· to this end, sla-ready has created a common reference model (crm) that helps towards the common...

D2.4ACommonReferenceModeltodescribe,promoteandsupporttheuptakeofSLAs–Finalreport

www.sla-ready.eu

Title:ACommonReferenceModeltodescribe,promoteandsupporttheuptakeofSLAs–Finalreport

Author(s):RubenTrapero,NeerajSuri,TUDA

Contributor(s):ArthurvanderWees,Arthur’sLegal;MarinaBregou,CSA

Date:31Dec,2016


ExecutiveOverview

SLA-ReadyaimstoincreasethedegreeoftrustausercanputonCloudServiceProviders(CSP)toconsequentlyleveragethehigheruptakeofcloudservices.AsthelinkageacrosstheCSPandtheusertypicallytranspiresviacontractualServiceLevelAgreements(SLAs),the standardisation and transparency of SLAs is paramount to provide Cloud ServiceCustomers (CSCs)with enough informationaboutwhat services touse,what to expectfromthemandinwhattotrust.

To this end, SLA-Ready has created a Common Reference Model (CRM) that helpstowards the common understanding of SLAs for cloud services. The CRM integratesguidelines,standardsandbestpracticestocreateacomponentbasedreferencemodeltodefineSLAswithacommonterminology,SLAattributesandServiceLevelObjectives.

The CRM was introduced in D2.3 by evaluating the requirements elicited in D2.1 andD2.2. An initial evaluation of the CRM was also conducted in D2.3 by evaluating thepertinentstandards,bestpracticesandalsofourrepresentativeusecasesfromrealCSPs.

D2.4conductsanin-depthvalidationandestablishesthepracticalusefulnessoftheCRM.Morespecifically,D2.4progressesbeyondD2.3inthefollowingaspects:

• The update of the evaluation of the CRM with respect to the standardizationbodiesandagenciesforbestpractices.

• AcomprehensiveevaluationoftheCRMfromtheindustrialperspectivewiththeanalysisof23usecases.Theanalysis isbasedonanextendedtemplatethathasbeenmodifiedtoincludeaspectsrelatedtotheexpertiselevelsofthecompany.

• Anovel recommendationmethodology that provides the level of importanceofeveryelementoftheCRMtoSMEsthatwantstoprovidecloudservices.

• ThecomputationofaSLAreadinessindexbasedontheCRMthatcomparesacrosstheCSPsusingtheCRMasacomparisoncriteria.


TableofContents

LISTOFACRONYMS..................................................................................................................9

GLOSSARY.................................................................................................................................9

1. INTRODUCTION..............................................................................................................12

1.1. PositioningD2.4withinSLA-Ready..........................................................................13

1.2. Structureofthisreport............................................................................................13

2. IMPROVINGTHEVALIDATIONOFTHECRM...................................................................14

3. THECOMMONREFERENCEMODEL(CRM)....................................................................16

3.1. Summarytakeaways................................................................................................22

4. CRMMAPPINGTOSTANDARDSANDBESTPRACTICES..................................................24

4.1. Initiativesbeinganalysed........................................................................................24


5. SECTORSPECIFICITYOFCRMS........................................................................................30

5.1. Usecasetemplate...................................................................................................30

5.2. UsecasesandCRMmapping...................................................................................32

5.2.1. Usecase1:Fintech-Financialsectorusecase..............................................32

5.2.2. Usecase2:GovernmentalCloud...................................................................34

5.2.3. Usecase3:ConsultLess,SMEsusingSaaS......................................................35

5.2.4. Usecase4:SMEsmigratingfromoneSaaSCSPtotheother.........................37

5.2.5. Usecase5:CloudBrokering:ChargebackandShowback..............................39

5.2.6. Usecase6:DistributionofSMETrainingMaterialtoMobileEmployees......40

5.2.7. Usecase7:EasyAgriSelling-SMEusingIaaS/PaaS.........................................41

5.2.8. Usecase8:VideostorageandstreamingfromtheCloud.............................43

5.2.9. Usecase9:Cloud-basedDevelopmentandTesting.......................................45

5.2.10. Usecase10:LogisticsandProjectManagementintheCloud.......................46

5.2.11. Usecase11:LocalGovernmentServicesusingaHybridCloud.....................47

5.2.12. Usecase12:PayrollProcessingintheCloud.................................................48

5.2.13. Usecase13:CSPspecifyingcarve-outsinitscloudserviceterms.................49


5.2.14. Usecase14:CSPchangingSLAatoperationtime..........................................50

5.2.15. Usecase15:CSPprovidingservicesunderdifferentregulations...................51

5.2.16. Usecase16:CSPprovidingdataservicesforthehealthsector.....................53

5.2.17. Usecase17:ASMEterminatingacontractwithaCSP..................................55

5.2.18. Usecase18:CSPmigratingdatabetweendifferentjurisdictions..................57

5.2.19. Use case 19: CSP providing data portability vendor Lock-in of SaaSapplications....................................................................................................................58

5.2.20. Usecase20:SMElookingforInformationSecurityIncidentManagement...60

5.2.21. Usecase21:CSPallowingdataaccessforlawenforcement.........................62

5.2.22. Use case 22: SMEmigrating to IaaSwith several duration periods in theagreement......................................................................................................................63

5.2.23. Usecase23:SMEsettingupitsownhybridcloudecosystem.......................65

5.2.24. CRMtousecasesmapping.............................................................................66


6. CRMRECOMMENDATIONFORNEWUSECASES............................................................78

6.1. Inputdata:usecasesanalysis..................................................................................79

6.2. Phase1:Applyingclusteringmethodologiestotheinputdata...............................80

6.3. Phase2:Assigningnewusecasestoclusters..........................................................86

6.4. Recommendationmethodologyvalidation:Example1...........................................87

6.5. Recommendationmethodologyvalidation:Example2...........................................89


7. PROGRESSONDEVELOPINGTHESLA-READINESSINDEX...............................................91

7.1. MotivationfortheSLA-ReadinessIndex..................................................................91

7.1.1. Step1:CSPSLAself-assessment.....................................................................92

7.1.2. Step2:SLA-Repository...................................................................................92

7.1.3. Step3:ComputingtheSLA-ReadinessIndex..................................................92

7.1.4. Step4:UsingtheSLA-ReadinessIndex...........................................................93

7.2. TechniquesfortheassessmentofCSPs...................................................................94

7.3. ComparativeassessmentofrepresentativeCSPs....................................................97


7.3.1. EvaluationofsurveyedCSPsbasedontheCRM............................................98

7.3.2. Evaluationofself-assessedCSPsbasedontheCRM....................................100

7.4. Summarytakeaways..............................................................................................104

8. CONCLUSIONS..............................................................................................................105

REFERENCES.........................................................................................................................106

ANNEXA.USECASESLIST(ETSICSC)....................................................................................108

ANNEXB.CRMQUESTIONNAIREFORCSPS:CRMASSESSMENT..........................................134

ANNEXC.CRMQUESTIONNAIREFORCSPS:CONSENTANDGENERALDATA......................139


TableofTables

Table1.CRMGroups..............................................................................................................17Table2.GroupsandelementsoftheCRM............................................................................18Table3.StandardsandbestpracticesrelevantforvalidatingtheCRM................................24Table4.CRMcoverageofrelevantstandardsandbestpractices.........................................26Table5.UseCaseTemplate...................................................................................................31Table6.Usecase1:Fintech...................................................................................................32Table7.Usecase2:EstonianGovernmentalCloud...............................................................34Table8.Usecase3:ConsultLess,SMEforusingSaaS............................................................36Table9.Usecase4:SMEmigratingfromoneSaaSCSPtotheother....................................37Table10.Usecase5:CloudBrokering:CloudChargebackandShowback............................39Table11.Usecase6:DistributionofSMETrainingMaterialtoMobileEmployees..............40Table12.Usecase7:EasyAgriSelling,SMEusingIaaS/PaaS..................................................41Table13.Usecase8:VideoStorageandstreamingfromtheCloud.....................................43Table14.Usecase9:Cloud-basedDevelopmentandTesting...............................................45Table15.Usecase10:LogisticsandProjectManagementintheloud.................................46Table16.Usecase11:LocalGovernmentServicesinaHybridCloud...................................47Table17.Usecase12:PayrollprocessingintheCloud..........................................................48Table18.Usecase13:CSPspecifyingcarve-outsinitscloudserviceterms.........................49Table19.Usecase14:CSPchangingSLAatoperationtime..................................................51Table20.Usecase15:CSPprovidingservicesunderdifferentregulations...........................52Table21.Usecase16:CSPprovidingdataservicesforthehealthsector.............................54Table22.Usecase17:ASMEterminatingacontractwithaCSP..........................................56Table23.Usecase18:CSPmigratingdatabetweendifferentjurisdictions..........................57Table24.Usecase19:CSPprovidingdataportabilityvendorLock-inofSaaSapplications..59Table25.Usecase20:SMElookingforInformationSecurityIncidentManagement...........60Table26.Usecase21:CSPallowingdataaccessforlawenforcement.................................62Table 27. Use case 22: SME migrating to IaaS with several duration periods in theagreement..............................................................................................................................64Table28.Usecase23:SMEsettingupitsownhybridcloudecosystem...............................65Table29.CRM-UseCasesCoverage(part1)........................................................................68Table30.CRM-UseCasesCoverage(part2)........................................................................71Table31.CRM-UseCasesCoverage(part3)........................................................................74Table32.Classificationoftheusecaseoftheexample1......................................................88Table33.Classificationoftheusecaseoftheexample2......................................................89Table34.AnswersofthesurveyedCSPs................................................................................98Table35.Answersoftheself-assessedCSPs.......................................................................100


TableofFigures

Figure1.DevelopingandvalidatingtheSLA-ReadyCRM......................................................12Figure2.D2.3withinSLA-Ready............................................................................................13Figure3.CRMinceptionandinitialvalidationinD2.3...........................................................14Figure4.FinalCRMandextendedvalidationinD2.4............................................................15Figure5.Requirementselicitation.........................................................................................16Figure6.Groupedrequirements............................................................................................17Figure7.CRMhierarchicalspecification................................................................................21Figure8.ComponentsoftheSLO&MetricselementoftheCRM.........................................22Figure9.RecommendationprocessbasedontheCRMandusecases.................................79Figure10.Exampleofclusteringrepresentation...................................................................81Figure11.DBSCANapproach.................................................................................................82Figure12.Clusteringprocess.................................................................................................83Figure13.Exampleofrepresentativevectorforclusters......................................................84Figure14.ClustersdiscoveredfortheSLA-Readysamples....................................................85Figure15.ClustersandrepresentativesamplesfortheSLA-Readysamples.........................85Figure16.Exampleofrecommendationbasedondistancesbetweensamples...................87Figure17.Recommendationresultsfortheusecaseanalysedinexample1........................88Figure18.Recommendationresultsfortheusecaseanalysedinexample2........................90Figure19.ComputingtheSLA-ReadinessIndex.....................................................................91Figure20.ACSPentryonCSASTAR-AdditionalInfo............................................................93Figure21.StagescomprisingthequantitativeSLAassessment.............................................95Figure22.SLAhierarchycombiningtheCSACCMandtheISO/IEC19086............................95Figure 23. Evaluation done to get the readiness index at different levels in the CRMhierarchy................................................................................................................................97Figure24.ComparisonofsurveyedCSPs:readinessindexglobalscore................................99Figure25.ComparisonofsurveyedCSPsatgrouplevel......................................................100Figure26.Comparisonofself-assessedCSPs:readinessindexgiventheglobalscore........102Figure27.Comparisonofself-assessedCSPsatthegrouplevel..........................................103Figure28.Comparisonofself-assessedCSPsatthe"SLO&Metrics"grouplevel...............103


Documentinformation

Deliverablenumber D2.4

Deliverabletitle A Common Reference Model to describe, promoteandsupporttheuptakeofSLAs–Finalreport

DeliverableNature Report

Deliverabledisseminationlevel

Public

Contractualdelivery Dec2016

Actualdeliverydate Dec2016

Author(s) RubénTrapero,NeerajSuri,TUDA

Contributor(s) Arthur van derWees, Arthur’s Legal;Marina BregouCSA

Task(s) contributing tothedeliverable

Task 2.3 – SLA challenges and requirements in cloudlandscape

Targetaudience(s) Projectpartners,membersoftheSLA-ReadyAdvisoryBoard and other external experts, EuropeanCommission,projectreviewers

Totalnumberofpages 141

Disclaimer

SLA-Ready has received funding under Horizon 2020, ICT-07-2014: Advanced CloudInfrastructures and Services. The information contained in this document is theresponsibilityofSLA-ReadyanddoesnotreflecttheviewsoftheEuropeanCommission.


ListofAcronymsCRM CommonReferenceModelCSA CloudSecurityAllianceCSC CloudServiceCustomerCSP CloudServiceProviderICT InformationandCommunicationsTechnologyENISA EuropeanNetworkandInformationSecurityAgencyETSI EuropeanTelecommunicationsStandardsInstituteEU EuropeanUnionFP7 TheSeventhFrameworkProgramme(2007-2013)H2020 Horizon2020ICT InformationandcommunicationstechnologyIPR IntellectualPropertyRightsISO InternationalOrganizationforStandardizationIT InformationTechnologyMSA MasterServiceAgreementPII PersonallyIdentifiableInformationRPO RecoveryPointObjectiveRTO RecoveryTimeObjectiveSLA ServiceLevelAgreementSLO ServiceLevelObjectiveSME SmallandMedium-sizedEnterpriseWCAG W3CWebContentAccessibilityGuidelines

Glossary1CloudService

ProviderData

Class of data objects, specific to the operation of the cloud service,underthecontrolofthecloudserviceprovider.Cloudserviceproviderdata includes but is not limited to resource configuration andutilization information, cloud service specific virtualmachine, storageand network resource allocations, overall data centre configurationandutilization,physicalandvirtual resource failure rates,operationalcostsandsoon

Datacontroller Thenaturalorlegalperson,publicauthority,agencyoranyotherbodywhichaloneorjointlywithothersdeterminesthepurposesandmeansoftheprocessingofpersonaldata

Dataintegrity Thepropertyofprotectingtheaccuracyandcompletenessofassets

1Inordertousecommunity-consistentterminology,theglossaryisextractedfromtherelevantstandards.Theexceptionistheterm"SLA-ReadinessIndex"whichhasbeenproposedbytheSLA-Readyconsortium.


Data

intervenability

Thecapabilityofacloudserviceprovidertosupportthecloudservicecustomer in facilitating exercise of data subjects’ rights.�Note: Datasubjects’rightsincludewithoutlimitationaccess,rectification,erasureofthedatasubjects’personaldata.Theyalsoincludetheobjectiontoprocessing of the personal data when it is not carried out incompliancewiththeapplicablelegalrequirements

Dataprocessor Anaturalor legalperson,publicauthority, agencyoranyotherbodywhichprocessesPersonaldataonbehalfoftheDatacontroller

Dataprotection The employment of technical, organisational and legal measures inorder to achieve the goals of data security (confidentiality, integrityand availability), transparency, intervenability and portability, aswellascompliancewiththerelevantlegalframework

Datasubject An identified or identifiable natural person, being an identifiablepersonisonewhocanbeidentified,directlyorindirectly,inparticularby reference to an identification number or to one or more factorsspecific to his physical, physiological, mental, economic, cultural orsocialidentity

Disaster

recovery

Ability of the ICT elements of an organization to support its criticalbusiness functions to an acceptable level within a predeterminedperiodoftimefollowingadisruption

Failure

notification

policy

Specifiestheprocessbywhichcloudservicecustomerscannotifythecloud service provider that a service outage has been observed, theprocess by which the cloud service provider notifies cloud servicecustomers that a service outage has occurred, the process forprovidingupdates on serviceoutages,who receives notifications andupdates,themaximumtimebetweenthedetectionofaserviceoutageand the issuance of a notice of service outage, the maximum timeinterval between service outage updates and how service outageupdatesaredescribed

Identity

Assurance

Theabilityofarelyingpartytodetermine,withsomelevelofcertainty,thataclaimtoaparticularidentitymadebysomeentitycanbetrustedtoactuallybetheclaimant'strue,accurateandcorrectidentity

(Master)Cloud

services

agreement

(MSA)

A legal document that is the overarching part relating to the cloudservice,whichdescribes the terms agreedbetween theprovider andthe customer under which the cloud service is made available andused. The MSA has a number of synonyms such as "CustomerAgreement", "Terms of Service" or simply "Agreement". The MSAreferences a number of subsidiary parts, such as the cloud SLA,SecurityandPrivacyPolicies,theAcceptableUserPolicy,theBusinessContinuityPolicyandtheServiceDescription.

Metric Astandardofmeasurementthatdefinestheconditionsandtherulesforperformingthemeasurementandforunderstandingtheresultsof


ameasurementPersonalData Anyinformationrelatingtoanidentifiedoridentifiablenaturalperson

('data subject'); an identifiable person is one who can be identified,directly or indirectly, in particular by reference to an identificationnumberortooneormorefactorsspecifictohisphysical,physiological,mental,economic,culturalorsocialidentity

Personally

Identifiable

Information

(PII)

Any information about an individual maintained by an agency,including (1)any information thatcanbeused todistinguishor traceanindividual’sidentity,suchasname,socialsecuritynumber,dateandplace of birth,mother’smaiden name, or biometric records; and (2)anyotherinformationthatislinkedorlinkabletoanindividual,suchasmedical,educational,financial,andemploymentinformation

Remedy Compensationavailabletothecloudservicecustomerintheeventthecloudserviceproviderfailstomeetaspecifiedservicelevelobjective

Resilience Abilityofacloudservicetorecoveroperationalconditionquicklyafterafaultoccurs

ServiceLevel

Agreement

(SLA)

Documented agreement between the service provider and customerthatidentifiesservicesandservicelevelobjectives

ServiceLevel

Objective(SLO)

A specific,measurable characteristic of a cloud service forwhich thecloudserviceprovidermakesacommitment

SLA-Readiness

Index

AquantitativemetricthatcanbeusedtocomparetheCSPscontainedintheSLARepository

Vulnerability Aweaknessofanassetorgroupofassets,e.g.softwareorhardwarerelated,thatcanbeexploitedbyoneormorethreats


1. IntroductionThisdeliverable validates the final versionof the SLA-ReadyCommonReferenceModel(CRM), an integrated set of SLA components (i.e., attributes and SLOs), including theguidelines/state of practice and standard terminology. A high-level viewof theprocessfollowedtodevelopandvalidatetheCRMisillustratedinFigure1.

ThepurposeofthisdeliverableistodevelopaSLA-usagereferencedocument,whichwillbetransferredontotheSLA-READYmarketplaceasaneasytoreadreferencefortheSLA-READYstakeholderswhichareherewithcategorisedas:1.SMEs,2.LargeCompanies,3.CloudServiceProviders,and4.CloudServiceCustomers.

Figure1.DevelopingandvalidatingtheSLA-ReadyCRM.

Taking as a starting point the initial version of the CRM from deliverable D2.3, thisdeliverable consolidates the elements of the CRM and further validate it (beyond theinitialvalidationdoneinD2.3)withthelateststateofpracticeandrelevantstandardsandwithmoresector-specificusecases.

ThisdeliverablealsoprovidesarecommendationmethodologytoleveragetheadoptionoftheCRM,byprovidingwiththe levelof importanceoftheCRMelementsadaptedtothecharacteristicsofnewbusinesscases.

Finally, thisdeliverableextends the"SLA-Readiness Index" introduced inD2.3.TheSLA-ReadinessIndexcomplementstheevaluationoftheCRMagainstmultipleCSPs.


1.1. PositioningD2.4withinSLA-ReadyThisdeliverable (D2.4), is the final iteration for the creationof theCommonReferenceModel (CRM) todefine cloudSLAs.D2.4buildsuponD2.3 thatprovidedan initial CRMalongwithaninitialvalidationoftheCRM,whichissubsequentlyusedinD2.4toconductacomprehensivevalidationwithrespecttothecurrentmarketstatus.

Figure2showstherelationshipbetweenD2.4andtherestoftheWP2deliverables.TheCRM was created with the inputs received from: (i) WP3 (International cooperation,consensus and standardisation), (ii) the analysis of the state of practice carried out inD2.2,and(iii)thefeedbackreceivedfromtheSLA-Ready’sAdvisoryBoard.

Figure2.D2.3withinSLA-Ready

1.2. StructureofthisreportTheD2.4reportisorganizedasfollows:• Section2describestheprocessbehindthevalidationoftheCRM.• Section3describestheactualCRM.• Section4comparestheCRMwiththemainstandardsandbestpractices,andalsomaps

theCRMcomponents to theSLAmodelsproducedby thestandardizationcommunity.ThissectionanalysesthecoverageoftheCRMwithrespecttothestandards.

• Section5describestheanalysisofseveralusecaseswithrespecttotheCRM.• Section 6 describes the recommendationmethodologybasedon theCRMandon the

analysedusecases.• Section7includesthecomparisonbetweendifferentCSPsbyusingtheCRMandbased

oncloudassessmenttechniques.• Section8concludesthedeliverable.


PleasenotethatthelistingoftheconsideredusecasesandtheCRMquestionnairefortheCSPsappearsinAnnexesA,BandC.

2. ImprovingthevalidationoftheCRMThissectionpresentstheapproachfollowedinD2.4toconsolidateandvalidatetheCRM.Figure3representstheinitialprocessdevelopedinD2.3tovalidatetheCRM.InD2.3theprocess startedbyconductinga two-stepanalysis.First, theCRMwascompared to thedefinitionsandmodelsproposedbythestandardizationcommunityandworkinggroups.More specifically, the analysis was done with respect to five references, namely (a)ISO/IEC 19086, (b) the cloud SLA checklist from the European Union, (c) the CloudStandardsConsumerCouncil,(d)theC-SIGSLAguidelinesand(e)ETSI.

Figure3.CRMinceptionandinitialvalidationinD2.3

Secondly,theCRMwascomparedwithrespecttofourrepresentativeusecasesobtainedfrom the targeteddomainsof financial sector, public sector, and fromSMEs. Thebasicpurpose of this comparisonwas to ensure the broad relevance of the elements of theCRMacrossthediverseusecasebeinganalysed.

TheresultwasanoverviewoftheprioritiesthatmakessomeelementsoftheCRMmorerelevantthanothersacrosstheusecases.D2.4buildsworkuponthese initial resultstoprovidebothacomprehensiveanalysisoftheCRMandalsoestablishingitsbroadvaliditybyevaluatingoveranextensive23usecases.


Another result obtained from the initial validation of the CRM in D2.3 was a generaloverviewofthetechniquestoevaluatethereadinessoftheCRM,includingalsotheinitialinsightsoftheSLAmarketplacealongwithD4.2.D2.4comprehensivelyextendsthiswithadditionalvalidationactions.

Figure4depictstheoverallprocessfollowedinD2.4.Inordertoimprovetheanalysisofthe CRM, D2.4 reports an extended evaluation of the CRM based on the analysis ofmultipleusecasescoveringinterdisciplinaryareas.TheCRMhasalsobeenupdatedwithrespecttothelatestdevelopmentsinongoingstandardsandworkinggroups.

Asaresult,theCRMhasbeenusedtocarryoutatwo-foldvalidation:• TheanalysisoftheCRMwithrespecttothecompletesetofusecaseshasallowed

identifyingthemostrepresentativeusecasesdomains.ThesedomainsareusedtoprovidewiththerecommendationofthemostimportantelementsoftheCRMfornewbusinesscases.Theprocess(asdescribedinSection6)classifiesnewbusinesscasesintodistinctcategories.Foreachcategory,therecommendationmethodologyinforms about the relevance of every element of the CRM. This information isadaptedtothecharacteristicsofthebusinesscasebeingstudied.

• The evaluation of the readiness index of the CRM. The security assessmenttechniquesintroducedinD2.3hasallowedustocomparedifferentrealworldCSPsaccordingtotheirofferedSLAandbasedontheCRM.TheresultscanbeorganizedinarankingthatprovidesCSPswithbothfeedbackandrecommendations.

Figure4.FinalCRMandextendedvalidationinD2.4


3. TheCommonReferenceModel(CRM)This section overviews the SLA-Ready’s proposed CRM. Section 3.1 summarizes therequirementselicitedfromD2.2,whileSection3.2outlinestheinitialversionoftheCRM.

D2.2conductedacomprehensiveanalysisoffoursignificantdomainsinordertoidentifythe common characteristics of the cloud service provisioning. Figure 5 represents theanalyseddomainsandalsohighlightsthevariedperspectives(i.e.,economic,sociologicalandlegalandgovernance)thatwereconsideredintheanalysisbyconsideringcustomersand stakeholders associated to the SLA-Ready partners. The technical perspectiveanalysedbothresearchprojects(ongoingandfinished)andthepertinentstandards.

Figure5.Requirementselicitation

The result of this analysis derives a list of requirements that represent the expectedinformation to be included in an SLA.We have used these requirements to transcendfromtheinformation“expected”inanSLAtoderivingtheproposedspecificelementsoftheCommonReferenceModel.

The process, to identify the elements of the CRM, starts by grouping the list ofrequirements elicited in D2.2. This identification process results into four initialrequirementsgroupsasdepictedinFigure6:

• Thegeneralrequirementscontainthe informationorcharacteristicsoftheSLAsthatdescribethegeneraltermsoftheserviceprovisioning,suchasthelanguageoftheSLAorthelengthoftheSLA.

• The responsibility related elements are the requirements that have to do with thepartiesinvolvedintheSLA.


