concern in this use case, in order to guarantee continuous provision of PA services to the citizens.

Existing SLA standards and best practices to rely on: Not applicable

Additional comments: N/A

Summary: This use case focused on a Governmental Cloud user (probably a small municipality), which is not a cloud-computing expert but nevertheless needs to make use of this technology. This use case is relevant to validate the CRM from a (small) Public Administration perspective, and shows a particular focus on functional requirements. Also, this use case takes into account the fact that this sector is particularly important for CSPs, therefore some degree of flexibility in their SLAs could be expected.

5.2.3. Use case 3: ConsultLess, SMEs using SaaS

This use case is based on ENISA’s "Cloud Security Guide for SMEs" [9], in particular related to the example scenario shown in Annex A of the referenced report (i.e., "ConsultLess, SME using SaaS"). The relevance of this use case for SLA-Ready is based on its focus on both security and SLAs for SMEs that are transitioning to the cloud. Table 8 further documents this use case.

⁸ Please refer to https://www.riigiteataja.ee/en/eli/509072014009/consolide

Table 8. Use case 3: ConsultLess, SME for using SaaS

Identification

Title: ConsultLess, SME for using SaaS

SME Maturity:
• Novice
• Basic

Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• SD: Processing Sensitive Data
• DI: Data Integrity

Short description: From ENISA’s report: "ConsultLess is a small consultancy firm in the EU that has 20 employees (mostly legal and management experts). One of the employees is partner and also the Chief Information Officer (CIO) of the firm. ConsultLess decides to procure office software as a service (SaaS) for use by its employees: the cloud service offers document storage/editing, email and calendar. This cloud service should replace an internal mail-server and office software installed on computers."

Cloud Actors: List of involved actors/stakeholders:
• Cloud Service Provider, which provisions the storage/editing, email and calendar SaaS to ConsultLess. This is a public CSP.
• Cloud Service Customer, is the ConsultLess SME using the CSP SaaS.

Cloud Service life-cycle phase:
• Acquisition

Legal and Data Protection compliance criteria: Compliance is a critical factor in this use case. Furthermore, some (not all) of the data stored and processed is sensitive, and data leaks could have a severe impact on the reputation/business of the firm.

Preconditions and Requirements

Security and privacy requirements: The following security and privacy requirements apply to ConsultLess:
• Physical security of the cloud assets should be guaranteed by the CSP.
• Timely patching and updating, adequate backups, and security as a service are all required by ConsultLess.
• The CSP should demonstrate compliance through those certifications required by ConsultLess.
• ConsultLess wants to avoid vendor lock-in issues.

Additional preconditions and requirements (e.g., performance): ConsultLess is an established SME that currently provisions in-house the ICT services being procured from the public SaaS.

Existing SLA standards and best practices to rely on: Not being SLA savvy, ConsultLess CIO relies on the C-SIG SLA Guidelines for procuring its SaaS.

Additional comments: ConsultLess is not subject to any specific legal requirements about cross-border processing or data transfers.

Summary: This use case considers an SME cloud customer, having some experience on this technology, which is planning to use a new CSP (SaaS). This use case validates the CRM from the perspective of a SME familiarised with cloud computing, and with a particular focus on the security/privacy implications of this technology.
5.2.4. Use case 4: SMEs migrating from one SaaS CSP to the other
This use case is based on several real life cases where a SME is using certain SaaS services that at the time of procuring them were not felt to be that mission critical for the SME’s business. Subsequently it finds out that upon the plans made to shift from the existing SaaS CSP to a new SaaS CSP, the cloud services used and to be used have become mission critical for the survival and success of the SME.
Table 9. Use case 4: SME migrating from one SaaS CSP to the other
Identification
Title: SME migrating from one SaaS CSP to the other
SME Maturity:
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• SD: Processing Sensitive Data
• DI: Data Integrity
• HA: High Availability
Short description: The SME is already using certain SaaS. At the time of procuring it, it was not felt to be that mission critical for the SME’s business. Upon the plans made to shift the cloud services from the existing SaaS CSP to a new SaaS CSP, the SME finds out that its survival and success depends on the use of the particular SaaS.
Cloud Actors: The existing SaaS CSP as vendor, as well as the new SaaS CSP. SME as customer, with the intent to update and restructure the way the particular SaaS is used and integrated in the organization of the SME.
Cloud Service life-cycle phase:
• Termination
Legal and Data Protection compliance criteria: As is quite common, the SME that is already using cloud services, in this case SaaS, finds out that when it wishes to change, amend or terminate the respective cloud services it is bound by the standard terms and conditions of the CSP, including the SLA. To start with, the SME does not know which version of the terms and conditions it has accepted in the past (and the CSP generally does not know either, as per immature administration recording practices). Besides, most CSPs do not make or keep available the previous versions of their terms and conditions. In most cases, the CSP will refer to its recent standard terms and conditions, applicable at the time of the request of the SME. So, regarding the first 14 of the 22+ CRM requirements, almost none are met automatically, meaning without the SME acting itself. This means that the SME has a huge disadvantage in terms of its legal
position, negotiation power and has no alternative but to adhere to the terms and conditions provided by the CSP. Secondly, and regarding all 26 CRM requirements, the SME finds out that it does not have specific, tailored options beneficial for its needs to terminate the agreement with the CSP in a way that ascertains the business continuity of that SaaS, the assistance needed to migrate process flows, data (including metadata where necessary) to another SaaS CSP environment, and adequately and cost-effectively wind-down and discontinue the SaaS provided by the former CSP. In short, the former CSP is in full control, and the SME has a very weak bargaining position. It is a hard and expensive lessons-learned exercise for the SME, which in this use case the SME has used with the intent to improve its way of procuring cloud services and follow the CRM where important for its business and business continuity. Depending on the CSP the SME chooses, the SME may be able to succeed to some extent in these goals and approach, this as per the current immature nature of cloud SLAs and offerings of CSPs. In any case, with the experience obtained and the CRM, the SME is now ready to make an informed decision what to choose.
Preconditions and Requirements
Security and privacy requirements: Non-applicable, as per this use case. However, for this type of SME customary requirements have been taken into account while procuring the subsequent cloud services. No particulars to mention in this case.
Additional preconditions and requirements (e.g., performance): Non-applicable, as per this use case. However, for this type of SME customary preconditions and requirements have been taken into account while procuring the subsequent cloud services. No particulars to mention in this case.
Existing SLA standards and best practices to rely on: Non-applicable, as per this use case. However, for this type of SME customary best practices have been taken into account while procuring the subsequent cloud services. No particulars to mention in this case.
Additional comments: N/A
Summary: SMEs generally do not spend time or other resources on procuring cloud services, until they find out it is worthwhile to do so. This hampers their development and business opportunities, which SMEs find out when it may be too late already for them to change course, but it is also their moment to improve and pay more attention to procurement in general, and procuring cloud services in particular.
5.2.5. Use case 5: Cloud Brokering: Chargeback and Showback
The following use case is based on “ISO/IEC SC38 Standing Document 1 - Compendium of Cloud Computing Usage Scenarios and Use Cases”. Its relevance to SLA-Ready resides in the use case’s focus on interoperability, multi-cloud and brokering where the CRM’s usefulness can be easily observed. It is important to highlight that the CRM-analysis for this use case is performed from the CSC perspective (i.e., the Cloud Broker and involved CSPs are “visible” to the CSC).
Table 10. Use case 5: Cloud Brokering: Cloud Chargeback and Showback
Identification
Title: Cloud Brokering: Cloud Chargeback and Showback
SME Maturity:
• Basic
Base Use Case (cf. Deliverable 2.2):
• AP: App on a Cloud
Short description: A CSC uses the services of a Cloud Broker to select the CSP that fulfils its specific requirements. The Broker implements a service catalogue encompassing services from multiple CSPs. In addition, the catalogue clearly outlines charges for the various resources that can be provisioned. The CSC makes a selection and the Cloud Broker seamlessly provisions the requested resource from the appropriate CSP through their API or other interface using their native commands. At the same time, the Broker handles the chargeback to the CSC’s organization, if appropriate.
Cloud Actors:
• Cloud Service Provider
• Cloud Service Customer
• Cloud Service Partner
Cloud Service life-cycle phase:
• Acquisition
Legal and Data Protection compliance criteria: There are no generic legal/data protection criteria applying to this particular use case. However, we acknowledge the fact that in those cases where such criteria exist, the prospective cloud customer’s analysis of the CRM should reflect those.
Preconditions and Requirements
Security and privacy requirements: CSCs will be able to track utilization per identity from CSPs and bill the appropriate organization for use of resources.
Additional preconditions and requirements (e.g. performance): CSPs will provide necessary accounting information to enable the CSC to bill accordingly. CSPs interoperability (including billing systems) is required in this use case, and mostly managed by the Broker.
Existing SLA standards and best practices to rely on:
• C-SIG SLA Guidelines
Additional comments: None
Summary: This use case is a representative example related to the usefulness of cloud SLAs for decision-making processes. Cloud brokers are becoming more common in the cloud ecosystem, so the analysis/good practices extracted from the CRM are expected to be used as guidelines for prospective cloud customers.
5.2.6. Use case 6: Distribution of SME Training Material to Mobile Employees
The following use case is based on "ISO/IEC SC38 Standing Document 1 - Compendium of Cloud Computing Usage Scenarios and Use Cases". It considers a scenario which may become familiar to several SMEs, where employees are involved and need to have (cloud-)ubiquitous access to documentation from any place.
Table 11. Use case 6: Distribution of SME Training Material to Mobile Employees
Identification
Title: Distribution of SME Training Material to Mobile Employees
SME Maturity:
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• DI: Data Integrity
• HA: High Availability
Short description: A SME must deploy the technical processes and considerations to distribute educational material for new products to their agents.
Given the potential network traffic to be generated by this process, it is necessary to rely on cloud services. This use case can be considered as one of many use cases that are possible with mobile cloud, which notion is similar to DaaS (Desktop as a Service) except that all services are for mobile devices.
Cloud Actors:
• Cloud Service Provider
• Cloud Service Customer
Cloud Service life-cycle phase:
• Operation
Legal and Data Protection compliance criteria: This use case does not involve PII, therefore no particular Data Protection requirement applies. Authentication requirements (see below) are only related to the IAM data contained in e.g., legacy authentication systems.
Preconditions and Requirements
Security and privacy requirements: A correct version of the material should be delivered to authorised agents, and with an auditable access control mechanism that enforces the company’s security policies.
Identity management for access authentication, and authorization is crucial for this use case.
Additional preconditions and requirements (e.g., performance): The SME will distribute only static data (e.g., documents, presentations, leaflets in digital format), but it is not considering distributing dynamic content. Besides integrity and consistency of distributed content, it is necessary to guarantee communication between CSP and SME’s agents.
Existing SLA standards and best practices to rely on: None
Additional comments: None
Summary: Mobile and cloud computing are represented in this use case. This scenario can potentially apply to a broad variety of SMEs, hence its relevance to SLA-Ready. Furthermore, this
scenario can be easily extended to comprise the integration of non-static content e.g., streaming video tutorials for the sales representatives.
5.2.7. Use case 7: EasyAgriSelling - SME using IaaS/PaaS
This use case is based on a real life case where a small tech start-up in the EU developed an online web shop software (as a service) for farmers who would like to start direct-selling their vegetables and other products. Farmers can set up an online shop in a few clicks - customizing their shop with a logo, colours and a description of their farm. EasyAgriSelling is a SaaS provider and they are a cloud services customer building services on a cloud provider who offers them IaaS and PaaS on which to build their product. The relevance of this use case for SLA-Ready is based on its focus on security, and also on SLAs for SMEs that are being built in the cloud.
Table 12. Use case 7: EasyAgriSelling, SME using IaaS/PaaS
Identification
Title: EasyAgriSelling, SME using IaaS/PaaS
SME Maturity:
• Experienced
Base Use Case (cf. Deliverable 2.2):
• AP: App on a Cloud
• HA: High Availability
Short description: EasyAgriSelling is a small tech start-up in the EU, which developed an online web shop software (as a service) for farmers who would like to start direct-selling their vegetables and other products. Their slogan is: “Selling your agricultural produce to consumers, made easy”. Farmers can set up an online shop in a few clicks - customizing their shop with a logo, colours and a description of their farm. EasyAgriSelling operates a pay-as-you-go model, charging no monthly fee, but only charging their customers when products are sold. EasyAgriSelling is a SaaS provider and they are a cloud services customer building services on a cloud provider who offers them IaaS and PaaS on which to build their product. The SaaS platform runs on top of the IaaS/PaaS platform.
Cloud Actors:
• Cloud Service Provider
• Cloud Service Customer
EasyAgriSelling - SaaS is both a vendor, as it is paid by the farmers when they sell their products, and a CSC, as it pays for cloud service from the IaaS/PaaS platform, which it uses for running its web shop software for farmers. The IaaS/PaaS platform is a CSP.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal and Data Protection compliance criteria: Availability is a critical factor in this use case. Furthermore, security and privacy of payment
data is very important, as well as some of the consumers’ personal data. Data leaks could have a severe impact on the reputation/business of the firm.
The SME (EasyAgriSelling) is already using cloud services, in this case IaaS/PaaS, and the CSP (IaaS/PaaS platform provider) guarantees end-to-end quality of service as well as guaranteed performance against an abrupt increase of the load.
The SME is responsible for the software security of the online web shop software, the web interfaces used by the farmers (customers of EasyAgriSelling) and the personal data and payment data of the consumers buying from the farmers.
Preconditions and Requirements
Security and privacy requirements: For the SME (EasyAgriSelling) in this case, software vulnerabilities are a big risk (because the payment and personal data of consumers is at stake). The SME will look closely at how the IaaS/PaaS is patched and updated.
Some security tasks are outsourced to the provider, but many security tasks still have to be carried out by the customer/SME (EasyAgriSelling).
It is the responsibility of the SME (EasyAgriSelling) to fix software flaws in the deployed web shop software as well as managing the accounts of the farmers using their web shop software, the consumer accounts, including resetting passwords, troubleshooting issues with payments etc.
Their responsibility includes managing backups of application software and data.
Security considerations in the procurement process really only regard security of the facilities, the operating system and the application servers which are under control of the provider.
Security tasks the provider carries out are managing hardware and facilities, including physical security, power, cooling, etc.; managing the server operating systems and the application server, including development, deployment, patching, updating, monitoring, checking logs, and so on.
The following security and privacy requirements apply to EasyAgriSelling:
• Physical security of the cloud assets should be guaranteed by the CSP.
• Timely patching and updating, adequate
backups, and security as a service are all required by EasyAgriSelling.
• The CSP should demonstrate compliance through those certifications required by EasyAgriSelling.
• EasyAgriSelling requires a two-factor authentication process.
• EasyAgriSelling wants to avoid vendor lock-in issues.
Additional preconditions and requirements (e.g. performance): Availability is a main concern in this use case. Also for this type of SME customary preconditions and requirements have been taken into account while procuring the subsequent cloud services, e.g. a two-factor authentication process.
Existing SLA standards and best practices to rely on: Non-applicable, as per this use case. However, for this type of SME customary best practices have been taken into account while procuring the subsequent cloud services. No particulars to mention in this case.
Additional comments: EasyAgriSelling works with farmers and consumers from several countries. The data and processes are about simple e-commerce and there are no specific legal requirements that could cause issues with foreign jurisdiction.
Summary: This use case considers an SME cloud customer with some background experience on this technology, which is planning to use a new CSP (IaaS/PaaS). This use case validates the CRM from the perspective of an SME familiarised with cloud computing, and with a particular focus on the security/privacy implications of this technology.
5.2.8. Use case 8: Video storage and streaming from the Cloud
The following use case is based on “Cloud Computing Use Case group - Cloud Computing use cases whitepaper” [32]. It describes a customer experience using cloud computing for streaming and storing video in the cloud while meeting security requirements.
Table 13. Use case 8: Video Storage and streaming from the Cloud
Identification
Title: SME video storage and streaming from the Cloud
SME Maturity:
• Novice
• Basic
Base Use Case (cf. Deliverable 2.2):
• AP: App on a Cloud
• HA: High Availability
Short description: A financial investment company is launching new investment products to its agents and affiliates. A number of videos have been created to teach the company’s agents and affiliates about the benefits and features of the new products. The videos are very large and need to be available on-demand, so storing them in the cloud lessens the demands on the corporate infrastructure. However, access to those
videos needs to be tightly controlled. For competitive reasons, only certified company agents should be able to view the videos. An even stronger constraint is that regulations require the company to keep product details, including the videos, confidential during the quiet period before the launch of the product.
The company’s decision is to use a public cloud storage provider to scale the secure hosting and streaming of the videos. The cloud solution must control the videos with an auditable access control mechanism that enforces the company’s security policies.
Cloud Actors:
• Cloud Service Provider
• Cloud Service Customer, which includes the company but also the agents that will be certified to have access to the videos (agents and affiliates).
• Cloud Service Partner - auditors will have the right to audit the cloud solution in order to enforce the company’s security policies.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal and Data Protection compliance criteria: This use case does not involve PII, therefore no particular Data Protection requirement applies. Authentication requirements (see below) are only related to the IAM data contained in e.g. legacy authentication systems. Confidentiality is also of crucial importance because the product details, including the videos, are highly confidential during the quiet period before the launch of the product.
Preconditions and Requirements
Security and privacy requirements: For competitive reasons, only certified company agents should be able to view the videos. An even stronger constraint is that regulations require the company to keep product details, including the videos, confidential during the quiet period before the launch of the product. An auditable access control mechanism that enforces the company’s security policies is required.
Identity management for access authentication, and authorization is crucial for this use case.
Additional preconditions and requirements (e.g. performance): Apart from compliance, confidentiality and security of distributed content, it is necessary to guarantee communication between CSP and SME’s agents. Access management is also important.
Existing SLA standards and best practices to rely on: Governmental regulations.
Additional comments: None
Summary: Mobile and cloud computing are represented in this use case. This scenario can potentially apply to a broad variety of SMEs that need compliance for non-static content e.g. streaming videos, therefore it is relevant to SLA-Ready.
5.2.9. Use case 9: Cloud-based Development and Testing
This company chooses a cloud provider to deliver a cloud-based development environment with hosted developer tooling and a source code repository. It also chooses another cloud provider to provide a testing environment so that the new application can interact with many different types of machines and huge workloads. The relevance of this use case for SLA-Ready resides in the use case’s focus on cloud federation and service level agreements for this purpose. The use case is based on “Cloud Computing Use Case group - Cloud Computing use cases whitepaper” [32].
Table 14. Use case 9: Cloud-based Development and Testing
Identification
Title: Cloud-based Development and Testing
SME Maturity:
• Experienced
Base Use Case (cf. Deliverable 2.2):
• AP: App on a Cloud
• DI: Data Integrity
• CB: Cloud Bursting
• HA: High Availability
Short description: An online retailer needs to develop a new Web 2.0 storefront application, but does not want to burden its IT staff and existing resources. The company chooses a cloud provider to deliver a cloud-based development environment with hosted developer tooling and a source code repository. Another cloud provider is chosen to provide a testing environment so that the new application can interact with many different types of machines and huge workloads.
Cloud Actors:
• Cloud Service Provider
• Cloud Service Customer
• Cloud Service Partner - auditors will have the right to audit the cloud solution in order to enforce the company’s security policies.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal and Data Protection compliance criteria: This use case does not involve PII, therefore no particular Data Protection requirement applies. Authentication requirements (see below) are only related to the data contained.
Preconditions and Requirements
Security and privacy requirements: Identity management for access authentication, and authorization is crucial for this use case. Controlled access to source code and test plans is needed; therefore Cryptography, Endpoint Security, Identity, Roles, Access Control, and Network Security are crucial.
Additional preconditions and requirements (e.g. performance): The SME requires that all traces of the application or data must be deleted when a VM is shut down, controlled access to source code and test plans, service automation and event auditing and reporting.
Existing SLA standards and best practices to rely on: None
Additional comments: None
Summary: This use case validates the CRM from the perspective of a company/SME familiarised with cloud computing, and with a particular focus on the security/compliance implications of this technology. This use case is a representative example related to the usefulness of cloud SLAs for cloud-based developing and testing processes.
5.2.10. Use case 10: Logistics and Project Management in the Cloud
The following use case is based on “Cloud Computing Use Case group - Cloud Computing use cases whitepaper” [32]. It considers a scenario which may become familiar to several SMEs, where the enterprise needs to move their data to the cloud and then it reaches the End User.
Table 15. Use case 10: Logistics and Project Management in the Cloud
Identification
Title: Logistics and Project Management in the Cloud
SME Maturity:
• Novice
Base Use Case (cf. Deliverable 2.2):
• AP: App on a Cloud
• DI: Data Integrity
Short description: A small construction company with approximately 20 administrative employees needed a way to manage their resources, optimize project scheduling and track job costs. The company had very specific requirements that no commonly available system addressed, so they used a combination of Quickbooks and spreadsheets. This system was not elastic and was a huge waste of human resources.
The solution to the problem was to build a custom client-side application. All of the business logic resides on the client (company). Data for the application is served from a Google App Engine (GAE) datastore. The datastore does not enforce any sort of schema other than an RDF graph, although it does host an RDF-OWL ontology. The client uses that ontology to validate data before displaying it to the user or sending it back to the GAE.
Cloud Actors:
• Cloud Service Provider – GAE as PaaS
• Cloud Service Customer – the company
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal and Data Protection compliance criteria: This use case does not involve PII, therefore no particular Data Protection requirement applies.
Preconditions and Requirements
Security and privacy requirements: No particular security needs for this use case. Data operations are communicated with the datastore using an application-specific RESTful protocol over HTTP. The datastore maintains RDF graphs specific to the applications it is serving within silos managed on the server. When Security is needed, it is implemented separately for each silo depending on the requirements of the application using a particular
silo of data. Using this system, any number of
applications can use the datastore.
Additional preconditions and requirements (e.g. performance): None. The data moved was reconciled before being uploaded to the GAE datastore.
Existing SLA standards and best practices to rely on: None
Additional comments: None
Summary: This use case presents the simple case of SMEs that have very specific needs which no commonly available system addresses. This use case is a representative example related to the acquisition of a simple PaaS implementation that provides database support.
5.2.11. Use case 11: Local Government Services using a Hybrid Cloud
The following use case is based on “Cloud Computing Use Case group - Cloud Computing use cases whitepaper”. It considers a scenario which may become familiar to several local governments that want to use a combination of services at a private and hybrid cloud level. The relevance of this use case for SLA-Ready resides in the use case’s focus on federation of applications and data inside the hybrid cloud.
Table 16. Use case 11: Local Government Services in a Hybrid Cloud
Identification
Title: Local Government Services in a Hybrid Cloud
SME Maturity:
• Expert
Base Use Case (cf. Deliverable 2.2):
• AP: App on a Cloud
• CB: Cloud Bursting
Short description: There are more than 1800 local governments across Japan, each of which has its own servers and IT staff. A secondary goal of the Kasumigaseki cloud is to provide a hybrid cloud environment. In addition to the Kasumigaseki cloud, the Japanese central government has decided to group local governments at the prefecture level. Each prefecture will have a private cloud and a connection to the Kasumigaseki hybrid cloud. Internal tasks and some data will be hosted in the prefecture’s private cloud, while other data will be stored locally. Wherever possible, existing systems will be virtualized and hosted in the Kasumigaseki cloud.
Cloud Actors:
• Cloud Service Provider – Kasumigaseki hybrid cloud
• Cloud Service Customer – the prefecture
Cloud Service life-cycle phase:
• Operation
Legal and Data Protection compliance criteria: Japanese law prevents some types of data from being stored outside the local government’s servers, so moving applications and data into the Kasumigaseki cloud is not an option. It is also illegal for many types of personal data to be stored on a server outside of Japan.
Preconditions and Requirements
Security and privacy requirements: Security and privacy requirements are set by the central government of Japan, which has built a secure, centralized infrastructure for hosting government applications.
Additional preconditions and requirements (e.g. performance): Federation of applications and data inside the hybrid cloud is crucial.
Existing SLA standards and best practices to rely on: None
Additional comments: None
Summary: This use case presents the case of a government building a private cloud for its centralised applications and using that cloud as hybrid for few decentralised applications in order to reduce costs, energy consumption and IT staff.
5.2.12. Use case 12: Payroll Processing in the Cloud
The following use case is based on “Cloud Computing Use Case group - Cloud Computing use cases whitepaper” [32]. It considers a scenario which may become familiar to several SMEs, where the enterprise needs to run its payroll process in the cloud. The relevance of this use case for SLA-Ready resides in the use case’s focus on virtual machines and cloud storage (IaaS).
Table 17. Use case 12: Payroll processing in the Cloud
Identification
Title: Payroll processing in the Cloud
SME Maturity:
• Novice
Base Use Case (cf. Deliverable 2.2):
• AP: App on a Cloud
Short description: The organization decided to see how practical it would be to run the payroll process in the cloud. The existing payroll system was architected as a distributed application, so moving it to the cloud was relatively straightforward.
The payroll application used an SQL database for processing employee data. Instead of rewriting the application to use a cloud database service, a VM with a database server was deployed. The database server retrieved data from a cloud storage system and constructed relational tables from it. Because of the size of the original (in-house) database, extraction tools were used to select only the information necessary for payroll processing. That extracted information was transferred to a cloud storage service and then used by the database server.
The payroll application was deployed to four VMs that run simultaneously; those four VMs work with the VM hosting the database server. The configuration of the payroll application was changed to use the VM hosting the database server; otherwise the application was not changed.
Cloud Actors:
• Cloud Service Provider
• Cloud Service Customer – the company
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal and Data Protection compliance criteria: This use case does not involve PII, therefore no particular Data Protection requirement applies.
Preconditions and Requirements
Security and privacy requirements: No particular security needs for this use case.
Additional preconditions and requirements (e.g. performance): The payroll application runs on Fedora and Java 1.5, so it will run without changes on any cloud provider's platform that supports Fedora. Modifying the application to use a different cloud storage provider could be a problem if the other vendor does not support the specific S3 APIs used in the payroll process.
Existing SLA standards and best practices to rely on: None
Additional comments: None
Summary: This use case presents the simple case of SMEs that have very specific needs, as is the processing of payroll. In the cloud-based version of the application, processing time for the payroll task was reduced by 80%. This is an example of SMEs/companies for which the cloud-based version offers more elasticity, which can be a significant advantage as they expand.
5.2.13. Use case 13: CSP specifying carve-outs in its cloud service terms
Each CSP provides qualified cloud services, as each has general carve-outs and other limitations and exclusions written in its SLA documentation. Some may be understandable, reasonable and within normal risk allocation boundaries. Some are not. Especially SMEs do not have the knowledge or expertise to assess whether general carve-outs are reasonable and acceptable for their specific application and use of the cloud services, and what the consequences would be if a carve-out is specified.
Table 18. Use case 13: CSP specifying carve-outs in its cloud service terms
Identification
Title: CSP specifying carve-outs in its cloud service terms (General Carve-outs)
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
Short description: As there is so much to think about while choosing, selecting and procuring cloud services, and the SME is aware that carve-outs are part of the cloud SLA where the CSP further limits or excludes its responsibility and liability, it is not always the highest priority to assess, understand, discuss and negotiate these with the CSP. When an incident happens the CSP has defined the carve-out ‘force majeure’ very
broad,inawaythatallinfluencesofthirdparties
areexcluded,evenofthosetheCSPprocuresto
beable toprovide the cloud services. In sucha
case, if an incident happens, the SME usually
expectsthatitwouldbewithinthecontrolofthe
CSP, but is often unable to claim any resource.
TheCSPmerelyreferredtothegeneralcarve-out
intheapplicableSLA.
Cloud Actors: CSP as vendor, and SME as customer.
Cloud Service life-cycle phase:
• Operation
Legal compliance criteria: Before looking for an appropriate CSP, the SME should assess what kind of general carve-outs the CSP has stated in its SLA, ask questions if it does not understand the carve-outs, ask what it is paying for, and assess the potential consequences in case of an incident that may fall within scope of those general carve-outs.
Preconditions and Requirements
Security and privacy requirements: If the security of the data centre is involved for certain carve-outs, those requirements are an absolute necessity to assess within view of general carve-outs as well.
Additional preconditions and requirements (e.g., performance): Some basic knowledge about business and other risk allocation, as well as laws and regulations, is necessary to assess a cloud SLA.
Existing SLA standards and best practices to rely on:
CSCC Practical Guide to Cloud SLAs
C-SIG SLA Guidelines
Additional comments: N/A
Summary: The SME always needs to assess whether the general carve-outs are understandable, not described too broadly, to what extent the CSP is in control, where that control ends, and what the consequences are in case of an incident that is either within the control of the CSP or beyond the reasonable control of the CSP.
5.2.14. Use case 14: CSP changing SLA at operation time
Any change made in contractual arrangements, whether an SLA or otherwise, without the consent of all the parties involved seems impossible and unlawful. However, many CSPs have designated the contractual right to unilaterally change the SLA and the cloud services themselves, whether beneficial or detrimental to the CSC. This means the CSP will be able to change its rights and obligations, without the consent of the CSC. Most, although not all, will notify you of a change, but then it may already be too late.
Table 19. Use case 14: CSP changing SLA at operation time
Identification
Title: CSP changing SLA at operation time (Change Notifications & Unilateral Change)
SME Maturity:
• Novice
• Basic
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• HA: High Availability
Short description: An SME has built its own SaaS on the PaaS infrastructure of a major CSP. The SME provides its SaaS to its customer under its own Master Service Agreement, Terms and Conditions and SLA. However, the SaaS SME did not notice that the PaaS CSP is contractually entitled to unilaterally change the PaaS service offerings and conditions in the SLA, since the SME ticked the box while registering online without taking the time to assess the SLA and related terms. The CSP now invoked this right to lower the uptime and level of redundancy. Therefore, the SaaS cloud services from the SME cannot meet the service level it has granted to its own customers. Migrating the application to a PaaS of another CSP would be a very time-consuming and costly task.
Cloud Actors: Cloud Service Provider as PaaS Provider, SME as Cloud Service Partner and SME's customer as Cloud Service Customer.
Cloud Service life-cycle phase:
• Operation
Legal compliance criteria: N/A
Preconditions and Requirements
Security and privacy requirements: N/A
Additional preconditions and requirements (e.g., performance): N/A
Existing SLA standards and best practices to rely on:
SMART SLA Model
CSCC Practical Guide to Cloud SLAs
C-SIG SLA Guidelines
ETSI Cloud SLA template
Additional comments: N/A
Summary: Many CSPs have reserved the right to unilaterally change the service conditions and terms; however, this could be a serious obstacle for SaaS SME providers who are in a contractual relationship with their own customers.
5.2.15. Use case 15: CSP providing services under different regulations
Cloud services are often hosted in one country and consumed in others. CSPs may use distributed data centres scattered around the globe, while CSCs using cloud services have the desire and even necessity to know the location of their data. In addition, there may be issues of legal jurisdiction in the event of dispute and uncertainty about the applicable law. These issues are due to these different national legal frameworks, and uncertainties about applicable law, data location and the free flow of data rank among the concerns that have arisen amongst the potential cloud adopters, particularly for large enterprises already using the cloud [9]. This is in particular related to complexities of managing services and usage patterns that span multiple jurisdictions and in relation to trust and security in fields such as data protection, contracts and consumer protection. This could mean there could be a complex value chain with stakeholders and conflicting agreements, especially when the SME is procuring cloud to develop its own SaaS.
Table 20. Use case 15: CSP providing services under different regulations
Identification
Title: CSP providing services under different regulations (Choice of Law)
SME Maturity:
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• SD: Processing Sensitive Data
Short description: The choice of law clause is a term of a contract in which parties specify that any dispute arising under the SLA shall be governed in accordance with the laws of a particular jurisdiction. Since most of the major CSPs have headquarters in the United States of America, many of these CSPs have designated the governing law of the state in which they have their headquarters as applicable to the agreement. The SME has done diligence on what CSP would fit its SaaS and business ambitions best with regard to the provided IaaS. However, it did not notice the choice of law the SLA is governed by. As the SME is providing SaaS to end-users being consumers in the EU member state where it is based, it is obliged to provide the services under the laws of that member state, including consumer right provisions. Therefore, the supply chain is not workable for this SME as it cannot hold its IaaS supplier accountable or responsible if certain issues arise. The SME will bear the full liability towards its end-users without any recourse, which happened several times for this SaaS SME.
[9] Eurostat News Release 9 December 2014 (latest statistics to date).
Cloud Actors: Cloud Service Provider as PaaS Provider, SME as Cloud Service Partner and SME's customer as Cloud Service Customer.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal compliance criteria: Mandatory rules cannot be avoided if the main activity takes place in the country of the SME or its end-users within the EU. Before looking for appropriate CSPs, and finding and assessing the terms and conditions (including SLA) that may be applicable in the relationship between such CSP and SME, the SME should identify the main legal compliance criteria relevant in (1) the local regulation of the SME and the countries where the SME would like to do business and (2) the laws of the applicable governing law.
Preconditions and Requirements
Security and privacy requirements: If personal data is involved the data protection regulation and legislation of the data-subject is applicable as well.
Additional preconditions and requirements (e.g., performance): N/A
Existing SLA standards and best practices to rely on:
List of SLA standards/best practices to rely on:
C-SIG SLA Guidelines
Additional comments: N/A
Summary: All CSPs and all CSCs (including SMEs) in every deployment model have to deal with Governing Law Issues, but it is especially burdensome if the SME wishes to develop and exploit its respective services and products on top of cloud-based services, in particular either IaaS or PaaS. The use case has been simplified in order to make clear a major requirement on the SME side as an assertion that ‘one cannot acquire or procure anything without first assessing what it would like to acquire or procure’.
5.2.16. Use case 16: CSP providing data services for the health sector
Back-up, certifications and encryption are important services a CSP offers. In most cases the CSPs have several certifications, back-up programs and encryption possibilities, but the customer and therefore the SME needs to be aware that those certifications, back-up programs and encryption tools will not necessarily apply to the cloud services they subscribed to.
Table 21. Use case 16: CSP providing data services for the health sector
Identification
Title: CSP providing data services for the health sector (Customer Back-Up and Encryption)
SME Maturity:
• Novice
• Basic
Base Use Case (cf., Deliverable 2.2):
• SD: Processing Sensitive Data
• DI: Data Integrity
Short description: An SME in the health sector has built its SaaS application on an IaaS/PaaS from the CSP. Anyone in the health sector has to be compliant with mandatory sectorial standards and needs to have certain certifications. Furthermore, since this SME will process sensitive personal data, it also needs to encrypt the data in light of the applicable personal protection regulations in the EU. Even though many CSPs have such specific certifications, encryption possibilities and backup possibilities, in most cases the layers in the provided IaaS/PaaS where the customer of the SaaS CSP processes its sensitive and other data do not fall under these certifications, or encryption and back-up by default. This SME made the mistake of trusting that the provided certifications were applicable for that use, when they were not.
Cloud Actors: Cloud Service Provider as IaaS/PaaS Provider, SME as Cloud Service Partner and SME’s customer as Cloud Service Customer.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal compliance criteria: Before looking for appropriate IaaS/PaaS CSPs, and finding and assessing their certifications, terms and conditions that may be applicable in the relationship between such IaaS/PaaS CSP and the SME Health Tech company, firstly this SME needs to map the main legal compliance criteria it deems relevant for the Health Tech Sector. Furthermore, as the health sector industry is highly regulated, there are special requirements for vendors and their certifications, which include the right of the authority to be able to audit the vendors in the respective supply chain. Personal data of data subjects is involved, for which the customer of the SME is primarily responsible as data controller, so the personal protection regulations in the EU are essential as well. These three main legal criteria should be well-known to any Health Tech company. The SaaS SME thereafter needs to make sure it can and will take the appropriate measures in order to fulfil all the sector-specific requirements with the help of the CSP it has pre-selected.
Preconditions and Requirements
Security and privacy requirements: According to the applicable personal protection regulations in the EU, a data controller needs to make sure they take appropriate security measures which are covered with certifications and encryption measures.
Additional preconditions and requirements (e.g., performance): Back-Up
Existing SLA standards and best practices to rely on:
C-SIG SLA Guidelines
Additional comments: N/A
Summary: Many CSPs have several backup, certifications and encryption offerings; however, please note that the SME should make sure its own environment within that IaaS/PaaS is also certified, encrypted and backed up according to the industry standard and policies. Never just tick the box and think it will all be alright.
5.2.17. Use case 17: A SME terminating a contract with a CSP
Data deletion, including data retention, should be addressed in the SLA, and the SaaS application should have embedded techniques to remove data and ensure that deleted data will not be recovered. It is not always clear how data deletion and data retention are covered by the CSP, unless data deletion and retention are required as per data protection laws and regulations.
Table 22. Use case 17: A SME terminating a contract with a CSP
Identification
Title: A SME terminating a contract with a CSP (Data deletion and data retention)
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• SD: Processing Sensitive Data
• DI: Data Integrity
Short description: The case is simple, and will happen to all CSCs: an SME wishes to terminate the MSA with a CSP, and then starts thinking about whether and to what extent the CSP will delete its data, after the SME has extracted and exported that data as much as possible. This SME, as will others, finds out that nothing is arranged for, and is left in the dark.
Cloud Actors: CSP as vendor, and SME or end user as customer.
Cloud Service life-cycle phase:
• Operation
• Termination
Legal compliance criteria: In case of termination, there is no need and no purpose to process or store any data of the CSC or related data subjects anymore, so all data related to the specific user should be deleted. Data deletion should be the last data processing a CSP takes care of. However, there are several data retention regulations for different sets of data, and different contexts.
Preconditions and Requirements
Security and privacy requirements: Privacy requirements are involved by data deletion as based on the data protection act. Based on the privacy regulation, all personal data should be deleted if there is no lawful interest to store or process any more, but there are exceptions. For instance, for financial data the data retention period is in most EU member states seven years based on the local financial and tax laws and regulations, and even HR data has a different data retention period based on labour law. Furthermore, some CSPs do not have technical capabilities in place to strongly delete the data.
Additional preconditions and requirements (e.g., performance): After the internal check of what kind of data the SME processes, the SME needs to assess if all the data processing is necessary for using the services. The basis for data storage is data minimisation, where an SME needs to process as little data as possible, to limit the consequences of a data breach, data loss or any unlawful processing.
Existing SLA standards and best practices to rely on:
ISO/IEC 19086
CSCC Practical Guide to Cloud SLAs
C-SIG SLA Guidelines
Additional comments: N/A
Summary: The requirements for data deletion and data retention based on the different laws and regulations are mostly not the same and contain different periods and requirements. Therefore, the basics for data processing should be data minimisation. Furthermore, the SME should assess, before it looks for an appropriate CSP, all types of data it processes and the relevant data retention periods, as well as if the CSP has the correct technique to delete the data without the possibility to recover the deleted data. Before entering into an agreement with a CSP, the SME should assess if data deletion is possible if all data will be deleted. Thereafter, the SME should identify and landscape what kind of data it stores, processes etc. and the related retention requirements of the different laws and regulations.
5.2.18. Use case 18: CSP migrating data between different jurisdictions
The location(s) where personal data may be stored or otherwise processed by the CSP is relevant for a SME as for any CSC, whether it has one or more entities and whether or not it is active in different geographical locations, as each country has different regulations regarding personal data and where such personal data may be stored and processed. In this case, the SME has entities in a dozen countries.
Table 23. Use case 18: CSP migrating data between different jurisdictions
Identification
Title: CSP migrating data between different jurisdictions (data location)
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• SD: Processing Sensitive Data
Short description: Since both within the European Union and outside the EU each country has different laws and regulations regarding personal data protection, the data location where the SME is active is relevant as well as the data location of the server of the CSP. In this case it concerns an SME that is active in a dozen countries and wishes to migrate to cloud services its HR data, which concerns almost 100% personal data. In some jurisdictions, such HR data is even especially arranged in the law. If an entity of a SME is based in Russia and the headquarters is within the European Union, then it is not allowed by local law to store personal data, including HR data, outside of Russia. The server of the CSP should be based in Russia, and in some cases the CSP will cooperate with a local data centre where a back-up copy will be stored on a data location in the European Union. This is not only relevant in Russia, as the same applies for Germany, for example. This SME segmented the data in advance, and together with its legal counsel architected where what data is to be stored, what back-up mechanisms should apply, and with success opened the dialogue with the relevant CSP.
Cloud Actors: CSP as vendor, SME as customer, and its employees as data subjects.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal compliance criteria: Before looking for appropriate CSPs, the data and cloud architecture of the SME should be landscaped on what kind of (personal) data the SME is required to process at which location. Thereafter the SME should identify the local governing laws on data protection which are applicable to the SME and the countries where the SME would like to do business.
Preconditions and Requirements
Security and privacy requirements: If personal data is involved the data protection regulation and legislation of the data subject is applicable, and so is that of the place where the server is located.
Additional preconditions and requirements (e.g., performance): After the internal check of the SME on the above, the SME can start with landscaping and pre-assessing which CSP would be able to deliver, and where the data locations of the CSP are.
Existing SLA standards and best practices to rely on:
CSCC Practical Guide to Cloud SLAs
C-SIG SLA Guidelines
Additional comments: N/A
Summary: Data location is very important to comply with the local laws and regulations, which should always be discussed and agreed between the CSP and the SME. This is not a problem of the SME only; the CSP has similar and parallel problems to solve as it needs to comply with the local laws and legislation as well if it processes data for a CSC. Both CSPs and SMEs each have to deal with local laws and regulations. Especially for SMEs who have more entities, not all of which are based within the European Union, a SME needs to assess what kind of laws and regulations are applicable on the different types of data even a SME stores and processes. Such assessment could have the result that the SME cannot choose for one data location as the local data protection act does not allow this, and has to choose different locations.
5.2.19. Use case 19: CSP providing data portability vendor Lock-in of SaaS applications
Vendor lock-in is a situation in which a customer using a product or service cannot easily switch or otherwise migrate (part of) its data to a product or service of another vendor. Vendor lock-in is not exclusive to cloud services. Vendor lock-in is usually the result of outdated or just different technologies and methodologies of data formatting and making available data records that are incompatible with those of other vendors. However, it can also be caused by contract constraints, among others. In conjunction with data portability, the concern of SMEs across Europe regarding the risk of vendor lock-in is one of the most common barriers for adoption of cloud. In this case the SME is the CSC and found out in a later phase that extracting and exporting its data to another part of the same CSP's SaaS was burdensome, let alone doing the same to another CSP, which was impossible.
Table 24. Use case 19: CSP providing data portability vendor Lock-in of SaaS applications
Identification
Title: CSP providing data portability vendor Lock-in of SaaS CRM applications
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• CB: Cloud Bursting
• SD: Processing Sensitive Data
Short description: A European SME who has formally used CRM SaaS to keep track of its customer relationship management and sales cycle would like to switch a certain part of its data to another account in the same CRM SaaS, and – when that did not work out – to switch that data to another CSP. This in turn requires the ability to migrate data between different environments or providers. However, the former CRM SaaS did not specify anything on data portability, data format, what data would exactly be possible to migrate, and what not, or whether metadata would be part of that. The SME settled for getting part of its data out in a structured, workable way, where the remainder of its data cannot be extracted or otherwise exported in a suitable way, so it basically lost the latter data and related analytics.
Cloud Actors: SaaS CRM Cloud Service Provider, SME Cloud Service Customer.
Cloud Service life-cycle phase:
• Operation
• Termination
Legal compliance criteria: Before looking for appropriate CRM SaaS CSPs, and then finding and assessing the terms and conditions (including SLA) that may be applicable in the relationship between such CRM SaaS CSP and the SME, first, the SME needs to look into the data formats, data export policies, termination and other data portability related clauses. Furthermore, if personal data is involved, data protection regulation and legislation is applicable as well. This also holds for the CSP, which is an argument to highlight when having any discussion with a CSP.
Preconditions and Requirements
Security and privacy requirements: The General Data Protection Regulation (GDPR) adopted in April 2016 creates a new right to data portability for data subjects with regard to their own personal data that a CSP as data controller or processor processes in any way. This also means that data subjects have the right to extract their personal data from the SME in this use case.
Additional preconditions and requirements (e.g., performance): Assumptions made prior to the execution of the use case
Existing SLA standards and best practices to rely on:
C-SIG SLA Guidelines
Additional comments: Other topics cover data portability as well, such as free flow of data. Ensuring data portability is a relevant objective of European policies in the context of the Digital Single Market strategy. The DSM strategy identified the lack of data portability as a potential barrier, noticing the shortcomings of cloud contracts in this field.
Summary: Data portability is another very important topic which should always be addressed by everyone who is willing to use or using the cloud. In case personal data is involved, data protection regulation and legislation is applicable to both the CSC and the CSP, which is an argument to highlight when having any discussion with a CSP. In case the CSP is not willing to adapt the terms, it is advisable to look further to other alternatives.
5.2.20. Use case 20: SME looking for Information Security Incident Management
Security incidents are an ongoing topic in the newspapers nowadays, and no one likes to be in the headlines because of a security incident, next to other obvious reasons to avoid and be prepared for security incidents. However, realistically every organisation, SMEs included, will at some point be subject to or otherwise involved in a security incident. Besides, and quite important as well, there are several current and upcoming mandatory regulations that both CSPs and CSCs need to comply with. So, there are quite some reasons to address information security incident management in the SLA.
Table 25. Use case 20: SME looking for Information Security Incident Management
Identification
Title: SME looking for Information Security Incident Management
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• SD: Processing Sensitive Data
• DI: Data Integrity
Short description: Given its above-average awareness of security breaches in its sector, being the financial services industry, this SME is quite concerned about keeping its data safe while also complying with current and upcoming regulation. With all the topics in the newspapers on security incidents, every SME should be keen on the management of those incidents, and this SME actually is. Besides that, new regulations such as the General Data Protection Regulation (GDPR) and the Network Information Security (NIS) Directive with dauntingly high penalties are a trigger as well. However, it is not easy for the SME to obtain the right in-depth information from the CSP it needs to assess the risks, the way breach notification is taken care of, to what extent and how fast, and how incidents are managed and repeat-incidents avoided.
Cloud Actors: SME or end user as user.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal compliance criteria: Before entering into an agreement with a CSP, the SME should assess how the CSP will manage and report any information security incidents. Thereafter, the SME should identify and landscape what kind of laws and regulations are applicable: local law, European laws or sectoral regulations. In the Netherlands, and from May 2018 in each member state, if you are a CSC, SME or not, and there is an availability or confidentiality breach of (personal) data which is not encrypted, the SME needs to notify the Data Protection Authority, the sectorial authority (if any), the CERT of the member state and the data subject of such data breach. Such notification requires certain information about the security incident and how the breach will be managed. Besides that, the breach will have consequences for the availability and the trustworthiness of the services.
Preconditions and Requirements
Security and privacy requirements: Security and privacy requirements are essential in information security incident management. The CSP should manage and report all the security incidents; note that not all incidents need to be notified to the authorities.
Additional preconditions and requirements (e.g., performance): The SME and CSP should agree on how and when security incidents will be notified, especially the time frame between the discovery of the incident by the CSP and the notification to the SME. Preferably notification to the SME needs to be done at least within 48 hours after discovery of an information security incident.
Existing SLA standards and best practices to rely on:
ISO/IEC 19086
CSCC Practical Guide to Cloud SLAs
C-SIG SLA Guidelines
Additional comments: N/A
Summary: Related to information security incidents there are several notification acts in case there is a breach with personal data. The SLA needs to assess what kind of proceedings the CSP has for notification, monitoring and management thereof. However, both parties are responsible for the information security management, and cooperation to prevent this is a must.
5.2.21. Use case 21: CSP allowing data access for law enforcement
Based on several laws and regulations certain government authorities are allowed to request access to the data centre and other systems of the CSP. Based on the NSA stories users do not trust the access of the government, and quite a few CSPs have insufficient knowledge and processes in place to deal with such a request of a government authority, where some CSPs in such real-life cases tend to take their own interest into account more than fight for their CSC. The SLA should state how the CSP will proceed and deal with such a request.
Table 26. Use case 21: CSP allowing data access for law enforcement
Identification
Title: CSP allowing data access for law enforcement (Law enforcement access)
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• SD: Processing Sensitive Data
Short description: This use case is from an SME CSP that is quite advanced and knowledgeable about data access requests by authorities, and it is good to consider the do's and don’ts. Most CSPs do not know what to do if access to data is requested by a government authority and may give the government authority the wrong access without assessing such request. Generally, the scope of the formal requests to obtain access is too broad instead of a detailed scope, because the authority does not yet exactly know what kind of data they need to know. However, fishing by the government authorities is not allowed. CSPs need to check the scope of the request to access and should provide as little information and access as possible, keeping in mind the contractual, ethical and trust relationship they have with their CSC. A CSC expects a CSP to stand up for the rights of the CSC. Furthermore, if a CSP gives access within the scope then it should not cause more data protection infringements than strictly necessary. Any CSC, SMEs included, should request a detailed data access policy of the CSP itself with the processes and consequences.
Cloud Actors: CSP as vendor, and SME as customer.
Cloud Service life-cycle phase:
• Operation
• Termination
Legal compliance criteria: Before a CSP gives the government authority access it should assess and identify what the legal ground is on which the government authority requests access and if such authority is authorised to get access within a detailed scope of request. The SME should identify and landscape the related laws and regulations for such request.
Preconditions and Requirements
Security and privacy requirements: Security and privacy requirements are involved by law enforcement access. The CSP has the obligation to protect the security and privacy of data subjects even upon a request of a government authority, and the privacy should not be breached more than necessary.
Additional preconditions and requirements (e.g., performance): The CSP should provide a minimum of information and data within the scope of the request.
Existing SLA standards and best practices to rely on:
ISO/IEC 19086
CSCC Practical Guide to Cloud SLAs
C-SIG SLA Guidelines
Additional comments: N/A
Summary: The requirements for providing access to government authorities are most of the time too broad, as well as the request itself. Therefore, a CSP always needs to check the legal ground and scope of the request, and provide as little information as possible to prevent more privacy breaches based on data protection acts. Any CSC, SMEs included, should request a detailed data access policy of the CSP to familiarize itself with the processes and consequences.
5.2.22. Use case 22: SME migrating to IaaS with several duration periods in the agreement
With the use of a SaaS application there are several duration periods and data retention periods applicable, either set forth in the related MSA or SLA or not. These include the subscription term of the MSA, the access period to the SaaS, the availability of the data in the SaaS, the retention period data needs to be stored/archived by the CSP for legal purposes, and so on. The duration and qualification of each can be totally different. These several duration periods of subscription, access, use and audit of the SaaS should be clearly understood by the CSC, and documented between CSP and CSC. However, even CSPs have not quite thought over these different duration periods, and some are also not easy to recognize.
Table 27. Use case 22: SME migrating to IaaS with several duration periods in the agreement
Identification
Title: SME migrating to IaaS with several duration periods in the agreement (duration of different terms of the SaaS application)
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• CB: Cloud Bursting
Short description: This SME is migrating its infrastructure to IaaS of a major CSP. Being a software company itself does not necessarily mean having the necessary knowledge for migrating to the SaaS. And, to start with, in order to provide a good proposal and business model based on subscription fees this SME needs to know what kind of different duration periods are applicable, and what the financial, technical and operational consequences are. In this case for example (i) the MSA is for an indefinite period and the start is at the day of signing; this is the first duration period. (ii) The MSA is effective at the moment of signing, but only after implementation of the SaaS in general and then the deployment of a customer will a user be able to access the SaaS, on which date the one-year subscription starts between the SME and its customer. This is the second duration period. Thirdly (iii), the subscription is based on the actual use of content, which means that the duration of use is shorter than the duration of the right to access. Two more for this use case are (iv) the data retention period during which the CSP is required by law to retain certain data, and (v) the duration the SME and its customers are entitled to extract and export data.
Cloud Actors: CSP as vendor, the SME as CSC as well as a CSP, and SME customer as the end-user.
Cloud Service life-cycle phase:
• Acquisition
• Operation
• Termination
Legal compliance criteria: N/A
Preconditions and Requirements
Security and privacy requirements: N/A
Additional preconditions and requirements (e.g., performance): N/A
Existing SLA standards and best practices to rely on: N/A
Additional comments: N/A
Page65D2.4ACommonReferenceModeltodescribe,promoteandsupporttheuptakeofSLAs–Finalreport
Summary Inordertomakeabusinessmodelbasedonsubscriptionfeeswhereaccessanduse
of the SaaS application depends on payment and the amount of time to use is
limited,theSaaSprovidershouldassessall thoseaspectswhicharerelevant fora
subscriptionbusinessmodel, inordertohaveagoodproposalandagreement. In
short, both the CSP and CSC need to familiarize themselves with the numerous
duration periods, landscape and structure those before discussing business and
legaltermsandconditions.
5.2.23. Use case 23: SME setting up its own hybrid cloud ecosystem
Cloud computing has been a trending topic over the last 10 years but only recently a
reasonably matured common definition of cloud computing has been established.
However, both CSPs and CSCs tend to define cloud services, service models, deployment
models, uptime and other availability differently which leads to confusion and conflicts.
Especially when a CSC such as the techno starter SMEs in this use case, would like to set
up its own hybrid cloud ecosystem to trust and build its business on, and therefore uses
multiple CSPs to build this ecosystem.
Table 28. Use case 23: SME setting up its own hybrid cloud ecosystem

Identification
Title: SME setting up its own hybrid cloud ecosystem (Cloud SLA Definitions)
SME Maturity:
• Novice
• Basic
• Experienced
Base Use Case (cf., Deliverable 2.2):
• AP: App on a Cloud
• CB: Cloud Bursting
Short description: This SME is a small start-up but is envisioning to be number 1 in its
market, globally. It will need cloud service to do so, and as per different technical,
business, risk mitigation and risk reasons it is working on architecting a hybrid
ecosystem where several major as well as niche CSPs will be involved. However, all CSPs
define their definitions and legal terms differently which makes it hard to create a clear
landscape of what rights and obligations the SME has towards the respective CSP, and what
rights and obligations it can arrange for with its own customers and end-users. Analysing
legal documentation from A to Z concerning cloud services such as SLAs is quite cumbersome
and time and resources consuming; CSPs even use different quantitative attributes,
metrics, measurements and remedies. The SME feels that some CSPs prefer to keep their
applicable documentation less transparent than their customers wish for, and the CSPs
would be able to. Getting to the bottom of Master Service Agreements, SLAs and other
contractual arrangements is time-consuming, and a SME, especially a start-up, does not
have those resources. It will either lead to delay in its business plans, or to making the
wrong decisions which will be very costly in a later phase.
Cloud Actors: CSP as vendor. SME as customer.
Cloud Service life-cycle phase:
• Acquisition
• Operation
Legal compliance criteria: It all starts with unambiguous and technology neutral
definitions. Keeping the definitions of all relevant documentation well-defined and
unambiguous is important to ensure that CSPs and CSCs both have a common understanding
and clear communication of what to expect from each other and the services contracted.
Currently, the most up to date definitions that have been globally validated, have
recently been re-endorsed by the European Commission and are used by many leading
companies, government bodies and other organizations. These are contained in the EC Cloud
SLA Standardisation Guidelines.

Preconditions and Requirements
Security and privacy requirements: N/A
Additional preconditions and requirements (e.g., performance): 99.95% uptime will not
necessarily mean 99.95% uptime since many of the CSPs define uptime in multiple ways. For
instance, when the measurement starts, what is in or out of scope of such measurement,
and so on.
Existing SLA standards and best practices to rely on: List of SLA standards/best practices
to rely on:
ISO/IEC 19086
C-SIG SLA Guidelines
Cloud Quadrants Report

Additional comments: N/A

Summary: Without having clear unambiguous definitions, it is impossible to diligently
procure cloud services. This goes for generally all procurement but it is especially
relevant as there are many types of cloud services, services models, deployment models,
and even in the right category there is a lot of variety in definitions and terms. The
same issues arise regarding the various languages.
5.2.24. CRM to use cases mapping
This section analyses the use cases described in the previous sections with respect to the
CRM. Derived from the aforementioned analysis, we have found that some elements of
the CRM are more important than others for some use cases. In general, the priority
between one element and another depends mostly on the domain to which the use case
belongs. The following tables represent the priorities of the CRM elements for every
use case analysed. A colour code is given, the "red" ones being the most important
elements, followed by the "yellow", and the "green" ones as being the less important.
The level of importance given to one element of the CRM with respect to others depends
on the type of use case analysed (including the type of domain, type of customers, the
specific requirements for each use case, etc.).
Table 29. CRM - Use Cases Coverage (part 1)
CRM element importance for every use case (PART 1)
(red: highest, yellow: medium, green: lowest)
Columns (use cases):
UC1 Fintech (Financial sector); UC2 Estonian Governmental Cloud;
UC3 ConsultLess, SME for using SaaS; UC4 SMEs migrating from one SaaS CSP to the other;
UC5 Cloud Brokering: Cloud Chargeback and Showback;
UC6 Distribution of SME Training Material to Mobile Employees;
UC7 EasyAgriSelling, SME using IaaS/PaaS; UC8 Video storage and streaming from the Cloud
Rows (Item, Name of CRM element):
1 SLA URL; 2 Findable; 3 Choice of law; 4 Roles and responsibilities;
5 Cloud SLA definitions; 6 Revision date; 7 Update Frequency;
8 Previous versions and revisions; 9 SLA duration; 10 SLA language;
11 Machine-readable format; 12 Nr. of pages; 13 Contact details; 14 Contact availability;
15 Service Credit; 16 Service credits assignment;
17 Maximum service credits (Euro amount) provided by the CSP;
18 SLA change notifications; 19 Unilateral change; 20 Service Levels reporting;
21 Service Levels continuous reporting; 22 Feasibility of specials & customizations;
23 General Carveouts; 24 Specified SLO metrics; 25 General SLOs;
26 Cloud Service Performance SLOs; 27 Service Reliability SLOs;
28 Data Management SLOs; 29 Security SLOs; 30 Personal Data Protection SLOs
Table 30. CRM - Use Cases Coverage (part 2)
CRM element importance for every use case (PART 2)
(red: highest, yellow: medium, green: lowest)
Columns (use cases):
UC9 Cloud-based Development and Testing; UC10 Logistics and Project Management;
UC11 Local Government Services in Hybrid Cloud; UC12 Payroll Processing in the Cloud;
UC13 CSP specifying Carve-outs in its cloud service terms;
UC14 CSP changing SLA at operation time
Rows (Item, Name of CRM element):
1 SLA URL; 2 Findable; 3 Choice of law; 4 Roles and responsibilities;
5 Cloud SLA definitions; 6 Revision date; 7 Update Frequency;
8 Previous versions and revisions; 9 SLA duration; 10 SLA language;
11 Machine-readable format; 12 Nr. of pages; 13 Contact details; 14 Contact availability;
15 Service Credit; 16 Service credits assignment;
17 Maximum service credits (Euro amount) provided by the CSP;
18 SLA change notifications; 19 Unilateral change; 20 Service Levels reporting;
21 Service Levels continuous reporting; 22 Feasibility of specials & customizations;
23 General Carveouts; 24 Specified SLO metrics; 25 General SLOs;
26 Cloud Service Performance SLOs; 27 Service Reliability SLOs;
28 Data Management SLOs; 29 Security SLOs; 30 Personal Data Protection SLOs
Table 31. CRM - Use Cases Coverage (part 3)
CRM element importance for every use case (PART 3)
(red: highest, yellow: medium, green: lowest)
Columns (use cases):
UC15 CSP providing services under different regulations;
UC16 CSP providing data services for the health sector;
UC17 A SME terminating a contract with a CSP;
UC18 CSP migrating data between different jurisdictions;
UC19 CSP providing data portability vendor Lock-in of SaaS applications;
UC20 ISME looking for Information Security Incident Management;
UC21 CSP allowing data access for law enforcement access;
UC22 SME migrating to IaaS with several duration periods in the agreement;
UC23 SME setting up its own hybrid cloud ecosystem
Rows (Item, Name of CRM element):
1 SLA URL; 2 Findable; 3 Choice of law; 4 Roles and responsibilities;
5 Cloud SLA definitions; 6 Revision date; 7 Update Frequency;
8 Previous versions and revisions; 9 SLA duration; 10 SLA language;
11 Machine-readable format; 12 Nr. of pages; 13 Contact details; 14 Contact availability;
15 Service Credit; 16 Service credits assignment;
17 Maximum service credits (Euro amount) provided by the CSP;
18 SLA change notifications; 19 Unilateral change; 20 Service Levels reporting;
21 Service Levels continuous reporting; 22 Feasibility of specials & customizations;
23 General Carveouts; 24 Specified SLO metrics; 25 General SLOs;
26 Cloud Service Performance SLOs; 27 Service Reliability SLOs;
28 Data Management SLOs; 29 Security SLOs; 30 Personal Data Protection SLOs
5.3. Summary takeaways
• The CRM has been validated with the analysis of 23 use cases taken from different
business domains.
• Such validation has allowed us to identify the importance/applicability of every CRM
element for every use case.
• A template is used for a comprehensive analysis of the use cases. The implementation
of the template for every use case is used to identify the importance/applicability of
every CRM element.
• The importance/applicability of every CRM element depends on aspects such as the
actors involved in the use case, the sensitivity of the data managed, the type of cloud
services to use or the regulations to implement.
• The template classifies every use case according to the five base use cases defined in the
ETSI CSC report. It also classifies every use case according to the Cloud Service Life
Cycle created in Deliverable 2.2. This information is used by the recommendation
methodology described in the following section.
6. CRM recommendation for new use cases
Very often, companies decide to move their business to the cloud without really knowing
what aspects to tackle: Do I have to strengthen performance aspects? How important is
security for my business? Do I have to consider potential legal implications when offering
my service? This section proposes a methodology that can be used to provide companies
with a recommendation based on the CRM that can help them to choose the best
possible SLA according to their business target.
As described in previous sections, the CRM provides a framework that classifies the
most relevant aspects that a CSP has to consider when providing cloud services based on
SLAs to its customers. The CRM can be used to publish the security levels that a CSP is
providing or to know how transparent a CSP is with respect to all the non-functional
features associated with the cloud service provision. The CRM can also be used to
recommend the most suitable CSPs to customers according to their requirements. This
will be demonstrated in Section 7 with the usage of assessment algorithms to evaluate
CSPs based on the quantification of the elements of the CRM.
However, the CRM offers greater potential beyond a recommendation means for
customers. An additional added value of the CRM consists of recommending to CSPs the
most relevant elements of the CRM. In D2.3 an initial validation exercise was done to
evaluate use cases from different domains (financial, public and SME sectors) and analyse
them with respect to the CRM. The result of the study shows that some elements of the
CRM are more important than others depending on the characteristics of the use
case. For instance, the legal aspects of the CRM were more important for the use cases
that focused on the public sector rather than the rest of the use cases.
One of the objectives of D2.4 is to go in depth into this direction and to provide a
methodology that allows recommending which elements of the CRM are more important,
according to the type of business case analysed. This process is done in two phases
(Figure 9):
• Phase 1 – Clustering use cases. Use cases that share common characteristics
(either due to their domain or business requirements) can be organized in
representative domains. These representative domains denote the level of
importance of each CRM element for a specific domain. Given a set of m use cases,
they can be grouped into n groups, CRMi being one of these groups, such that:
CRMi (i = 1…n), for n representative domains
This phase uses clustering algorithms (see Section 6.2) which, for a given input
(i.e., the use cases coming from Section 5.2), estimate the level of importance of
the CRM elements for the identified clusters.
• Phase 2: Recommendation of a CRMi for new use cases. In this phase, new
business cases can be assigned to any of the n representative domains identified
in phase 1. The corresponding CRMi is returned, which contains a specific report
on the level of importance of every element of the CRM.
The following picture depicts this process, where the CRM domains are the clusters in
which the use cases are grouped:
Figure 9. Recommendation process based on the CRM and use cases
The output of this process is a recommendation based on the CRM, CRMi, that contains
the level of importance for every element of the CRM. This will provide SMEs with the
information they need to know about which aspects of the CRM need special
attention, according to their specific business case.
The following subsections detail the phases involved in the recommendation process.
6.1. Input data: use cases analysis
We have used as input a total of 23 use cases: 4 use cases analysed in D2.3 (which have
been extended to be included in D2.4) and 19 new use cases added to Section 5 of this
deliverable. For every use case (from now on, we will refer to the new use case as
"sample") the information used as input for the recommendation process is:
• The base use cases that correspond to every sample. A base use case is one of
the five types identified in the ETSI CSC report: Application to the Cloud (AP),
Cloud Bursting (CB), processing sensitive data (SD), high availability (HA), Data
integrity (DI).
• The stage of the life cycle where the use case operates (acquisition, operation or
termination).
• A level of importance for every element of the CRM, as high, medium or low.
As a result, we have represented every sample as a vector of 38 elements (5 elements
correspond to the base use case, 3 elements to the stage of the life cycle and 30 for the
elements of the CRM). These elements are quantified using a common scale (from 0 to 2).
The quantified values are used as input for the clustering method used.
6.2. Phase 1: Applying clustering methodologies to the input data
The next step entails the classification of the input data in order to find the n most
representative domains. To do so we have used clustering techniques that allow grouping
information according to similarities in the different dimensions that are part of the data
analysed. Clustering techniques are widely used in machine learning and data mining.
They represent an efficient and accurate way to identify patterns and predict results
and behaviours. Clustering techniques group data (apparently uncorrelated) into groups
where the elements belonging to each group are more similar to each other than to those
in the other groups. These groups, called clusters, are composed of a variable number of
elements. Figure 10 represents a typical clustering representation of two-dimensional
samples. Three clusters are clearly identified while there are still some samples (black
dots) that cannot be assigned to any cluster (referred to as "noise").
Figure 10. Example of clustering representation (footnote 10)
10 https://cssanalytics.wordpress.com/2013/11/26/fast-threshold-clustering-algorithm-ftca/
The rules to map elements to clusters depend on the clustering methodology used.
There are several clustering techniques in the state of the art:
• Partitioning Method (i.e., K-means [11]). For a set of x elements, these methods
build y clusters and assign every element to some of the y clusters, typically using
Euclidean distances.
• Hierarchical Methods [12]. Decomposes the input data into a hierarchy which is
classified according to the decomposition of the hierarchy. The clusters are identified
according to the density (number of elements) of the classifications.
• Density-based Method (i.e., DBSCAN [10]). Unlike the partitioning methods,
density-based methods do not need to set the number of clusters in advance. Density-based
methods dynamically create them according to a predefined expected density of
elements in a certain area.
• Grid-Based Method (i.e., STING [13]). Clusters are organized in a grid and samples
are assigned to each cell of the grid. Only cells with a minimum density (minimum
number of elements) are considered as a cluster. Adjacent cells might be merged to
get the expected density to create a cluster.
• Model-Based Method (i.e., MCLUST [14]). Uses Gaussian statistical models to
calculate the density of a finite collection of elements.
• Constraint-based Method (CBM [15]). This technique is used when the clusters are
conditioned by some constraints that the elements have to match.
In SLA-Ready, the elements to classify (i.e., the samples) are not correlated and we do not
know in advance how many clusters we will have. As we do not have any constraints for the
elements that are part of any clusters, we have consequently chosen a density-based
method to classify the elements that are part of our sample set.
While there are many techniques to deal with density-based clustering, we have used the
DBSCAN approach for its simplicity and efficiency. DBSCAN calculates distances between the
elements of the sample set to find clusters. The algorithm is configured with two
parameters:
• The minimum number of elements in a cluster, represented as m.
• The maximum distance between the elements of a cluster, represented as k.
Figure 11 depicts an example for the DBSCAN algorithm. One cluster is identified in red. The
elements of this cluster are at a distance equal to or less than the distance k. Elements C, B and
N are not considered part of the red cluster as their distance to any element of the red
cluster is greater than k. They might be part of a cluster if at least m other elements appear
at a distance equal to or less than k.
Figure 11. DBSCAN approach
One of the problems that clustering methodologies face is that very often the number of
samples is fewer than the number of dimensions of every sample.
This is exactly what happens in SLA-Ready, as we have 23 samples and every sample is
composed of 38 elements. This is a problem when applying clustering techniques as it
makes it difficult to find clusters where samples are at a distance k (as the number of
samples is limited and the number of dimensions per sample is big). To solve this problem,
machine learning techniques use dimensionality reduction to decrease (without losing
too much information) the number of elements of the sample. As an example, in SLA-Ready
we have reduced the dimensions from 38 to 3 with a minimum loss of information,
which will facilitate discovering clusters. While several algorithms can be found for
dimensionality reduction [11], we have used a very well-known technique: PCA (Principal
Component Analysis) [17].
PCA relies on the projection of information into a space with reduced dimensions. For
example, if we have information defined on a space of three dimensions and we want to
reduce it by one dimension, PCA will project the three-dimensional samples onto a plane,
which is used as the new coordinate system. The projection is done trying to lose the
minimum amount of information when projecting the samples to the new coordinate
system. To do so, the distance between the samples and the new coordinate axes is
minimized.
In summary, the process that we have followed to cluster elements comprises three steps
as depicted in the following picture:
Figure 12. Clustering process
• Step 1: Dimensionality reduction. Reduces the dimensions of the samples by using the
PCA algorithm.
• Step 2: Clusters discovering. Finds clusters with the samples used as input by using
DBSCAN.
• Step 3: Representative sample calculation. Calculates the most representative sample
for the clusters identified. To do so we have calculated the mean vector for all the
samples that are part of the identified clusters.
Figure 13. Example of representative vector for clusters
We have applied the clustering methodology to the samples available in SLA-Ready:
• In step 1 we have reduced the dimensionality of the samples from 38 to 3.
• In step 2 we have used DBSCAN to find the potential clusters for the samples. We
have configured the DBSCAN algorithm with k=2 and m=3. This results in the
identification of 3 clusters. As we have reduced the dimension of samples to three
we can depict a 3D representation of the samples and clearly see the three
clusters identified. Figure 14 depicts the results of the clustering. Red cross
samples are part of cluster #1. Green squares are grouped into cluster #2 while
blue diamonds are grouped in cluster #3. There is a sample (black circle) that is
considered as noise and will not take part in the recommendation methodology.
Figure 14. Clusters discovered for the SLA-Ready samples
• In step 3 the representative samples of each cluster are identified by calculating
the mean among all the vectors that belong to the same cluster. Figure 15
represents these samples added to the samples of every cluster.
Figure 15. Clusters and representative samples for the SLA-Ready samples
Although Figure 15 depicts the representative samples after reducing their dimensions
(otherwise it would not be possible to represent them), in practice the mean value is
calculated using the non-reduced samples, as this representative vector will contain the
recommendation data of all the CRM elements.
6.3. Phase 2: Assigning new use cases to clusters
The second phase of the methodology provides the recommended level of
importance for every element of the CRM, depending on the characteristics of the
business case to evaluate. This is especially useful for SMEs that want to move
applications to the cloud or simply want to explore new opportunities by providing their
own cloud services. Very often these SMEs are not actually aware of how to manage the
relationships to their customers in terms of SLAs, for example considering security or law
enforcement aspects.
In this phase the recommendation methodology uses a subset of characteristics
(non-technical) that describe the business case that the SME wants to evaluate. We have used
only the fields included in the template of Table 5 that give a high-level view of the
service:
• The base use case, as one or more of the base use cases defined by the ETSI CSC.
• The stage of the cloud service life cycle where the use case operates.
No further detail on any element of the CRM is required, since this is precisely the
information that this recommendation methodology is providing.
The process starts by obtaining the nearest cluster to the business case to evaluate, and
then returns the representative sample calculated in phase 1. This is done by calculating
the distance between the vector that represents the new use case (which contains 8
elements: 5 for the base use case and 3 for the life cycle stage) and the partial vectors of
the representative samples. The representative sample with the minimum distance is the
best possible recommendation, which is returned to the SME. Figure 16 depicts this
process where a new sample (that is, a new business case) is compared with the clusters
identified. The distance to each representative sample is then calculated (d1, d2 and d3
for clusters #1, #2 and #3 respectively). As d3 is the minimum distance, we choose the
representative sample of cluster #3 as the recommendation result.
Figure 16. Example of recommendation based on distances between samples
This methodology is extensible. New business cases can provide new samples that
can change the representative sample of clusters, the number of clusters or the members
of the clusters. In fact, machine learning techniques are indeed designed to dynamically
adapt themselves to non-correlated samples coming into the system at any moment.
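The sketch below is an added example, not code from the SLA-Ready deliverable. It walks through steps 2 and 3 of Phase 1 (Section 6.2) and the distance-based assignment of Phase 2 (Section 6.3) in Python; the PCA step is left out so DBSCAN runs on the full 38-element vectors, and the samples, the YES=2/NO=0 encoding and the thresholds in level() are assumptions made for illustration.

```python
import math

BASE = ["AP", "CB", "SD", "DI", "HA"]   # base use cases, in the column order of Table 32
STAGES = ["Acq", "Op", "Term"]          # life cycle stages
N_CRM = 30                              # CRM elements 1..30

def make_sample(base, stages, high=(), low=()):
    """Build a 38-element sample: 5 base flags, 3 stage flags, 30 CRM levels.
    Assumed encoding on the 0..2 scale: YES=2/NO=0, high=2, medium=1 (default), low=0."""
    flags = [2 if b in base else 0 for b in BASE]
    flags += [2 if s in stages else 0 for s in STAGES]
    crm = [2 if i in high else 0 if i in low else 1 for i in range(1, N_CRM + 1)]
    return flags + crm

def dist(a, b):
    """Euclidean distance between two vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def dbscan(samples, k, m):
    """Label every sample with a cluster index (0, 1, ...) or -1 for noise.
    k is the maximum distance between neighbours; a sample with at least m samples
    within k (itself included, an assumption) is a core point and grows a cluster."""
    n = len(samples)
    near = [[j for j in range(n) if dist(samples[i], samples[j]) <= k] for i in range(n)]
    labels = [None] * n
    cluster = -1
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(near[i]) < m:
            labels[i] = -1               # noise for now; may later become a border point
            continue
        cluster += 1
        labels[i] = cluster
        queue = list(near[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster      # border point: joins the cluster, does not expand it
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(near[j]) >= m:
                queue.extend(near[j])
    return labels

def representatives(samples, labels):
    """Step 3: mean of the full (non-reduced) vectors of every cluster; noise is skipped."""
    reps = {}
    for c in sorted(set(labels) - {-1}):
        members = [s for s, lab in zip(samples, labels) if lab == c]
        reps[c] = [sum(col) / len(members) for col in zip(*members)]
    return reps

def level(v):
    """Map a mean value back to a label (thresholds are an assumption)."""
    return "high" if v >= 1.5 else "medium" if v >= 0.5 else "low"

def recommend(base, stages, reps):
    """Phase 2: compare the 8-element vector of a new business case with the first
    8 elements of each representative; return (cluster, {CRM element: level})."""
    new = make_sample(base, stages)[:8]
    best = min(reps, key=lambda c: dist(new, reps[c][:8]))
    return best, {i + 1: level(v) for i, v in enumerate(reps[best][8:])}

# Constructed samples (not the 23 SLA-Ready use cases): three groups and one outlier.
SAMPLES = [
    make_sample({"AP", "CB", "SD"}, {"Op"}, high=(28, 29, 30)),
    make_sample({"AP", "CB", "SD"}, {"Op"}, high=(3, 28, 29, 30)),
    make_sample({"AP", "CB", "SD"}, {"Op"}, high=(28, 29, 30), low=(12,)),
    make_sample({"AP", "HA"}, {"Acq", "Op"}, high=(26, 27, 28)),
    make_sample({"AP", "HA"}, {"Acq", "Op"}, high=(20, 26, 27, 28)),
    make_sample({"AP", "HA"}, {"Acq", "Op"}, high=(26, 27, 28), low=(12,)),
    make_sample({"AP", "CB"}, {"Op"}, high=(15, 16, 17)),
    make_sample({"AP", "CB"}, {"Op"}, high=(15, 16, 17, 18)),
    make_sample({"AP", "CB"}, {"Op"}, high=(15, 16, 17), low=(11,)),
    make_sample({"DI"}, {"Term"}, high=(8,)),
]

if __name__ == "__main__":
    labels = dbscan(SAMPLES, k=2, m=3)   # same k and m values as quoted in Section 6.2
    reps = representatives(SAMPLES, labels)
    cluster, rec = recommend({"AP", "CB", "SD"}, {"Op"}, reps)
    print("labels:", labels)
    print("cluster:", cluster, "high:", [e for e, lv in rec.items() if lv == "high"])
```

Cluster indices in this sketch follow the order of the constructed samples and do not correspond to clusters #1 to #3 of Figure 14.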
6.4. Recommendation methodology validation: Example 1
In this section we present the example of a company that is starting a new business and
wants a recommendation about the SLA that should be provided to its customers:
This company provides IT services for hospitals and is moving towards providing computational resources for research activities required by hospitals. More specifically, this company provides computational resources for processing genetic based information from patients. The new service is designed in such a way that, depending on the workload, the data is moved between different clouds (public or private), in order to maximize efficiency. The service is also based on previous services that the company has moved to the cloud to save costs and increase performance. The company needs to change the service terms provided to their customers. As a result, a new SLA will have to be offered to its customers. In order to deal with the features of the new service this company is asking for a recommendation on the terms of the SLA to which they should pay more attention.
Following the recommendation methodology described previously, the new service is
analysed according to the requested parameters:
• Base use case (according to ETSI CSC classification). The company is moving
applications to the cloud (base use case: AP). It is also moving computational
resources between different clouds depending on the workload (base use case:
CB). Finally, it is also processing sensitive data, as it deals with genetic information
from patients of hospitals (base use case: SD). Therefore, we can classify the
service as AP, CB and SD.
• Stage of the life cycle. The cloud is used during the operation of the service
offered. As a result, we can classify the service in the operation stage.
Therefore, the sample to process will be the following:
Table 32. Classification of the use case of the example 1
Base use case             | Life cycle stage
AP   CB   SD   DI   HA    | Acq.  Op.   Term.
YES  YES  YES  NO   NO    | NO    YES   NO
After applying Phase 2 of the recommendation methodology, and having the clusters and
representative samples described in Section 6.2 (and depicted in Figure 15), we can assign
this business case to cluster #2. The recommendation on the CRM elements is based on
the representative sample for cluster #2, which gives the following result.
Figure 17. Recommendation results for the use case analysed in example 1 (CRM elements
1 to 30; red: high importance, yellow: medium importance, green: low importance)
We can see from the results obtained that for the given use case the elements 28, 29 and
30 of the CRM are labelled as highly important. This is quite consistent with the
characteristics of the use case analysed, as elements 28, 29 and 30 are related to data
protection and the service to evaluate is focused on the management of sensitive data
(genetic information from patients).
6.5. Recommendation methodology validation: Example 2
The following is the example of a company that wants to move critical operations to the
cloud:
A company wants to support the activities of a rail transport operator with cloud services (for example for incident response management). The target customer is a critical infrastructure provider (the rail transport operator), thus the cloud service must be reliable and with high availability.
Following the recommendation methodology described in Section 6, the new service is analysed according to the requested parameters:
• Base use case (according to ETSI CSC classification). The target of the service is to move the current operations carried by rail transport companies to the cloud. Therefore, we can initially classify it as AP (moving application to the cloud). Furthermore, in this use case there are strict requirements in regard to availability. The cloud services will be used upon a critical infrastructure that requires a high availability in order to properly and quickly manage incidents. As a result, we can classify this service also as HA (High availability).
• Stage of the life cycle: The new service will be used at operation time. However, in this service it is paramount to consider also critical requirements, such as the expected availability or the response time. These considerations make us classify the use case also in the acquisition stage of the life cycle.
Therefore, the sample to process will be the following:
Table 33. Classification of the use case of the example 2

| Base use case: AP | CB | SD | DI | HA | Lifecycle stage: Acq. | Op. | Term. |
|---|---|---|---|---|---|---|---|
| YES | NO | NO | NO | YES | YES | YES | NO |
Applying Phase 2 of the recommendation methodology, and having the clusters and representative samples described in Section 6.2 (and depicted in Figure 18), we end up assigning this business case to cluster #1. The recommendation on the CRM elements is based on the representative sample for cluster #1, which gives the following result.
Figure 18. Recommendation results for the use case analysed in example 2 (importance of CRM elements 1 to 30, colour-coded. Red: high importance. Yellow: medium importance. Green: low importance).
Looking at the results we can see that for the given business case the elements 26, 27 and 28 of the CRM are labelled as highly important. This is quite consistent with the type of business case. Elements 26, 27 and 28 are "Cloud Service Performance SLOs", "Service Reliability SLOs" and "Data Management SLOs", which are indeed very important aspects for a cloud service built for a critical infrastructure as the one in this example 2.
6.6. Summary takeaways
• A novel recommendation methodology based on the CRM has been created to help potential new cloud customers/providers to identify the CRM Elements that are most relevant for their business case.
• The recommendation methodology uses the 23 use cases evaluated in Section 5. It utilizes clustering techniques to find the correlation among the given use cases.
• The result of the clustering technique is a set of use cases grouped in clusters. Every identified cluster has a representative CRM, which includes a specific level of importance (high, medium, low) for every CRM Element.
• The information used to group the use cases is: the base use cases (as defined by the ETSI CSC), the stage of the Cloud Service Life Cycle where the use case operates, and the level of importance identified for every CRM element.
• A high-level description of SME's business cases is used to identify the base use case (as defined by the ETSI CSC) and the stage of the Cloud Service Life Cycle where the SME's business case operates. With that information, the recommendation methodology maps every use case to the clusters discovered during the analysis and provides the corresponding level of importance for every CRM element.
7. Progress on developing the SLA-Readiness Index
The concept of the SLA-Readiness Index, i.e., a high-level metric designed to assess a CSP alignment to the CRM, was first introduced in Deliverable 4.2 within the context of the envisioned SLA Marketplace. The rest of this section reports the development of the SLA-Readiness Index, mostly focused on the CSP assessment criteria designed by the consortium, the quantitative techniques used to perform the computation of the SLA-Readiness Index, and some developed proof of concept examples with real CSP data.
7.1. Motivation for the SLA-Readiness Index
During the early phase of the project and while designing the SLA-Repository (cf., Deliverables 2.1 and 2.2), the consortium realised that in order to provide comprehensive cloud SLA information to (prospective) cloud customers it was necessary to go beyond just offering a "raw" collection of SLAs. Therefore, as reported in D4.3 the SLA-Repository became a collection of cloud SLAs analysed according to the elements defined by the CRM (cf. Section 3). From the feedback received from stakeholders and Advisory Board (cf., D4.4), we concluded that the entries in the SLA-Repository could have become too granular for SMEs just willing to have a quick understanding of the offered CSP SLA before going into all involved details. For this reason, the project has proposed the SLA-Readiness Index: a quantitative metric that could be used by cloud customers, mainly SMEs, to assess at a glance the CSP SLA.
Figure 19. Computing the SLA-Readiness Index.
Figure 19 shows a high-level view of the proposed set of steps needed to compute and make publicly available the SLA-Readiness Index. The following sections present in more detail each one of the steps depicted in Figure 19.
7.1.1. Step 1: CSP SLA self-assessment
During this first stage the CSP is asked to perform the self-assessment of its SLA(s) based on the developed CRM. This initial step has two main goals:
1. Validate the usefulness of the CRM from the CSP perspective
2. Collect real-world SLA data for the SLA-Repository (along with the CSP approval for publishing that information).
In order for the CSP to analyse the CRM in such a way that the resulting information can be used to compute the SLA-Readiness Index, it is necessary to assign a qualitative/interval scale to each CRM element (e.g., a YES/NO answer). This approach has proved its usefulness in the development of cloud security repositories such as CSA STAR [25], where CSPs self-assess the implementation of security controls based on the Consensus Assessment Initiative Questionnaire (i.e., CSA CAIQ [24]).
The SLA-Ready consortium has developed a questionnaire for allowing CSPs to assess their SLAs based on the developed CRM. This questionnaire is shown in Annex B and was used to develop the SLA-Readiness Index. Further details related to the SLA-Ready Index, including the analysis of received CSP answers to the questionnaire, are presented in D4.3.
7.1.2. Step 2: SLA-Repository
Once the CSPs have answered the questionnaire shown in Annex B, then it is feasible to store the received answers in the SLA-Repository for further exploitation. The current version of the repository is a collection of the received CSP questionnaires, although some initial efforts to develop a machine-readable version of the repository have already started by collaborating with projects like H2020 MUSA (footnote 11). In order to support transparency in the cloud market, all CSPs answering the questionnaire have been asked to provide their consent for making their answers publicly available (cf., Annex C). More details related to the SLA-Ready Repository are presented in D4.3.
7.1.3. Step 3: Computing the SLA-Readiness Index
The CSP SLA information collected into the SLA-Repository is structured in a way that allows for its quantitative reasoning; in particular, we refer to its aggregation into a unique quantitative/qualitative level, i.e., the SLA-Readiness Index. At the state of the art, there are some well-known methodologies that can be used to aggregate quantitative/qualitative metrics organised in a hierarchical structure in order to obtain a unique measure.
11 Please refer to http://www.musa-project.eu/. Last accessed on November 2016.
An adequate aggregation technique can be applied to the qualitative data compiled from the CSP questionnaires to result in a numeric SLA-Readiness Index value. The latter is proportional to the amount of positive answers provided by the CSPs to the questionnaire. For example, a CSP replying with more positive (i.e., YES) answers to the CRM will have a higher SLA-Readiness Index than another CSP that replied with more negative answers (i.e., NO). Furthermore, the numeric SLA-Readiness Index can be easily transformed into a qualitative metric where more SME-friendly labels can be associated to the SLAs, e.g., Gold/Silver/Bronze. Section 7.3 further elaborates about the computation of the SLA-Readiness Index, and also presents some proof of concept examples based on real-world information from the SLA-Ready Repository.
7.1.4. Step 4: Using the SLA-Readiness Index
For each CSP entry on the SLA-Ready Repository a unique SLA-Readiness Index can be computed, which can then be used as an entry point to provide more detailed information about the CSP SLA. The SLA-Readiness Index can be deployed (for public access) on the SLA-Ready website (footnote 12) and also on the CSA STAR webpage (e.g., Figure 20).
Figure 20. A CSP entry on CSA STAR - Additional Info
More details associated with publishing and using the SLA-Readiness Index are discussed in D4.3.
12 Please refer to http://www.sla-ready.eu/
7.2. Techniques for the assessment of CSPs
The evaluation of the SLA-Readiness index depends on the assessment techniques that allow one to ascertain (qualitatively or quantitatively) how good or bad a CSP's SLA is with respect to customers' requirements and with respect to the SLAs of other CSPs.
However, there are only very limited techniques available to provide such an SLA assessment. This is indeed, as reported in D2.2, another impediment that customers encounter when they decide to migrate their key applications to the cloud. Notwithstanding, several approaches are emerging aiming to evaluate the functionality and security of CSPs. We briefly outline the state of the art in SLA assessments.
Li et al. [18] focus on performance indicators to compare different CSPs. This approach is based on the active measurement of elastic computing, persistent storage and network services. To this end a set of metrics is created, which are also used to evaluate the impact on the performance of the service.
The QoS of CSPs is evaluated by Garg et al. [19], who use the Analytic Hierarchy Process (AHP) to evaluate performance data and provide a ranking. The technique is based on the Service Measurement Index (SMI) indicator as defined by the Cloud Service Measurement Index Consortium (CSMIC) [29]. The SMI consists of a set of business-relevant Key Performance Indicators (KPIs) that provide a standardized method for measuring and comparing a business service. This methodology uses these KPIs to create a set of metrics that are used to compare the providers. These KPIs are measured through the corresponding metrics by directly monitoring the system. The evaluation of these measurements is done by applying the Analytical Hierarchy Process (AHP) [27], which provides a ranking of the analysed providers.
Several activities are devoted to evaluating SLAs focused on security. Henning [20] is probably the first initiative that introduced the term security in SLAs. Henning defines a set of quantifiable security metrics that can be used to evaluate services.
Although the previous references are interesting approaches to deal with the evaluation of SLAs, the following ones provide a structured methodology based on a quantitative evaluation of the controls that comprise the SLA. Although the aforementioned methodologies for cloud assessment are mainly focused on security controls, they can be easily translated to any set of controls included in an SLA as long as they are quantifiable.
The following figure depicts the three progressive stages driving SLA assessment as:
Figure 21. Stages comprising the quantitative SLA assessment
- Definition of requirements: In this stage both customers' requirements and CSP SLAs are expressed in a set of common elements (for example using the CSA CCM [21]). The most prominent characteristic of these elements is the hierarchical structure used to organize them. For example, a typical hierarchy used to evaluate SLAs is the one that combines the CSA CCM with the ISO/IEC 19086, which results in a three-level tree (categories, groups and SLOs as depicted in Figure 22).
Figure 22. SLA hierarchy combining the CSA CCM and the ISO/IEC 19086
- Quantification. Each element of the previous stage is then quantitatively evaluated. The specific way to evaluate each element of the SLA depends on the concrete methodology but the common denominator for all of them is based on the definition of all the possible service levels for each element. For example, an element of the SLA might be defined in such a way that it can only get two possible values (YES and NO or TRUE and FALSE). In this case the quantification would assign scores to each possible value (i.e., 1 to YES and 0 to NO). In the case of an element with more than one possible value (i.e., the cryptographic key length specified by 128, 256 and 512 bits), the scores would be given in the range of possible values (i.e., {0, 1, 2, 3} for the {128, 256, 512} bits levels of the cryptographic key length example).
- Evaluation. This stage comprises the use of algorithms with the quantified elements of the SLA. The algorithms highly depend on the methodology used but all of them are based on the aggregation of the quantified elements of the SLA along with the hierarchy used to organize the elements of the SLA.
A very relevant evaluation methodology is the one presented by Luna et al. in [22]. This methodology (called Quantitative Policy Trees (QPT)) evaluates and compares security SLAs based on the CAIQ [24] structure and taken from the STAR repository [25]. The methodology is based on scores given to the elements of the SLA hierarchy according to the quantified values. The scores are calculated as the distance of the scores for the quantified level of an element for the CSP and for the customer, weighted with respect to the maximum quantification level for that element. The scores are calculated for every node of the tree and are aggregated towards the higher levels of the hierarchy until a global score is obtained. This methodology also allows basic dependencies to be defined between the lowest nodes of the hierarchy by using AND/OR rules in the aggregation process.
The QPT methodology is closely related to the Reference Evaluation Methodology (REM) [26]. The definition of requirements and the quantification process is very similar to QPT. The main difference is in the evaluation process. In REM the quantification process leads to a set of matrices. The REM uses matrix arithmetic to calculate distances between matrices representing the SLAs of customers' requirements and CSPs.
The newest approach is the Quantitative Hierarchy Process (QHP) presented by Taha et al. in [21]. The proposed framework allows both basic and expert users to express their security requirements according to their expertise and specific needs by using qualitative requirements that can even be expressed in natural language. The quantification process is basically the same as the one used by QPT and REM. The algorithm to evaluate the SLA is based on the AHP for solving Multiple Criteria Decision Making (MCDM) [28] problems. The algorithm is also based on the aggregation of quantified controls all over the hierarchy. The aggregation is done by carrying out a pair-wise comparison between the (quantified) elements of the SLA provided by all the CSPs that are to be compared. The result is a matrix whose Eigenvector is used to obtain the final score. The relevance of this methodology is that the pair-wise comparison can be done at any level of the hierarchy. Thus, the results can be obtained with different levels of granularity, depending on the depth of the analysis that is required. Such an analysis will be discussed further in D2.4.
7.3. Comparative assessment of representative CSPs
This section presents the calculation of the readiness index for several providers with respect to the CRM. The QHP approach was used as the assessment technique to compare CSPs. QHP has been developed in TUDA by the DEEDS group and makes it possible to evaluate the level of security provided by CSPs. With QHP we can compare across the CSPs and also compare against a set of security requirements specified by, for example, a customer. QHP takes as input the security SLA of CSPs, which is then organized in a hierarchical structure. QHP has also been chosen as it makes it possible to evaluate the CSPs at different levels of granularity: partial scores can be obtained at different levels of the CRM hierarchy. We have adapted QHP to use the CRM as input. Figure 23 depicts the levels used for the analysis when using the CRM.
Figure 23. Evaluation done to get the readiness index at different levels in the CRM hierarchy
We have performed two evaluations. Each evaluation uses different information to calculate the readiness index:
• Evaluation of surveyed CSPs. In this case, the input has been taken from the answers given by several CSPs to the survey included in Annex B. This survey shows the compliance of every CSP with respect to every element of the CRM. We have used a simplified version of the CRM where the element level is the lowest layer of the CRM hierarchy. We have done it to make CSPs' life easier when answering the survey, answering 30 questions (30 elements of the CRM as listed in Table 2) instead of answering 70 questions (elements and technical components).
• Evaluation of self-assessed CSPs. We have compared the CRM with respect to the information from CSPs that is publicly available (for example published in their respective web sites) and information taken from SLA repositories (such as the CSA STAR repository [25]). In this case, we have used the complete hierarchy, considering also the components that are under the SLO & Metric element.
7.3.1. Evaluation of surveyed CSPs based on the CRM
Table 34 shows the answers of five CSPs for the survey shown in Annex B. The values of the answers are taken from the column "CSP self-assessment" of the survey. For example, a number "2" in the CRM element "Findable" means that the SLA is findable using an internal search engine while a "0" means that the SLA is not available in the web site of the CSP. We have used that information to apply the QHP methodology to compare them.
Table 34. Answers of the surveyed CSPs
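
| Group | Name of CRM element | CSP1 | CSP2 | CSP3 | CSP4 | CSP5 |
|---|---|---|---|---|---|---|
| General (GR) | SLA URL | 0 | 0 | 0 | 1 | 0 |
| General (GR) | Findable | 2 | 0 | 0 | 0 | 1 |
| General (GR) | Choice of law | 1 | 0 | 1 | 1 | 0 |
| General (GR) | Roles and responsibilities | 1 | 1 | 1 | 0 | 1 |
| General (GR) | Cloud SLA definitions | 1 | 1 | 1 | 1 | 1 |
| Freshness (FR) | Revision date | 1 | 1 | 0 | 1 | 1 |
| Freshness (FR) | Update Frequency | 1 | 1 | 0 | 1 | 0 |
| Freshness (FR) | Previous versions and revisions | 0 | 0 | 0 | 1 | 0 |
| Freshness (FR) | SLA duration | 1 | 0 | 1 | 0 | 1 |
| Readability (RE) | SLA language | 1 | 0 | 0 | 0 | 0 |
| Readability (RE) | Machine-readable format | 1 | 0 | 0 | 0 | 0 |
| Readability (RE) | Nr. of pages | 0 | >1 | >1 | >1 | 1 |
| Support (SU) | Contact details | 1 | 1 | 1 | 0 | 1 |
| Support (SU) | Contact availability | 1 | 1 | 1 | 0 | 1 |
| Credits (CR) | Service Credit | 1 | 1 | 1 | 0 | 1 |
| Credits (CR) | Service credits assignment | 1 | 1 | 0 | 0 | 1 |
| Credits (CR) | Maximum service credits (Euro amount) provided by the CSP | 1 | 1 | 0 | 0 | 1 |
| Changes (CH) | SLA change notifications | 1 | 1 | 0 | 0 | 0 |
| Changes (CH) | Unilateral change | 1 | 0 | 1 | 0 | 0 |
| Reporting (REP) | Service Levels reporting | 0 | 1 | 1 | 1 | 1 |
| Reporting (REP) | Service Levels continuous reporting | 0 | 1 | 0 | 0 | 0 |
| Reporting (REP) | Feasibility of specials & customisations | 1 | 1 | 0 | 0 | 1 |
| Reporting (REP) | General Carveouts | 1 | 1 | 0 | 1 | 1 |
| SLOs & Metrics (SL) | Specified SLO metrics | 0 | 1 | 1 | 1 | 1 |
| SLOs & Metrics (SL) | General SLOs | 1 | 1 | 1 | 1 | 1 |
| SLOs & Metrics (SL) | Cloud Service Performance SLOs | 1 | 1 | 1 | 1 | 1 |
| SLOs & Metrics (SL) | Service Reliability SLOs | 1 | 1 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | Data Management SLOs | 0 | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | Security SLOs | 0 | 1 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | Personal Data Protection SLOs | 1 | 0 | 0 | 0 | 0 |
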
The results are shown in Figure 24 and Figure 25. Figure 24 represents the comparison of the five surveyed CSPs at the higher level of the CRM hierarchy. This is the global score of every CSP with respect to the complete CRM. We can see that, compared with the rest of the evaluated CSPs, CSP1 is the best one, followed by CSP2 and CSP5. Of course, this is an aggregated evaluation and does not mean that CSP1 is better than the rest of the providers with regard to every element of the CRM. To be able to get a detailed analysis we have to go lower in the CRM hierarchy and evaluate the CSPs at the group level. QHP allows us to do such deeper analysis.
Figure 24. Comparison of surveyed CSPs: readiness index global score
Figure 25 represents the comparison of the surveyed CSPs at the group level of the CRM. As we can see CSP1 is especially good in the "Readability" (RE) and in the "Changes" (CH) groups. CSP4 provides detailed information about general aspects of the SLA and especially in what regards the "Freshness" (FR) group (which is the specification of changes and updates of the SLA). Finally, it is worth mentioning how CSP2 stands out in "Reporting" (REP) features.
Figure 25. Comparison of surveyed CSPs at group level
As it has been already pointed out, these results are comparisons between the providers used in the evaluation. The results obtained are not absolute but relative with respect to the rest of the providers evaluated.
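The group-level comparison described above can be sketched as follows. This is an added example, not the QHP implementation used in the report: it takes the Table 34 answers for three groups (FR, CH, REP), builds an AHP-style pair-wise matrix per element, and aggregates the principal eigenvectors. The +1 shift of the answer levels and the equal weights are assumptions made here.

```python
"""Relative, AHP-style scoring of CSP questionnaire answers (added example)."""

CSPS = ["CSP1", "CSP2", "CSP3", "CSP4", "CSP5"]

# Answers copied from Table 34 for three CRM groups (columns CSP1..CSP5).
ANSWERS = {
    "FR": {
        "Revision date": [1, 1, 0, 1, 1],
        "Update Frequency": [1, 1, 0, 1, 0],
        "Previous versions and revisions": [0, 0, 0, 1, 0],
        "SLA duration": [1, 0, 1, 0, 1],
    },
    "CH": {
        "SLA change notifications": [1, 1, 0, 0, 0],
        "Unilateral change": [1, 0, 1, 0, 0],
    },
    "REP": {
        "Service Levels reporting": [0, 1, 1, 1, 1],
        "Service Levels continuous reporting": [0, 1, 0, 0, 0],
        "Feasibility of specials & customisations": [1, 1, 0, 0, 1],
        "General Carveouts": [1, 1, 0, 1, 1],
    },
}


def pairwise_matrix(levels):
    """Comparison matrix: entry [i][j] is the level of CSP i relative to CSP j."""
    # Assumption: shift every level by +1 so that a 0 answer never divides by zero.
    shifted = [v + 1 for v in levels]
    return [[a / b for b in shifted] for a in shifted]


def principal_eigenvector(matrix, iterations=50):
    """Power iteration; returns the dominant eigenvector normalised to sum 1."""
    n = len(matrix)
    vec = [1.0 / n] * n
    for _ in range(iterations):
        nxt = [sum(row[j] * vec[j] for j in range(n)) for row in matrix]
        total = sum(nxt)
        vec = [x / total for x in nxt]
    return vec


def element_priorities(levels):
    """Relative priority of each CSP for one CRM element."""
    return principal_eigenvector(pairwise_matrix(levels))


def aggregate(vectors, weights=None):
    """Weighted sum of priority vectors; equal weights are assumed by default."""
    if weights is None:
        weights = [1.0 / len(vectors)] * len(vectors)
    size = len(vectors[0])
    return [sum(w * v[i] for w, v in zip(weights, vectors)) for i in range(size)]


def group_scores(answers=ANSWERS):
    """One relative score per CSP for every group (element level aggregated up)."""
    return {
        group: aggregate([element_priorities(lv) for lv in elements.values()])
        for group, elements in answers.items()
    }


def global_scores(answers=ANSWERS):
    """One relative score per CSP over all supplied groups."""
    return aggregate(list(group_scores(answers).values()))


def best(scores):
    """Name of the CSP with the highest score."""
    return CSPS[max(range(len(scores)), key=scores.__getitem__)]


if __name__ == "__main__":
    for group, scores in group_scores().items():
        print(group, [round(s, 3) for s in scores], "best:", best(scores))
    print("global", [round(s, 3) for s in global_scores()])
```

Every score vector sums to 1, so a value only says how a CSP stands relative to the other four in the comparison. Adding or removing a provider changes all the scores.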
7.3.2. Evaluation of self-assessed CSPs based on the CRM
Table 35 shows the information for the CRM extracted for four self-assessed CSPs (as based on the information taken from the STAR repository and their respective web sites). Additionally, this evaluation includes values for the components that are part of the SLO & Metrics group, being "1" when the component appears in the SLA of the CSP and "0" when it does not.
Table 35. Answers of the self-assessed CSPs
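
| Group | Item | Name of CRM element/components | CSP6 | CSP7 | CSP8 | CSP9 |
|---|---|---|---|---|---|---|
| General (GE) | 1 | SLA URL | 2 | 1 | 2 | 0 |
| General (GE) | 2 | Findable | 1 | 1 | 1 | 0 |
| General (GE) | 3 | Choice of law | 0 | 0 | 0 | 0 |
| General (GE) | 4 | Roles and responsibilities | 0 | 0 | 0 | 0 |
| General (GE) | 5 | Cloud SLA definitions | 1 | 1 | 1 | 0 |
| Freshness (FE) | 6 | Revision date | 1 | 1 | 1 | 1 |
| Freshness (FE) | 7 | Update Frequency | 2 | 1 | 2 | 2 |
| Freshness (FE) | 8 | Previous versions and revisions | 0 | 0 | 0 | 0 |
| Freshness (FE) | 9 | SLA duration | 1 | 0 | 0 | 1 |
| Readability (RE) | 10 | SLA language | 1 | 1 | 1 | 0 |
| Readability (RE) | 11 | Machine-readable format | 0 | 0 | 0 | 0 |
| Readability (RE) | 12 | Nr. of pages | 1 | 1 | 1 | 0 |
| Support (SU) | 13 | Contact details | 1 | 1 | 1 | 1 |
| Support (SU) | 14 | Contact availability | 0 | 0 | 0 | 0 |
| Credits (CR) | 15 | Service Credit | 0 | 0 | 0 | 0 |
| Credits (CR) | 16 | Service credits assignment | 0 | 0 | 0 | 0 |
| Credits (CR) | 17 | Maximum service credits (Euro amount) provided by the CSP | 0 | 0 | 0 | 0 |
| Changes (CH) | 18 | SLA change notifications | 0 | 0 | 0 | 0 |
| Changes (CH) | 19 | Unilateral change | 0 | 0 | 0 | 0 |
| Reporting (REP) | 20 | Service Levels reporting | 0 | 0 | 0 | 0 |
| Reporting (REP) | 21 | Service Levels continuous reporting | 0 | 0 | 0 | 0 |
| Reporting (REP) | 22 | Feasibility of specials & customisations | 0 | 0 | 0 | 0 |
| Reporting (REP) | 23 | General Carveouts | 1 | 1 | 1 | 1 |
| SLOs & Metrics (SL) | 24 | Specified SLO metrics (SM) | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 25 | General SLOs (GR): Service monitoring | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 26 | General SLOs (GR): Accessibility | 0 | 1 | 0 | 1 |
| SLOs & Metrics (SL) | 27 | General SLOs (GR): Availability | 0 | 1 | 0 | 1 |
| SLOs & Metrics (SL) | 28 | General SLOs (GR): Termination of service | 0 | 1 | 0 | 1 |
| SLOs & Metrics (SL) | 29 | General SLOs (GR): Cloud Service Support | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 30 | General SLOs (GR): Governance | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 31 | General SLOs (GR): Attestations, certifications and audits | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 32 | Cloud Service Performance SLOs (CP): Response time | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 33 | Cloud Service Performance SLOs (CP): Capacity | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 34 | Cloud Service Performance SLOs (CP): Elasticity | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 35 | Service Reliability SLOs (SR): Service Resilience | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 36 | Service Reliability SLOs (SR): Customer data backup/restore | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 37 | Service Reliability SLOs (SR): Disaster Recovery | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 38 | Data Management SLOs (DM): IPR | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 39 | Data Management SLOs (DM): Cloud Service Customer Data | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 40 | Data Management SLOs (DM): Cloud Service Provider Data | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 41 | Data Management SLOs (DM): Account Data | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 42 | Data Management SLOs (DM): Derived Data | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 43 | Data Management SLOs (DM): Data portability | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 44 | Data Management SLOs (DM): Data deletion | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 45 | Data Management SLOs (DM): Data location | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 46 | Data Management SLOs (DM): Data examination | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 47 | Data Management SLOs (DM): Law Enforcement Access | 0 | 0 | 0 | 1 |
| SLOs & Metrics (SL) | 48 | Security SLOs (Sec): Organization of Information Security | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 49 | Security SLOs (Sec): Human Resources Security | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 50 | Security SLOs (Sec): Asset Management | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 51 | Security SLOs (Sec): Access Control | 0 | 1 | 1 | 1 |
| SLOs & Metrics (SL) | 52 | Security SLOs (Sec): Cryptography | 0 | 1 | 1 | 0 |
| SLOs & Metrics (SL) | 53 | Security SLOs (Sec): Physical and Environmental Security | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 54 | Security SLOs (Sec): Operations Security | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 55 | Security SLOs (Sec): Communications Security | 0 | 1 | 1 | 0 |
| SLOs & Metrics (SL) | 56 | Security SLOs (Sec): Systems Acquisition, Development and Maintenance | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 57 | Security SLOs (Sec): Supplier Relationships | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 58 | Security SLOs (Sec): Information Security Incident Management | 0 | 1 | 1 | 0 |
| SLOs & Metrics (SL) | 59 | Security SLOs (Sec): Business Continuity Management | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 60 | Security SLOs (Sec): Compliance | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 61 | Personal Data Protection SLOs (PDP): Consent and choice | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 62 | Personal Data Protection SLOs (PDP): Purpose legitimacy and specification | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 63 | Personal Data Protection SLOs (PDP): Collection limitation | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 64 | Personal Data Protection SLOs (PDP): Data minimization | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 65 | Personal Data Protection SLOs (PDP): Use, retention and disclosure limitation | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 66 | Personal Data Protection SLOs (PDP): Accuracy and quality | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 67 | Personal Data Protection SLOs (PDP): Openness, transparency and notice | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 68 | Personal Data Protection SLOs (PDP): Individual participation and access | 0 | 1 | 0 | 0 |
| SLOs & Metrics (SL) | 69 | Personal Data Protection SLOs (PDP): Accountability | 0 | 0 | 0 | 0 |
| SLOs & Metrics (SL) | 70 | Personal Data Protection SLOs (PDP): Privacy compliance | 0 | 1 | 0 | 0 |
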
Figure 26 represents the readiness index of the SLAs for the four self-assessed CSPs given the global score at the highest level of the CRM. As we can see, this time it is CSP7 that stands out over CSP8 and CSP6 in this order. Far behind them is CSP9. Again, this provides just a global score and does not allow us to know how well or badly these providers behave for every group of the CRM.
Figure 26. Comparison of self-assessed CSPs: readiness index given the global score
To obtain a more detailed comparison we have carried out a comparison of these four providers at the group level. The results are depicted in Figure 27. In general, the four CSPs behave quite similarly in most of the groups. Just CSP7 stands out in the specification of SLOs and Metrics (SL). We can also see in Figure 27 the reason for the low global score of CSP9 as it does not provide information about 4 out of the 8 groups evaluated. Furthermore, it is worth noticing that the groups "Credits" (CR) and "Changes" (CH) are giving a score of 0 for all the CSPs. The reason is that they are not detailing such information in the self-assessment report stored in the STAR repository and no further details are given in the public information that can be extracted from their web sites (or at least we have not been able to find it).
Figure 27. Comparison of self-assessed CSPs at the group level
A deeper analysis of the SLO & Metric group explains the high score of CSP7 and the low score of CSP6 for that group. Figure 28 represents the scores of the four providers in the SLO & Metric group. This analysis takes into consideration the values of every component at the lowest level of the hierarchy. We can see that only CSP7 details information about 5 out of the 7 elements of the SLO & Metrics group. This explains the high score that CSP7 has for this group in Figure 27. We can also see that CSP8 is only providing values for Security SLOs (as can be seen in Table 35).
Figure 28. Comparison of self-assessed CSPs at the "SLO & Metrics" group level
As a result, the evaluation methodologies, such as QHP, combined with the SLA-Ready CRM provide a powerful tool not only to evaluate and compare CSPs, but also to discover the aspects in which the respective CSPs are stronger or weaker than others. For example, this offers an opportunity for CSPs to know in what aspects to improve.
7.4. Summary takeaways
• The CRM, as added value, can additionally be used to compare across the CSPs or to compare the CSPs against customers' requirements. This can be done by calculating the SLA-Readiness index.
• The SLA-Readiness index can be obtained by using different types of input. In SLA-Ready we have used: (i) information taken from CSPs that answered a survey based on the CRM (see Annex B) or (ii) public information (available in Web sites or SLA repositories) that has been mapped to the CRM.
• The SLA-Readiness index is obtained by applying an assessment methodology developed by TUDA: The Quantitative Hierarchy Process (QHP).
• QHP makes it possible to perform comparisons at any level of the CRM hierarchy, depending on the level of granularity requested.
8. Conclusions
This report describes and validates the SLA-Ready's Common Reference Model based on the analysis of the requirements elicited in D2.1 and D2.2 and on the initial analysis done in D2.3. D2.4 reports a comprehensive analysis of different domains (standards, industry) with respect to the CRM.
From the analysis of the standardization domain we have updated the evaluation of the standards and best practices analysed in D2.3. Furthermore, we have extended the evaluation by adding two additional best practices taken from the SLALOM project. The outcome of this assessment is that most of the standards provide a good coverage of the technical elements of the CRM (namely SLOs for security, privacy and performance). However, the coverage of categories such as general and economic aspects is quite limited. Only the ETSI Cloud SLA template has a better coverage of non-technical aspects. The SLALOM specification for SLAs is also mainly focused on technical aspects. On the contrary, the SLALOM specification for contracts is mainly focused on legal and administrative aspects, while technical aspects are avoided.
For the analysis of the industrial domain, we have extended the evaluation of the CRM with additional 19 use cases from different domains and extended the 4 use cases studied in D2.3. We have also extended the template to evaluate use cases with information about the level of expertise required by the CSPs to implement such use case and the stage of the life cycle where the use cases are applied.
We have used this additional information to propose a recommendation methodology based on the CRM that uses machine learning techniques. The recommendation methodology receives as input a high-level description of a business case (such as the type of cloud service provided and the stage of the life cycle) and returns information about the level of importance of every CRM element, which will be the most suitable one for the characteristics of the business case.
Finally, we have also proposed a technique to obtain the readiness index of SLAs by evaluating the SLAs of several CSPs with respect to the CRM. On the one side, we have analysed more than 100 CSPs with the information that is publicly available. On the other side, we have received surveys from several CSPs which have self-assessed their SLAs with respect to the CRM. We have used that information to compare (by using cloud assessment methodologies) several CSPs in terms of the CRM.
The outcomes of the validation of the CRM carried out in D2.4 can be used to leverage the creation of tools that integrate the calculation of the readiness index and the recommendation methodology.
References
[1] Cloud Standards Customer Council. Practical Guide to Cloud Service Agreements – Version 2.0. [Online]. Available: http://www.cloud-council.org/deliverables/CSCC-Practical-Guide-to-Cloud-Service-Agreements.pdf, 2015.
[2] CSIG – Cloud Service Level Agreement Standardisation Guidelines. [Online]. Available: https://ec.europa.eu/digital-single-market/en/news/cloud-service-level-agreement-standardisation-guidelines, 2014.
[3] European Commission, "Standards terms and performance criteria in service level agreements for cloud computing services", [Online]. Available: https://ec.europa.eu/digital-single-market/en/news/study-report-standards-terms-and-performances-criteria-service-level-agreements-cloud-computing, 2015.
[4] ETSI, TR. 103125 V1.1.1: "CLOUD." SLAs for Cloud services (2012).
[5] International Organization for Standardization (ISO/IEC), "ISO/IEC 19086, Information Technology – cloud computing – Service level agreement (SLA) framework and terminology (Draft)," 2014.
[6] ETSI. "Cloud Standards Coordination. Final Report". 2013. [Online]. Available: http://csc.etsi.org/resources/CSC-Phase-1/CSC-Deliverable-008-Final_Report-V1_0.pdf. 2013.
[7] ENISA. "Security Framework for Governmental Clouds". [Online]. Available: https://www.enisa.europa.eu/publications/security-framework-for-governmental-clouds, 2015.
[8] Riigi Infosüsteemi Amet. "Estonian Security System Overview". [Online]. Available: https://www.ria.ee/public/ISKE/ISKE_english_2012.pdf. 2016.
[9] ENISA. "Cloud Security Guide for SMEs". [Online]. Available: https://www.enisa.europa.eu/publications/cloud-security-guide-for-smes, 2015.
[10] Ester, Martin, Hans-Peter Kriegel, Jörg Sander, and Xiaowei Xu. "A density-based algorithm for discovering clusters in large spatial databases with noise." In Kdd, vol. 96, no. 34, pp. 226-231. 1996.
[11] MacQueen, James. "Some methods for classification and analysis of multivariate observations." In Proceedings of the fifth Berkeley symposium on mathematical statistics and probability, vol. 1, no. 14, pp. 281-297. 1967.
[12] Johnson, Stephen C. "Hierarchical clustering schemes." Psychometrika 32, no. 3, 241-254. 1967.
[13] Wang, Wei, Jiong Yang, and Richard Muntz. "STING: A statistical information grid approach to spatial data mining." In VLDB, vol. 97, pp. 186-195. 1997.
[14] Fraley, Chris, and Adrian E. Raftery. "MCLUST: Software for model-based cluster analysis." Journal of Classification 16, no. 2: 297-306. 1999.
[15] Tung, Anthony KH, Jiawei Han, Laks VS Lakshmanan, and Raymond T. Ng. "Constraint-based clustering in large databases." In International Conference on Database Theory, pp. 405-419. Springer Berlin Heidelberg, 2001.
[16] Saul, Lawrence K., Kilian Q. Weinberger, Jihun H. Ham, Fei Sha, and Daniel D. Lee. "Spectral methods for dimensionality reduction," Semisupervised learning: 293-308. 2006.
[17] Jolliffe, Ian. Principal component analysis. John Wiley & Sons, Ltd, 2002.
[18] A. Li, X. Yang, S. Kandula, and M. Zhang, "Cloudcmp: Comparing public cloud providers," IEEE Internet Computing, vol. 15, no. 2, pp. 50-53, March/April 2011, doi:10.1109/MIC.2011.36.
[19] S. K. Garg, S. Versteeg, and R. Buyya, "SMICloud: A framework for comparing and ranking cloud services," In Utility and Cloud Computing (UCC), 2011 Fourth IEEE International Conference on, pp. 210-218. IEEE, 2011.
[20] R. Henning, "Security SLAs: Quantifiable security for the enterprise?" in Proc. ACM Workshop New Security Paradigms, 1999, pp. 54–60.
[21] Cloud Security Alliance. Cloud controls matrix v3. [Online]. Available: https://cloudsecurityalliance.org/research/ccm/, 2015.
[22] A. Taha, R. Trapero, J. Luna, and N. Suri, "AHP-based quantitative approach for assessing and comparing cloud security," in Proc. IEEE Conference Trust, Security Privacy in Computing Communications, 2014, pp. 284–291.
[23] J. Luna, R. Langenberg, and N. Suri, "Benchmarking cloud security level agreements using quantitative policy trees," in Proc. ACM Cloud Computing Security Workshop, 2012, pp. 103–112.
[24] Cloud Security Alliance, "Consensus Assessments Initiative (CAI) Questionnaire," 2012. [Online]. Available: https://cloudsecurityalliance.org/research/initiatives/consensus-assessments-initiative/, 2011.
[25] Cloud Security Alliance, "The security, trust & Assurance registry (STAR)". [Online]. Available: https://cloudsecurityalliance.org/star/, 2012.
[26] V. Casola, R. Preziosi, M. Rak, and L. Troiano, "A reference model for security level evaluation: Policy and fuzzy techniques," J. Universal Computing Science, vol. 11, no. 1, pp. 150–174, 2005.
[27] T. Saaty, "How to make a decision: The analytic hierarchy process," Eur. J. Operational Res., vol. 48, pp. 9–26, 1990.
[28] M. Zeleny, Multiple Criteria Decision Making. New York, NY, USA: McGraw Hill, 1982.
[29] C.S.M.I.C. (CSMIC), "SMI Framework," [Online]. Available: http://betawww.cloudcommons.com/servicemeasurementindex.
[30] EU H2020 SLALOM, "SLA Specification and Reference Model". Online: http://www.slalom-project.eu 2016
[31] EU H2020 SLALOM, "Model contract for Cloud Computing". Online: http://www.slalom-project.eu 2016
[32] Cloud Computing Use Case Discussion Group. "Cloud Computing Use Cases White Paper". [Online]. Available: http://www.cloud-council.org/Cloud_Computing_Use_Cases_Whitepaper-4_0.pdf
Page108D2.4ACommonReferenceModeltodescribe,promoteandsupporttheuptakeofSLAs–Finalreport
Annex A. Use Cases list (ETSI CSC)

Cloud Service life-cycle phase (D2.2) | High-level Use Cases | UC Title | UC Short Description | Actors (13)
Acquisition | Setup Cloud Service | Create Service Template | A cloud service developer creates a template of a service that may later be used to create an instance of a service. | CSP, Cloud Service Partner
Acquisition | Setup Cloud Service | Create Service Offering | The lifecycle of a new service offering is initiated and publicized for potential subsequent: • Advertisement • Contract assignment • Provisioning • Monitoring • Update • Consumption • Deletion | CSP
Acquisition | Setup Cloud Service | Build Application and Package | Developer builds an application and packages it for deployment on a cloud | CSP, Cloud Service Partner
Acquisition | Setup Cloud Service | Build Application in Cloud and Optionally Package | Develop an application and optionally package it using an application development environment on the cloud. | CSP, Cloud Service Partner

(13) One or more of Cloud Service Provider (CSP), Cloud Service Customer (CSC) or Cloud Service Partner.
Acquisition | Setup Cloud Service | Cloud developer makes application available from cloud infrastructure | ISV or application developer makes their application available as a service, by deploying the application on IaaS infrastructure of a cloud service provider | CSP, Cloud Service Partner
Acquisition | Setup Cloud Service | Deploy application to a PaaS cloud service | Application developer must prepare the application components and associated metadata and enable deployment to the PaaS platform offered by the cloud service provider | CSP, Cloud Service Partner
Acquisition | Setup Cloud Service | Automate deployment of test environments for applications | Application developer needs to test an application to determine the cause of a problem; this requires the deployment of the application in an environment that matches the environment in which the problem was experienced | Cloud Service Partner
Acquisition | Setup Cloud Service | IDE driven cloud development, deployment and operation | The IDE driven cloud development, deployment and operation Use Case is based on the creation of new value-added services and how business processes are implemented and adapted to be deployed on the cloud. New services by SMEs have to be easily implemented and adapted for benefiting from the advantages of the cloud. For developing the Value-Added Service, the Service Developer uses the OPTIMIS Programming Model and IDE for assisting him/her to make an efficient implementation for the cloud. During this process, the Service Developer implements the service, focusing on the business logic of the service without worrying about the cloud issues, and as result of this implementation, he/she obtains the Service Manifest and Service Images required for deploying the service in the cloud. This information is provided to the Service Provider which uses the OPTIMIS toolkit to select the most appropriate Infrastructure Provider to deploy the service. Once the Value-added Service is deployed, the final users of the service can invoke the service, accessing directly to the deployed service VMs as another standard web service. | CSP, Cloud Service Partner
Acquisition | Setup Cloud Service | Okeanos (GRNET) | Okeanos is an open-source IaaS cloud software for the deployment of cloud services. The software is modular, comprising a number of components that can be deployed and exploited independently. Access to the services is through an intuitive user-friendly web interface and command line tools. It is currently being tested with beta release expected in spring 2013. Programmatically, it offers a set of documented proprietary REST APIs and standard APIs like OpenStack Compute (Nova) and OpenStack Object Storage (swift compliant). | CSP, Cloud Service Partner
Acquisition | Setup Cloud Service | Finnish Cloud Software Programme (national cloud strategy) | It creates a new ecosystem that focuses on the most profitable cloud services for sustainable development while ensuring information security. The programme has applied the agile development methods of the software industry in collaboration with companies and research institutions. Client-centric approaches enable the rapid creation of added value services and flexible models of operation. The programme also proposes a set of "standard contract clauses", which can be offered for voluntary adoption for cloud service providers and customers and completed after risk analysis. | CSP, Cloud Service Partner
Acquisition | Setup Cloud Service | EGI Federated Cloud Task Force | Develop a ‘blueprint’ for EGI resource centres wishing to securely federate and share their local virtualised environments externally with collaborators as part of the production infrastructure. Ongoing efforts are centred around nine core capabilities required of a future EGI federated cloud. Implement interoperability across different cloud platforms. The core capabilities are virtual machine management, storage/data management, information discovery, accounting, monitoring, notification, federated authentication & authorisation infrastructure, virtual machine image sharing, brokering. The capabilities are currently implemented or being tested through resource provider test cases to cover all the necessary functionalities. EGI's Cloud Infrastructure Platform is based on the use of technical standards defining the interfaces and exchange points between the services exposed to the public. The following cloud related standards are of key importance: OCCI as the universal and extensible interface description for the provisioning of virtualised computing resources; CDMI for describing the access interface to generic cloud storage resources (both block and object storage resources) and OVF as a declarative language for pre-packaged virtual server images and necessary contextualisation information. Several complementary standards are used to integrate with EGI's Core Infrastructure Platform: X.509v3-based federated authentication is used for safe and secure identification for services and end users; the Usage Resource is extensively used to account for resource usage (virtualised compute resources). The emerging TOSCA language is of interest for extending OVF with a richer deployment language across all cloud deployment levels (IaaS, PaaS, SaaS). | CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | End User to Cloud | Applications running on the cloud and accessed by end users | CSC, CSP
Acquisition | Prepare & Procure Service | Enterprise to customer and employee | Applications running in the public cloud and accessed by employees and customers | CSC, CSP
Acquisition | Prepare & Procure Service | Enterprise to Cloud | Cloud applications integrated with internal IT capabilities | CSC, CSP
Acquisition | Prepare & Procure Service | Enterprise to Cloud to Enterprise | Cloud applications running in the public cloud and interoperating with partner applications (supply chain) | CSC, CSP
Acquisition | Prepare & Procure Service | Private Cloud | A cloud hosted by an organization inside that organization’s firewall. | CSC, CSP
Acquisition | Prepare & Procure Service | Broker coordinated Hybrid Cloud | Multiple clouds work together, coordinated by a cloud broker that federates data, applications, user identity, security and other details. | CSC, CSP
Acquisition | Prepare & Procure Service | Desktop as a Service | End users access the enterprise applications and data hosted in virtual desktops which are created within a DaaS server. The sales staff also can view customer information and marketing records on the enterprise website. The DaaS server interacts with traditional enterprise IT facilities to achieve many control tasks, for instance, authentication via AD enterprise server. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Virtual desktop pool | Virtual desktop pool supports the distributed deployment model with the dynamic stretching of resources to consolidate queuing resource and desktop resources. Unified phone call dispatching and delivery and maintenance of the desktop can be achieved in an intensive way. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Mobile Cloud Apps development & deployment | A mobile cloud application can be developed by service partners, or by the cloud provider, or by third-party service provider and can be stored in a marketplace. The mobile cloud application sends processing tasks to the cloud and stores data in the cloud, and receives results generated by the resources from the cloud, including computing resources and storage sources. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Telco uses Cloud for data analytics | Large-scale telecom operators generate a lot of information in the normal course of running their communication networks. Typical data comprises Call Data Records (CDR) and Internet-surfing data records (IDR). In addition, the network also generates various signalling data between switches and nodes. We need all the data to complete the telecom services and bill customers. At the same time, we also need them to analyse and predict user behaviour, optimize network QoS, filter spam messages, and so forth. Because of the limitations of the current system, the parallel data inquiry and mining tool, set on the cloud distributed parallel processing systems could be a better solution and achieve massive scalability and high-speed processing. | CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | SLA mapping between ISB (inter-cloud service broker) and CSP | CSP-ISB is the contact point for CSU, and there is SLA (SLA0) between them. CSP-ISB integrates services from multiple CSPs, for instance, storage service from CSP-1 and computing service from CSP-2. There are B2B level SLA between CSP-ISB and CSP-1, CSP-2 respectively (SLA1, SLA2). For CSP-ISB, in order to guarantee SLA0 for CSU, it needs to map SLA0 to SLA1 and SLA2, because SLA0 is actually implemented by SLA1 and SLA2. | CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Contracting guaranteed performance regarding delay | CSP-ISB is the contact point for Cloud Service User (CSU), and there is SLA (SLA0) between them. CSP-ISB integrates services from multiple CSPs, for instance, storage service from CSP-1 and computing service from CSP-2. There are B2B level SLA between CSP-ISB and CSP-1, CSP-2 | CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Citizen centric one-stop service | The e-application service provided by City A has been pre-arranged to allow interaction with other provider’s services (e.g., family registry management service in a municipality cloud, passport management service of the national government, etc.) by negotiating the methods for coordinating ID information and security measures. A citizen in City A applies for his or her passport using the relevant e-application service provided by the municipality A. When he or she has entered required information, such as his or her identity information, the input data is transferred to other cloud system’s services (e.g., family registry management service, passport management service, etc.) to authenticate, sharing user ID information entered for application, then information acquisition and inquiry take place. The results of the interacted services are provided to the consumer. Thus, the consumer can receive a one-stop service, which enhances his/her convenience. | CSC, CSP
Acquisition | Prepare & Procure Service | Market transactions via brokers | When a consumer wants to use services provided by cloud systems, he or she needs to compare his or her quality requirements for the services with the SLAs of multiple providers, and to select the most appropriate provider. For this purpose, the consumer provides Broker A with information about his or her quality requirements for services. By receiving information provided by Broker A, that Provider B provides an SLA that best meets the quality requirements of consumer, consumer can use services with best fit to his or her quality requirement. The consumer selects a cloud provider included in the provider list provided by broker, and contracts with Provider B. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Establish Relationship | A potential consumer of a cloud-based service establishes their identity with a cloud service provider for use in future transactions. | CSC, CSP
Acquisition | Prepare & Procure Service | Administer Relationship | A potential consumer of a cloud-based service requests administration of a contract. Administration is distinguished from changing a service because administration does not affect the technical delivery of a service. Usually, contract administration involves actions like adding new users or changing user passwords that are associated with an umbrella contract (usually called the "relationship"), not a contract for a specific service. | CSC, CSP
Acquisition | Prepare & Procure Service | Establish Service Contract | A potential consumer of a cloud-based service requests a service contract for a cloud-based service. | CSC, CSP
Acquisition | Prepare & Procure Service | Update Service Contract | A consumer of a cloud service contract and a provider of a cloud service contract agree to update the contract. | CSC, CSP
Acquisition | Prepare & Procure Service | Add Subscriber | The consumer enters into a business relationship with the provider to enable it to use an agreed to set a cloud service. |
Acquisition | Prepare & Procure Service | Create cloud application with components that run on multiple clouds | An organization chooses to develop a cloud application with components that run on multiple clouds simultaneously. | CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Customers can "shop around" for cloud services | Customers and developers shop across hosted or public cloud searching for services offering adequate price and the desired level of non-functional properties like performance, security, availability, expressed via Service Level Agreements (SLAs)/certificates. | CSC
Acquisition | Prepare & Procure Service | Material Distribution to Agents | A global insurance company named "ABC" uses manuals and videos to teach the company’s agents and affiliates about their new life insurance product. The company distributes the educational materials through the company’s PDAs assigned to every agent considering mobile characteristics of their work. The use case describes technical processes and considerations to distribute company’s educational material for new product to their agents. A correct version of the material among three different versions should be delivered to agents in a qualified VO group with an auditable access control mechanism that enforces the company’s security policies. | CSC
Acquisition | Prepare & Procure Service | cloud storage as a service | Customer uses public cloud storage as a service offering to store ever-increasing volumes of data as an alternative to adding to on-premises storage infrastructure | CSC
Acquisition | Prepare & Procure Service | Provision of Database capabilities as a cloud service | Customer wants to use a Database as a Service capabilities with ability to upload database images containing data and configuration information. | CSC
Acquisition | Prepare & Procure Service | Provision of big data analytics platform | Cloud service provider provides a dedicated Hadoop cluster as a service platform for big data analytics | CSP
Acquisition | Prepare & Procure Service | Cloud Brokerage | The cloud broker offers cloud service intermediation for services to add value-addition and cloud service aggregation bringing two or more cloud based services. The Cloud Brokerage use case brings out the following innovations/value to the cloud ecosystem. A) provide support for multi-cloud deployment B) provide standards-based SLA negotiation and agreement mechanisms to allow the broker to perform a match between the requirements of the C) Allows the broker to make SP-IP matches based on the Trust, risk, eco-efficiency and cost. D) The service deployment takes into account the legal boundaries as constraints in the service manifest. E) The cloud broker provides a framework to provide variety of value added services to the SP. Some the existing valued added services implemented as a support for the service includes, VPN overlay, Intelligent Protection system and Secure data storage. F) The cloud broker allows deployment of service in the non-optimis IP, providing interoperability support. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | goBerlin | The focus of goBerlin is the provisioning of a service marketplace combining commercial services and public governmental services to state-of-the-art applications with personalised SaaS for administrative matters (e.g. birth, marriage, children). The architecture is a loosely coupled combination of functional and security related aspects, e.g. access control, privacy, multi-tenancy. It can be applied to other cloud services running in similar cloud infrastructures, operated by public data centres. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Bioinformatics - BLAST and BLAT tools for sequence mapping | Provide a framework for the seamless execution of widely used bioinformatics tools in the VENUS-C cloud (IaaS, PaaS), easing migration across target platforms (commercial and non-commercial providers). The aim of the VENUS-C user scenario on bioinformatics (Technical University of Valencia) was to address the challenges faced by biomedical researchers in coping with the exponential growth of annotated databases and increases in the throughput of sequencing. The overall objective was to wrap different processing tools (e.g. for alignment and phylogeny) in a user-friendly framework running in the cloud. Migration across target platforms is ensured by implementation of standards, e.g. OGF-BES, OCCI, OVF, CDMI. Cost-effectiveness, flexibility and scalability over grid infrastructures have been demonstrated. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Wildfire: Fire Risk Estimation and Fire Propagation | Provide a framework to execute fire risk estimations and fire propagation models, enabling end-user actors (e.g. fire-fighters, emergency crews and civil protection authorities) to run the models in the cloud using a user-friendly web-based graphical user interface. The aim of the VENUS-C user scenario, Wildfire (University of the Aegean) was to provide a tool for calculating fire risk indexes (hourly and over 5 days) and the expected propagation, using weather forecasts (including the direction of the wind), topography, vegetation and socio-economic parameters. It uses a hybrid cloud approach (MS Azure and OpenNebula via the Engineering Group) and has been tested and used by fire-fighting crews in Greece, who can respond to different workload situations; e.g. unpredictable and/or predictable bursting of CPU needs during the summer period. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Radiotherapy planning (CloudERT pilot deployment in Spain) | Provide an eIMRT platform with remote tools to facilitate physicians in defining cancer treatment plans and verification using Monte Carlo simulations. Generate a single virtual cluster for each request to move the computing back-end to the cloud, which ensures independent processing for each request. The VENUS-C pilot, CloudERT, is led by the Centre of Supercomputing of Galicia (CESGA). It is aimed at improving hospital planning for cancer treatment with a pilot deployment in Spain, which currently involves 65 users from 47 hospitals. The eIMRT platform has been analysed from the point of view of SaaS, which must scale to thousands of users and service requests every day. It leverages the cloud to overcome the limitations of local clusters, which increase time-to-solution and decrease QoS, and of the grid, due to task grouping and the movement of large files. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Drug Discovery service by Molplex (SME) | Provide a framework to calculate molecular virtual profiles that include shape/docking characteristics and QSAR biological activity predictions. The shape/docking calculation offers an embarrassingly parallel execution model, and has been parallelised with the use of OpenMP threads. Molplex requires regular access to computer resources to calculate the virtual profiles of molecules. The aim of the Molplex pilot (Cloud Against Diseases) in VENUS-C is to boost the performance of the company's systems and reduce costs by allocating computing resources as needed. The virtual profiles are calculated using two techniques: shape/docking profile and QSAR profile. The deployment of former is supported by the Barcelona Supercomputing Center via the COMPSS interface, while part of the QSAR application is deployed on Azure using a legacy system from Newcastle University. Being able to solve a higher number of scientific problems (virtual profiling) gives the SME better market exposure and opportunities, as well as increase staff productivity. | CSC, CSP, Cloud Service Partner
Acquisition | Prepare & Procure Service | Cloud4SOA (FP7 project) | Interconnect public and private platform vendors for developers to help compare, manage and migrate between vendors by offering an open-source added value feature set for PaaS customers (developers and SaaS providers). Cloud4SOA interconnects platforms for added-value capabilities such as multi-platform management, comparative monitoring and application portability across collaborating or competing offerings. It prepares for the wider potential as the PaaS segment of cloud computing evolves, pointing towards concepts such as federation of multiple platforms and management between hybrid use cases of public and private PaaS. It leverages existing PaaS APIs and brings a harmonised layer and adapters to support its advanced features. Standardisation focuses on basic management protocols to enable platforms to focus on innovative concepts and ecosystem-empowered capabilities. | CSC, CSP, Cloud Service Partner
Operation | Operate Service - Manage | Guaranteeing performance against an abrupt increase of the load | • A CSP guarantees its service performance, even when an unexpected surge of access to the service arises, by using cloud resources provided by other CSPs on a temporary basis. • Network connections among interworking CSPs are instantaneously established or reconfigured. Then service-related data including user ID, user data, and application data are transferred from the original CSP to the CSP that is leasing the resources. • Access from CSUs is appropriately changed to the interworking CSPs so as to achieve load distribution, and thus mitigate the overload of the original CSP. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Guaranteeing availability in the event of a disaster or a large-scale failure | • CSPs continue their service offering by the resources leased from each other, even when systems in one CSP are damaged due to natural disasters or large-scale failures. • Available resources in other CSPs are autonomously discovered and reserved through the inter-cloud federation. • The services with a high priority are only recovered if available resources are not enough to recover all services. In examining the availability of the resources given from other CSPs, the guaranteed level of quality of the resources is taken into account. • The services requiring early recovery are recovered using available resources on a best-effort basis even if their quality requirements are partly satisfied. • Network connections among interworking CSPs are instantaneously established or reconfigured. The lead CSP, which is preconfigured and governs the recovery procedure, manages the roles of available CSPs and instructs service continuation based on the original CSP data. • Access from CSUs is appropriately distributed to the interworking CSPs so as to achieve the disaster recovery, and thus mitigate the service discontinuity. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Service continuity | • A CSP continues its service offering by the collaboration with other CSPs, even when the original CSP terminates its business. • Available resources in CSPs other than the service-terminating CSP are discovered and reserved in advance. • Network connections among interworking CSPs are established or reconfigured. Then service-related data including user ID, user data, and application data are transferred from the original CSP to new CSPs. • Access from CSUs is appropriately changed to the interworking CSPs so that the same service is continuously offered. • If the capabilities (VM and applications) at the original CSP migrate to other CSPs, the CSU, who keeps the same user ID, can continuously access the service at the same level of performances as before. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Market transactions via brokers | • The CSP with an ISB role (CSP-ISB) mediates between CSPs meeting the CSU’s quality requirements and provides the list of selected CSPs to the CSU. • The CSP-ISB coordinates multiple services offered by other CSPs | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Guaranteed end-to-end quality of service: Guaranteed performance | Use case of guaranteeing performance against an abrupt increase of the load | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Guaranteed end-to-end quality of service: Guaranteed availability | Use case of guaranteeing availability in the event of a disaster or a large-scale failure | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Service continuity by pre-configuration of alternative services | Normally, if the business of Provider A is suspended, the consumers need to re-register with similar services that are provided by different providers. To avoid a situation above, resources, applications, and consumer’s ID data for the services provided by Provider A are transferred to the cloud systems of Providers B and C in advance. Then, in the situation of the business suspension of Provider A, its consumers can continue to use similar services provided by Providers B and C. This arrangement can also be applied when a service consumer requests a transfer of his or her service to another provider. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Contract Billing | A cloud service provider issues an invoice for contracted or consumed services. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Change Resource Capacity | A cloud service consumer adds or changes the capacity or resources associated with a service instance, which is an instance of a service template. This can include adding or removing whole resources, or expanding or contracting resource limits associated with the service. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Hibernate/Resume | Puts a running application into hibernation. Resume a hibernating application. | CSC
Operation | Operate Service - Manage | Stop/Restart | Stop a running application and create a "snapshot". Resume from a snapshot. | CSC
Operation | Operate Service - Manage | Patch | Patch (update) one or more components in an application template. | CSC
Operation | Operate Service - Manage | Create Network | The cloud consumer wishes to create a new instance of a "network". A network is an abstraction of a layer 2 broadcast domain. Any two nodes (machines, volumes, etc.) attached to the same network can connect to one another. To connect to a node on another network a route must be created between the source network and the destination network. A common reason for creating networks is to isolate machines and volumes into protected sub-domains for security and administration purposes. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Cloud application workload requires use of multiple clouds (cloud burst) | Sometimes referred to as a cloud burst scenario, the application normally running on-premises or in a private cloud needs to elastically run on other clouds in the cases of short-term, significant increase in user demand load. Cloud tenants can use both their own private clouds as well as hosted/public clouds as the workload may require. VMs and applications can migrate between private cloud and public/hosted clouds and can seamlessly be managed from either side regardless of their location. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Document release towards an administration | An Electronic Document Storage (EDS) is a secure storage for official documents provided as SaaS. Governmental institutions or other parties such as employers can access the EDS to enter documents (such as official notifications, certificates of salary, rental contracts, insurance policies, etc.) for the owner of the EDS, and access those documents if necessary to perform an administrative procedure. The use case describes how a public administration requests a document from a citizen in the course of an administrative process. | CSC
Operation | Operate Service - Manage | Burst Capacity | A system or service runs in a defined "source" location, and bursts into an alternate location or cloud environment such as a shared or public cloud (target) to obtain additional resources to accommodate business peak processing requirements. Requires license flexibility, and sufficient network and security controls. | CSP, Cloud Service Partner
Operation | Operate Service - Manage | Integration of on-premise resources with public cloud resources | Cloud service customer makes use of public cloud IaaS resources for some workloads but still has other workloads retained on-premises, with the need to link the on-premises workloads and the public cloud workloads | CSC
Operation | Operate Service - Provision/Configure/Administer | Provision Resources (from a contracted pool) | Within the context of an existing contract, an administrator allocates resources from the contracted pool. The resources could be of a wide variety, such as virtual system platforms or a preconfigured mini data centre that contains virtual systems and virtual storage, connected via a virtual network. | CSC
Operation | Operate Service - Provision/Configure/Administer | Deploy Service Template | A cloud service consumer deploys a parameterized service template in the context of a service offering. | CSC
Operation | Operate Service - Provision/Configure/Administer | Provision New Administration Domain (or Provision New Tenant) | Subscriber administrator is provisioned with a new administration domain. | CSC
Operation | Operate Service - Provision/Configure/Administer | Add/Change/Delete User | A cloud consumer administrator adds or removes a user, or changes their privileges. | CSC
Operation | Operate Service - Provision/Configure/Administer | Install Application Component | A new application component is uploaded and installed to the cloud. | CSC
Operation | Operate Service - Provision/Configure/Administer | Deploy Application (also Undeploy) | To deploy a package comprising all the required application components to an execution domain. | CSC
Operation | Operate Service - Provision/Configure/Administer | Start an application | To start executing an application such that end-user may start interacting with the hosted applications. | CSC
Operation Operate Service - Provision/Configure/Administer
Upload Machine Image
The cloud user or third party software provider has a local copy of a "machine image" (a snapshot of a stack of software which may include operating systems, virtual machine runtimes, database servers, application servers, applications, etc.) that they wish to make available for deployment on an IaaS cloud.
CSC
Operation Operate Service - Provision/Configure/Administer
Deploy Machine Image
The cloud consumer wishes to create a new instance of a "machine" (a logical instance of one or more CPUs connected to local memory and, optionally, local data storage) with software loaded from a machine image.
CSC
Operation Operate Service - Provision/Configure/Administer
Capture Existing Machine Instance
The cloud consumer wishes to create a new machine image that captures the state of an existing virtual machine instance.
CSC
Operation Operate Service - Provision/Configure/Administer
Create Persistent Storage Volume
The cloud consumer wishes to create a new storage volume image that captures the information stored on an existing volume instance.
CSC
Operation Operate Service - Provision/Configure/Administer
Load Image onto Storage Volume
The cloud consumer wishes to load a "volume image" (e.g. an ISO image) onto an existing persistent storage volume.
CSC
Operation Operate Service - Provision/Configure/Administer
Attach Storage Volume to Machine
The cloud consumer wishes to attach a persistent storage volume to a machine instance. Once attached, the volume is accessible by processes resident on that machine instance, usually as a local device (e.g. /dev/sd2).
CSC
Operation Operate Service - Provision/Configure/Administer
Capture Storage Image
The cloud consumer wishes to create a new storage image that captures the information stored on an existing storage image.
CSC
Operation Operate Service - Provision/Configure/Administer
Detach Storage Volume from Machine
The Cloud User wishes to detach a persistent storage volume from a machine instance. Once detached, the volume is no longer accessible by the processes resident on that machine.
CSC
Operation Operate Service - Provision/Configure/Administer
Attach Machine to Network
The cloud consumer wishes to attach a machine to a network. The higher level goal is to allow this machine to connect to one or more of the other machines or volumes on the target network and/or to allow one or more machines on the target network to connect to this machine.
CSC
Operation Operate Service - Provision/Configure/Administer
Detach Machine from Network
The Cloud User wishes to detach a machine from a network. This is usually a step in a higher-level network management process such as "attach this machine to the back-end, database network and detach it from the default network".
CSC
Operation Operate Service - Provision/Configure/Administer
Attach Storage Volume to Network
The Cloud User wishes to attach a volume to a network. The higher level goal is to allow this volume to be attached to one or more of the machines on the target network (see Attach Storage Volume to Machine).
CSC
Operation Operate Service - Provision/Configure/Administer
Detach Storage Volume from Network
The cloud consumer wishes to detach a volume from a network. This is usually a step in a higher-level network management process such as "attach this volume to the back-end, database network and detach it from the default network".
CSC
Operation Operate Service - Provision/Configure/Administer
Onboarding for VEM
Onboarding of a customer's applications to IaaS service
CSC
Operation Operate Service - Monitor
SLA Reporting
A cloud service consumer requests and receives a report about an established service contract.
CSC, CSP, Cloud Service Partner
Operation Operate Service - Monitor
Monitor Service Resources
A cloud consumer configures a monitor for a deployed service instance and resources that support the service instance. A monitor may collect data (for example, resource consumption, throughput, response times, or availability) or establish an exception threshold.
CSC, CSP, Cloud Service Partner
Operation Operate Service - Monitor
Notification of Service Condition or Event
A service has been configured and is in operation. Certain conditions or runtime operational events have been identified or detected that are significant enough to demand immediate notification of the condition or event to the service customer. An example is the detection of an intrusion or an unexpected configuration change.
CSC, CSP, Cloud Service Partner
Operation Operate Service - Monitor
Monitoring & management of deployed software
Monitor the health of infrastructure & perform capacity planning for future needs
CSC, CSP, Cloud Service Partner
Operation Operate Service - Migrate
Changing Cloud Vendors
An organization using cloud services decides to switch cloud providers or work with additional providers.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Move three-tier application from on-premises to cloud
An organization moves a three-tier application (front-end web server, back-end database, and middle-tier business logic) from an on-premises data centre to a cloud infrastructure provider that will run the application off-premises. Platform services for data, identity and access are considered available for source and target clouds but not addressed in this case. This use case represents the most common type of web-based application deployed both in enterprises and mid-sized companies.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Move three-tier cloud application to another cloud
An organization moves a three-tier application from one cloud infrastructure provider to another.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Move part of on-premises application to cloud to create "hybrid" application
An organization moves one or more parts – or tiers – of an on-premises application to the cloud, in order to separate data storage from processing, for example. This creates a cloud that is a hybrid of both public (off-premises) and private (on-premises) clouds.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Hybrid cloud application that uses platform services
An organization moves one or more parts – or tiers – of an on-premises application to the cloud and chooses to implement cloud components of a hybrid application using platform services available from the cloud platform provider, such as structured or unstructured cloud storage or identity and access control services.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Port cloud application that uses platform services to another cloud
Porting an application that uses services provided by the cloud platform to another cloud platform implies these requirements: 1) bulk import/export of customer data, and 2) Semantic cloud application management protocol.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Capture Aggregate Assembly
The cloud consumer wishes to capture an aggregate assembly consisting of zero or more machine instances, zero or more volume instances, zero or more network instances, and the attachments/connections between these entities. The artefacts generated by this capture operation (the "assembly package") can be used to deploy "a copy" of the assembly onto this or some other cloud.
CSC
Operation Operate Service - Migrate
Upload Aggregate Assembly
The cloud consumer or third party software provider has a local copy of an assembly package which includes zero or more machine images along with metadata that describes the machines on which these images must be deployed, zero or more volume images along with metadata that describes the volumes on which these images must be deployed, zero or more descriptions of network instances, and a map of the attachments/connections between these entities. The Cloud consumer or third party software provider wishes to make this assembly available for deployment on an IaaS cloud.
CSC
Operation Operate Service - Migrate
Deploy Aggregate Assembly
The cloud consumer wishes to deploy an aggregate assembly consisting of zero or more machine instances, zero or more volume instances, zero or more network instances, and the attachments/connections between these entities for the purposes of re-creating the system that was captured in IR01.25 (Capture Aggregate Assembly).
CSC
Operation Operate Service - Migrate
Move three-tier application from on-premises to cloud
An organization (customer) moves a three-tier application from an on-premises datacenter to a cloud infrastructure provider that will run the application off-premises. The data associated with the application is sensitive and confidential and it is necessary to assure its integrity. Issues to be considered include:
• suitable SLA/certificate,
• responsibility for the provision and application of encryption,
• key management processes
• data validation
• etc. …
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Move three-tier cloud application to another cloud
An organization (customer) moves a three-tier application from one cloud infrastructure provider 1 to another provider 2.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Move part of on-premises application to cloud to create "hybrid" application
An organization (customer) moves one or more parts – or tiers – of an on-premises application to the cloud, in order to separate data storage from processing, for example. This creates a cloud that is a hybrid of both public (off-premises) and private (on-premises) clouds.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Hybrid application with shared user ID and access services
This use case is the same as the use case "Move part of on-premises application to cloud to create 'hybrid' application" with the added condition that user ID and access are shared between on-premises and cloud components. This requires a common user ID and access control methodology between components based on either on-premises directory access or identity federation.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Move hybrid application to another cloud with common infrastructures
An organization (customer) moves the cloud portions of a hybrid application from cloud A to cloud B, both of which support common infrastructures and VM packages.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Hybrid cloud application that uses platform services
This use case is similar to the use case "Move part of on-premises application to cloud to create 'hybrid' application" except the cloud application developer in this case chooses to implement cloud components of a hybrid application using platform services available from the cloud platform provider, such as structured or unstructured cloud storage or identity and access control services.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Port cloud application that uses platform services to another cloud
Porting an application that uses services provided by the cloud platform to another cloud platform implies the same requirements as for the use case "Hybrid cloud application that uses platform services".
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Cloud Burst
An Electronic Document Storage (EDS) is a secure storage for official documents provided as SaaS. Governmental institutions or other parties such as employers can access the EDS to enter documents (such as official notifications, certificates of salary, rental contracts, insurance policies, etc.) for the owner of the EDS, and access those documents if necessary to perform an administrative procedure. To reduce its own operational costs, the EDS provider decides to accept an IaaS offer from another cloud provider and use its virtualized resources to provide the EDS service.
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Document Migration
An Electronic Document Storage (EDS) is a secure storage for official documents provided as SaaS. Governmental institutions or other parties such as employers can access the EDS to enter documents (such as official notifications, certificates of salary, rental contracts, insurance policies, etc.) for the owner of the EDS, and access those documents if necessary to perform an administrative procedure. The use case describes how a public administration requests a document from a citizen in the course of an administrative process. The use case describes the migration process of documents from one EDS (EDS1) hosted by EDS space provider A into another one (EDS2) (hosted by provider B):
CSP, Cloud Service Partner
Operation Operate Service - Migrate
Project Capacity
Temporary capacity from an alternate cloud (public or shared private) to support short term initiatives
CSP, Cloud Service Partner
Termination Operate Service - Terminate
Terminate Service Contract
A consumer of a cloud service contract and a provider of a cloud service contract agree to terminate a cloud service contract.
CSC, CSP
Termination Operate Service - Terminate
Terminating cloud contract
An organization (cloud service customer) obtaining a cloud service from a cloud service provider directly or via a cloud service partner (a broker) would like to terminate its contract. There can be many reasons for doing so, for example the organization would like to change cloud service provider or partner, or wants to exit the cloud and move to a non-cloud environment. The use case is focusing on the terms and conditions that should be in an SLA, and the enforceability of those terms and conditions to do so.
CSC, CSP, Cloud Service Partner
Operation Assure Quality - Audit Service
Independent third party assurance
Establishing an independent third party assurance (a regulator) to build trust whereby European SMEs and other organizations (cloud service customers) will use cloud computing services more. An independent third party assurance can contribute to building trust whereby European SMEs and other organizations will use cloud computing services more. The idea is to establish a kind of active and proactive escrow service (a regulator role) by a third party in such a way that this party can assure a seamless takeover of the cloud operations that provider A executes for a user to cloud provider B. This should therefore include the (functionality of the) software, the users’ data and the current state of transactions.
Cloud Service Partner
Annex B. CRM questionnaire for CSPs: CRM assessment
CSP name:
Webpage:
Covered SLA service:
Group | Name of CRM element | Explanation/Assessment Question | CSP Self-assessment | Comments
General
SLA URL
Is there a publicly (online) available version of your cloud SLA?
0 = No, 1 = Yes (please provide URL)
Findable
How can customers find the SLA on your website?
0 = n/a, 1 = External search engine, 2 = Internal search engine, 3 = Homepage link
Choice of law
Is the SLA specific to a particular jurisdiction or geographical area?
0 = n/a or No, 1 = Yes
Roles and responsibilities
Does your SLA contain a clear definition of roles and responsibilities?
0 = n/a or No, 1 = Yes
Cloud SLA definitions
Does your SLA contain relevant definitions used in the text?
0 = n/a or No, 1 = Yes
Freshness
Revision date
Does your SLA specify the date of its last revision?
0 = n/a or No, 1 = Yes
Update Frequency
Does your SLA specify the frequency of performed updates based on a reported "Last Update" value?
0 = n/a or No, 1 = Yes
Previous versions and revisions
Are the previous versions of the SLA publicly available?
0 = n/a or No, 1 = Yes
SLA duration
Does your SLA contain a clear specification of its validity period?
0 = n/a or No, 1 = Yes
Readability
SLA language
Is your SLA specified in more than one language?
0 = n/a or No, 1 = Yes
Machine-readable format
Is your SLA available in machine-readable format?
0 = n/a or No, 1 = Yes
Nr. of pages
What is the number of pages in your SLA? Only applies to SLAs in PDF/document format.
0 = n/a or No, 1 = Please specify the number of SLA pages
Support
Contact details
Does your SLA contain a reference to the helpdesk number or other details to contact support?
0 = n/a or No, 1 = Yes
Contact availability
Does your SLA contain information about contact availability, specifying days of the week and working hours?
0 = n/a or No, 1 = Yes
Credits
Service Credit
Does your SLA have a clear specification of the service credits provided to the CSC?
0 = n/a or No, 1 = Yes
Service credits assignment
Does your SLA specify the conditions whether a service credit shall be provided or not to the customer?
0 = n/a or No, 1 = Yes
Maximum service credits (Euro amount) provided by the CSP
Does your SLA describe how much the CSP can credit (Euros) to the customer?
0 = n/a or No, 1 = Yes
Changes
SLA change notifications
Does your SLA specify how the CSP notifies customers about SLA changes?
0 = n/a or No, 1 = Yes
Unilateral change
Does your SLA describe if the CSP is entitled to unilaterally change it?
0 = n/a or No, 1 = Yes
Reporting
Service Levels reporting
Does your SLA describe if reports about achieved Service Levels are provided to the customer?
0 = n/a or No, 1 = Yes
Service Levels continuous reporting
Does your SLA explain if/how the service level reports are continuously updated?
0 = n/a or No, 1 = Yes
Feasibility of specials & customisations
Does your SLA clearly define any "specials"/exceptions and other possible customisations?
0 = n/a or No, 1 = Yes
General Carve outs
Does your SLA clearly define CSP assumptions, exclusions, scope of force majeure, and other carve outs to the negotiated cloud services, SLOs and SLA?
0 = n/a or No, 1 = Yes
SLOs & Metrics
Specified SLO metrics
Does your SLA clearly and unambiguously specify metrics related to the SLOs defined in the SLA?
0 = n/a or No, 1 = Yes
General SLOs
Does your SLA specify SLOs related to aspects like service monitoring, accessibility, availability, termination of service, applicable certifications, and governance?
0 = n/a or No, 1 = Yes
Cloud Service Performance SLOs
Does your SLA specify SLOs related to aspects like response time, capacity, and elasticity?
0 = n/a or No, 1 = Yes
Service Reliability SLOs
Does your SLA specify SLOs related to aspects like service resilience, disaster recovery, and customer’s data backup/restore?
0 = n/a or No, 1 = Yes
Data Management SLOs
Does your SLA specify SLOs related to aspects like IPR, CSC/CSP data, derived data, account data, portability, data deletion/location/examination, and law enforcement access to CSC data?
0 = n/a or No, 1 = Yes
Security SLOs
Does your SLA specify SLOs related to aspects like cryptography, physical/operational/communication security, incident management, compliance, and business continuity?
0 = n/a or No, 1 = Yes
Personal Data Protection SLOs
Does your SLA specify SLOs related to aspects like consent and choice, limitation, accountability, PII collection/use/retention/disclosure limitation, and privacy compliance?
0 = n/a or No, 1 = Yes
Annex C. CRM questionnaire for CSPs: Consent and General Data
Do you need to sign a Cloud SLA & you want to find everything you need, in the one place to make sure what you sign has the right: vocabularies, SLO metrics/measurements, and compliance with standards/best practices? Well this May 2016, the European project SLA-Ready [14] has developed precisely all of these features in its Common Reference Model (aka CRM). This CRM hopes to make European SMEs’ life easier in sifting through time-consuming legal contracts for the uptake of cloud computing.
In order to validate the developed CRM [15] from your perspective, we kindly ask you to answer the following set of questions.
1. Information about the participant’s profile:
a) Which one of the following roles best describes your Cloud computing activity? (Please tick just one answer)
[ ] Cloud Service Provider or CSP (e.g. CxO, R&D, etc).
[ ] Cloud Service Partner (e.g. security auditor, Cloud broker, developer)
b) Which industrial sector is your main cloud service customer?
[ ] Small and Medium-sized Enterprise (SME, private sector)
[ ] Non-SME (private sector)
[ ] Public sector
c) Which market vertical best describes your cloud service customer base? (Please tick just one answer)
[14] Please refer to http://www.sla-ready.eu/
[15] CRM follows a 3-level hierarchical structure: the top level contains eight (8) groups, which organize thirty (30) elements that include the main notions that can be mapped to the different aspects of cloud SLAs. Following the ISO/IEC terminology, the lowest level comprises the components that are part of the service level objectives (SLO) related elements of the CRM.
[ ] Education
[ ] Financial Services
[ ] Government
[ ] Information Technology (IT) & Telecommunications
[ ] Other (please specify): ______________________________________
d) How well do the following high-level use cases [16] describe the interests of your cloud service customers? (Please rank from 1 (better) to 5 (worst))
[ ] Application on a Cloud. An Enterprise develops an App on a Cloud Service for their end users.
[ ] Cloud bursting. Describes the scenario where workloads are migrated on-demand to a public CSP as needed by the cloud customer.
[ ] Processing sensitive data. An enterprise wants to use an online cloud application (SaaS) to process sensitive data, including Personally Identifiable Information (PII).
[ ] Data integrity. A customer moves a three-tier application from an on-premises datacenter to an IaaS CSP that will run the application off-premises.
[ ] High availability. Through the use of one or more CSPs an organization provides high availability in the event of a disaster or a large-scale failure.
e) In which aspects of the Cloud service life cycle are your cloud service customers interested? (Please rank from 1 (high interest) to 3 (low interest))
[ ] They are interested in how to acquire Cloud services (e.g., choosing a CSP).
[ ] They are interested in the actual operational stage of the Cloud service (e.g., monitoring)
[ ] They are interested in the termination process of the Cloud service (e.g., understanding data retention clauses)
2. Based on your offered Service Level Agreement, please perform its self-assessment based on the criteria presented on the attached spreadsheet (see below)
3. From your point of view, is the CRM missing critical groups/elements/components that could contribute to improve the way SMEs deal with cloud services?
4. Do you agree to make publicly available in the SLA-Ready website the provided self-assessment?
[ ] Yes, I agree
[ ] No, I don’t agree. Please specify a reason:
5. Would you be willing to participate in a follow-up discussion on this subject? If yes please provide your name and a contact email address:
[16] Categorization based on ETSI’s “Cloud Standards Coordination – Final Report”. Available online: http://csc.etsi.org/resources/CSC-Phase-1/CSC-Deliverable-008-Final_Report-V1_0.pdf