• Theeconomicrelatedrequirementshavetodowithinformationrelatedtothebillingandcostassociatedtotheserviceprovided.

• The technical SLOs group the requirements related to the definition of technicalaspectsoftheserviceprovisioning.

Figure6.Groupedrequirements

ThisinitialsetofgroupshasbeenusedtofinetunethespecificationoftheelementsthatcomprisestheCRM.Overall,theSLA-ReadyCommonReferenceModelincludescommonvocabularies,SLOmetrics/measurements,bestpractices,recommendationsandstandardtemplates that can be used to define SLAs for different use cases and applicablecertifications.

Inorder to facilitate theapplicabilityof theCRMand to increase thegranularityof theanalyses that will be done using it, we have split these fourmain groups into severalsubgroups. This allows us to better adjust the elements of the CRM thatwill fulfil therequirementsidentifiedinD2.2.Furthermore,wehaveusedtherecommendationsfromtheISO/IEC19086toidentifythesegroups.Table1describesthe8groupsoftheCRM.

Table1.CRMGroups

CRMGroup Description

General DescribegeneralpurposefeaturesoftheSLA

Freshness DescribefeaturesrelatedtothevalidityoftheSLA

Readability DescribefeaturesrelatedtothelevelofunderstandingoftheSLA

Support DescribefeaturesrelatedtothelevelofsupportthatcustomerscanreceivefromtheCSP


CRMGroup Description

Credits DescribefeaturesrelatedtothecostsandbillingmanagementoftheSLA

Changes Describe features related toeventualmodifications carriedout in theSLAand themanagementassociatedtothosechanges

Reporting Describe the features related to the communications that theCSP transmit to thecustomerswithrespecttotheSLAmanaged

SLO&Metrics Describe the features related to the technical elements of the SLA and itscorrespondingcomponents.

Eachidentifiedgroupwillcontainoneormoreelementswheretheseelementshavebeenextracted from the CRM requirements. Some of requirements can be directlyextrapolated from the CRM requirements while the other more implicit requirementshavebeendividedintomorethanoneelementasdepictedinTable2.

Table2categorizestheelementsidentifiedineachgroup.Asalreadypointedout,someCRMrequirementsdirectlymaptothesamegroup.Others,suchas"Choiceoflaw"havebeenmoved to the general group, as it describes the scopeof applicabilityof the SLA,whichrepresentsageneralaspect.

Table2.GroupsandelementsoftheCRM

Group NameofCRMelement Description

General SLAURL NeededforSMEstoeasilyreferencetheSLA.

Findable This element represents the difficulty to find the SLAontheCSP´swebsite.

Choiceoflaw DescribesiftheSLAappliestoaparticulargeographicalregion,jurisdiction.

Rolesandresponsibilities DescribestheresponsibilitiesofthepartiesinvolvedintheSLA(customerandprovider(s)).

CloudSLAdefinitions AdescriptionofthetermsusedintheSLA.

Freshness Revisiondate The revision date might be important for theuser/customerthatalreadycreatedSLAsbeforewithaCSP toeasily identify that theremaybe changes thatneedtobereviewed.

UpdateFrequency MostoftheCSPswillonlyupdatetheSLAwhenanewfunctionalityorway touse the services areprovided.For public SLA, CSP’s will avoid to have to managemultipleapplicableSLA. Inmostof thecases, the lastoneistheoneapplicableforallservicetransactions.Inmany cases, SLA updates are related to the monthlybillingprocess(anewSLAstartswithanewmonthandanewwaytocalculatethebill).


Previousversionsandrevisions

The CSP should have a repository with the previousversions/revisionsoftheirSLAs.

SLAduration The common practice is to have a SLA valid until thenext one is released. The CSPwill try to have a validSLAaslongaspossibletoavoidanydisagreementwiththecustomer.

Readability SLAlanguage HavingtheSLAavailable/locatedinmultiplelanguagesfacilitatesitsreadabilityandunderstanding.

Machine-readableformat This aspect benefits automation on the SLAmanagement. May prove useful to empowerCustomers.

Nr.ofpages ThestateofpracticeistohavenotsoreadableSLAandquiteoftenbuildusingmanylinksandredirection.ForSME,SLAshallconsistoftwopagesatthemaximum.

Support Contactdetails Easy to locate contact details benefit SME trying tosolvequestions about the SLAduring the life cycleofthecloudservice.

Contactavailability Helpdesk availabilitymay benefit the SMEperceptionofassuranceontheCSP.

Credits ServiceCredit CreditreferstotheamountofmoneythatusuallytheCSPsparestotheCustomerforusingitsservices(e.g.,pre-payment).AftertheprovidedCredit,theCustomerwillbebilledbytheCSP.Forpubliccloud,thestateofpractice is "pay as you go". For most of CSP, thisfeatureisnotyetimplemented.Forsomeservices,thisfeaturecoulddamagethecustomer(forexample:endofthecredit,endofthecloudserviceanduncertaintyaboutcustomerdataifany).

Servicecreditsassignment

Refers to the stakeholder (CSP or Customer)determiningofthecreditsareprovided.

Maximumservicecredits(Euroamount)providedbytheCSP

Refers to the amount of credits (in Euros) that areprovidedinorderfortheCustomertousetheservicesfromtheCSP.

Changes SLAchangenotifications Thecommonpracticeistonotifyonlychangesthatcanimpact the service provided to the customer. Ascommon practice,minor changeswill not be notifiedto the customer. The number of change notificationsto customer have an impact on the customerperception of quality of the cloud platform, so CSPswillonlynotifymajorchanges.

Unilateralchange ThecommonpracticeistochangetheSLAunilaterally.The terms and conditions of the new SLA inmost ofthe case may have been evaluated through a set of"beta testers" chosen among trusted


customers/partners.

Reporting ServiceLevelsreporting Refers to the reporting done by the CSP (eithercontinuous or not) related to the achieved ServiceLevels in a period of time. This is useful for theCustomertocomparewithrespecttotheagreedSLOs.ThecommonpracticeistojointheSLAreportingwiththecustomer'sbill.

ServiceLevelscontinuousreporting

Specifies if the Service Levels reporting is actuallycontinuous.

Feasibilityofspecials&customisations

For IaaSCSP, theCustomer shouldexpect thatall thecustomisationsarefeasibleontheinstalledsoftware.

GeneralCarveouts Describes the potential exclusions of someprovisionsof the SLA, according to some kind of condition orassumption.

SLOs&

Metrics

SpecifiedSLOmetrics IndicateswhetherSLOmetricsareincludedintheSLA.Only few CSP describe the mechanism used tomeasuretheSLAattributes.Mainlybecauseitisnotaneasy task and the customer needs to be matureenough to analyse the rightness of themeasurementmechanism.

GeneralSLOs SLOs related to general aspects of the SLA, such asAvailability.

CloudServicePerformanceSLOs

SLOsdescribingperformanceindicators.

ServiceReliabilitySLOs SLOsrelatedtothereliabilityoftheservice.

DataManagementSLOs SLOs related to the management of the informationhandledbytheservice.

SecuritySLOs SLOsrelatedtosecurityaspectsoftheservice.

PersonalDataProtectionSLOs

SLOsrelatedtothemanagementofsensitivepersonalData.

Therefore,theCRMfollowsahierarchicalstructure(asdepictedinFigure7).ThetoplevelrepresentsthemainCRMGroupsthatorganizetherestoftheelementsoftheCRM.Thecore of the CRM is the CRM Element level that includes the main parts that can bemappedtothedifferentaspectsofSLAs.


Figure7.CRMhierarchicalspecification

The lowest level comprises the CRM Components that could be part of some CRMElements. Currently just the "SLOs & Metrics" group contains elements that includescomponentsatthelowestlevelofthehierarchy.Figure8depictsthe7elementsthatarepart of the "SLO & Metrics" group and the components that are included in everyelement.ThosecomponentsarecompliantwiththeclassificationofSLOsasdescribedinthe ISO/IEC 19086 specification. Two elements of the "SLO & Metrics group" providegeneralinformation:

• The "Specified SLOmetrics" element is used to represent the existence of SLOsandmetrics in thedescriptionof theSLA.Obviously, if theSLAdoesnot specifysuchinformation,therestofthecomponentsofthisgroupwillalsonotappearintheSLA.

• The"General"elementisusedtorepresentwhetherthegeneralelementsoftheISO/IEC 19086 specification are included in the SLA. More specifically, the twocomponentsexpectedunderthiselementare(i)theexistenceofafieldintheSLAtodescribetherolesandresponsibilitiesand(ii)theexistenceofafieldtoexplainthecloudSLAdefinitions.

The rest of the elements of this group represent technical aspects of the SLA (such assecurityorprivacy).Forconsistency,thenamingconventionusedhereinhasbeentakenfromthe ISO/IEC19086specification.Thesecomponentsof theCRMareused tocheckwhetherthosetechnicalaspectsareincludedinSLAs.


Figure8.ComponentsoftheSLO&MetricselementoftheCRM

Onthisbackground,thefollowingsectionsanalysetheCRMfromtwoperspectives:

• Fromthestandardizationcommunity,byanalysingthelevelofcomplianceoftheprominentstandardsonSLAspecifications.

• From the industrial perspectives by analysing use cases from representativesectors(suchasfinancial,SMEandpublicsectors).

3.1. SummarytakeawaysSummarytakeaways

• TheCRMisbasedonrequirementsgatheredfromthestudyoffourdifferentdomainsspanning the technical domains (including standardization bodies and researchprojects),theeconomicdomain,plusthesociologicalandlegaldomainsbyanalysingthecurrentstateofpracticeonSLAsintheindustrialsector.

• Thecompiledrequirementsweregroupedaccordingtofourmainareas identified inthestudyoftheaforementioneddomainsas:generalaspectsofSLAs(relatedtothesociological analysis), responsibility related aspects (related to the legal analysis),economicaspects(relatedtotheeconomicanalysis)andtechnicalaspects(relatedtotheanalysisoftheresearchandstandardizationdomains).

• TocreatetheCRM,wehaveevaluatedthecompiledrequirementsandsplitthefourareas identified in the requirements into eight derived groups compliant with thelatestISO/IEC19086specification.

• TheCRMisorganizedasahierarchy,with8Groupsatthetopcontaining30Elements.


• TheElementsof theCRMhavebeentakeneitherdirectly fromtherequirementsorfrom the current relevant standards, when a directmapping requirement-standardwaspossible.

• Additionally,theelementsofthegroupSLO&Metricscontain46componentsderivedfromthetechnicalaspectsidentifiedinresearchprojectsandstandards.

• Intotal,theCRMiscomposedof8groups,30elementsand46components


4. CRMmappingtostandardsandbestpracticesInordertomaximizetheimpactandtofacilitatetheadoptionofthecontributedCRMbythe industrial stakeholders, and in particular by SMEs, it is necessary to ensure itsalignmentwith relevant standards and best practices. This taskwill also benefit SMEs,whoaretypicallynotcloudexperts,andoftenhavevery limitedunderstandingofcloudSLAsandespeciallytheroleofrelevantrelatedstandards/bestpractices.

Consequently, this section starts thealignmentprocessby conductingagapanalysisoftheCRM from the standardisationandbestpracticesperspectivebyusingas input theworkdonebySLA-Ready'sWP3relatedtorelevantstandards/bestpracticesinthisfield.OurgoalistoascertainthedegreeofstandardisationrelatedcoverageoftheCRM,suchthattheSMEsusingithaveassurancethattheprovidedSLAguidanceisalignedwiththerelevant standards and best practices. Furthermore, the results of the gap-analysisperformed in this section can be used by the SLA-Ready marketplace (please refer toWP4) in order to create interactive guides that, based on the SMEs requirements, canrealise both the (i) CRM elements to consider for their own use cases, and (ii) outlinestandards/best practices that could be taken into consideration either as developmentguidelinesorreferences.

4.1. InitiativesbeinganalysedBased on the activities performed by WP3, this section focuses on gap analysing thecontributed CRM with respect to the following relevant set of standards and bestpractices:

Table3.StandardsandbestpracticesrelevantforvalidatingtheCRM

Organisation Initiative

acronym

Initiative RelevancetotheCRM

CSCC CSCCSLA PracticalGuide toCloudServiceLevelAgreements–v2[1]

The 10 recommended CSCC SLAstepsarestateofpractice.

EC C-SIGSLA Cloud SLA StandardisationGuidelines[2]

Theseguidelinesbecamepartofthe EC contribution to ISO/IEC19086-1, and represent one ofthe main results from therespectiveC-SIGgroup.

EC SMART Standards terms andperformance criteria in servicelevel agreements for Cloudcomputingservices[3]

The proposed Model SLA is themostcurrentEC-sponsoredstudyinthisfield.

ETSI TR103125 SLAsforCloudservices[4] The defined SLA template isrelevanttotheindustry.


Organisation Initiative

acronym

Initiative RelevancetotheCRM

ISO 19086-1/-4 Cloud SLAs terminology, andsecurityandprivacy[5]

Both standards are generatinghigh expectations with theindustry, soCRMalignmentwiththem will also maximize itschancesforindustrialadoption.

EUH2020SLALOMProject

SLALOM SLALOM SLA Specification andReferenceModel[22]

The EU SLALOM projectproposed a cloud SLA model,including related best practices,which are also aligned to therelevant ISO/IEC19086 familyofstandards.

EUH2020SLALOMProject

SLALOM Model contract for CloudComputing[23]

This SLALOM deliverabledocuments he legal modelproposedbytheproject,whichisaimed to complement SLALOM’sSLASpecification.

Pleasenotethattheapproachfollowedinthissectionisdesignedtobeeasilyextendable(after the endof SLA-Ready) as new standards andbest practices (also relevant to theCRM)getreleased.

Table 4 summarizes the results of the performed gap analysis. For each analysedstandard/bestpractice,weassessifthecorrespondingCRMelementisbeingreferencedornot.Fromtheperformedanalyses,itmaybenotedthatthecontributedCRMhasthepotentialtoimprovecloudcustomers’understandingrelatedtoSLAs,whileatthesametimeprovidinggoodcoverageoftheelementsincludedintheserelevantstandards/bestpractices.ThemostevidentbenefitoftheCRMwithrespecttosurveyedworksisinthefollowinggroups:General,Freshness,ReadabilityandCredits.Asalreadymentioned,theresults shown in Table 4 were used to structure SLA-Ready’s guidance documentsproduced byWP3 andWP4. The current versions of the ISO/IEC 19086-1/-4 standardsusedfortheCRManalysishavenotbeenchangedsincetheresultsshowninthepreviousdeliverable(D2.3).


Table4.CRMcoverageofrelevantstandardsandbestpractices

CRMcoveragetorelevantstandards(Yes/No)

CRMelement ISO/IEC190862(Part1andPart4)

CloudSLAchecklist3

GuideforEvaluatingCloudSLAs4

C-SIGSLAGuidelines

ETSI’scloudSLAtemplate5

SLALOMSLASpecificationandReference

Model6

SLALOMModelcontractfor

CloudComputing7

SLAURL No No No No No No NoFindable No No No No No No No

Choiceoflaw No No No No No No Yes

Rolesandresponsibilities Yes Yes Yes No Yes No Yes

CloudSLAdefinitions Yes No No Yes Yes No Yes

Revisiondate No No Yes No Yes No No

UpdateFrequency No No Yes No Yes No No

2Analysisperformedwiththelatestversionsavailableatthetimeofwritingthisdocument:19086-1(DIS)and19086-4(WD)

3PleaserefertoAnnex1in“Standardstermsandperformancecriteriainservicelevelagreementsforcloudcomputingservices(SMART2013/0039)ModelSLA”

4Pleasereferto“PracticalguidetoCloudSLAsversion2“,CloudStandardsConsumerCouncil.2015.

5Pleasereferto“SLAsforCloudServices,"ETSITR103125,2012andthe"TemplateforSLAs"",ETSIEG202009-3,2006.

6Pleaserefertohttp://slalom-project.eu/.LastaccessedonNov2016.

7Pleaserefertofootnoteno.6




CloudSLAchecklist3


C-SIGSLAGuidelines



Model6


CloudComputing7

Previousversionsandrevisions No No Yes No Yes No No

SLAduration No No Yes No Yes No Yes

SLAlanguage No No No No No No Yes

Machine-readableformat No No No Yes No No No

Nr.ofpages No No No No No No No

Contactdetails Yes Yes Yes Yes Yes No Yes

Contactavailability No No Yes Yes Yes No No

ServiceCredit No No Yes No No No Yes

Servicecreditsassignment No No No No No No Yes


No No No No No No Yes

SLAchangenotifications Yes Yes Yes Yes Yes No Yes

Unilateralchange No Yes Yes No No No Yes

ServiceLevelsreporting Yes Yes Yes Yes Yes Yes Yes

ServiceLevelscontinuousreporting No Yes Yes No Yes No Yes

Feasibilityofspecials&customizations No No Yes No No No No

GeneralCarveouts Yes No Yes No No No Yes

SpecifiedSLOmetrics Yes No Yes Yes Yes Yes No




CloudSLAchecklist3


C-SIGSLAGuidelines



Model6


CloudComputing7

GeneralSLOs Yes Yes Yes No Yes Yes No

CloudServicePerformanceSLOs Yes Yes Yes Yes No Yes No

ServiceReliabilitySLOs Yes Yes Yes Yes Yes Yes No

DataManagementSLOs Yes Yes Yes Yes Yes No No

SecuritySLOs Yes Yes Yes Yes Yes Yes No

PersonalDataProtectionSLOs Yes Yes Yes Yes No No No


4.2. Summarytakeaways

Summarytakeaways

• TheanalysisoftheCRMwithrespecttosurveyedstandardsandbestpracticesshows

thatthereisagoodcoveragerelatedtotheCRM’sSLOselements.However,general-

purpose SLOs (e.g., related to existing certifications, and SLA governance) are only

discussed in ISO/IEC 19086-1 and the Cloud Standards Consumer Council’s (CSCC)

"PracticalguidetoCloudSLAsversion2"[1].

• Mostoftheanalysedworksutilizedanystandardizedorconsistentformatstospecify

theactualSLOmetricstouse(pleaserefertoDeliverable2.2forexamples),although

inmanycasestheyprovidedselectivehigh-levelmetricsasexamples.Oneexception

is SLALOM [22], which proposed a machine-readable specification for SLA metrics

basedonISO/IEC19086-2.

• Unfortunately, relevant standards such as the upcoming ISO/IEC 19086-1/-4 do not

contain any reference related to essential CRM’s elements that SLA-Ready has

identified as significant means to empower/guide SMEs in their transition to the

cloud. For example, the advocatedelements suchas SLA findability, update/validity

period, available languages, are still not addressed by the standards. The same

situation occurs with known best practices such as the "Cloud SLA checklist"

containedintheSMARTECreport[3].AnexceptionisSLALOM[23]whichconsiders

someofthoseCRMelements.

• From the analysed-standards/best-practices both the CSCC and SLALOM reports

providedthehighestCRMcoverage.However,wenotethattheCSCCreportstillhas

conspicuous gaps related to CRM’s elements such as choice of law and others as

reported in ISO/IEC 19086-1/-4. Both SLALOM reports [22] and [23| altogether

provide a good coverage of the CRM proposed by SLA-Ready. While [22] is more

focusedonmetrics,thereport[23]coverssomeoftheotherCRMelements.

• Despitenotbeingcloud-specific, theSLA templatedefinedbyETSI in their "ETSIEG

202 009-3" report also shown a good coverage of the CRM elements. This was

expectedduetothefactthatsuchtemplatewasreferencedinETSI’s"SLAsforCloud

Services"technicalreport.


5. SectorspecificityofCRMsThevalueoftheCRMcomesfromitscustomizabilitytothevariedapplicationdomains,

andhencethissectionanalysestheCRMbystudying23usecasesfromvarieddomains.

Each of the use cases is analysed by first taking the CRM as a reference, and then

assessing which CRM elements are actually applicable to these use cases along with

consideringtheirprioritiestherein.

5.1. Usecasetemplate

TheusecaseanalysisoftheCRMpresentedinthissectionaimsto(i)quantitativelyassess

the relative importance of each CRM element with respect to specific cloud Service

Customer(CSC)requirements/usecases,(ii)extrapolatetheconclusionsdrawnfromthe

CRM to the more general ETSI CSC use cases [6], and (iii) link the results from the

presented analysis to the SLO metrics introduced in D2.2. Furthermore, the use case

templateusedinthepresentreporthasbeenenhancedtobetterprofiletheSMEinorder

toprovideamajorfocusonextractinginformationrequiredforthefollowing:

• Theguidancein"D3.3-ABusinessGuidetoServiceLevelAgreements:Howtobe

awell-adviseduserofcloudservices".

• The analysis for the automated recommendation of CRM good practices,which

willbeintroducedinSection6.

For theanalysisof theusecases,wewillusethetemplateshown inTable5wherethe

detailedinformationaboutthetargetcloudscenarioandtheinvolvedSLAsarecollected.

With respect to the former, the proposed template gathers information related to the

more general ‘Base Use Case’ being used (as presented in D2.2), with the goal of

relating/extrapolatingtheresultsoftheanalysistotheETSIscenariospresentedinAnnex

Aof this report.Asmentionedabove, the templatealsocollects information related to

theSME’smaturity level in relationship to theusecasebeingdocumented (i.e.,novice,

basic or experienced), and target cloud service characteristics (i.e., life-cycle,

preconditionsandrequirements).

Moreover,theproposedtemplatecanbeeasilyre-usedandextendedtodocumentand

analysenewusecasesspecifictotheSMEsthatwouldliketoadoptSLA-Ready’sapproach

toleveragetheproposedCRM.


Table5.UseCaseTemplate

Identification Title UCname

SMEMaturity Oneormoreofthefollowing:

• Novice:noknowledge,noexperience

• Basic: some knowledge, but no practical

experience

• Experienced: some practical experience

(eithergoodorbad)

Base Use Case (cf., Deliverable2.2)

Reference Use Cases as taken from the ETSI CSC

report.Oneormorefrom:

• AP:ApponaCloud

• CB:CloudBursting

• SD:ProcessingSensitiveData

• DI:DataIntegrity

• HA:HighAvailability

PleaserefertoD2.2formoreinformation.

Shortdescription Short summary/user-story of the use case

highlightingapplicableindustrialsector

CloudActors Listofinvolvedactors/stakeholdersfromETSICSC:

• CloudServiceProvider

• CloudServiceCustomer

• CloudServicePartner

PleaserefertoAnnexAformoreinformation.

CloudServicelife-cyclephase Anyofthefollowing:

• Acquisition

• Operation

• Termination

PleaserefertoD2.2formoreinformation.

Legal and Data Protectioncompliancecriteria

List of legal and data protection requirements

associatedtotheusecase

PreconditionsandRequirements

Securityandprivacyrequirements

Summary of security requirements to be taken into

accountforthescenario

Additionalpreconditionsandrequirements(e.g.,performance)

Assumptionsmadeprior to theexecutionof theuse

case

ExistingSLAstandardsandbestpracticestorelyon

ListofSLAstandards/bestpracticestorelyon:

• ISO/IEC19086

• SMARTSLAModel

• CSCCPracticalGuidetoCloudSLAs

• C-SIGSLAGuidelines

• ETSICloudSLAtemplate

PleaserefertoSection4formoreinformation.

Additionalcomments Addcomments,remarks,suggestions,asyouseefit

Summary Conclusionsrelatedtotheusecaseanalysed


5.2. UsecasesandCRMmapping

This section demonstrates the applicability of the proposed template (cf., Table 5) for

analysingthedevelopedCRMfromtheusecasesperspective.Inparticular,wefocuson

the analysis of 23 real-world use cases, chosen by the consortium because of their

relevance to SMEs. Asmentioned in the previous section, the performed analysis (and

template)canbeextendedtootherusecasesreflectingtheneedsofspecificSMEswilling

toleverageSLA-Ready’soutcomes.Theresultsofthissectionwillbeusedasinputforthe

recommendationmethodologydetailedinSection6.

5.2.1. Usecase1:Fintech-Financialsectorusecase

Most start-ups and (other) SMEs that are active in the Fintech industry (where the

financial services meet new technologies and business models) wish to develop and

exploittheirrespectiveservicesandproductsontopofcloud-basedservices,inparticular

eitherIaaSorPaaS.Cloud-by-defaultisbecomingmoreandmorethestandard,asbasisto

develop, rely, and exploit its own PaaS, respectively SaaS. The use case has been

simplified inorder tomakeclearamajor requirementon theSMEsideasanassertion

that‘onecannotacquireorprocureanythingwithoutfirstassessingwhatitwouldliketo

acquireorprocure’.

Table6.Usecase1:Fintech

Identification Title FintechEarlyStageSeekingIaaS(Financialsector)

SMEMaturity • Experienced

BaseUseCase (cf.,Deliverable2.2)

• AP:ApponaCloud




Shortdescription There are lot of startups and SMEs that are active in

theFintechindustry(wherethefinancialservicesmeet

new technologies and business models) with an

operational and business plan to develop and exploit

cloud-basedservicestotheircustomersandend-users.

For this, most will consider procuring either IaaS or

PaaS from respective CSPs that offer these cloud

services, whichwill be used as basis to develop, rely,

andexploit theirownPaaSrespectivelySaaS.ThisUse

CasefocusesonaFintechcompanyprocuringIaaSfrom

majorIaaSCSP.

CloudActors IaaS CSP as vendor. Fintech Early Stage company as

customer, with the intent to build and exploit their

ownSaaS to itsowncustomerswhich in thisusecase

are financial institutions thatwish their bank account

holderstogiveaccesstosaidSaaS.

CloudServicelife-cyclephase • Acquisition

Legal and Data Protection Before looking for appropriate IaaS CSPs, and finding


compliancecriteria andassessingthetermsandconditions(includingSLA)

that may be applicable in the relationship between

such IaaS CSP and the Fintech Early Stage company,

first, this Fintech Early Stage company (with founders

and management with university degrees) maps the

mainlegalcompliancecriteriaitdeemsrelevantinthe

initialphase. (1)TheFintechEarlyStagecompanyand

itscustomer (bank)aswellas itscustomersarebased

in The Netherlands. (2) Furthermore, the financial

sector industry is high-regulated, including special

requirementsforvendors (includingwithout limitation

anyCSPs),whichincludetherightofthebankauthority

tobeabletoauditthevendorsintherespectivesupply

chain. (3) Personal data is involved, so the data

protection regulation and legislation is applicable as

well.Thesethreemain legalcriteriaareknowntothis

Fintech Early Stage company. (4) Its prospective

customers (banks) are known for their strict

procurement, including information security

requirements, andhigh levelofexpectationof service

delivery. (5) There are no particular needs on IaaS,

expectforthatitshouldberelatively(a)cheapand(b)

easytodevelop,exploitandmaintain itsownSaaSon

topoftheIaaSoftheselectedCSP.



Thesecurityrequirementsthataregenerallyrequested

by prospective customers (banks) – to the extent

known beforehand – and that are known to be

commonpracticeintherelevantmarketaretakeninto

account.


CSP Vendor pre-selection. After doing their internal

desk research on the above, this Fintech Early Stage

companystartswithlandscapingtheresultsandbased

on that it starts its pre-assessing of which IaaS CSP

wouldbeabletodeliver,andonwhatconditions.With

that,itwillrequestproposalsofthepre-selectedCSPs.

Existingstandardsandbestpracticestorelyon

Neither the prospective customers (banks) nor the

bank authorities have the standards or best practices

that are commonlyused. For instance thebankshave

theirown(withoutanFSIindustry)bestpracticebeing

available regarding cloud services. This is because the

bankauthoritiesdonotseeitasitstasktoprovidesuch

standard,guidelinesorthelike.

Additionalcomments N/A

Summary Without some reasonable assessment, it is impossible to procure cloud services. This

basicallygoesforgenerallyallprocurementbutitisespeciallyrelevantastherearemany

types of cloud services, services models, deployment models, and even in the right

categorythereisalotofvarietyinofferingsandterms.ThisUseCaseshowsthatwithout

diligenceandproperassessmentandpre-selectionlandscaping–whichcouldbeabitless

comprehensivethanintheUseCasedescribedabove–,evenareasonablyinformedCSC

isnotabletostartprocuringtherightcloudservices


5.2.2. Usecase2:GovernmentalCloud

The following use case is based on ENISA’s "Security Framework for Governmental

Clouds" report [7], more specifically on the Estonian Governmental Cloud (Gov Cloud)

which offers services to both citizens and Public Administrations based on a

geographicallydistributedcloudinfrastructure.Theusecasehasbeensimplifiedinorder

tofocusonitsSLA-relatedaspects.

This use case is relevant to SLA-Ready given that the requirements of small Public

Administrations provisioned by the Estonian Governmental Cloud resemble those

typicallyelicitedbyEuropeanSMEs.

Table7describesthisusecaseinfurtherdetailbasedontheproposedtemplate.

Table7.Usecase2:EstonianGovernmentalCloud

Identification Title Governmental Cloud (Small Public Administration

usingGovernmentalCloud)



• AP:ApponaCloud



Shortdescription

In 2013, the Government of Estonia took the first

steps to deploy a Governmental Cloud with three

mainprinciplesguidingitsdevelopment:

• Using Cloud solutions located within Estonia’s

nationalborders,

• UsinginternationalprivateCloudresources,and

• UsingDataEmbassies(cloudstorage).

TheEstoniangovernmenthasbuiltthefoundationof

a highly developed information society, and its ICT

development has taken Estonia to a stage where

manyregistersandservicesonlyexistindigitalform.

This development requires a flexible and secure

GovernmentalCloudsolution.Sufficientflexibilityhas

to be planned in advance. The State

Infocommunication Foundation leads the

Governmental Cloud development, which is

responsible fortheconsolidationofserverresources

and provision of high-quality server hosting services

withinEstonia’snationalborders.

The Estonian Public Administration (PA) is themain

cloudcustomerofthenationalGovernmentalCloud.

In some cases, PAs are provisioned with IaaS

resources (e.g., virtual machines), but also PAs

provision Governmental cloud-based services to

citizens. The Governmental Cloud system does not

storepersonalidentifiabledata.

CloudActors Listofinvolvedactors/stakeholders:

• Cloud Service Providers, which provision


their services to the Governmental Cloud

according to the requirements specified by

the Cloud Owner (Estonian Government),

and usually described on Service Level

Agreements(SLA)andothercontracts.

• Cloud Service Customer: the Public

Administrations using Governmental Cloud

services

Thisusecasedefinesanadditionalactor,namelythe

Governmental Cloud Owner, which relates to the

organization that legally owns the Governmental

Cloud and defines policies and requirements. The

analysis of this use case considers that the

Governmental Cloud Owner is the actor offering an

SLA to the cloud customers (PAs). The offered SLA

already takes into account the capabilities from

participantCSPs.

CloudServicelife-cyclephase • Operation


The Governmental Cloud does not manage any PII

data from the citizens. Legal compliance criteria are

definedbytheEstonianPublicProcurementAct8.



Thefollowingstandardsandbestpracticesarebeing

leveraged by the Estonian Governmental Cloud: ISO

27001, ISO 27002, BSI IT, and the Estonian ISKE

securityframework.[8]


Highavailabilityisamainconcerninthisusecase,in

order to guarantee continuous provision of PA

servicestothecitizens.


Notapplicable


Summary This use case focused on a Governmental Cloud user (probably a small municipality),

which is not a cloud-computing expert but nevertheless needs to make use of this

technology. This use case is relevant to validate the CRM from a (small) Public

Administration perspective, and shows a particular focus on functional requirements.

Also,thisusecasetakesintoaccountthefactthatthissectorisparticularlyimportantfor

CSPs,thereforesomedegreeofflexibilityintheirSLAscouldbeexpected.

5.2.3. Usecase3:ConsultLess,SMEsusingSaaS

ThisusecaseisbasedonENISA’s"CloudSecurityGuideforSMEs"[9],inparticularrelated

to theexample scenario shown inAnnexAof the referenced report (i.e., "ConsultLess,

SMEusingSaaS").Therelevanceof thisusecaseforSLA-Ready isbasedon its focuson

8Pleaserefertohttps://www.riigiteataja.ee/en/eli/509072014009/consolide


both security and SLAs for SMEs that are transitioning to the cloud. Table 8 further

documentsthisusecase.

Table8.Usecase3:ConsultLess,SMEforusingSaaS

Identification Title ConsultLess,SMEforusingSaaS

SMEMaturity • Novice

• Basic


• AP:ApponaCloud



Shortdescription From ENISA’s report: "ConsultLess is a small

consultancy firm in the EU that has 20 employees

(mostly legal andmanagement experts). One of the

employees ispartnerandalso theChief Information

Officer (CIO) of the firm. ConsultLess decides to

procureofficesoftwareasaservice(SaaS)foruseby

its employees: the cloud service offers document

storage/editing, email and calendar. This cloud

service should replace an internal mail-server and

officesoftwareinstalledoncomputers."

CloudActors Listofinvolvedactors/stakeholders:

• CloudServiceProvider,whichprovisionsthe

storage/editing, email and calendar SaaS to

ConsultLess.ThisisapublicCSP.

• Cloud Service Customer, is the ConsultLess

SMEusingtheCSPSaaS.



Compliance is a critical factor in this use case.

Furthermore, some (not all) of the data stored and

processed is sensitive, and data leaks could have a

severeimpactonthereputation/businessofthefirm.



The following security and privacy requirements

applytoConsultLess:

• Physical security of the cloud assets should be

guaranteedbytheCSP.

• Timely patching and updating, adequate

backups,andsecurityasaserviceareallrequired

byConsultLess.

• TheCSPshoulddemonstratecompliancethrough

thosecertificationsrequiredbyConsultLess.

• ConsultLesswantstoavoidvendorlock-inissues.


ConsulLess is an established SMEs that currently

provisions in-house the ICT services being procured

fromthepublicSaaS.


NotbeingSLAsavvy,ConsultLessCIOrelaysontheC-

SIGSLAGuidelinesforprocuringitsSaaS.

Additionalcomments ConsultLess is not subject to any specific legal

requirements about cross-border processing or data

transfers.


Summary This use case considers an SME cloud customer, having some experience on this

technology,which isplanning touseanewCSP (SaaS).Thisusecasevalidates theCRM

from theperspectiveof a SME familiarisedwith cloud computing, andwith aparticular

focusonthesecurity/privacyimplicationsofthistechnology.

5.2.4. Usecase4:SMEsmigratingfromoneSaaSCSPtotheother

ThisusecaseisbasedonseveralreallifecaseswhereaSMEisusingcertainSaaSservices

thatatthetimeofprocuringthemwerenotfelttobethatmissioncriticalfortheSME’s

business. Subsequently it findsout thatupon theplansmade to shift from theexisting

SaaSCSPtoanewSaaSCSP,thecloudservicesusedandtobeusedhavebecomemission

criticalforthesurvivalandsuccessoftheSME.

Table9.Usecase4:SMEmigratingfromoneSaaSCSPtotheother

Identification Title SMEmigratingfromoneSaaSCSPtotheother

SMEMaturity • Basic

• Experienced


• AP:ApponaCloud




Shortdescription The SME is already using certain SaaS. At the time of

procuring it, itwas not felt to be thatmission critical

for the SME’s business. Upon the plansmade to shift

thecloudservicesfromtheexistingSaaSCSPtoanew

SaaS CSP, the SME founds out that its survival and

successdependsontheuseoftheparticularSaaS.

CloudActors The existing SaaS CSP as vendor, as well as the new

SaaSCSP.SMEascustomer,withthe intent toupdate

andrestructurethewaytheparticularSaaSisusedand

integratedintheorganizationoftheSME.

CloudServicelife-cyclephase • Termination


Asquitecommon,theSMEthat isalreadyusingcloud

services,inthiscaseSaaS,findsoutthatwhenitwishes

to change, amend or terminate the respective cloud

services it is bound by the standards terms and

conditionsoftheCSP, includingtheSLA.Tostartwith,

theSMEdoesnotknowwhichversionofthetermsand

conditions it has accepted in the past (and the CSP

generally does not know as well as per immature

administrationrecordingpractices).Besides,mostCSPs

donotmakeorkeepavailablethepreviousversionsof

its terms and conditions. In most cases, the CSP will

refer to its recent standards terms and conditions of

the CSP, applicable at the time of the request of the

SME. So, regarding the first 14 of the 22+ CRM

requirements, almost none are met automatically,

meaningwithouttheSMEactingitself.Thismeansthat

theSMEhasahugedisadvantage in termsof its legal


position,negotiationpowerandhasnoalternativebut

toadheretothetermsandconditionsprovidedbythe

CSP.Secondly,andregardingall26CRMrequirements,

the SME finds out that he does not have specific,

tailored options beneficial for his needs to terminate

theagreementwiththeCSPinawaythatascertainthe

businesscontinuityofthatSaaS,theassistanceneeded

to migrate process flows, data (including metadata

where necessary) to another SaaS CSP environment,

and adequately and cost-effectively wind-down and

discontinue the SaaS provided by the former CSP. In

short,theformerCSPisinfullcontrol,andtheSMEhas

a very weak bargaining position. It is a hard and

expensive lessons-learnedexercise fortheSME,which

in this use case the SME has used to the intent to

improvehiswayofprocuringcloudservicesandfollow

theCRMwhereimportantforhisbusinessandbusiness

continuity.DependingontheCSPtheSMEchooses,the

SMEmaybe able to succeed to someextent in these

goals and approach, this as per the current immature

natureofcloudSLAsandofferingsofCSP.Inanycase,

withtheexperienceobtainedandtheCRM,theSMEis

now ready to make an informed decision what to

choose.


Security and privacyrequirements

Non-applicable,asperthisusecase.However, forthis

type of SME customary requirements have be taken

into account while procuring the subsequent cloud

services.Noparticularstomentioninthiscase.

Additional preconditions andrequirements (e.g.,performance)


type of SME customary preconditions and

requirements have been taken into account while

procuringthesubsequentcloudservices.Noparticulars

tomentioninthiscase.



typeofSMEcustomarybestpracticeshavebeentaken

into account while procuring the subsequent cloud

services.Noparticularstomentioninthiscase.


Summary SMEsgenerallydonotspendtimeorotherresourcesonprocuringcloudservices,untiltheyfindoutitisworthwhiletodoingso.Thishamperstheirdevelopmentandbusinessopportunities,whichSMEsfindoutwhenit

maybetoolatealreadyforthemtochangecourse,butitisalsotheirmomenttoimprove

and pay more attention to procurement in general, and procuring cloud services in

specific.


5.2.5. Usecase5:CloudBrokering:ChargebackandShowback

Thefollowingusecaseisbasedon“ISO/IECSC38StandingDocument1-Compendiumof

CloudComputingUsageScenariosandUseCases”.ItsrelevancetoSLA-Readyresideson

the use case’s focus on interoperability, multi-cloud and brokering where the CRM’s

usefulnesscanbeeasilyobserved. It is important tohighlight that theCRM-analysis for

thisusecaseisperformedfromtheCSCperspective(i.e.,theCloudBrokerandinvolved

CSP’sare“visible”totheCSC).

Table10.Usecase5:CloudBrokering:CloudChargebackandShowback

Identification Title CloudBrokering:CloudChargebackandShowback


Base Use Case (cf. Deliverable2.2)

• AP:ApponaCloud

Shortdescription A CSC uses the services of a Cloud Broker to select

the CSP that fulfils its specific requirements. The

Brokerimplementsaservicecatalogueencompassing

services from multiple CSPs. In addition, the

catalogue clearly outlines charges for the various

resources that canbeprovisioned.TheCSCmakesa

selectionandtheCloudBrokerseamlesslyprovisions

the requested resource from the appropriate CSP

throughtheirAPIorotherinterfaceusingtheirnative

commands.Atthesametime,theBrokerhandlesthe

chargebacktotheCSC’sorganization,ifappropriate.

CloudActors • CloudServiceProvider


• CloudServicePartnerCloudServicelife-cyclephase • Acquisition


There are not generic legal/data protection criteria

applying to this particular use case. However, we

acknowledgethefactthatinthosecaseswheresuch

criteria exist, then the prospective cloud customer’s

analysisoftheCRMshouldreflectthose.



CSCswillbeabletotrackutilizationperidentityfrom

CSPsandbill theappropriateorganization foruseof

resources.

Additionalpreconditionsandrequirements(e.g.performance)

CSPs will provide necessary accounting information

toenableCSCtobillaccordingly.CSPsinteroperability

(includingbillingsystems)isrequiredinthisusecase,

andmostlymanagedbytheBroker.


• C-SIGSLAGuidelines

Additionalcomments None

Summary This use case is a representative example related to the usefulness of cloud SLAs for

decision-making processes. Cloud brokers are becoming more common in the cloud

ecosystem, so the analysis/good practices extracted from the CRM are expected to be

usedasguidelinesforprospectivecloudcustomers.


5.2.6. Usecase6:DistributionofSMETrainingMaterialtoMobileEmployees

Thefollowingusecaseisbasedon"ISO/IECSC38StandingDocument1-Compendiumof

Cloud Computing Usage Scenarios and Use Cases". It considers a scenario which may

becomefamiliartoseveralSMEs,whereemployeesareinvolvedandneedtohave(cloud-

)ubiquitousaccesstodocumentationfromanyplace.

Table11.Usecase6:DistributionofSMETrainingMaterialtoMobileEmployees

Identification Title Distribution of SME Training Material to Mobile

Employees


• Experienced


• AP:ApponaCloud



Shortdescription A SME must deploy the technical processes and

considerations to distribute educationalmaterial for

newproductstotheiragents.

Given the potential network traffic to be generated

by this process, it is necessary to rely on cloud

services. This use case can be considered as one of

manyusecases thatarepossiblewithmobile cloud,

whichnotionissimilartoDaaS(DesktopasaService)

exceptthatallservicesareformobiledevices.





This use case does not involve PII, therefore no

particular Data Protection requirement applies.

Authentication requirements (see below) are only

related to the IAM data contained in e.g., legacy

authenticationsystems.



Acorrectversionofthematerialshouldbedelivered

to authorised agents, and with an auditable access

control mechanism that enforces the company’s

securitypolicies.

Identitymanagement for access authentication, and

authorizationiscrucialforthisusecase.


The SME will distribute only static data (e.g.,

documents, presentations, leaflets digital format),

butitisnotconsideringdistributingdynamiccontent.

Besides integrity and consistency of distributed

content, it isnecessary toguaranteecommunication

betweenCSPandSME’sagents.


None


Summary Mobileandcloudcomputingarerepresentedinthisusecase.Thisscenariocanpotentially

applytoabroadvarietyofSMEs,thereforeitsrelevancetoSLA-Ready.Furthermore,this


scenario can be easily extended to comprise the integration of non-static content e.g.,

streamingvideotutorialsforthesalesrepresentatives.

5.2.7. Usecase7:EasyAgriSelling-SMEusingIaaS/PaaS

Thisusecaseisbasedonareallifecasewhereasmalltechstart-upintheEU,developed

an onlineweb shop software (as a service) for farmerswhowould like to start direct-

sellingtheirvegetablesandotherproducts.Farmerscansetupanonlineshop ina few

clicks - customizing their shop with a logo, colours and a description of their farm.

EasyAgriSellingisaSaaSproviderandtheyareacloudservicescustomerbuildingservices

onacloudproviderwhooffersthemIaaSandPaaSonwhichtobuildtheirproduct.The

relevanceofthisusecaseforSLA-Readyisbasedonitsfocusonsecurity,andalsoonSLAs

forSMEsthatarebeingbuiltinthecloud.

Table12.Usecase7:EasyAgriSelling,SMEusingIaaS/PaaS

Identification Title EasyAgriSelling,SMEusingIaaS/PaaS



• AP:ApponaCloud


Shortdescription EasyAgriSellingisasmalltechstart-upintheEU,

which developed an online web shop software

(asaservice)forfarmerswhowouldliketostart

direct-selling their vegetables and other

products. Their slogan is: “Selling your

agriculturalproduce to consumers,madeeasy”.

Farmerscansetupanonlineshopinafewclicks

-customizingtheirshopwithalogo,coloursand

a description of their farm. EasyAgriSelling

operates a pay-as-you-go model, charging no

monthly fee, but only charging their customers

whenproductsaresold.EasyAgriSellingisaSaaS

providerandtheyareacloudservicescustomer

buildingservicesonacloudproviderwhooffers

them IaaS and PaaS on which to build their

product. The SaaS platform runs on top of the

IaaS/PaaSplatform.



EasyAgriSelling - SaaS is both a vendor, as it is

paid by the farmers when they sell their

products andaCSC, as it pays for cloud service

from the IaaS/PaaS platform, which it uses for

running itsweb shop software for farmers. The

IaaS/PaaSplatformisaCSP.


• Operation


Availability is a critical factor in this use case.

Furthermore, security and privacy of payment


data is very important, as well as some of the

consumers’personaldata.Dataleakscouldhave

a severe impact on the reputation/business of

thefirm.

TheSME (EasyAgriSelling) is alreadyusing cloud

services, in this case IaaS/PaaS, and the CSP

(IaaS/PaaS platform provider) guarantees end-

to-end quality of service as well as guaranteed

performance against an abrupt increase of the

load.

TheSMEisresponsibleforthesoftwaresecurity

of the online web shop software, the web

interfaces used by the farmers (customers of

EasyAgriSelling) and the personal data and

paymentdataoftheconsumersbuyingfromthe

farmers.



For the SME (EasyAgriSelling) in this case,

software vulnerabilities are a big risk (because

thepaymentandpersonaldataofconsumers is

at stake). The SMEwill look closely at how the

IaaS/PaaSispatchedandupdated.

Some security tasks are outsourced to the

provider,butmanysecuritytasksstillhavetobe

carried out by the customer/SME

(EasyAgriSelling).

It is the responsibility of the SME

(EasyAgriSelling) to fix software flaws in the

deployed web shop software as well as

managingtheaccountsofthefarmersusingtheir

web shop software, the consumer accounts,

including resetting passwords, troubleshooting

issueswithpaymentsetc.

Their responsibility includes managing backups

ofapplicationsoftwareanddata.

Security considerations in the procurement

process really only regard security of the

facilities, the operating system and the

application servers which are under control of

theprovider.

Security tasks the provider carries out are

managing hardware and facilities, including

physicalsecurity,power,cooling,etc.;managing

theserveroperatingsystemsandtheapplication

server, including development, deployment,

patching, updating, monitoring, checking logs,

andsoon.

Thefollowingsecurityandprivacyrequirements

applytoEasyAgriSelling:

• Physical security of the cloud assets should

beguaranteedbytheCSP.

• Timely patching and updating, adequate


backups, and security as a service are all

requiredbyEasyAgriSelling.

• The CSP should demonstrate compliance

through those certifications required by

EasyAgriSelling.

• EasyAgriSelling requires a two-factor

authenticationprocess

• EasyAgriSellingwants to avoid vendor lock-

inissues.

Additional preconditions andrequirements(e.g.performance)

Availability is a main concern in this use case.

Also for this type of SME customary

preconditions and requirements have been

taken into account while procuring the

subsequent cloud services, e.g. a two-factor

authenticationprocess.

Existing SLA standards and bestpracticestorelyon

Non-applicable, as per this use case. However,

for this type of SME customary best practices

have been taken into account while procuring

thesubsequentcloudservices.Noparticularsto

mentioninthiscase.

Additionalcomments EasyAgriSelling works with farmers and

consumersfromseveralcountries.Thedataand

processes are about simple e- commerce and

there are no specific legal requirements that

couldcauseissueswithforeignjurisdiction.

Summary ThisusecaseconsidersanSMEcloudcustomerwithsomebackgroundexperienceon

this technology, which is planning to use a new CSP (IaaS/PaaS). This use case

validatestheCRMfromtheperspectiveofanSMEfamiliarisedwithcloudcomputing,

andwithaparticularfocusonthesecurity/privacyimplicationsofthistechnology.

5.2.8. Usecase8:VideostorageandstreamingfromtheCloud

Thefollowingusecaseisbasedon“CloudComputingUseCasegroup-CloudComputing

usecaseswhitepaper”[32].Itdescribesacustomerexperienceusingcloudcomputingfor

streamingandstoringvideointhecloudwhilemeetingsecurityrequirements.

Table13.Usecase8:VideoStorageandstreamingfromtheCloud

Identification Title SMEvideostorageandstreamingfromtheCloud


• Basic


• AP:ApponaCloud


Shortdescription A financial investment company is launching new

investment products to its agents and affiliates. A

number of videos have been created to teach the

company’s agents and affiliates about the benefits

and features of the new products. The videos are

very large and need to be available on-demand, so

storingtheminthecloudlessensthedemandsonthe

corporate infrastructure. However, access to those


videosneedstobetightlycontrolled.Forcompetitive

reasons, only certified company agents should be

abletoviewthevideos.Anevenstrongerconstraint

is that regulations require the company to keep

product details, including the videos, confidential

during the quiet period before the launch of the

product.

The company’s decision is to use a public cloud

storage provider to scale the secure hosting and

streaming of the videos. The cloud solution must

control the videos with an auditable access control

mechanism that enforces the company’s security

policies.


• Cloud ServiceCustomer,which includes the

company but also the agents that will be

certifiedtohaveaccesstothevideos(agents

andaffiliates).

• CloudServicePartner-auditorswillhavethe

right toaudit the cloud solution inorder to

enforcethecompany’ssecuritypolicies.


• Operation





related to the IAM data contained in e.g. legacy

authentication systems. Confidentiality is also of

crucial importance because the product details,

including the videos, are highly confidential during

thequietperiodbeforethelaunchoftheproduct.



For competitive reasons, only certified company

agents should be able to view the videos. An even

stronger constraint is that regulations require the

company to keep product details, including the

videos, confidential during the quiet period before

the launch of the product. An auditable access

control mechanism that enforces the company’s

securitypoliciesisrequired.


authorizationiscrucialforthisusecase.


Apart from compliance, confidentiality and security

of distributed content, it is necessary to guarantee

communication between CSP and SME’s agents.

Accessmanagementisalsoimportant.


Governmentalregulations.


Summary Mobileandcloudcomputingarerepresentedinthisusecase.Thisscenariocanpotentially

apply to a broad variety of SMEs that need compliance for non-static content e.g.

streamingvideos,thereforeitisrelevanttoSLA-Ready.


5.2.9. Usecase9:Cloud-basedDevelopmentandTesting

This company chooses a cloud provider to deliver a cloud-based development

environmentwithhosteddevelopertoolingandasourcecoderepository.Italsochooses

anothercloudprovidertoprovideatestingenvironmentsothatthenewapplicationcan

interactwithmanydifferenttypesofmachinesandhugeworkloads.Therelevanceofthis

usecase forSLA-Ready resideson theusecase’s focusoncloud federationandservice

levelagreementsforthispurpose.Theusecaseisbasedon“CloudComputingUseCase

group-CloudComputingusecaseswhitepaper”[32].

Table14.Usecase9:Cloud-basedDevelopmentandTesting

Identification Title Cloud-basedDevelopmentandTesting



• AP:ApponaCloud




Shortdescription An online retailer needs to develop a newWeb 2.0

storefront application, but doesnotwant toburden

its IT staff and existing resources. The company

chooses a cloud provider to deliver a cloud-based

development environment with hosted developer

toolinganda source code repository.Another cloud

provider is chosen to provide a testing environment

so that the new application can interact withmany

differenttypesofmachinesandhugeworkloads.



• CloudServicePartner-auditorswillhavethe

right toaudit the cloud solution inorder to

enforcethecompany’ssecuritypolicies.


• Operation





relatedtothedatacontained.




authorization is crucial for this use case. Controlled

access to source code and test plans is needed

therefore Cryptography, Endpoint Security, Identity,

Roles, Access Control, and Network Security are

crucial.


TheSMErequiresthatalltracesoftheapplicationor

data must be deleted when a VM is shut down,

controlled access to source code and test plans,

serviceautomationandeventauditingandreporting.

ExistingSLAstandardsandbest None


practicestorelyonAdditionalcomments None

Summary ThisusecasevalidatestheCRMfromtheperspectiveofacompany/SMEfamiliarisedwith

cloudcomputing,andwithaparticular focuson thesecurity/compliance implicationsof

this technology. This use case is a representative example related to the usefulness of

cloudSLAsforcloud-baseddevelopingandtestingprocesses.

5.2.10. Usecase10:LogisticsandProjectManagementintheCloud


usecaseswhitepaper”[32].Itconsidersascenariowhichmaybecomefamiliartoseveral

SMEs,wheretheenterpriseneedstomovetheirdatatothecloudandthenitreachesthe

EndUser.

Table15.Usecase10:LogisticsandProjectManagementintheloud

Identification Title LogisticsandProjectManagementintheCloud



• AP:ApponaCloud


Shortdescription Asmallconstructioncompanywithapproximately20

administrative employees needed a way to manage

theirresources,optimizeprojectschedulingandtrack

job costs. The company had very specific

requirements that no commonly available system

addressed,sotheyusedacombinationofQuickbooks

and spreadsheets. This system was not elastic and

wasahugewasteofhumanresources.

The solution to the problemwas to build a custom

client-side application. All of the business logic

resides on the client (company). Data for the

applicationisservedfromaGoogleAppEngine(GAE)

datastore.Thedatastoredoesnotenforceanysortof

schema other than an RDF graph, although it does

host an RDF-OWL ontology. The client uses that

ontology to validate data before displaying it to the

userorsendingitbacktotheGAE.

CloudActors • CloudServiceProvider–GAEasPaaS

• CloudServiceCustomer–thecompany


• Operation



particularDataProtectionrequirementapplies.



No particular security needs for this use case. Data

operations are communicated with the datastore

using an application - specific RESTful protocol over

HTTP.ThedatastoremaintainsRDFgraphsspecificto

theapplicationsit isservingwithinsilosmanagedon

the server. When Security is needed, it is

implemented separately for each silo depending on

therequirementsoftheapplicationusingaparticular


silo of data. Using this system, any number of

applicationscanusethedatastore.


None. The datamovedwas reconciled before being

uploadedtotheGAEdatastore.


None


Summary This use case presents the simple case of SMEs that have very specific needswhich no

commonlyavailablesystemaddresses.Thisusecase isarepresentativeexamplerelated

totheacquisitionofasimplePaaSimplementationthatprovidesdatabasesupport.

5.2.11. Usecase11:LocalGovernmentServicesusingaHybridCloud


usecaseswhitepaper”.Itconsidersascenariowhichmaybecomefamiliartoseverallocal

governments thatwant to use a combination of services at a private and hybrid cloud

level. The relevance of this use case for SLA-Ready resides on the use case’s focus on

federationofapplicationsanddatainsidethehybridcloud.

Table16.Usecase11:LocalGovernmentServicesinaHybridCloud

Identification Title LocalGovernmentServicesinaHybridCloud

SMEMaturity • Expert

BaseUseCase(cf.Deliverable2.2) • AP:ApponaCloud


Shortdescription Therearemorethan1800localgovernmentsacross

Japan, each of which has its own servers and IT

staff.AsecondarygoaloftheKasumigasekicloudis

toprovideahybridcloudenvironment. Inaddition

to the Kasumigaseki cloud, the Japanese central

government has decided to group local

governments at the prefecture level. Each

prefecture will have a private cloud and a

connection to the Kasumigaseki hybrid cloud.

Internal tasksand somedatawill behosted in the

prefecture’sprivatecloud,whileotherdatawillbe

stored locally.Wherever possible, existing systems

will be virtualized and hosted in the Kasumigaseki

cloud.

CloudActors • Cloud Service Provider – Kasumigaseki

hybridcloud

• CloudServiceCustomer–theprefecture



Japanese law prevents some types of data from

being stored outside the local government’s

servers, so moving applications and data into the

Kasumigasekicloudisnotanoption.Itisalsoillegal

formany typesofpersonaldata tobe storedona

serveroutsideofJapan.

Preconditions Securityandprivacyrequirements Security and privacy requirements are set by the


andRequirements

central government of Japan, which has built a

secure, centralized infrastructure for hosting

governmentapplications.


Federation of applications and data inside the

hybridcloudiscrucial.


None


Summary Thisusecasepresentsthecaseofagovernmentbuildingaprivatecloudforitscentralised

applicationsandusingthatcloudashybridforfewdecentralisedapplicationsinorderto

reducecosts,energyconsumptionandITstaff.

5.2.12. Usecase12:PayrollProcessingintheCloud


usecaseswhitepaper”[32].Itconsidersascenariowhichmaybecomefamiliartoseveral

SMEs,wheretheenterpriseneedstorunitspayrollprocessinthecloud.Therelevanceof

thisusecaseforSLA-Readyresidesontheusecase’sfocusonvirtualmachinesandcloud

storage(IaaS)

Table17.Usecase12:PayrollprocessingintheCloud

Identification Title PayrollprocessingintheCloud


BaseUseCase(cf.Deliverable2.2) • AP:ApponaCloud

Shortdescription The organization decided to see how practical it

wouldbetorunthepayrollprocessinthecloud.The

existing payroll system was architected as a

distributedapplication,somovingittothecloudwas

relativelystraightforward.

The payroll application used an SQL database for

processing employee data. Instead of rewriting the

application to use a cloud database service, a VM

with a database serverwas deployed. The database

server retrieved data from a cloud storage system

andconstructedrelational tables fromit.Becauseof

thesizeoftheoriginal(in-house)database,extraction

tools were used to select only the information

necessary for payroll processing. That extracted

information was transferred to a cloud storage

serviceandthenusedbythedatabaseserver.

The payroll application was deployed to four VMs

that run simultaneously; those four VMs work with

the VM hosting the database server. The

configurationof thepayrollapplicationwaschanged

tousetheVMhostingthedatabaseserver;otherwise

theapplicationwasnotchanged.


• CloudServiceCustomer–thecompany



• Operation



particularDataProtectionrequirementapplies.


Securityandprivacyrequirements Noparticularsecurityneedsforthisusecase.


Thepayroll application runsonFedoraand Java1.5,

soitwillrunwithoutchangesonanycloudprovider's

platform that supports Fedora. Modifying the

application touseadifferent cloud storageprovider

could be a problem if the other vendor does not

support the specific S3 APIs used in the payroll

process.


None


Summary This use case presents the simple case of SMEs that have very specific needs, as is the

processingofpayroll.Inthecloud-basedversionoftheapplication,processingtimeforthe

payroll taskwas reducedby80%. This is anexampleof SMEs/companies, that the cloud-

based version offers themmore elasticity, which can be a significant advantage as they

expand.

5.2.13. Usecase13:CSPspecifyingcarve-outsinitscloudserviceterms

Each CSP provides qualified cloud services, as each has general carve-outs and other

limitations and exclusions written in its SLA documentation. Some may be

understandable,reasonableandwithinnormalriskallocationboundaries.Somearenot.

EspeciallySMEsdonothavetheknowledgeorexpertisewhethergeneralcarve-outsare

reasonableandacceptablefortheirspecificapplicationanduseofthecloudservices,and

whattheconsequenceswouldbeifacarve-outisspecified.

Table18.Usecase13:CSPspecifyingcarve-outsinitscloudserviceterms

Identification Title CSP specifying carve-outs in its cloud service

terms(GeneralCarve-outs)


• Basic

• Experienced

BaseUseCase(cf.,Deliverable2.2)

• AP:ApponaCloud

Shortdescription As there is so much to think about while

choosing,selectingandprocuringcloudservices,

andtheSMEisawarethatcarve-outsarepartof

the cloud SLA where the CSP further limits or

excludes its responsibility and liability, it is not

always the highest priority to assess,

understand, discuss and negotiate these with

theCSP.WhenanincidenthappenstheCSPhas

defined the carve-out ‘force majeure’ very


broad,inawaythatallinfluencesofthirdparties

areexcluded,evenofthosetheCSPprocuresto

beable toprovide the cloud services. In sucha

case, if an incident happens, the SME usually

expectsthatitwouldbewithinthecontrolofthe

CSP, but is often unable to claim any resource.

TheCSPmerelyreferredtothegeneralcarve-out

intheapplicableSLA.

CloudActors CSPasvendor,andSMEascustomer.

Cloud Service life-cyclephase

• Operation

Legalcompliancecriteria Before looking foranappropriateCSP, theSME

should assess what kind of general carve-outs

theCSPhas stated in its SLA,askquestions if it

doesnotunderstandthecarve-outs,askwhat it

is paying for, and assess potential the

consequencesincaseofanincidentthatmayfall

withinscopeofthosegeneralcarve-outs.



If the securityof thedatacentre is involved for

certain carve-outs, those requirements are an

absolute necessity to assess within view of

generalcarve-outsaswell.

Additional preconditionsand requirements (e.g.,performance)

Somebasicknowledgeaboutbusinessandother

risk allocation, as well as laws and regulations

arenecessarytoassessacloudSLA.

Existing SLA standards andbestpracticestorelyon

CSCCPracticalGuidetoCloudSLAs

C-SIGSLAGuidelines


Summary The SME always needs to assess whether the general carve-outs are

understandable, not described too broad, towhat extent the CSP is in control,

where that control ends, andwhat the consequencesare in caseof an incident

thatiteitherthecontroloftheCSPorbeyondthereasonablecontrolofCSP.

5.2.14. Usecase14:CSPchangingSLAatoperationtime

Anychangemadeincontractualarrangements,whetheranSLAorotherwise,withoutthe

consent of all the parties involved seems impossible and unlawful. However,many CSPs

havedesignatedthecontractualrighttounilaterallychangetheSLAandthecloudservices

itself, whether beneficial or detrimental to the CSC. Thismeans the CSPwill be able to

change itsrightsandobligations,withouttheconsentof theCSC.Most,althoughnotall,

willnotifyyouofachange,butthenitmayalreadybetoolate.


Table19.Usecase14:CSPchangingSLAatoperationtime

Identification Title CSP changing SLA at operation time (Change

Notifications&UnilateralChange)


• Basic

BaseUseCase(cf.,Deliverable2.2)

• AP:ApponaCloud


Shortdescription An SME has built its own SaaS on the PaaS

infrastructureofamajorCSP.TheSMEprovides

its SaaS to its customer under its own Master

Service Agreement, Terms and Conditions and

SLA.However, theSaaSSMEdidnotnotice that

the PaaS CSP is contractually entitled right to

unilaterallychangethePaaSserviceofferingsand

conditions in the SLA, since the SME ticked the

box while registering online without taking the

time to assess the SLA and related terms. The

CSPnow invoked this right to lower the uptime

and level of redundancy. Therefore, the SaaS

cloud Services from the SME cannot meet the

servicelevelithasgrantedtoitsowncustomers.

Migrating the application on a PaaS of another

CSPwouldbea very timeconsumingandcostly

task.

CloudActors CloudServiceProviderasPaaSProvider,SMEas

Cloud Service Partner and SMEs customer as

CloudServiceCustomer.


Legalcompliancecriteria N/A



N/A


N/A


SMARTSLAModel


C-SIGSLAGuidelines

ETSICloudSLAtemplate


Summary ManyCSPhavereservedtherighttounilaterallychangetheserviceconditionsand

terms,howeverthiscouldbeaseriousobstacleforSaaSSMEproviderswhoareina

contractualrelationshipwiththeirowncustomers.

5.2.15. Usecase15:CSPprovidingservicesunderdifferentregulations

Cloud services areoftenhosted inone country and consumed inothers. CSPsmayuse

distributeddatacentresscatteredaroundtheglobe,whileCSCsusingcloudserviceshave

thedesireandevennecessitytoknowthelocationoftheirdata. Inaddition,theremay


beissuesoflegaljurisdictionintheeventofdisputeanduncertaintyabouttheapplicable

law.Theseissuesareduetothesedifferentnationallegalframeworksanduncertainties

about applicable law, data location and the free flow of data ranks concerns arisen

amongstthepotentialcloudadopters,particularlyforlargeenterprisesalreadyusingthe

cloud9. This is in particular related to complexities of managing services and usage

patternsthatspanmultiplejurisdictionsandinrelationtotrustandsecurityinfieldssuch

asdataprotection,contractsandconsumerprotection.Thiscouldmeantherecouldbea

complexvaluechainwith stakeholdersandconflictingagreements,especiallywhen the

SMEisprocuringcloudtodeveloptheirownSaaS.

Table20.Usecase15:CSPprovidingservicesunderdifferentregulations

Identification

Title CSPproviding services under different regulations

(ChoiceofLaw)


• Experienced

Base Use Case (cf.,Deliverable2.2)

• AP:ApponaCloud


Shortdescription TheChoiceoflawclauseisatermofacontractin

which parties specify that any dispute arising

undertheSLAshallbegovernedby inaccordance

with the laws of a particular jurisdiction. Since

most of themajor CSPs haveheadquarters in the

United States of Americas, many of these CSP’s

have designated the governing law of the state

they have their headquarters applicable to the

agreement. TheSMEhasdonediligenceonwhat

CSPwouldfititsSaaSandbusinessambitionsbest

with regard to the provided IaaS. However, it did

not notice the choice of law the SLA is governed

by.AstheSMEisprovidingSaaStoend-usersbeing

consumers in the EU member state where it is

based, it is obliged to provide the services under

thelawsofthatmemberstate,includingconsumer

rightprovisions.Therefore,thesupplychainisnot

workable for this SME as it cannot hold its IaaS

supplier accountable or responsible if certain

issues arise. The SME will bear the full liability

9EurostatNewsRelease9December2014(lateststatisticstodate).


towardsitsend-userswithoutanyrecourse,which

happenedseveraltimesforthisSaaSSME.

CloudActors Cloud Service Provider as PaaS Provider, SME as

CloudServicePartnerandSMEscustomerasCloud

ServiceCustomer.


• Acquisition

• Operation

Legal compliancecriteria

Mandatory rules cannot be avoided if the main

activitytakesplaceinthecountryoftheSMEorits

end-users within the EU. Before looking for

appropriate CSPs, and finding and assessing the

terms and conditions (including SLA) thatmay be

applicable in the relationship between such CSP

and SME, the SME should identify themain legal

compliance criteria relevant in (1) the local

regulationof theSMEand thecountries inwhere

theSMEwouldliketodobusinessand(2)thelaws

oftheapplicablegoverninglaw.



If Personal data is involved the data protection

regulation and legislation of the data-subject is

applicableaswell.

Additionalpreconditions andrequirements (e.g.,performance)

N/A

ExistingSLAstandardsand best practices torelyon


C-SIGSLAGuidelines


Summary AllCSPandallCSCs(includingSMEs) ineverydeploymentmodelhavetodeal

withGoverningLawIssues,butitisespeciallyaburdensomeiftheSMEwishes

to develop and exploit its respective services and products on top of cloud-

based services, in particular either IaaS or PaaS. The use case has been

simplified inorder tomakeclearamajor requirementon theSMEsideasan

assertionthat ‘onecannotacquireorprocureanythingwithout firstassessing

whatitwouldliketoacquireorprocure’.

5.2.16. Usecase16:CSPprovidingdataservicesforthehealthsector

Back-up,certificationsandencryptionareimportantservicesaCSPoffers.Inmostcases

theCSPs have several certifications, back-upprograms and encryptionpossibilities, but


thecustomerandthereforetheSMEneedstobeawarethatthosecertifications,back-up

programs and encryption tools will not necessarily apply to the cloud services they

subscribedto.

Table21.Usecase16:CSPprovidingdataservicesforthehealthsector

Identification Title CSP providing data services for the health sector

(CustomerBack-UpandEncryption)


• Basic




Shortdescription AnSMEintheHealthSectorwhohasbuiltitsSaaS

applicationonanIaaS/PaaSfromtheCSP.Anyone

in the health sector has to be compliant to

mandatory sectorial standardsandneeds tohave

certaincertifications.Furthermore,sincethisSME

will process sensitive personal data, it also needs

to encrypt the data in light of the applicable

personal protection regulations in the EU. Even

though many CSPs have such specific

certifications,encryptionpossibilitiesandbackup

possibilities, in most cases the layers in the

provided IaaS/PaaS where the customer of the

SaaSCSPprocessesitssensitiveandotherdatado

not fall under these certifications, or encryption

and back-up by default. This SME made the

mistakeintrustingthattheprovidedcertifications

wereapplicableforthatuse,whereitdoesnot.

CloudActors CloudServiceProviderasIaaS/PaaSProvider,SME

as Cloud Service Partner and SME’s customer as

CloudServiceCustomer.


• Acquisition

• Operation

Legal compliancecriteria

BeforelookingforappropriateIaaS/PaaSCSPs,and

finding and assessing its certifications, terms and

conditions that may be applicable in the

relationshipbetween such IaaS/PaaSCSPand the

SMEHealthTechcompany, firstly this SMEneeds

tomapthemainlegalcompliancecriteriaitdeems

relevant for theHealthTechSector.Furthermore,

as the health sector industry is high-regulated,

there are special requirements for vendors and


their certifications,which include the right of the

authority to be able to audit the vendors in the

respective supply chain. Personal data is involved

of data subjects for which the customer of the

SMEisprimarilyresponsibleasdatacontroller,so

the personal protection regulations in the EU is

essential as well. These three main legal criteria

should be well-known to any Health Tech

company.TheSaaSSMEthereafterneedstomake

sureitcanandwilltaketheappropriatemeasures

in order to fulfil all the sector specific

requirementswith the help of the CSP they have

pre-selected.



According to the applicable personal protection

regulations in the EU, a data controller needs to

make sure they take appropriate security

measures which are covered with certifications

andencryptionmeasures.

Additionalpreconditions andrequirements (e.g.,performance)

Back-Up

ExistingSLAstandardsand best practices torelyon

C-SIGSLAGuidelines


Summary Many CSPs have several backup, certifications and encryption offerings,

however please note that the SME shouldmake sure their ownenvironment

withinthatIaaS/PaaSisalsocertified,encryptedandback-upsaccordingtothe

industry standard andpolicies.Never just tick the box and think itwill all be

alright.

5.2.17. Usecase17:ASMEterminatingacontractwithaCSP

Data deletion, including data retention should be addressed in the SLA, and the SaaS

applicationshouldhaveembeddedtechniquestoremovedataandensuresthatdeleted

datawillnotberecovered.Itisnotalwaysclearhowdatadeletionanddataretentionis

covered by the CSP, unless data deletion and retention are required as per data

protectionlawsandregulations.


Table22.Usecase17:ASMEterminatingacontractwithaCSP

Identification Title A SME terminating a contract with a CSP (Data

deletionanddataretention)


• Basic

• Experienced




Shortdescription The case is simple, and will happen to all CSCs: an

SME wished to terminate the MSA with a CSP, and

then starts thinking about whether and to what

extenttheCSPwilldelete itsdata,aftertheSMEhas

extractedandexportedthatdataasmuchaspossible.

This SME, as will others, finds out that nothing is

arrangedfor,andisleftinthedark.

CloudActors CSPasvendor,andSMEorenduserascustomer.


• Operation

• Termination

Legalcompliancecriteria In case of termination, there is no need and no

purpose to process or store any data of the CSC or

relateddata subjects anymore, soall data related to

the specific user should be deleted. Data deletion

shouldbethelastdataprocessingaCSPtakescareof.

However,thereareseveraldataretentionregulations

fordifferentsetsofdata,anddifferentcontexts.



Privacyrequirementsareinvolvedbydatadeletionas

based on the data protection act. Based on the

privacyregulation,allpersonaldatashouldbedeleted

if there is no lawful interest to store or process any

more, but there are exceptions. For instance, for

financialdatathedataretentionperiodisinmostEU

member states seven years based on the local

financial and tax laws and regulations, and even HR

data has a different data retention period based on

labour law. Furthermore, some CSPs do not have

technical capabilities in place to strongly delete the

data.


AftertheinternalcheckofwhatkindofdatatheSME

process, the SME needs to assess if all the data

processing are necessary for using the services. The

basicfordatastorageisdataminimisation,wherean

SMEneedstoprocessaslessdataaspossible,tolimit

the consequencesof a databreach, data loss or any

unlawfulprocessing.


ISO/IEC19086


C-SIGSLAGuidelines


Summary Therequirementsfordatadeletionanddataretentionbasedonthedifferentlaws

and regulations are mostly not the same and contain different periods and


requirements. Therefore, the basics for data processing should be data

minimisation. Furthermore, the SME should assess before it will look to an

appropriate CSP all types of data it processes and the relevant data retention

periods,aswellasiftheCSPhasthecorrecttechniquetodeletethedatawithout

the possibility to recover the deleted data. Before entering into an agreement

with a CSP, the SME should assess if data deletion is possible if all datawill be

deleted.Thereafter,theSMEshouldidentifyandlandscapewhatkindofdataits

stores,processetc.and the related retention requirementsof thedifferent laws

andregulations.

5.2.18. Usecase18:CSPmigratingdatabetweendifferentjurisdictions

Thelocation(s)wherepersonaldatamaybestoredorotherwiseprocessedbytheCSPis

relevantforaSMEasanyCSC,whetherithasoneormoreentitiesandwhetherornotit

is active different geographical locations, as each country has different regulations

regardingpersonaldataandwheresuchpersonaldatamaybestoredandprocessed.In

thiscase,theSMEhasentitiesinadozencountries.

Table23.Usecase18:CSPmigratingdatabetweendifferentjurisdictions

Identification Title CSP migrating data between different

jurisdictions(datalocation)


• Basic

• Experienced



Shortdescription Since both within the European Union and

outside the EU each country has different laws

and regulations regarding personal data

protection, the data locationwhere the SME is

active isrelevantaswellasthedata locationof

theserveroftheCSP.Inthiscaseitconcernsan

SME active in a dozen countries and wishes to

migrate to cloud services its HR data which

concerns almost 100% personal data. In some

jurisdictions, such HR data is even especially

arranged in the law. If an entity of a SME is

based in Russia and the headquarter is within

the European Union, then it is not allowed by

local law to store personal data, including HR

data outside of Russia. The server of the CSP

shouldbebasedinRussia,andinsomecasesthe

CSP will cooperate with a local data centre

where a back-up copywill be stored on a data

location intheEuropeanUnion.This isnotonly

relevant in Russia, as the same applies for

Germany,forexample.ThisSMEsegmentedthe

data in advance, and together with its legal

counsel architected where what data is to be

stored,whatback-upmechanismsshouldapply,


andwith success opened thedialoguewith the

relevantCSP.

CloudActors CSP as vendor, SME as customer, and its

employeesasdatasubjects.


• Operation

Legalcompliancecriteria Before looking for appropriate CSPs, the data

and cloud architecture of the SME should be

landscapedonwhatkindof (personal)data the

SME is required to process on which location.

Thereafter the SME should identify the local

governing laws on data protection who are

applicable to the SME and the countrieswhere

theSMEwouldliketodobusiness.



If personal data is involved the data protection

regulation and legislation of the data subject is

applicable, and theplacewhere the locationof

theserverisaswell.


After the internal check of the SME on the

above, the SME can startwith landscaping and

pre-assessing of which CSP would be able to

deliver,andwherethedatalocationsoftheCSP

are.



C-SIGSLAGuidelines


Summary Datalocationisveryimportanttocomplywiththelocallawsandregulations,which

shouldalwaysbediscussedandagreedbetweentheCSPandtheSME.Thisisnota

problemof theSMEonly; theCSPhas similarandparallelproblems to solveas it

needstocomplywiththelocallawsandlegislationaswellifitprocesseddatafora

CSC. Both CSPs and SMEs each have to deal with local laws and regulations.

EspeciallyforSMEswhohavemoreentitiesandnotallofthemarebasedwithinthe

European Union a SME needs to assess what kind of laws and regulations are

applicable on the different types of data even a SME stores and process. Such

assessmentcouldhavetheresultthattheSMEcannotchooseforonedatalocation

as the local data protection act does not allow this, and has to choose different

locations.

5.2.19. Use case 19: CSP providing data portability vendor Lock-in of SaaSapplications

Vendorlock-inisasituationinwhichacustomerusingaproductorservicecannoteasily

switch or otherwisemigrate (part of) its data to product or service of another vendor.

Vendor lock-in is not exclusive to cloud services. Vendor lock-in is usually the result of

outdatedorjustdifferenttechnologiesandmethodologiesofdataformattingandmaking

availabledatarecordsthatareincompatiblewiththoseofothervendors.However,itcan

also be caused by contract constraints, among others. In conjunction with data

portability, the concerns of SME’s across Europe regarding the risk of vendor lock-in is


one themost common barriers for adoption of cloud. In this case the SME is CSC and

foundout ina laterphase thatextractingandexporting itsdata toanotherpartof the

sameCSPsSaaSwasburdensome,letalonedoingthesametoanotherCSPimpossible.

Table24.Usecase19:CSPprovidingdataportabilityvendorLock-inofSaaSapplications

Identification Title CSPprovidingdataportabilityvendorLock-inof

SaaSCRMapplications


• Basic

• Experienced


• AP:ApponaCloud



Shortdescription A European SME who has formally used CRM

SaaS to keep track of its customer relationship

managementandsalescyclewouldliketoswitch

certainpartofitsdatatoanotheraccountinthe

sameCRMSaaS, and–when thatdidnotwork

out–toswitchthatdatatoanotherCSP.Thisin

turn requires the ability to migrate data

between different environments or providers.

However, the former CRM SaaS did not specify

anything on data portability, data format,what

datawould exactly be possible tomigrate, and

whatnot,orwhethermetadatawouldbepartof

that.TheSMEsettledforgettingpartofitsdata

out in a structured, workable way, where the

remainder of its data cannot be extracted or

otherwiseexportedinasuitablewaysobasically

lostthelatterdataandrelatedanalytics.

CloudActors SaaS CRM Cloud Service Provider, SME Cloud

ServiceCustomer.


• Termination

Legalcompliancecriteria Before looking for appropriate CRM SaaS CSPs,

and then finding and assessing the terms and

conditions(includingSLA)thatmaybeapplicable

intherelationshipbetweensuchCRMSaaSCSP

and theSME, first, theSMEneeds to look in to

the data formats, data export policies,

termination and other data portability related

clauses. Furthermore, if personal data is

involved, data protection regulation and

legislationisapplicableaswell.AlsofortheCSP,

which is an argument to highlightwhen having

anydiscussionwithaCSP.



TheGeneral Data Protection Regulation (GDPR)

adoptedinApril2016createsanewrighttodata

portability for data subjects with regards to its


own personal data a CSP as data controller or

processorprocessesinanyway.Thisalsomeans

thatdatasubjectshavetherighttoextracttheir

personaldatafromtheSMEinthisusecase.

Additional preconditions andrequirements (e.g.,performance)

Assumptionsmadepriortotheexecutionofthe

usecase


C-SIGSLAGuidelines

Additionalcomments Othertopicscoverdataportabilityaswell,such

asfreeflowofdata.Insuringdataportabilityisa

relevant objective of European policies in the

contextoftheDigitalSingleMarketstrategy.The

DSM strategy identified the lack of data

portability as a potential barrier, noticing the

shortcomingsofcloudcontractsinthisfield.

Summary Dataportabilityisanotherveryimportanttopicwhichshouldalwaysbeaddressed

byeveryonewhoiswillingorusingthecloud.Incasepersonaldataisinvolved,data

protection regulationand legislation is applicable tobothCSCaswell as theCSP,

which isanargument tohighlightwhenhavinganydiscussionwithaCSP. Incase

the CSP is notwilling to adapt the terms, it is advisable to look further to other

alternatives.

5.2.20. Usecase20:SMElookingforInformationSecurityIncidentManagement

Securityincidentsareanongoingtopicinthenewspapersnowadays,andnoonelikesto

beintheheadlinesbecauseofasecurityincident,nexttootherobviousreasonswhyto

avoid and be prepared for security incidents. However, realistically every organisation,

SMEs included will at some point be subject to or otherwise involved in a security

incident. Besides and quite important aswell, there are several current and upcoming

mandatoryregulationsthatbothCSPsandCSCneedtocomplywith.So,therearequite

somereasonstoaddressinformationsecurityincidentmanagementintheSLA.

Table25.Usecase20:SMElookingforInformationSecurityIncidentManagement

Identification Title SME looking for Information Security Incident

Management


• Basic

• Experienced


• AP:ApponaCloud



Shortdescription Asperanabove-averageawarenesslevelasper

security breaches in its sector, being the

financial services industry, this SME is quite

concernedaboutkeepingitsdatasafewhilealso

complying to current and upcoming regulation.


Withallthetopicsinthenewspapersonsecurity

incidents, every SME should be keen on the

management of those incidents, and this SME

actuallydoes.Besidesthat,newregulationssuch

as the General Data Protection Regulation

(GDPR) and the Network Information Security

(NIS)Directivewithdauntinghighpenaltiesarea

trigger as well. However, it is not easy for the

SME to obtain the right in-depth information

from the CSP it needs to assess the risks, the

waybreachnotificationistakencareof,towhat

extent and how fast, and how incidents are

managedandrepeat-incidentsavoided.

CloudActors SMEorenduserasuser.


• Operation

Legalcompliancecriteria Before entering into an agreement with a CSP,

theSMEshouldassesshowtheCSPwillmanage

and report any information security incidents.

Thereafter, the SME should identify and

landscapewhatkindoflawsandregulationsare

applicable; local law, European laws or sectoral

regulations. In the Netherlands, and fromMay

2018 in each member state; if you are a CSC,

SME or not, and there is an availability or

confidentialitybreachof(personal)datawhichis

notencrypted,theSMEneedstonotifytheData

Protection Authority, the sectorial authority (if

any),theCERTofthememberstateandthedata

subject of such data breach. Such notification

requires certain information about the security

incident and how the breach will be managed.

Besidesthat,thebreachwillhaveconsequences

for the availability and the trustworthiness of

theservices.



Security and privacy requirements are essential

in information security incident management.

The CSP should manage and report all the

security incidents, note that not all incidents

needstobenotifiedtotheauthorities.


The SME and CSP should agree on how and

when security incidents will be notified,

especiallythetimeframeafterthediscoveryof

the incident by the CSP and the notification to

the SME. Preferably notification to the SME

needstobedoneat leastwithin48hoursafter

discoveringofaninformationsecurityincident.


ISO/IEC19086


C-SIGSLAGuidelines



Summary Relatedtoinformationsecurityincidentsthereareseveralnotificationactsincase

there is a breach with personal data. The SLA needs to assess what kind of

proceedings the CSP has for notification, monitoring and management thereof.

However, both parties are responsible for the information security management

andcooperationtopreventthisisamust.

5.2.21. Usecase21:CSPallowingdataaccessforlawenforcement

Based on several laws and regulations certain government authorities are allowed to

requestaccesstothedatacentreandothersystemsCSP.BasedontheNSAstoriesusers

do not trust the access of the government and quite a few CSPs have insufficient

knowledgeandprocesses inplacetodealwithsuchrequestofagovernmentauthority,

where someCSP in such real-life case tend tomore take their own interest in account

thanfight fortheirCSC. IntheSLAshouldbestatedhowtheCSPwillproceedanddeal

withsuchrequest.

Table26.Usecase21:CSPallowingdataaccessforlawenforcement

Identification Title CSP allowing data access for law enforcement

(Lawenforcementaccess)


• Basic

• Experienced


• AP:ApponaCloud


Shortdescription This use case is from an SME CSP that is quite

advancedandknowledgeableaboutdataaccess

requests by authorities, and it is good to

consider thedo'sanddon’ts.MostCSPsdonot

knowwhat to do if access to data is requested

froma government authority andmay give the

governmentauthoritythewrongaccesswithout

assessing such request. Generally, the scope of

theformalrequeststoobtainaccessistoobroad

instead of a detailed scope, because the

authoritydoesnotyetexactlyknowwhatkindof

datatheyneedtoknow.However,fishingbythe

government authorities is not allowed. CSPs

needs to check the scope of the request to

access and should provide as little information

and access as possible, keeping in mind the

contractual, ethical and trust relationship they

havewiththeirCSC.ACSCexpectaCSPtostand

up for the rights of the CSC. Furthermore, if a

CSPgivesaccesswithinthescopethenitshould

not affect more data protection infringements

than the strictly necessary. Any CSC, SMEs

included, should request a detailed data access

policy of the CSP itself with the processes and

consequences.


CloudActors CSPasvendor,andSMEascustomer.


• Termination

Legalcompliancecriteria Before a CSP gives the government authority

access it should assess and identify what the

legal ground is on which the government

authorityrequestforaccessandifsuchauthority

is authorised to get access within a detailed

scope of request. The SME should identify and

landscape the related laws and regulations for

suchrequest.



Security and privacy requirements are involved

by law enforcement access. The CSP has the

obligationtoprotectthesecurityandprivacyof

datasubjectsevenbyarequestofagovernment

authority, and the privacy should not be

breachedmorethannecessary.


The CSP should provide a minimum of

information and data within the scope of the

request.


ISO/IEC19086


C-SIGSLAGuidelines


Summary The requirements for providing access to government authorities aremostof

thetimetoobroad,aswelltherequestitself.Therefore,aCSPneedalwaysto

check the legal ground and scope of the request, and provide as less

information as possible to prevent of more privacy breaches based on data

protectionacts.AnyCSC,SMEsincludedshouldrequestadetaileddataaccess

policyoftheCSPtofamiliarizeitselfwiththeprocessesandconsequences.

5.2.22. Use case 22: SMEmigrating to IaaSwith several duration periods in the

agreement

WiththeuseofaSaaSapplicationthereareseveraldurationperiodsanddataretention

periods applicable, either set forth in the related MSA or SLA or not. Such as the

subscriptiontermoftheMSA,theaccessperiodtotheSaaS,theavailabilityofthedatain

the SaaS, the retention period data needs to be stored/archived by the CSP for legal

purposed, and so on. The duration and qualification of each can be totally different.

Theseseveraldurationperiodsofsubscription,access,useandauditoftheSaaSshould

beclearlyunderstoodbytheCSC,addocumentedbetweenCSPandCSC.However,even

CSPhavenotquitethoughtoverthesedifferentdurationperiods,andsomearealsonot

easytorecognize.


Table27.Usecase22:SMEmigratingtoIaaSwithseveraldurationperiodsintheagreement

Identification Title SME migrating to IaaS with several duration

periods in the agreement (duration of different

termsoftheSaaSapplication)


• Basic

• Experienced


• AP:ApponaCloud


Shortdescription ThisSMEismigratingitsinfrastructuretoIaaSof

a major CSP. Being a software company itself

doesnotnecessarilymeantohavethenecessary

knowledge for migrating to the SaaS. And, to

startwith, in order to provide a good proposal

and businessmodel based on subscription fees

this SME needs to knowwhat kind of different

duration period are applicable, and what the

financial, technical and operational

consequences are. In this case for example (i)

theMSAisforanindefiniteperiodandthestart

isat thedayofsigning, this is the firstduration

period(ii)theMSAiseffectiveatthemomentof

signing, but only after implementation of the

SaaS in general and then the deployment of a

customer a userwill be able to access to SaaS,

on which date the one-year subscription starts

between the SME and its customer. This is the

second duration period. Thirdly (iii), the

subscription is based on the actual use of

content,whichmeansthatthedurationofuseis

shorterthanthedurationoftherighttoaccess.

Two more for this use case, is (iv) the data

retentionperiodduringwiththeCSPisrequired

by law to retain certain data, and (v) the

durationtheSMEanditscustomersareentitled

toextractandexportdata.

CloudActors CSPasvendor,theSMEasCSCaswellasaCSP,

andSMEcustomerastheend-user.

CloudServicelife-cyclephase Acquisition

Operation

Termination

Legalcompliancecriteria N/A



N/A


N/A


N/A



Summary Inordertomakeabusinessmodelbasedonsubscriptionfeeswhereaccessanduse

of the SaaS application depends on payment and the amount of time to use is

limited,theSaaSprovidershouldassessall thoseaspectswhicharerelevant fora

subscriptionbusinessmodel, inordertohaveagoodproposalandagreement. In

short, both the CSP and CSC need to familiarize themselves with the numerous

duration periods, landscape and structure those before discussing business and

legaltermsandconditions.

5.2.23. Usecase23:SMEsettingupitsownhybridcloudecosystem

Cloud computing has been a trending topic over the last 10 years but only recently a

reasonably matured common definition of cloud computing has been established.

However,bothCSPsandCSCstendtodefinecloudservices,servicemodels,deployment

models,uptimeandotheravailabilitydifferentlywhich leadstoconfusionandconflicts.

EspeciallywhenaCSCsuchasthetechnostarterSMEsinthisusecase,wouldliketoset

upitsownhybridcloudecosystemtotrustandbuilditsbusinesson,andthereforeuses

multipleCSPstobuildthisecosystem.

Table28.Usecase23:SMEsettingupitsownhybridcloudecosystem

Identification Title SME settingup its ownhybrid cloudecosystem

(CloudSLADefinitions)


• Basic

• Experienced


• AP:ApponaCloud


Shortdescription ThisSMEisasmallstart-upbutisenvisioningto

benumber1 in itsmarket,globally. Itwillneed

cloud service to do so, and as per different

technical, business, risk mitigation and risk

reasons it is working on architecting a hybrid

ecosystemwhereseveralmajoraswellasniche

CSPswill be involved. However, all CSPs define

their definitions and legal terms differently

whichmakes ithardtocreateaclear landscape

of what rights and obligation the SME has

towardstherespectiveCSP,andwhatrightsand

obligations it can arrange for with its own

customers and end-users. Analysing legal

documentation from A to Z concerning cloud

services such as SLAs is quite cumbersome and

time and resources consuming, CSPs even use

different quantitative attributes, metrics,

measurementsandremedies.TheSMEfeelsthat

some CSPs prefer to keep their applicable

documentation less transparent than their

customerswishfor,andtheCSPswouldbeable

to. Getting to the bottom of Master Service

Agreements, SLAs and other contractual


arrangements is time-consuming, and a SME,

especially a start-up does not have those

resources. It will either lead in delay in its

business plans, or making the wrong decisions

whichwillbeverycostlyinalaterphase.

CloudActors CSPasvendor.SMEascustomer.


• Operation

Legalcompliancecriteria It all starts with unambiguous and technology

neutraldefinitions.Keepingthedefinitionsofall

relevant documentation well-defined and

unambiguous is important to ensure that CSPs

and CSCs both have a common understanding

andclearcommunicationofthattoexpectfrom

each other and the services contracted.

Currently, the most up to date definitions that

havebeengloballyvalidated,haverecentlybeen

re-endorsed by the European Commission and

are used by many leading companies,

government bodies and other organizations.

These are contained in the EC Cloud SLA

StandardisationGuidelines.



N/A


99.95%uptimewillnotnecessarilymean99.95%

uptime sincemanyof theCSPdefineuptime in

multiple ways. For instance, when the

measurement starts,what is in or out of scope

ofsuchmeasurement,andsoon.



ISO/IEC19086

C-SIGSLAGuidelines

CloudQuadrantsReport


Summary Withouthavingclearunambiguousdefinitions,itisimpossibletodiligentlyprocure

cloudservices.Thisgoesforgenerallyallprocurementbutitisespeciallyrelevantas

therearemanytypesofcloudservices,servicesmodels,deploymentmodels,and

evenintherightcategorythereisalotofvarietyindefinitionsandterms.Thesame

issuesariseregardingthevariouslanguages.

5.2.24. CRMtousecasesmapping

Thissectionanalysestheusecasesdescribedintheprevioussectionswithrespecttothe

CRM.Derivedfromtheaforementionedanalysis,wehavefoundthatsomeelementsof

the CRM are more important than others for some use cases. In general, the priority

betweenoneelementandanotherdependsmostlyonthedomaininwhichtheusecase

belongs to.The following tables represent theprioritiesof theCRMelements forevery


use case analysed. A colour code is given, the "red" ones being the most important

elements, followedby the "yellow", and the "green" ones as being the less important.

ThelevelofimportantgiventooneelementsoftheCRMwithrespecttoothersdepends

on the typeofusecaseanalysed (including the typeofdomain, typeofcustomers, the

specificrequirementsforeachusecase,etc.).


Table29.CRM-UseCasesCoverage(part1)

CRMelementimportanceforeveryusecase(PART1)

(red:highest,yellow:medium,green:lowest)

Item Name of CRM element

Fintech (Financial sector)

(UC1)

Estonian Governmental Cloud

(UC2)

ConsultLess, SME for using SaaS

(UC3)

SMEs migrating from one SaaS CSP to the other

(UC4)

Cloud Brokering: Cloud Chargeback and

Showback

(UC5)

Distribution of SME Training Material to Mobile Employees

(UC6)

EasyAgriSelling, SME using IaaS/PaaS

(UC7)

Video storage and streaming from the

Cloud

(UC8)

1 SLA URL 2 Findable 3 Choice of law 4 Roles and

responsibilities

5 Cloud SLA definitions

6 Revision date 7 Update

Frequency

8 Previous versions and revisions

9 SLA duration 10 SLA language 11 Machine-

readable format

12 Nr. of pages






(UC1)


(UC2)


(UC3)


(UC4)


Showback

(UC5)


(UC6)


(UC7)


Cloud

(UC8)

13 Contact details 14 Contact

availability

15 Service Credit 16 Service credits

assignment

17 Maximum service credits (Euro amount) provided by the CSP

18 SLA change notifications

19 Unilateral

change

20 Service Levels reporting

21 Service Levels

continuous reporting

22 Feasibility of specials & customizations






(UC1)


(UC2)


(UC3)


(UC4)


Showback

(UC5)


(UC6)


(UC7)


Cloud

(UC8)

23 General Carveouts

24 Specified SLO

metrics

25 General SLOs 26 Cloud Service

Performance SLOs

27 Service Reliability SLOs

28 Data Management SLOs

29 Security SLOs 30 Personal Data

Protection SLOs






Cloud-basedDevelopmentand

Testing

(UC9)

LogisticsandProject

Management

(UC10)

LocalGovernmentServicesinHybrid

Cloud

(UC11)

PayrollProcessingintheCloud

(UC12)

CSP specifying Carve-outs in its cloud

service terms

(UC13)

CSP changing SLA at operation time

(UC14)


responsibilities

5 Cloud SLA definitions 6 Revision date 7 Update Frequency 8 Previous versions and

revisions

9 SLA duration 10 SLA language 11 Machine-readable

format

12 Nr. of pages






Testing

(UC9)

LogisticsandProject

Management

(UC10)


Cloud

(UC11)


(UC12)


service terms

(UC13)


(UC14)

13 Contact details

14 Contact availability 15 Service Credit 16 Service credits

assignment



19 Unilateral change 20 Service Levels

reporting

21 Service Levels continuous reporting

22 Feasibility of specials &

customizations

23 General Carveouts 24 Specified SLO metrics






Testing

(UC9)

LogisticsandProject

Management

(UC10)


Cloud

(UC11)


(UC12)


service terms

(UC13)


(UC14)


Performance SLOs


28 Data Management SLOs


Protection SLOs






CSP providing services under

different regulations

(UC15)

CSP providing data services for the health sector

(UC16)

A SME terminating a contract with a

CSP

(UC17)

CSP migrating data between

different jurisdictions

(UC18)

CSP providing data portability vendor Lock-in of SaaS

applications

(UC19)

ISME looking for Information

Security Incident Management

(UC20)

CSP allowing data access for law enforcement

access

(UC21)

SME migrating to IaaS with several

duration periods in the agreement

(UC22)

SME setting up its own hybrid

cloud ecosystem

(UC23)


responsibilities

5 Cloud SLA definitions 6 Revision date 7

Update Frequency

8 Previous versions and revisions

9 SLA duration 10 SLA language 11 Machine-readable

format

12 Nr. of pages







(UC15)


(UC16)


CSP

(UC17)



(UC18)


applications

(UC19)



(UC20)


access

(UC21)



(UC22)


cloud ecosystem

(UC23)

13 Contact details

14 Contact availability 15 Service Credit 16 Service credits

assignment



19 Unilateral change 20 Service Levels

reporting

21 Service Levels continuous reporting

22 Feasibility of specials

& customizations

23 General Carveouts 24 Specified SLO

metrics







(UC15)


(UC16)


CSP

(UC17)



(UC18)


applications

(UC19)



(UC20)


access

(UC21)



(UC22)


cloud ecosystem

(UC23)


Performance SLOs


28 Data Management

SLOs


Protection SLOs



Summarytakeaways

• TheCRMhasbeenvalidatedwith theanalysisof 23use cases taken fromdifferent

businessdomains.

• Suchvalidationhasallowedustoidentifytheimportance/applicabilityofeveryCRM

elementforeveryusecase.

• Atemplateisusedforacomprehensiveanalysisoftheusecases.Theimplementation

ofthetemplateforeveryusecaseisusedtoidentifytheimportance/applicabilityof

everyCRMelement.

• The importance/applicabilityofeveryCRMelementdependsonaspectssuchas the

actorsinvolvedintheusecase,thesensitivityofthedatamanaged,thetypeofcloud

servicestouseortheregulationstoimplement.

• Thetemplateclassifieseveryusecaseaccordingtothefivebaseusecasesdefinedthe

ETSICSCreport. Italsoclassifieseveryusecasesaccordingto theCloudServiceLife

Cycle created in Deliverable 2.2. This information is used by the recommendation

methodologydescribedinthefollowingsection.


6. CRMrecommendationfornewusecasesVeryoften,companiesdecidetomovetheirbusinesstothecloudwithoutreallyknowing

whataspectstotackle:DoIhavetostrengthenperformanceaspects?Howimportantis

securityformybusiness?DoIhavetoconsiderpotentiallegalimplicationswhenoffering

myservice?Thissectionproposesamethodologythatcanbeusedtoprovidecompanies

with a recommendation based on the CRM that can help them to choose the best

possibleSLAaccordingtotheirbusinesstarget.

Asdescribedinprevioussections,theCRMprovideswithaframeworkthatclassifiesthe

mostrelevantaspectsthataCSPhastoconsiderwhenprovidingcloudservicesbasedon

SLAs to its customers.TheCRMcanbeused topublish thesecurity levels thataCSP is

providing or to know how transparent is a CSP with respect to all the non-functional

features associated with the cloud service provision. The CRM can also be used to

recommend themost suitableCSPs to customers according to their requirements. This

willbedemonstrated inSection7with theusageofassessmentalgorithms toevaluate

CSPsbasedonthequantificationoftheelementsoftheCRM.

However, the CRM offers greater potential beyond a recommendation means for

customers.AnadditionaladdedvalueoftheCRMconsistsofrecommendingtoCSPsthe

most relevant elements of the CRM. In D2.3 an initial validation exercisewas done to

evaluateusecasesfromdifferentdomains(financial,publicandSMEsectors)andanalyse

themwithrespecttotheCRM.Theresultofthestudyshowsthatsomeelementsofthe

CRM that aremore important than others depending on the characteristics of the use

case.For instance,the legalaspectsoftheCRMweremoreimportantfortheusecases

thatfocusedonthepublicsectorratherthantherestoftheusecases.

One of the objectives of D2.4 is to go in depth into this direction and to provide a

methodologythatallowstorecommendwhatelementsoftheCRMaremoreimportant,

according to the type of business case analysed. This process is done in two phases

(Figure9):

• Phase 1 – Clustering use cases. Use cases that share common characteristics

(either due to their domain or business requirements) can be organized in

representative domains. These representative domains denote the level of

importanceofeachCRMelementforaspecificdomain.Givenasetofmusecases,

theycanbegroupedintongroups,beingCRMioneofthesegroups,suchthat:

CRMi ( i=1…n),for n representative domains


This phase uses clustering algorithms (see Section 6.2) which, for a given input

(i.e.,theusecasescomingfromSection5.2),estimatesthelevelofimportanceof

theCRMelementfortheidentifiedclusters.

• Phase 2: Recommendation of a CRMi for new use cases. In this phase, newbusinesscasescanbeassignedtoanyofthenrepresentativedomainsidentified

inphase1.ThecorrespondingCRMi is returnedwhichcontainsaspecific report

onthelevelofimportanceofeveryelementoftheCRM.

The following picture depicts this process, beingCRMdomains the clusterswhere the use

casesaregrouped:

Figure9.RecommendationprocessbasedontheCRMandusecases

TheoutputofthisprocessisarecommendationbasedontheCRM,CRMi,thatcontains

the levelof importance foreveryelementof theCRM.Thiswill provideSMEswith the

informationtheyneedtoknowaboutwhataretheaspectsoftheCRMthatneedspecial

attention,accordingtotheirspecificbusinesscase.

Thefollowingsubsectionsdetailthephasesinvolvedintherecommendationprocess.

6.1. Inputdata:usecasesanalysisWehaveusedasinputatotalof23usecases:4usecasesanalysedinD2.3(whichhave

beenextendedtobe includedinD2.4)and19newusecasesaddedtoSection5ofthis

deliverable. For every use case (from now on, we will refer to the new use case as

"sample")theinformationusedasinputfortherecommendationprocessis:

• Thebaseusecases thatcorrespondstoeverysample.Abaseusecase isoneofthe five types identified in the ETSI CSC report: Application to the Cloud (AP),


Cloud Bursting (CB), processing sensitive data (SD), high availability (HA), Data

integrity(DI).

• Thestageofthelifecyclewheretheusecaseoperates(acquisition,operationortermination).

• AlevelofimportanceforeveryelementoftheCRM,ashigh,mediumorlow.

Asa result,wehave representedevery sampleasa vectorof38elements (5elements

correspondtothebaseusecase,3elementstothestageofthelifecycleand30forthe

elementsoftheCRM).Theseelementsarequantifiedusingacommonscale(from0to2).

Thequantifiedvaluesareusedasinputfortheclusteringmethodused.

6.2. Phase1:Applyingclusteringmethodologiestotheinputdata

The next step entails the classification of the input data in order to find the n most

representativedomains.Todosowehaveusedclusteringtechniquesthatallowtogroup

informationaccordingtosimilaritiesinthedifferentdimensionsthatarepartofthedata

analysed. Clustering techniques are widely used in machine learning and data mining.

Theyrepresentanefficientandanaccuratewayto identifypatternsandpredictresults

andbehaviours.Clusteringtechniquesgroupdata(apparentlyuncorrelated) intogroups

wheretheelementsbelongingtoeachgrouparemoresimilartoeachotherthantothose

intheothergroups.Thesegroups,calledclusters,arecomposedofavariablenumberof

elements. Figure 10 represents a typical clustering representation of two-dimensional

samples. Three clusters are clearly identifiedwhile there are still some samples (black

dots)thatcannotbeassignedtoanycluster(referredas"noise").


Figure10.Exampleofclusteringrepresentation10

The rules to map elements to clusters depends on the clustering methodology used.

Thereareseveralclusteringtechniquesinthestateoftheart:

• Partitioning Method (i.e., K-means [11]). For a set of x elements, these methods

buildy clustersandassigneveryelement to someof they clusters, typicallyusingEuclideandistances.

• Hierarchical Methods [12]. Decomposes the input data into a hierarchy which is

classifiedaccordingtothedecompositionofthehierarchy.Theclustersareidentified

accordingtothedensity(numberofelements)oftheclassifications.

• Density-basedMethod(i.e.,DBSCAN[10]).Unlikethepartitioningmethods,density

basedmethodsdonotneedtosetthenumberofclustersinadvance.Density-based

methods dynamically create them according to a predefined expected density of

elementsinacertainarea.

• Grid-BasedMethod (i.e., STING [13]). Clusters areorganized in a grid and samples

areassignedtoeachcellof thegrid.Onlycellswithaminimumdensity (minimum

numberofelements)areconsideredasacluster.Adjacentcellsmightbemergedto

gettheexpecteddensitytocreateacluster.

10https://cssanalytics.wordpress.com/2013/11/26/fast-threshold-clustering-algorithm-ftca/


• Model-Based Method (i.e., MCLUST [14]). Uses Gaussian statistical models to

calculatethedensityofafinitecollectionofelements.

• Constraint-basedMethod (CBM[15]).This technique isusedwhentheclustersare

conditionedbysomeconstraintsthattheelementshavetomatch.

InSLA-Ready,theelementstoclassify(i.e.,thesamples)arenotcorrelatedandwedonot

knowinadvancehowmanyclusterswewillhave.Aswedonothaveanyconstraintsforthe

elements that are part of any clusters, consequently we have chosen a density-based

methodtoclassifytheelementsthatarepartofoursampleset.

While therearemanytechniquestodealwithdensity-basedclustering,wehaveusedthe

DBSCANapproachforitssimplicityandefficiency.DBSCANcalculatesdistancesbetweenthe

elements of the sample set to find out clusters. The algorithm is configured with two

parameters:

• Theminimumnumberofelementsinacluster,representedasm.• Themaximumdistancebetweentheelementsofacluster,representedask.

Figure11depictsanexamplefortheDBSCANalgorithm.Oneclusterisidentifiedinred.The

elementsofthisclusterareatadistanceequalorlessthanthedistancek.ElementsC,Band

N are not considered part of the red cluster as their distance to any element of the red

clusterisgreaterthank.Theymightbepartofaclusterifatleastmotherelementsappear

atadistanceequalorlesstok.

Figure11.DBSCANapproach

Oneoftheproblemsthatclusteringmethodologiesfacewhentheyareusedisthatvery

oftenthenumberofsamples is fewerthanthenumberofdimensionsofeverysample.

This isexactlywhathappens inSLA-Ready,aswehave23samplesandevery sample is


composed of 38 elements. This is a problemwhen applying clustering techniques as it

makes difficult to find clusters where samples are at a distance k (as the number of

samplesislimitedandthenumberofdimensionpersampleisbig).Tosolvethisproblem,

machine learning techniques use dimensionality reduction to decrease (without losing

toomuch information) the number of elements of the sample. As an example, in SLA-

Readywehavereducedthedimensionsfrom38to3withaminimumlossofinformation,

which will facilitate discovering clusters. While several algorithms can be found for

dimensionalityreduction[11],wehaveusedaverywell-knowntechnique:PCA(Principal

ComponentAnalysis)[17].

PCA relies on the projection of information into a spacewith reduced dimensions. For

example,ifwehaveinformationdefinedonaspaceofthreedimensionsandwewantto

reduce it inonedimension,PCAwillproject the threedimension samples intoaplane,

which is used as new coordinates system. The projection is done trying to lose the

minimum amount of informationwhen projecting the samples to the new coordinates

system. To do so, the distance between the samples and the new coordinate’s axis is

minimized.

Insummary,theprocessthatwehavefollowedtoclusterelementscomprisesthreesteps

asdepictedinthefollowingpicture:

Figure12.Clusteringprocess

• Step1:Dimensionalityreductionreducesthedimensionsofthesamplesbyusingthe

PCAalgorithm.

• Step 2: Clusters discovering finds clusters with the samples used as input by using

DBSCAN.

• Step3:Calculatesthemostrepresentativesamplefortheclustersidentified.Todoso

wehavecalculatedthemeanvectorforallthesamplesthatarepartoftheidentified

clusters.

Step1:Dimensionality

reduction

Step2:Clustersdiscovering

Step3:Representative

samplecalculation


Figure13.Exampleofrepresentativevectorforclusters

WehaveappliedtheclusteringmethodologytothesamplesavailableinSLA-Ready:

• Instep1wehavereducedthedimensionalityofthesamplesfrom38to3.

• Instep2wehaveusedDBSCANtofindthepotentialclustersforthesamples.We

have configured the DBSCAN algorithm with k=2 and m=3. This results in theidentificationof3clusters.Aswehavereducedthedimensionofsamplestothree

we can depict a 3D representation of the samples and clearly see the three

clusters identified. Figure 14 depicts the results of the clustering. Red crosses

samplesarepartofcluster #1.Green squaresaregrouped intocluster #2whilebluediamondsaregrouped incluster #3. There is a sample (black circle) that is

consideredasnoiseandwillnottakepartintherecommendationmethodology.


Figure14.ClustersdiscoveredfortheSLA-Readysamples

• Instep3therepresentativesamplesofeachclusterare identifiedbycalculating

the mean among all the vectors that belong to the same cluster. Figure 15

representsthesesamplesaddedtothesamplesofeverycluster.

Figure15.ClustersandrepresentativesamplesfortheSLA-Readysamples

Although Figure 15 depicts the representative samples after reducing their dimensions

(otherwise it would not be possible to be represented), in practice themean value is

calculatedusingthenon-reducedsamples,asthisrepresentativevectorwillcontainthe

recommendationdataofalltheCRMelements.


6.3. Phase2:AssigningnewusecasestoclustersThe second phase of the methodology provides with the recommended level of

importance for every element of the CRM, depending on the characteristics of the

business case to evaluate. This is especially useful for SMEs that want to move

applicationstothecloudorsimplywanttoexplorenewopportunitiesbyprovidingtheir

owncloudservices.VeryoftentheseSMEsarenotactuallyawareofhowtomanagethe

relationshipstotheircustomersintermsofSLAs,forexampleconsideringsecurityorlaw

enforcementaspects.

In this phase the recommendationmethodology uses a subset of characteristics (non-

technical)thatdescribethebusinesscasethattheSMEwantstoevaluate.Wehaveused

only the fields included in the template of Table 5 that gives a high-level view of the

service:

• Thebaseusecase,asoneormoreofthebaseusecasesdefinedbytheETSICSC.

• Thestageofthecloudservicelifecyclewheretheusecaseoperates.

No further detail on any element of the CRM is required, since this is precisely the

informationthatthisrecommendationmethodologyisproviding.

Theprocessstartsbyobtainingthenearestclustertothebusinesscasetoevaluate,and

thenreturntherepresentativesamplecalculated inphase1.This isdonebycalculating

the distance between the vector that represents the new use case (which contains 8

elements:5forthebaseusecaseand3forthelifecyclestage)andthepartialvectorsof

therepresentativesamples.Therepresentativesamplewiththeminimumdistanceisthe

best possible recommendation, which is returned to the SME. Figure 16 depicts this

processwhereanewsample(thisis,anewbusinesscase)iscomparedwiththeclusters

identified.Thedistancetoeachrepresentativesample isthencalculated(d1,d2andd3forclusters #1,#2 and#3 respectively).Asd3 is theminimumdistance,wechoose the

representative sample of cluster #3 as the recommendation result.


Figure16.Exampleofrecommendationbasedondistancesbetweensamples

Thismethodology isextensible.Newbusinesscasescanprovidewithnewsamples that

canchangetherepresentativesampleofclusters,thenumberofclustersorthemembers

oftheclusters. Infact,machinelearningtechniquesare indeeddesignedtodynamically

adaptthemselvestonon-correlatedsamplescomingintothesystematanymoment.

6.4. Recommendationmethodologyvalidation:Example1

Inthissectionwepresenttheexampleofacompanythatisstartinganewbusinessand

wantstoberecommendedabouttheSLAthatshouldbeprovidedtoitscustomers:

This company provides IT services for hospitals and is moving towards providing computational resources for research activities required by hospitals. More specifically, this company provides computational resources for processing genetic based information from patients. The new service is designed in such a way that, depending on the workload, the data is moved between different clouds (public or private), in order to maximize efficiency. The service is also based on previous services that the company has moved to the cloud to save costs and increase performance. The company needs to change the service terms provided to their customers. As a result, a new SLA will have to be offered to its customers. In order to deal with the features of the new service this company is asking for a recommendation on the terms of the SLA to which they should pay more attention.


Following the recommendation methodology described previously, the new service is

analysedaccordingtotherequestedparameters:

• Base use case (according to ETSI CSC classification). The company is moving

applications to the cloud (base use case: AP). It is also moving computational

resources between different clouds depending on the workload (base use case

CB).Finally,itisalsoprocessingsensitivedata,asitdealswithgeneticinformation

from patients of hospitals (base use case: SD). Therefore, we can classify the

serviceasAP,CBandSD.

• Stage of the life cycle. The cloud is used during the operation of the serviceoffered.Asaresult,wecanclassifytheserviceintheoperationstage.

Therefore,thesampletoprocesswillbethefollowing:

Table32.Classificationoftheusecaseoftheexample1

Baseusecase LifecyclestageAP CB SD DI HA Acq. Op. Term.YES YES YES NO NO NO YES NO

AfterapplyingPhase2oftherecommendationmethodology,andhavingtheclustersand

representativesamplesdescribedinSection6.2(anddepictedinFigure15),wecanassign

thisbusinesscasetocluster #2.TherecommendationontheCRMelementsisbasedon

therepresentativesampleforcluster #2,whichgivesthefollowingresult.

CRMelement 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Recommendation

CRMelement 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30Recommendation

Red:highimportance.Yellow:mediumimportance.Green:LowimportanceFigure17.Recommendationresultsfortheusecaseanalysedinexample1

Wecanseefromtheresultsobtainedthatforthegivenusecasetheelements28,29and

30 of the CRM are labelled as highly important. This is quite consistent with the

characteristicsof theuse caseanalysed, aselements28,29and30are related todata

protection. This is consistent with the results obtained as the service to evaluate is

focusedonthemanagementofsensitivedata(geneticsinformationfrompatients).


6.5. Recommendationmethodologyvalidation:Example2

The following is theexampleof company thatwants tomovecriticaloperations to the

cloud:

A company wants to support the activities of a rail transport operator with cloud services (for example for incident response management). The target customer is a critical infrastructure provider (the rail transport operator), thus the cloud service must be reliable and with high availability.

Following the recommendationmethodologydescribed in Section6, thenew service is

analysedaccordingtotherequestedparameters:

• Baseusecase(accordingtoETSICSCclassification).Thetargetoftheserviceistomove the current operations carried by rail transport companies to the cloud.

Therefore, we can initially classify it as AP (moving application to the cloud).

Furthermore,inthisusecasetherearestrictrequirementsinregardtoavailability.

Thecloudserviceswillbeuseduponacritical infrastructurethatrequiresahigh

availability inorder toproperlyandquickmanage incidents.Asa result,wecan

classifythisservicealsoasHA(Highavailability).

• Stageofthelifecycle:Thenewservicewillbeusedatoperationtime.However,in

this service it is paramount to consider also critical requirements, such as the

expectedavailabilityortheresponsetime.Theseconsiderationsmakeusclassify

theusecasealsointheacquisitionstageofthelifecycle.

Therefore,thesampletoprocesswillbethefollowing:

Table33.Classificationoftheusecaseoftheexample2

Baseusecase LifecyclestageAP CB SD DI HA Acq. Op. Term.YES NO NO NO YES YES YES NO

Applying Phase 2 of the recommendation methodology, and having the clusters and

representativesamplesdescribed inSection6.2 (anddepicted inFigure18),weendup

assigningthisbusinesscasetocluster #1.TherecommendationontheCRMelements is

basedontherepresentativesampleforcluster #1,whichgivesthefollowingresult.


CRMelement 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Recommendation

CRMelement 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30Recommendation

Red:highimportance.Yellow:mediumimportance.Green:LowimportanceFigure18.Recommendationresultsfortheusecaseanalysedinexample2

Lookingattheresultswecanseethatforthegivenbusinesscasetheelements26,27and

28oftheCRMarelabelledashighly important.This isquiteconsistentwiththetypeof

business case. Elements 26, 27 and 28 are "Cloud Service Performance SLOs", "Service

ReliabilitySLOs"and"DataManagementSLOs"whichareindeedveryimportantaspects

foracloudservicebuiltforacriticalinfrastructureastheoneinthisexample2.


Summarytakeaways

• AnovelrecommendationmethodologybasedontheCRMhasbeencreatedtohelp

potential new cloud customers/providers to identify the CRM Elements that are

mostrelevantfortheirbusinesscase.

• Therecommendationmethodologyusesthe23usecasesevaluatedinSection5.It

utilizesclusteringtechniquestofindthecorrelationamongthegivenusecases.

• Theresultoftheclusteringtechniqueisasetofusecasesgroupedinclusters.Every

identified cluster has a representative CRM, which includes a specific level of

importance(high,medium,low)foreveryCRMElement.

• The informationused togroup theusecases is: thebaseusecases (asdefinedby

theETSICSC),thestageoftheCloudServiceLifeCyclewheretheusecaseoperates,

andthelevelofimportanceidentifiedforeveryCRMelement.

• Ahigh-leveldescriptionofSME’sbusinesscasesisusedtoidentifythebaseusecase

(asdefinedbytheETSICSC)andthestageoftheCloudServiceLifeCyclewherethe

SME’s business case operates. With that information, the recommendation

methodologymapseveryusecasetotheclustersdiscoveredduringtheanalysisand

provideswiththecorrespondentlevelofimportanceforeveryCRMelement.


7. ProgressondevelopingtheSLA-ReadinessIndexTheconceptoftheSLA-ReadinessIndexi.e.,ahigh-levelmetricdesignedtoassessaCSP

alignment to theCRM,was first introduced inDeliverable4.2within thecontextof the

envisionedSLAMarketplace.TherestofthissectionreportsthedevelopmentoftheSLA-

Readiness Index, mostly focused on the CSP assessment criteria designed by the

consortium, the quantitative techniques used to perform the computation of the SLA-

ReadinessIndex,andsomedevelopedproofofconceptexampleswithrealCSPdata.

7.1. MotivationfortheSLA-ReadinessIndex

During the early phase of the project and while designing the SLA-Repository (cf.,

Deliverables2.1and2.2),theconsortiumrealisedthatinordertoprovidecomprehensive

cloud SLA information to (prospective) cloud customers itwas necessary to go beyond

justofferinga"raw"collectionofSLAs.Therefore,asreportedinD4.3theSLA-Repository

became a collection of cloud SLAs analysed according to the elements defined by the

CRM(cf. Section3). Fromthe feedback received fromstakeholdersandAdvisoryBoard

(cf.,D4.4),weconcludedthat theentries in theSLA-Repositorycouldhavebecometoo

granularforSMEsjustwillingtohaveaquickunderstandingoftheofferedCSPSLAbefore

going into all involved details. For this reason, the project has proposed the SLA-

Readiness Index: a quantitativemetric that could be used by cloud customers, mainly

SMEs,toassessataglancetheCSPSLA.

Figure19.ComputingtheSLA-ReadinessIndex.

Figure19showsahigh-levelviewof theproposedsetofstepsneededtocomputeand

makepubliclyavailabletheSLA-ReadinessIndex.Thefollowingsectionspresentsinmore

detailseachoneofthestepsdepictedinFigure19.


7.1.1. Step1:CSPSLAself-assessment

DuringthisfirststagetheCSPisaskedtoperformtheself-assessmentofitsSLA(s)based

onthedevelopedCRM.Thisinitialstephastwomaingoals:

1. ValidatetheusefulnessoftheCRMfromtheCSPperspective

2. Collectreal-worldSLAdatafortheSLA-Repository(alongwiththeCSPapprovalfor

publishingthatinformation).

InorderfortheCSPtoanalysetheCRMinsuchawaythattheresultinginformationcan

be used to compute the SLA-Readiness Index, it is necessary to assign a

qualitative/interval scale to each CRM element (e.g., a YES/NO answer). This approach

hasproved itsusefulness inthedevelopmentofcloudsecurityrepositoriessuchasCSA

STAR[25],whereCSPsself-assessthe implementationofsecuritycontrolsbasedonthe

ConsensusAssessmentInitiativeQuestionnaire(i.e.,CSACAIQ[24]).

The SLA-Ready consortium has developed a questionnaire for allowing CSPs to assess

theirSLAsbasedonthedevelopedCRM.ThisquestionnaireisshowninAnnexBandwas

usedtodeveloptheSLA-ReadinessIndex.FurtherdetailsrelatedtotheSLA-ReadyIndex,

including the analysis of received CSP answers to the questionnaire, are presented in

D4.3.

7.1.2. Step2:SLA-Repository

OncetheCSPshaveansweredthequestionnaireshowninAnnexB,thenitisfeasibleto

store the received answers in the SLA-Repository for further exploitation. The current

versionoftherepositoryisacollectionofthereceivedCSPquestionnaires,althoughsome

initial efforts to develop a machine-readable version of the repository have already

started by collaborating with projects like H2020 MUSA11. In order to support

transparencyinthecloudmarket,allCSPsansweringthequestionnairehavebeenasked

toprovidetheirconsentformakingtheiranswerspubliclyavailable(cf.,AnnexC).More

detailsrelatedtotheSLA-ReadyRepositoryarepresentedinD4.3

7.1.3. Step3:ComputingtheSLA-ReadinessIndex

The CSP SLA information collected into the SLA-Repository is structured in a way that

allows for its quantitative reasoning; in particular, we refer to its aggregation into auniquequantitative/qualitativeleveli.e.,theSLA-ReadinessIndex.Atthestateoftheart,

11Pleaserefertohttp://www.musa-project.eu/.LastaccessedonNovember2016.


there are some well-known methodologies that can be used to aggregate

quantitative/qualitativemetricsorganisedinahierarchicalstructureinordertoobtaina

uniquemeasure.

Anadequateaggregationtechniquecanbeappliedtothequalitativedatacompiledfrom

the CSP questionnaires to result in a numeric SLA-Readiness Index value. The latter is

proportional to the amount of positive answers provided by the CSPs to the

questionnaire.Forexample,aCSPreplyingwithmorepositive(i.e.,YES)answerstothe

CRMwill have a higher SLA-Readiness Index than another CSP that replied withmore

negativeanswers(i.e.,NO).Furthermore,thenumericSLA-ReadinessIndexcanbeeasily

transformedintoaqualitativemetricwheremoreSME-friendly labelscanbeassociated

to the SLAs e.g., Gold/Silver/Bronze. Section 7.3 further elaborates about the

computation of the SLA-Readiness Index, and also presents some proof of concept

examplesbasedonreal-worldinformationfromtheSLA-ReadyRepository.

7.1.4. Step4:UsingtheSLA-ReadinessIndex

For each CSP entry on the SLA-Ready Repository it can be computed a unique SLA-

Readiness Index, which can be then used as entry-point to provide more detailed

information about the CSP SLA. The SLA-Readiness Index can be deployed (for public

access)ontheSLA-Readywebsite12andalsoontheCSASTARwebpage(e.g.,Figure20).

Figure20.ACSPentryonCSASTAR-AdditionalInfo

12Pleaserefertohttp://www.sla-ready.eu/


MoredetailsassociatedwithpublishingandusingtheSLA-ReadinessIndexarediscussed

inD4.3.

7.2. TechniquesfortheassessmentofCSPs

The evaluation of the SLA-Readiness index depends on the assessment techniques that

allowonetoascertain(qualitativelyorquantitatively)howgoodorbadaCSP'sSLAiswith

respecttocustomers’requirementsandwithrespecttotheSLAsofotherCSPs.

However, there are only very limited techniques available to provide such an SLA

assessment. This is indeed, as reported in D2.2, another impediment that customers

encounter when they decide to migrate their key applications to the cloud.

Notwithstanding,severalapproachesareemergingaimingtoevaluatethefunctionalityand

securityofCSPs.WebrieflyoutlinethestateoftheartinSLAassessments.

Lietal.[18]focusesonperformanceindicatorstocomparedifferentCSPs.Thisapproachis

based on the active measurement of elastic computing, persistent storage and network

services.Tothisendasetofmetricsarecreatedwhicharealsousedtoevaluatetheimpact

ontheperformanceoftheservice.

TheQoS of CSPs is evaluated byGarg et al [19] that uses the Analytic Hierarchy Process

(AHP)toevaluateperformancedataandprovidewitharanking.Thetechniqueisbasedon

the Service Measurement Index (SMI) indicator as defined by the Cloud Service

MeasurementIndexConsortium(CSMIC)[29].TheSMIconsistsofasetofbusiness-relevant

KeyPerformance Indicators (KPIs) thatprovide a standardizedmethod formeasuring and

comparingabusinessservice.ThismethodologyusestheseKPIstocreateasetofmetrics

that are used to compare the providers. These KPIs are measured through the

corresponding metrics by monitoring directly the system. The evaluation of these

measurementsisdonebyapplyingtheAnalyticalHierarchyProcess(AHP)[27]thatprovides

arankingoftheanalysedproviders.

Several activities are devoted to evaluating SLAs focused on security. Hegging [20] is

probablythefirstinitiativethatintroducedthetermsecurityinSLAs.Heggingdefinesaset

ofquantifiablesecuritymetricsthatcanbeusedtoevaluateservices.

Althoughthepreviousreferencesareinterestingapproachestodealwiththeevaluationof

SLAs, the following ones providewith a structuredmethodology based on a quantitative

evaluation of the controls that comprise the SLA. Although the aforementioned

methodologies for cloudassessmentaremainly focusedon security controls, they canbe

easilytranslatedtoanysetofcontrolsincludedinaSLAaslongastheyarequantifiable.

ThefollowingfiguredepictsthethreeprogressivestagesdrivingSLAassessmentas:


Figure21.StagescomprisingthequantitativeSLAassessment

- Definition of requirements: In this stage both customers’ requirements and CSP

SLAsareexpressed inasetofcommonelements (forexampleusingtheCSACCM

[21]). The most prominent characteristic of these elements is the hierarchical

structureusedtoorganizethem.Forexample,atypicalhierarchyusedtoevaluate

SLAsistheonethatcombinestheCSACCMwiththeISO/IEC19086,whichresultsin

athreelevelstree(categories,groupsandSLOsasdepictedinFigure22)

Figure22.SLAhierarchycombiningtheCSACCMandtheISO/IEC19086

- Quantification.Eachelementofthepreviousstageisthenquantitativelyevaluated.

The specific way to evaluate each element of the SLA depends on the concrete

methodology but the common denominator for all of them is based on the

definition of all the possible service levels for each element. For example, an

elementoftheSLAmightbedefinedinsuchawaythatitcanonlygettwopossible

values (YES andNO orTRUE andFALSE). In this case the quantificationwould


assignscorestoeachpossiblevalue(i.e.,1 toYESand0 toNO). Inthecaseofan

element with more than one possible value (i.e., the cryptographic key length

specified by 128, 256 and 512 bits), the scores would be given in the range of

possible values (i.e., {0, 1, 2, 3} for the {128, 256, 512} bits levels of thecryptographickeylengthexample).

- Evaluation.Thisstagecomprisestheuseofalgorithmswiththequantifiedelements

oftheSLA.Thealgorithmshighlydependonthemethodologyusedbutallofthem

arebasedontheaggregationofthequantifiedelementsoftheSLAalongwiththe

hierarchyusedtoorganizetheelementsoftheSLA.

A very relevant evaluationmethodology is the one presented by Luna et al. in [22]. This

methodology(calledQuantitativePolicyTrees(QPT))evaluatesandcomparessecuritySLAs

basedontheCAIQ[24]structureandtakenfromtheSTARrepository[25].Themethodology

isbasedonscoresgiven to theelementsof theSLAhierarchyaccording to thequantified

values.Thescoresarecalculatedasthedistanceofthescoresforthequantifiedlevelofan

element for the CSP and for the customer, weighted with respect to the maximum

quantification level for thatelement.Thescoresarecalculated foreverynodeof the tree

andareaggregatedtowardsthehigherlevelsofthehierarchytillgettingaglobalscore.This

methodology allows also to define basic dependencies between the lowest nodes of the

hierarchybyusingAND/ORrulesintheaggregationprocess.

TheQPTmethodologyisveryrelatedtotheReferenceEvaluationMethodology(REM)[26].

The definition of requirements and the quantification process is very similar toQPT. The

maindifferenceisintheevaluationprocess.InREMthequantificationprocessleadstoaset

of matrices. The REM uses matrices arithmetic to calculate distances between matrices

representingtheSLAsofcustomers’requirementsandCSPs.

ThenewestapproachistheQuantitativeHierarchyProcess(QHP)presentedbyTahaetal.

in[21].Theproposedframeworkallowsbothbasicandexpertuserstoexpresstheirsecurity

requirements according to their expertise and specific needs by using qualitative

requirementsthatcanevenbeexpressedinnaturallanguage.Thequantificationprocessis

basicallythesameastheoneusedbyQPTandREM.ThealgorithmtoevaluatetheSLA is

basedontheAHPforsolvingMultipleCriteriaDecisionMaking(MCDM)[28]problems.The

algorithmisalsobasedontheaggregationofquantifiedcontrolsalloverthehierarchy.The

aggregation is done by carrying out a pair-wise comparison between the (quantified)

elementsoftheSLAprovidedbyalltheCSPsthataretobecompared.Theresultisamatrix

whoseEigenvector isusedtoobtainthefinalscore.Therelevanceofthismethodology is

that thepair-wisecomparisoncanbedoneatany levelof thehierarchy.Thus, theresults


canbeobtainedwithdifferentlevelsofgranularity,dependingonthedepthoftheanalysis

thatisrequired.SuchananalysiswillbediscussedfurtherinD2.4

7.3. ComparativeassessmentofrepresentativeCSPs

This section presents the calculation of the readiness index for several providers with

respect to the CRM. The QHP approach was used as the assessment technique to

compare CSPs. QHP has been developed in TUDA by the DEEDS group and allows to

evaluate the level of security provided by CSPs.WithQHPwe can compare across the

CSPsandalsocompareagainstasetofsecurityrequirementsspecifiedby,forexample,a

customer. QHP takes as input the security SLA of CSPs, which is then organized in a

hierarchical structure. QHP has also been chosen as it allows to evaluate the CSPs at

different levels of granularity: partial scores can be obtained at different levels of the

CRMhierarchy.Wehave adaptedQHP to use the CRMas input. Figure 23 depicts the

levelsusedfortheanalysiswhenusingtheCRM.

Figure23.EvaluationdonetogetthereadinessindexatdifferentlevelsintheCRMhierarchy

We have performed two evaluations. Each evaluation uses different information to

calculatethereadinessindex:

• Evaluation of surveyed CSPs. In this case, the input has been taken from the

answers given by several CSPs to the survey included in Annex B. This survey

allowstoknowthecomplianceofeveryCSPwithrespecttoeveryelementofthe

CRM.WehaveusedasimplifiedversionoftheCRMwheretheelementlevelisthe

lowestlayeroftheCRMhierarchy.WehavedoneittomakeCSPs’lifeeasierwhen

answeringtothesurvey,answeringto30questions (30elementsof theCRMas


listed in Table 2) instead of answering to 70 questions (elements and technical

components).

• Evaluationofself-assessedCSPs.WehavecomparedtheCRMwithrespecttothe

information from CSPs that is publicly available (for example published in their

respectiveweb sites) and information taken from SLA repositories (such as the

CSA STAR repository [25]). In this case, we have used the complete hierarchy,

consideringalsothecomponentsthatareundertheSLO&Metricelement.

7.3.1. EvaluationofsurveyedCSPsbasedontheCRM

Table34showstheanswersoffiveCSPsforthesurveyshowninAnnexB.Thevaluesof

theanswersaretakenfromthecolumn“CSPself-assessment”ofthesurvey.Forexample,

a number “2” in the CRM element “Findable”means that the SLA is findable using an

internalsearchenginewhilea“0”meansthattheSLA isnotavailable inthewebsiteof

theCSP.WehaveusedthatinformationtoapplytheQHPmethodologytocomparethem.

Table34.AnswersofthesurveyedCSPs

Group Name of CRM element CSP1 CSP2 CSP3 CSP4 CSP5

General (GR)

SLA URL 0 0 0 1 0 Findable 2 0 0 0 1 Choice of law 1 0 1 1 0 Roles and responsibilities 1 1 1 0 1 Cloud SLA definitions 1 1 1 1 1

Freshness (FR)

Revision date 1 1 0 1 1 Update Frequency 1 1 0 1 0 Previous versions and revisions 0 0 0 1 0 SLA duration 1 0 1 0 1

Readability (RE)

SLA language 1 0 0 0 0 Machine-readable format 1 0 0 0 0 Nr. of pages 0 >1 >1 >1 1

Support (SU)

Contact details 1 1 1 0 1 Contact availability 1 1 1 0 1

Credits (CR)

Service Credit 1 1 1 0 1 Service credits assignment 1 1 0 0 1 Maximum service credits (Euro amount) provided by the CSP 1 1 0 0 1

Changes (CH)

SLA change notifications 1 1 0 0 0 Unilateral change 1 0 1 0 0

Reporting (REP)

Service Levels reporting 0 1 1 1 1 Service Levels continuous reporting 0 1 0 0 0 Feasibility of specials & customisations 1 1 0 0 1


General Carveouts 1 1 0 1 1 SLOs & Metrics

(SL)

Specified SLO metrics 0 1 1 1 1 General SLOs 1 1 1 1 1 Cloud Service Performance SLOs 1 1 1 1 1 Service Reliability SLOs 1 1 1 0 0 Data Management SLOs 0 0 0 0 0 Security SLOs 0 1 0 0 0 Personal Data Protection SLOs 1 0 0 0 0

TheresultsareshowninFigure24andFigure25.Figure24representsthecomparisonof

thefivesurveyedCSPsatthehigherleveloftheCRMhierarchy.Thisistheglobalscoreof

everyCSPwithrespecttothecompleteCRM.Wecanseethat,comparedwiththerestof

theevaluatedCSPs,CSP1isthebestone,followedbyCSP2andCSP5.Ofcourse,thisisan aggregated evaluation and does notmean that CSP1 is better than the rest of the

providerswithregardtoeveryelementoftheCRM.Tobeabletogetadetailedanalysis

wehavetogolowerintheCRMhierarchyandevaluatetheCSPsatthegrouplevel.QHP

allowsustodosuchdeeperanalysis.

Figure24.ComparisonofsurveyedCSPs:readinessindexglobalscore

Figure25representsthecomparisonofthesurveyedCSPsatthegroupleveloftheCRM.

AswecanseeCSP1isespeciallygoodinthe"Readability"(RE)andinthe"Changes"(CH)groups. CSP4 provides detailed information about general aspects of the SLA and

especially in what regards to the "Freshness" (FR) group (which is the specification of

changesandupdatesoftheSLA).Finally,itisworthmentioninghowCSP2standsoutin"Reporting"(REP)features.


Figure25.ComparisonofsurveyedCSPsatgrouplevel

Asithasbeenalreadypointedout,theseresultsarecomparisonsbetweentheproviders

usedintheevaluation.Theresultsobtainedarenotabsolutebutrelativewithrespectto

therestoftheprovidersevaluated.

7.3.2. Evaluationofself-assessedCSPsbasedontheCRM

Table 35 shows the information for the CRM extracted for four self-assessed CSPs (as

basedontheinformationtakenfromtheSTARrepositoryandtheirrespectivewebsites).

Additionally,thisevaluationincludesvaluesforthecomponentsthatarepartoftheSLO

&Metricsgroup,being“1”whenthecomponentappearsintheSLAoftheCSPand“0”

whenitdoesnot.Table35.Answersoftheself-assessedCSPs

Group Item Name of CRM element/components CSP6 CSP7 CSP8 CSP9

General (GE)

1 SLA URL 2 1 2 0 2 Findable 1 1 1 0 3 Choice of law 0 0 0 0 4 Roles and responsibilities 0 0 0 0 5 Cloud SLA definitions 1 1 1 0

Freshness (FE)

6 Revision date 1 1 1 1 7 Update Frequency 2 1 2 2 8 Previous versions and revisions 0 0 0 0 9 SLA duration 1 0 0 1

Readability (RE)

10 SLA language 1 1 1 0 11 Machine-readable format 0 0 0 0 12 Nr. of pages 1 1 1 0

Support (SU)

13 Contact details 1 1 1 1 14 Contact availability 0 0 0 0

Credits (CR)

15 Service Credit 0 0 0 0 16 Service credits assignment 0 0 0 0

17 Maximum service credits (Euro amount) provided by the CSP 0 0 0 0


Changes (CH)

18 SLA change notifications 0 0 0 0 19 Unilateral change 0 0 0 0

Reporting (REP)

20 Service Levels reporting 0 0 0 0 21 Service Levels continuous reporting 0 0 0 0 22 Feasibility of specials & customisations 0 0 0 0 23 General Carveouts 1 1 1 1

SLOs & Metrics

(SL)

24 Specified SLO metrics (SM) 0 0 0 0 25

General SLOs (GR)

Service monitoring 0 0 0 0 26 Accessibility 0 1 0 1 27 Availability 0 1 0 1 28 Termination of service 0 1 0 1 29 Cloud Service Support 0 1 0 0 30 Governance 0 1 0 0

31 Attestations, certifications and audits

0 1 0 0

32 Cloud Service

Performance SLOs (CP)

Response time 0 0 0 0

33 Capacity 0 0 0 0

34 Elasticity 0 0 0 0 35 Service

Reliability SLOs (SR)

Service Resilience 0 0 0 0

36 Customer data backup/restore 0 1 0 0

37 Disaster Recovery 0 0 0 0 38

Data Management

SLOs (DM)

IPR 0 1 0 0

39 Cloud Service Customer Data 0 0 0 0

40 Cloud Service Provider Data 0 0 0 0

41 Account Data 0 0 0 0 42 Derived Data 0 0 0 0 43 Data portability 0 0 0 0 44 Data deletion 0 1 0 0 45 Data location 0 0 0 0 46 Data examination 0 0 0 0

47 Law Enforcement Access 0 0 0 1

48

Security SLOs (Sec)

Organization of Information Security 0 0 0 0

49 Human Resources Security 0 0 0 0

50 Asset Management 0 1 0 0 51 Access Control 0 1 1 1 52 Cryptography 0 1 1 0

53 Physical and Environmental Security 0 1 0 0

54 Operations Security 0 1 0 0

55 Communications Security 0 1 1 0


56 Systems Acquisition, Development and Maintenance

0 1 0 0

57 Supplier Relationships 0 0 0 0

58 Information Security Incident Management 0 1 1 0

59 Business Continuity Management 0 1 0 0

60 Compliance 0 1 0 0 61

Personal Data

Protection SLOs (PDP)

Consent and choice 0 0 0 0

62 Purpose legitimacy and specification 0 0 0 0

63 Collection limitation 0 0 0 0 64 Data minimization 0 0 0 0

65 Use, retention and disclosure limitation 0 0 0 0

66 Accuracy and quality 0 0 0 0

67 Openness, transparency and notice

0 0 0 0

68 Individual participation and access 0 1 0 0

69 Accountability 0 0 0 0 70 Privacy compliance 0 1 0 0

Figure26representsthereadinessindexoftheSLAsforthefourself-assessedCSPsgiven

theglobalscoreatthehighestleveloftheCRM.Aswecansee,thistimeitisCSP7thatstands out overCSP8 andCSP6 in this order. Far behind them it isCSP9. Again, thisprovides just a global score and does not allow us to know how well or bad these

providersbehaveforeverygroupoftheCRM.

Figure26.Comparisonofself-assessedCSPs:readinessindexgiventheglobalscore

Toobtainamoredetailed comparisonwehavecarriedouta comparisonof these four

providers at the group level. The results aredepicted in Figure27. In general, the four


CSPsbehavequitesimilarinmostofthegroups.JustCSP7standsoutinthespecificationofSLOsandMetrics(SL).WecanalsoseeinFigure27thereasonforthelowglobalscore

of CSP9 as it does not provide information about 4 out of the 8 groups evaluated.

Furthermore, it isworthnoticing that thegroups"Credits" (CR)and"Changes" (CH)are

giving a score of 0 for all the CSPs. The reason is that they are not detailing such

information in the self-assessment report stored in the STAR repository andno further

detailsaregiveninthepublicinformationthatcanbeextractedfromtheirwebsites(or

atleastwehavenotbeenabletofindit).

Figure27.Comparisonofself-assessedCSPsatthegrouplevel

AdeeperanalysisoftheSLA&MetricgroupexplainsthehighscoreofCSP7andthelowscoreofCSP6forthatgroup.Figure28representsthescoresofthefourprovidersintheSLO&Metricgroup.Thisanalysistakesintoconsiderationthevaluesofeverycomponent

atthelowestlevelofthehierarchy.Wecanseethat,onlyCSP7detailsinformationabout

5 out of the 7 elements of the SLO&Metrics group. This explains the high score that

CSP7hasforthisgroupinFigure27.WecanalsoseethatCSP8isonlyprovidingvaluesforSecuritySLOs(asitcanbeseeninTable35).

Figure28.Comparisonofself-assessedCSPsatthe"SLO&Metrics"grouplevel


As a result, the evaluationmethodologies, such asQHP, combinedwith the SLA-Ready

CRMprovideswithapowerful toolnotonly toevaluateandcompareCSPs,butalso to

discovertheaspectsinwhichtherespectiveCSPsarestrongerorweakerthanothers.For

example,thisoffersanopportunityforCSPstoknowinwhataspectstoimprove.


Summarytakeaways

• The CRM, as added value, can additionally be used to compare across the CSPs or

comparingtheCSPsagainstcustomers’requirements.Thiscanbedonebycalculating

theSLA-Readinessindex.

• The SLA-Readiness index can be obtained by using different types of input. In SLA-

Readywehaveused:(i)informationtakenfromCSPsthatansweredtoasurveybased

on the CRM (see Annex B) or (ii) public information (available inWeb sites or SLA

repositories)thathasbeenmappedtotheCRM.

• The SLA-Readiness index is obtained by applying an assessment methodology

developedbyTUDA:TheQuantitativeHierarchyProcess(QHP).

• QHPallowstoperformcomparisonsatanyleveloftheCRMhierarchy,dependingon

thelevelofgranularityrequested.


8. ConclusionsThisreportdescribesandvalidatestheSLA-Ready'sCommonReferenceModelbasedon

theanalysisoftherequirementselicitedinD2.1andD2.2andontheinitialanalysisdone

inD2.3.D2.4reportsacomprehensiveanalysisofdifferentdomains(standards,industry)

withrespecttotheCRM.

Fromtheanalysisofthestandardizationdomainwehaveupdatedtheevaluationofthe

standards and best practices analysed in D2.3. Furthermore, we have extended the

evaluation by adding to additional best practices taken from the SLALOM project. The

outcomeofthisassessmentisthatmostofthestandardsprovideagoodcoverageofthe

technicalelementsoftheCRM(namelySLOeitherforsecurity,privacyandperformance).

However, the coverage of categories such as general and economic aspects is quite

limited.OnlytheETSICloudSLAtemplatehasabettercoverageofnon-technicalaspects.

The SLALOM specification for SLAs is alsomainly focused on technical aspects. On the

contrary, the SLALOM specification for contracts is mainly focused on legal and

administrativeaspects,whiletechnicalaspectsareavoided.

For theanalysisof the industrialdomain,wehaveextendedtheevaluationof theCRM

withadditional19usecasesfromdifferentdomainsandextendedthe4usecasesstudied

in D2.3. We have also extended the template to evaluate use cases with information

about the level of expertise required by the CSPs to implement such use case and the

stageofthelifecyclewheretheusecasesareapplied.

We have used this additional information to propose a recommendationmethodology

based on the CRM that uses machine learning techniques. The recommendation

methodology receives as input a high-level description of a business case (such as the

type of cloud service provided and the stage of the life cycle) and returns information

aboutthelevelofimportanceofeveryCRMelement,whichwillbethemostsuitableone

forthecharacteristicsofthebusinesscase.

Finally, we have also proposed a technique to obtain the readiness index of SLAs by

evaluatingtheSLAsofseveralCSPswithrespect totheCRM.Ontheoneside,wehave

analysedmorethan100CSPswiththeinformationthatispublicityavailable.Ontheother

side,wehavereceivedsurveysfromseveralCSPswhichhaveself-assessedtheirSLAswith

respect to the CRM. We have used that information to compare (by using cloud

assessmentmethodologies)severalCSPsintermsoftheCRM.

Theoutcomesof thevalidationof theCRMcarriedout inD2.4canbeusedto leverage

the creation of tools that integrate the calculation of the readiness index and the

recommendationmethodology.


References[1] Cloud Standards Customer Council. Practical Guide to Cloud Service Agreements –

Version 2.0. [Online]. Available: http://www.cloud-council.org/deliverables/CSCC-Practical-Guide-to-Cloud-Service-Agreements.pdf,2015.

[2] CSIG – Cloud Service Level Agreement Standardisation Guidelines. [Online]. Available:https://ec.europa.eu/digital-single-market/en/news/cloud-service-level-agreement-standardisation-guidelines,2014

[3] European Commission, "Standards terms and performance criteria in service levelagreements for cloud computing services", [Online]. Available:https://ec.europa.eu/digital-single-market/en/news/study-report-standards-terms-and-performances-criteria-service-level-agreements-cloud-computing,2015

[4] ETSI,TR.103125V1.1.1:"CLOUD."SLAsforCloudservices(2012).[5] International Organization for Standardization (ISO/IEC), "ISO/IEC 19086, Information

Technology – cloud computing – Service level agreement (SLA) framework andterminology(Draft),"2014.�

[6] ETSI. "Cloud Standards Coordination. Final Report". 2013. [Online]. Available:http://csc.etsi.org/resources/CSC-Phase-1/CSC-Deliverable-008-Final_Report-V1_0.pdf.2013.

[7] ENISA. "Security Framework for Governmental Clouds". [Online]. Available:https://www.enisa.europa.eu/publications/security-framework-for-governmental-clouds,2015.

[8] Riigi Infosüsteemi Amet. "Estonian Security System Overview". [Online]. Available:https://www.ria.ee/public/ISKE/ISKE_english_2012.pdf.2016

[9] ENISA. "Cloud Security Guide for SMEs". [Online]. Available:https://www.enisa.europa.eu/publications/cloud-security-guide-for-smes,2015.

[10] Ester, Martin, Hans-Peter Kriegel, Jörg Sander, and Xiaowei Xu. "A density-basedalgorithmfordiscoveringclustersinlargespatialdatabaseswithnoise."InKdd,vol.96,no.34,pp.226-231.1996.

[11] MacQueen, James. "Some methods for classification and analysis of multivariateobservations." InProceedings of the fifth Berkeley symposium on mathematicalstatisticsandprobability,vol.1,no.14,pp.281-297.1967.

[12] Johnson,StephenC."Hierarchicalclusteringschemes."Psychometrika32,no.3,241-254.1967

[13] Wang,Wei, Jiong Yang, and RichardMuntz. "STING: A statistical information gridapproachtospatialdatamining."InVLDB,vol.97,pp.186-195.1997.

[14] Fraley, Chris, and Adrian E. Raftery. "MCLUST: Software for model-based clusteranalysis."JournalofClassification16,no.2:297-306.1999

[15] Tung, Anthony KH, Jiawei Han, Laks VS Lakshmanan, and Raymond T. Ng."Constraint-based clustering in large databases." In International Conference onDatabaseTheory,pp.405-419.SpringerBerlinHeidelberg,2001.


[16] Saul, LawrenceK., KilianQ.Weinberger, JihunH.Ham,Fei Sha, andDanielD. Lee."Spectral methods for dimensionality reduction," Semisupervised learning: 293-308.2006

[17] Jolliffe,Ian.Principalcomponentanalysis.JohnWiley&Sons,Ltd,2002.[18] A. Li, X. Yang, S. Kandula, and M. Zhang, "Cloudcmp: Comparing public cloud

providers," IEEE Internet Computing, vol.15, no. 2, pp. 50-53, March/April 2011,doi:10.1109/MIC.2011.36.�

[19] S. K.Garg, S. Versteeg, andR. Buyya, "SMICloud: A framework for comparing andranking cloud services," InUtility and Cloud Computing (UCC), 2011 Fourth IEEEInternationalConferenceon,pp.210-218.IEEE,2011.�

[20] R.Henning, "SecuritySLAs:Quantifiable security for theenterprise?" inProc.ACMWorkshopNewSecurityParadigms,1999,�pp.54–60.��

[21] Cloud Security Alliance. Cloud controls matrix v3. [Online]. Available:https://cloudsecurityalliance.org/research/ccm/,2015.�

[22] A. Taha, R. Trapero, J. Luna, and N. Suri, "AHP-based quantitative approach forassessingandcomparingcloudsecurity,"inProc.IEEEConferenceTrust,SecurityPrivacyinComputingCommunications,2014,�pp.284–291.�

[23] J.Luna,R.Langenberg,andN.Suri,"Benchmarkingcloudsecurity levelagreementsusing quantitative policy trees," in Proc. �ACM Cloud Computing Security Workshop,2012,pp.103–112.�

[24] Cloud Security Alliance, "Consensus Assessments Initiative (CAI) Questionnaire,"2012. [Online]. Available: https://cloudsecurityalliance.org/research/initiatives/consensus-assessments-initiative/,2011.

[25] CloudSecurityAlliance, "The security, trust&Assurance registry (STAR)". [Online].Available:https://cloudsecurityal-liance.org/star/,2012.

[26] V.Casola,R.Preziosi,M.Rak,andL.Troiano,"Areferencemodel forsecurity levelevaluation:Policyandfuzzytechniques,"J.UniversalComputingScience,vol.11,no.1,pp.150–174,2005.�

[27] T. Saaty, "How to make a decision: The analytic hierarchy process," Eur. J.OperationalRes.,vol.48,pp.9–26,1990.�

[28] M.Zeleny,MultipleCriteriaDecisionMaking.NewYork,NY,USA:McGrawHill,1982.[29] C.S.M.I.C.(CSMIC),"SMIFramework,"[Online].Available:

http://betawww.cloudcommons.com/servicemeasurementindex.[30] EUH2020SLALOM,"SLASpecificationandReferenceModel".Online:

http://www.slalom-project.eu2016[31] EUH2020SLALOM,"ModelcontractforCloudComputing".Online:

http://www.slalom-project.eu2016[32] Cloud Computing Use Case Discussion Group. “Cloud Computing Use CasesWhite

Paper”. [Online]. Available: http://www.cloud-council.org/Cloud_Computing_Use_Cases_Whitepaper-4_0.pdf


AnnexA.UseCaseslist(ETSICSC)CloudServicelife-cycle

phase(D2.2)High-levelUseCases UCTitle UCShortDescription Actors13

Acquisition SetupCloudService CreateServiceTemplate

Acloudservicedevelopercreatesatemplateofaservicethatmaylaterbeusedtocreateaninstanceofaservice.

CSP,CloudServicePartner

Acquisition SetupCloudService CreateServiceOffering

Thelifecycleofanewserviceofferingisinitiatedandpublicizedforpotentialsubsequent:•Advertisement•Contractassignment•Provisioning•Monitoring•Update•Consumption•Deletion

CSP

Acquisition SetupCloudService BuildApplicationandPackage

Developerbuildsanapplicationandpackageitfordeploymentonacloud CSP,CloudServicePartner

Acquisition SetupCloudServiceBuildApplicationinCloudandOptionallyPackage

Developanapplicationandoptionallypackageitusinganapplicationdevelopmentenvironmentonthecloud. CSP,CloudService

Partner

13OneormoreofCloudServiceProvider(CSP),CloudServiceCustomer(CSC)orCloudServicePartner.


CloudServicelife-cycle


Acquisition SetupCloudService

Clouddevelopermakesapplicationavailablefromcloudinfrastructure

ISVorapplicationdevelopermakestheirapplicationavailableasaservice,bydeployingtheapplicationonIaaSinfrastructureofacloudserviceprovider


Acquisition SetupCloudServiceDeployapplicationtoaPaaScloudservice

ApplicationdevelopermustpreparetheapplicationcomponentsandassociatedmetadataandenabledeploymenttothePaaSplatformofferedbythecloudserviceprovider



Automatedeploymentoftestenvironmentsforapplications

Applicationdeveloperrequirestotestanapplicationtodeterminethecauseofaproblem-requiresthedeploymentoftheapplicationinanenvironmentthatmatchestheenvironmentinwhichtheproblemwasexperienced

CloudServicePartner


IDEdrivenclouddevelopment,deploymentandoperation

TheIDEdrivenclouddevelopment,deploymentandoperationUseCaseisbasedonthecreationofnewvalue-addedservicesandhowbusinessprocessesareimplementedandadaptedtobedeployedonthecloud.NewservicesbySMEshavetobeeasilyimplementedandadaptedforbenefitingfromtheadvantagesofthecloud.FordevelopingtheValue-AddedService,theServiceDeveloperusestheOPTIMISProgrammingModelandIDEforassistinghim/hertomakeanefficientimplementationforthecloud.Duringthisprocess,theServiceDeveloperimplementstheservice,focusingonthebusinesslogicoftheservicewithoutworryingaboutthecloudissues,andasresultofthisimplementation,he/sheobtaintheServiceManifestandServiceImagesrequiredfordeployingtheserviceinthecloud.ThisinformationisprovidedtotheServiceProviderwhichusestheOPTIMIStoolkittoselectthemostappropriateInfrastructureProvidertodeploytheservice.OncetheValue-addedServiceisdeployed,thefinalusersoftheservicecaninvoketheservice,accessingdirectlytothedeployedserviceVMsasanotherstandardwebservice.





Acquisition SetupCloudService Okeanos(GRNET)

Okeanos is an open-source IaaS cloud software for the deployment ofcloud services. The software is modular, comprising a number ofcomponentsthatcanbedeployedandexploitedindependently.Accesstothe services is through an intuitive user-friendly web interface andcommand line tools. It is currently being tested with beta releaseexpectedinspring2013.Programmatically,itoffersasetofdocumentedproprietaryRESTAPIsandstandardAPIs likeOpenStackCompute(Nova)andOpenStackObjectStorage(swiftcompliant).



FinnishCloudSoftwareProgramme(nationalcloudstrategy)

It creates a new ecosystem that focuses on the most profitable cloudservicesforsustainabledevelopmentwhileensuringinformationsecurity.The programme has applied the agile development methods of thesoftware industry in collaboration with companies and researchinstitutions.Client-centricapproachesenabletherapidcreationofaddedvalue services and flexible models of operation. The programme alsoproposes a set of "standard contract clauses",which canbeoffered forvoluntary adoption for cloud service providers and customers andcompletedafterriskanalysis.





Acquisition SetupCloudService EGIFederatedCloudTaskForce

Develop a ‘blueprint’ for EGI resource centres wishing to securelyfederate and share their local virtualised environments externally withcollaboratorsaspartoftheproductioninfrastructure.Ongoingeffortsarecentredaroundninecorecapabilities requiredofa futureEGI federatedcloud. Implement interoperability across different cloud platforms.The core capabilities are virtual machine management, storage/datamanagement,informationdiscovery,accounting,monitoring,notification,federated authentication& authorisation infrastructure, virtualmachineimage sharing, brokering. The capabilities are currently implemented orbeing tested through resource provider test cases to cover all thenecessaryfunctionalities.EGI'sCloud InfrastructurePlatformisbasedontheuseoftechnicalstandardsdefiningtheinterfacesandexchangepointsbetweentheservicesexposedto thepublic.The followingcloudrelatedstandards are of key importance: OCCI as the universal and extensibleinterface description for the provisioning of virtualised computingresources; CDMI for describing the access interface to generic cloudstorageresources(bothblockandobjectstorageresources)andOVFasadeclarative language for pre-packaged virtual server images andnecessary contextualisation information. Several complementarystandards are used to integratewith EGI's Core Infrastructure Platform:X.509v3-based federated authentication is used for safe and secureidentification for services and end users; the Usage Resource isextensively used to account for resource usage (virtualised computeresources).TheemergingTOSCAlanguageisofinterestforextendingOVFwith a richer deployment language across all cloud deployment levels(IaaS,PaaS,SaaS).





Acquisition Prepare&ProcureService EndUsertoCloudApplicationsrunningonthecloudandaccessedbyendusers CSC

CSP

Acquisition Prepare&ProcureServiceEnterprisetocustomerandemployee

Applicationsrunninginthepubliccloudandaccessedbyemployeesandcustomers CSC

CSP

Acquisition Prepare&ProcureService EnterprisetoCloudCloudapplicationsintegratedwithinternalITcapabilities CSC

CSP

Acquisition Prepare&ProcureService EnterprisetoCloudtoEnterprise

Cloudapplicationsrunninginthepubliccloudandinteroperatingwithpartnerapplications(supplychain)

CSCCSP

Acquisition Prepare&ProcureService PrivateCloudAcloudhostedbyanorganizationinsidethatorganization’sfirewall. CSC

CSP

Acquisition Prepare&ProcureService BrokercoordinatedHybridCloud

Multiplecloudsworktogether,coordinatedbyacloudbrokerthatfederatesdata,applications,useridentity,securityandotherdetails.

CSCCSP

Acquisition Prepare&ProcureService DesktopasaService

End users access the enterprise applications and data hosted in virtualdesktopswhicharecreatedwithinaDaaSserver.Thesalesstaffalsocanviewcustomerinformationandmarketingrecordsontheenterprisewebsite.The DaaS server interacts with traditional enterprise IT facilities toachievemanycontroltasks,forinstance,authenticationviaADenterpriseserver.

CSCCSP

CloudServicePartner

Acquisition Prepare&ProcureService Virtualdesktoppool

Virtualdesktoppoolsupportsthedistributeddeploymentmodelwiththedynamic stretching of resources to consolidate queuing resource anddesktop resources. Unified phone call dispatching and delivery andmaintenanceofthedesktopcanbeachievedinanintensiveway.

CSCCSP

CloudServicePartner




Acquisition Prepare&ProcureServiceMobileCloudAppsdevelopment&deployment

Amobile cloud application can be developed by service partners, or bythecloudprovider,orbythird-partyserviceproviderandcanbestoredinamarketplace.The mobile cloud application sends processing tasks to the cloud andstoresdatainthecloud,andreceivesresultsgeneratedbytheresourcesfromthecloud,includingcomputingresourcesandstoragesources.

CSCCSP

CloudServicePartner

Acquisition Prepare&ProcureService TelcousesCloudfordataanalytics

Large-scaletelecomoperatorsgeneratealotofinformationinthenormalcourseofrunningtheircommunicationnetworks.TypicaldatacomprisesCall Data Records (CDR) and Internet-surfing data records (IDR). Inaddition, the network also generates various signalling data betweenswitches and nodes. We need all the data to complete the telecomservices and bill customers. At the same time, we also need them toanalyse and predict user behaviour, optimize network QoS, filter spammessages,andsoforth.Becauseofthelimitationsofthecurrentsystem,the parallel data inquiry and mining tool, set on the cloud distributedparallel processing systems could be a better solution and achievemassivescalabilityandhigh-speedprocessing.

CSP

CloudServicePartner

Acquisition Prepare&ProcureService

SLAmappingbetweenISB(inter-cloudservicebroker)andCSP

CSP-ISB is the contact point for CSU, and there is SLA (SLA0) betweenthem.CSP-ISB integrates services from multiple CSPs, for instance, storageservicefromCSP-1andcomputingservicefromCSP-2.ThereareB2BlevelSLA between CSP-ISB and CSP-1, CSP-2 respectively (SLA1, SLA2).ForCSP-ISB,inordertoguaranteeSLA0forCSU,itneedstomapSLA0toSLA1andSLA2,becauseSLA0isactuallyimplementedbySLA1andSLA2.

CSP

CloudServicePartner


Contractingguaranteedperformanceregardingdelay

CSP-ISBisthecontactpointforCloudServiceUser(CSU),andthereisSLA(SLA0)betweenthem.CSP-ISBintegratesservicesfrommultipleCSPs,forinstance, storage service fromCSP-1andcomputing service fromCSP-2.ThereareB2BlevelSLAbetweenCSP-ISBandCSP-1,CSP-2

CSPCloudService

Partner




Acquisition Prepare&ProcureService Citizencentricone-stopservice

The e-application service provided by City A has been pre-arranged toallow interaction with other provider’s services (e.g., family registrymanagement service in a municipality cloud, passport managementserviceofthenationalgovernment,etc.)bynegotiatingthemethodsforcoordinatingIDinformationandsecuritymeasures.A citizen in City A applies for his or her passport using the relevant e-application service providedby themunicipality A.Whenhe or she hasenteredrequiredinformation,suchashisorheridentityinformation,theinput data is transferred to other cloud system’s services (e.g., familyregistry management service, passport management service, etc.) toauthenticate, sharing user ID information entered for application, theninformation acquisition and inquiry take place. The results of theinteractedservicesareprovidedtotheconsumer.Thus,theconsumercanreceiveaone-stopservice,whichenhanceshis/herconvenience.

CSCCSP

Acquisition Prepare&ProcureServiceMarkettransactionsviabrokers

Whenaconsumerwantstousesservicesprovidedbycloudsystems,heorsheneedstocomparehisorherqualityrequirementsfortheserviceswith the SLAs ofmultiple providers, and to select themost appropriateprovider.Forthispurpose,theconsumerprovidesBrokerAwithinformationabouthis or her quality requirements for services. By receiving informationprovidedbyBrokerA,thatProviderBprovidesanSLAthatbestmeetsthequality requirementsof consumer, consumer canuse serviceswithbestfit to his or her quality requirement. The consumer selects a cloudprovider included in the provider list provided by broker, and contractswithProviderB.

CSCCSP

CloudServicePartner

Acquisition Prepare&ProcureService EstablishRelationship

A potential consumer of a cloud-based service establishes their identitywithacloudserviceproviderforuseinfuturetransactions.

CSCCSP




Acquisition Prepare&ProcureService AdministerRelationship

Apotentialconsumerofacloud-basedservicerequestsadministrationofacontract.Administration is distinguished from changing a service becauseadministrationdoesnotaffectthetechnicaldeliveryofaservice.Usually,contract administration involves actions like adding new users orchanging user passwords that are associatedwith an umbrella contract(usuallycalledthe"relationship"),notacontractforaspecificservice.

CSCCSP

Acquisition Prepare&ProcureService EstablishServiceContract

Apotentialconsumerofacloud-basedservicerequestsaservicecontractforacloud-basedservice.

CSCCSP

Acquisition Prepare&ProcureService UpdateServiceContract

Aconsumerofacloudservicecontractandaproviderofacloudservicecontractagreetoupdatethecontract.

CSCCSP

Acquisition Prepare&ProcureService AddSubscriberThe consumer enters into a business relationship with the provider toenableittouseanagreedtosetacloudservice.


Createcloudapplicationwithcomponentsthatrunonmultipleclouds

Anorganizationchoosestodevelopacloudapplicationwithcomponentsthatrunonmultiplecloudssimultaneously. CSP,CloudService

Partner

Acquisition Prepare&ProcureServiceCustomerscan"shoparound"forcloudservices

Customersanddevelopers shopacrosshostedorpublic cloud searchingfor services offering adequate price and the desired level of non-functional properties like performance, security, availability, expressedviaServiceLevelAgreements(SLAs)/certificates.

CSC




Acquisition Prepare&ProcureServiceMaterialDistributiontoAgents

A global insurance company named "ABC" uses manuals and videos toteachthecompany’sagentsandaffiliatesabouttheirnew life insuranceproduct.Thecompanydistributes theeducationalmaterials throughthecompany’s PDAs assigned to every agent considering mobilecharacteristicsof theirwork. Theuse casedescribes technicalprocessesandconsiderationstodistributecompany’seducationalmaterialfornewproduct to their agents. A correct version of thematerial among threedifferent versions shouldbedelivered toagents inaqualifiedVOgroupwithanauditableaccesscontrolmechanismthatenforcesthecompany’ssecuritypolicies.

CSC

Acquisition Prepare&ProcureService cloudstorageasaservice

Customer uses public cloud storage as a service offering to store ever-increasing volumes of data as an alternative to adding to on-premisesstorageinfrastructure

CSC


ProvisionofDatabasecapabilitiesasacloudservice

CustomerwantstouseaDatabaseasaServicecapabilitieswithabilitytouploaddatabaseimagescontainingdataandconfigurationinformation. CSC

Acquisition Prepare&ProcureServiceProvisionofbigdataanalyticsplatform

Cloud serviceproviderprovidesadedicatedHadoopclusterasa serviceplatformforbigdataanalytics CSP




Acquisition Prepare&ProcureService CloudBrokerage

The cloud broker offers cloud service intermediation for services to addvalue-additionandcloudserviceaggregationbringingtwoormorecloudbased services. The Cloud Brokerage use case brings out the followinginnovations/value to the cloudecosystem.A)provide support formulti-cloud deployment B) provide standards-based SLA negotiation andagreementmechanismstoallowthebrokertoperformamatchbetweenthe requirements of the C) Allows the broker to make SP-IP matchesbased on the Trust, risk, eco-efficiency and cost. D) The servicedeploymenttakesintoaccountthelegalboundariesasconstraintsintheservicemanifest. E) The cloud broker provides a framework to providevarietyofvalueaddedservicestotheSP.Sometheexistingvaluedaddedservicesimplementedasasupportfortheserviceincludes,VPNoverlay,IntelligentProtectionsystemandSecuredatastorage.F)Thecloudbrokerallows deployment of service in the non-optimis IP, providinginteroperabilitysupport.

CSC,CSP,CloudServicePartner

Acquisition Prepare&ProcureService goBerlin

The focus of goBerlin is the provisioning of a service marketplacecombiningcommercialservicesandpublicgovernmentalservicestostate-of-the-artapplicationswithpersonalisedSaaSforadministrativematters(e.g. birth, marriage, children). The architecture is a loosely coupledcombination of functional and security related aspects, e.g. accesscontrol,privacy,multi-tenancy. It canbeapplied toother cloudservicesrunninginsimilarcloudinfrastructures,operatedbypublicdatacentres.






Bioinformatics-BLASTandBLATtoolsforsequencemapping

Provide a framework for the seamless execution of widely usedbioinformatics tools in theVENUS-C cloud (IaaS,PaaS), easingmigrationacross target platforms (commercial and non-commercial providers).The aim of the VENUS-C user scenario on bioinformatics (TechnicalUniversityofValencia)wastoaddressthechallengesfacedbybiomedicalresearchers in coping with the exponential growth of annotateddatabases and increases in the throughput of sequencing. The overallobjectivewas towrapdifferentprocessing tools (e.g. for alignment andphylogeny) inauser-friendly framework running in thecloud.Migrationacross target platforms is ensured by implementation of standards, e.g.OGF-BES, OCCI, OVF, CDMI. Cost-effectiveness, flexibility and scalabilityovergridinfrastructureshavebeendemonstrated.


Acquisition Prepare&ProcureServiceWildfire:FireRiskEstimationandFirePropagation

Provideaframeworktoexecutefireriskestimationsandfirepropagationmodels,enablingend-useractors(e.g.fire-fighters,emergencycrewsandcivilprotectionauthorities) to run themodels in thecloudusingauser-friendlyweb-basedgraphicaluserinterface.TheaimoftheVENUS-Cuserscenario,Wildfire(UniversityoftheAegean)was toprovidea tool for calculating fire risk indexes (hourlyandover5days) and the expected propagation, usingweather forecasts (includingthe direction of the wind), topography, vegetation and socio-economicparameters. Itusesahybridcloudapproach(MSAzureandOpenNebulaviatheEngineeringGroup)andhasbeentestedandusedbyfire-fightingcrews inGreece,who can respond todifferentworkload situations; e.g.unpredictable and/or predictable bursting of CPU needs during thesummerperiod.






Radiotherapyplanning(CloudERTpilotdeploymentinSpain)

Provide an eIMRT platformwith remote tools to facilitate physicians indefining cancer treatment plans and verification using Monte Carlosimulations.Generateasinglevirtualclusterforeachrequesttomovethecomputingback-endtothecloud,whichensuresindependentprocessingforeachrequest.TheVENUS-Cpilot,CloudERT, is ledbytheCentreofSupercomputingofGalicia (CESGA). It is aimed at improving hospital planning for cancertreatmentwithapilotdeployment inSpain,whichcurrently involves65usersfrom47hospitals.TheeIRMTplatformhasbeenanalysedfromthepointofviewofSaaS,whichmustscaletothousandsofusersandservicerequestseveryday.Itleveragesthecloudtoovercomethelimitationsoflocal clusters,which increase time-to-solutionanddecreaseQoS,andofthegrid,duetotaskgroupingandthemovementoflargefiles.


Acquisition Prepare&ProcureServiceDrugDiscoveryservicebyMolplex(SME)

Provide a framework to calculatemolecular virtual profiles that includeshape/docking characteristics and QSAR biological activity predictions.Theshape/dockingcalculationoffersanembarrassinglyparallelexecutionmodel, and has been parallelised with the use of OpenMP threads.Molplex requires regular access to computer resources to calculate thevirtualprofilesofmolecules.TheaimoftheMolplexpilot(CloudAgainstDiseases) in VENUS-C is to boost the performance of the comany'ssystemsand reduce costsby allocating computing resources asneeded.The virtual profiles are calculated using two techniques: shape/dockingprofileandQSARprofile.Thedeploymentof former is supportedby theBarcelonaSupercomputingCenterviatheCOMPSSinterface,whilepartofthe QSAR application is deployed on Azure using a legacy system fromNewcastle University. Being able to solve a higher number of scientificproblems (virtual profiling) gives the SME better market exposure andopportunities,aswellasincreasestaffproductivity.





Acquisition Prepare&ProcureService Cloud4SOA(FP7project)

Interconnectpublicandprivateplatformvendors fordevelopers tohelpcompare, manage and migrate between vendors by offering an open-sourceaddedvaluefeaturesetforPaaScustomers(developersandSaaSproviders).Cloud4SOA interconnects platforms for added-value capabilities such asmulti-platform management, comparative monitoring and applicationportabilityacrosscollaboratingorcompetingofferings.ItpreparesforthewiderpotentialasthePaaSsegmentofcloudcomputingevolves,pointingtowards concepts such as federation of multiple platforms andmanagement between hybrid use cases of public and private PaaS. ItleveragesexistingPaaSAPIsandbringsaharmonisedlayerandadaptersto support its advanced features. Standardisation focuses on basicmanagement protocols to enable platforms to focus on innovativeconceptsandecosystem-empoweredcapabilities.


Operation OperateService-Manage

Guaranteeingperformanceagainstanabruptincreaseoftheload

•ACSPguarantees its serviceperformance,evenwhenanunexpectedsurgeofaccesstotheservicearises,byusingcloudresourcesprovidedbyotherCSPsonatemporarybasis.•Network connections among interworking CSPs are instantaneouslyestablishedor reconfigured.Then service-relateddata includinguser ID,userdata, andapplicationdata are transferred from theoriginal CSP totheCSPthatisleasingtheresources.•AccessfromCSUsisappropriatelychangedtotheinterworkingCSPssoas to achieve load distribution, and thus mitigate the overload of theoriginalCSP.

CSPCloudService

Partner





Guaranteeingavailabilityintheeventofadisasteroralarge-scalefailure

•CSPscontinuetheirserviceofferingbytheresourcesleasedfromeachother, even when systems in one CSP are damaged due to naturaldisastersorlarge-scalefailures.• Available resources in other CSPs are autonomously discovered andreservedthroughtheinter-cloudfederation.• The services with a high priority are only recovered if availableresources are not enough to recover all services. In examining theavailabilityof theresourcesgivenfromotherCSPs, theguaranteed levelofqualityoftheresourcesistakenintoaccount.• The services requiring early recovery are recovered using availableresources on a best-effort basis even if their quality requirements arepartlysatisfied.• Network connections among interworking CSPs are instantaneouslyestablished or reconfigured. The lead CSP, which is preconfigured andgovernstherecoveryprocedure,managestherolesofavailableCSPsandinstructsservicecontinuationbasedontheoriginalCSPdata.•AccessfromCSUsisappropriatelydistributedtotheinterworkingCSPsso as to achieve the disaster recovery, and thus mitigate the servicediscontinuity.

CSPCloudService

Partner




Operation OperateService-Manage Servicecontinuity

• A CSP continues its service offering by the collaboration with otherCSPs,evenwhentheoriginalCSPterminatesitsbusiness.•AvailableresourcesinCSPsotherthantheservice-terminatingCSParediscoveredandreservedinadvance.• Network connections among interworking CSPs are established orreconfigured.Thenservice-relateddata includinguser ID,userdataand,applicationdataaretransferredfromtheoriginalCSPtonewCSPs.•AccessfromCSUsisappropriatelychangedtotheinterworkingCSPssothatthesameserviceiscontinuouslyoffered.•Ifthecapabilities(VMandapplications)attheoriginalCSPmigratetootherCSPs,theCSU,whokeepsthesameuserID,cancontinuouslyaccesstheserviceatthesamelevelofperformancesasbefore.

CSPCloudService

Partner


Markettransactionsviabrokers

•TheCSPwithanISBrole(CSP-ISB)mediatesbetweenCSPsmeetingtheCSU’squality requirementsandprovides the listof selectedCSPs to theCSU.•TheCSP-ISBcoordinatesmultipleservicesofferedbyotherCSPs

CSPCloudService

Partner


Guaranteedend-to-endqualityofserviceGuaranteedperformance

Use case of guaranteeing performance against a abrupt increase of theload CSP

CloudServicePartner


Guaranteedend-to-endqualityofserviceGuaranteedavailability

Usecaseofguaranteeingavailabilityintheeventofadisasteroralarge-scalefailure CSP

CloudServicePartner





Servicecontinuitybypre-configurationofalternativeservices

Normally,ifthebusinessofProviderAissuspended,theconsumersneedto re-register with similar services that are provided by differentproviders.To avoid a situation above, resources, applications, and consumer’s IDdatafortheservicesprovidedbyProviderAaretransferredtothecloudsystems of Providers B and C in advance. Then, in the situation of thebusiness suspension of Provider A, its consumers can continue to usesimilarservicesprovidedbyProvidersBandC.Thisarrangementcanalsobe applied when a service consumer requests a transfer of his or herservicetoanotherprovider.

CSPCloudService

Partner

Operation OperateService-Manage ContractBilling

A cloud service provider issues an invoice for contracted or consumedservices.

CSPCloudService

Partner


ChangeResourceCapacity

A cloud service consumer adds or changes the capacity or resourcesassociated with a service instance, which is an instance of a servicetemplate. This can include adding or removing whole resources, orexpandingorcontractingresourcelimitsassociatedwiththeservice.

CSPCloudService

Partner

Operation OperateService-Manage Hibernate/Resume

Puts a running application into hibernation. Resume a hibernatingapplication. CSC

Operation OperateService-Manage Stop/Restart

Stop a running application and create a "snapshot". Resume from asnapshot. CSC

Operation OperateService-Manage Patch

Patch(update)oneormorecomponentsinanapplicationtemplate.CSC




Operation OperateService-Manage CreateNetwork

The cloud consumerwishes to create a new instanceof a "network". Anetwork isanabstractionofa layer2broadcastdomain.Anytwonodes(machines, volumes,etc.)attached to the samenetworkcanconnect tooneanother.Toconnecttoanodeonanothernetworkaroutemustbecreated between the source network and the destination network. Acommonreasonforcreatingnetworksistoisolatemachinesandvolumesintoprotectedsub-domainsforsecurityandadministrationpurposes.

CSPCloudService

Partner


Cloudapplicationworkloadrequiresuseofmultipleclouds(cloudburst)

Sometimesreferredtoasacloudburstscenario,theapplicationnormallyrunningon-premisesorinaprivatecloudneedstoelasticallyrunonotherclouds in the cases of short-term, significant increase in user demandload. Cloud tenants can use both their own private clouds as well ashosted/publiccloudsastheworkloadmayrequire.VMsandapplicationscan migrate between private cloud and public/hosted clouds and canseamlesslybemanagedfromeithersideregardlessoftheirlocation.

CSPCloudService

Partner


Documentreleasetowardsanadministration

An Electronic Document Storage (EDS) is a secure storage for officialdocumentsprovidedasSaaS.Governmental institutionsorotherpartiessuchasemployerscanaccesstheEDStoenterdocuments(suchasofficialnotifications, certificates of salary, rental contracts, insurance policies,etc.) fortheowneroftheEDS,andaccessthosedocuments ifnecessaryto perform an administrative procedure. The use case describes how apublicadministrationrequestsadocumentfromacitizeninthecourseofanadministrativeprocess.

CSC

Operation OperateService-Manage BurstCapacity

Asystemorservicerunsinadefined"source"location,andburstsintoanalternatelocationorcloudenvironmentsuchasasharedorpubliccloud(target) to obtain additional resources to accommodate business peakprocessingrequirements.Requireslicenseflexibility,andsufficientnetworkandsecuritycontrols.

CSPCloudService

Partner





Integrationofon-premiseresourceswithpubliccloudresources

CloudservicecustomermakesuseofpubliccloudIaaSresourcesforsomeworkloads but still has other workloads retained on-premises, with theneedtolinktheon-premisesworkloadsandthepubliccloudworkloads CSC

Operation OperateService-Provision/Configure/Administer

ProvisionResources(fromacontractedpool)

Within the context of an existing contract, an administrator allocatesresourcesfromthecontractedpool.Theresourcescouldbeofawidevariety,suchasvirtualsystemplatformsor a preconfigured mini data centre that contains virtual systems andvirtualstorage,connectedviaavirtualnetwork.

CSC


DeployServiceTemplate

A cloud service consumer deploys a parameterized service template inthecontextofaserviceoffering. CSC


ProvisionNewAdministrationDomain(orProvisionNewTenant)

Subscriber administrator is provisioned with a new administrationdomain.

CSC


Add/Change/DeleteUser

Acloudconsumeradministratoraddsorremoveduser,orchangestheirprivileges. CSC


InstallApplicationComponent

Anewapplicationcomponentisuploadedandinstalledtothecloud.CSC


DeployApplication(alsoUndeploy)

Todeployapackagecomprisingalltherequiredapplicationcomponentstoanexecutiondomain. CSC

Operation OperateService-Provision/Configure/Administer Startanapplication

Tostartexecutinganapplicationsuchthatend-usermaystartinteractingwiththehostedapplications. CSC





UploadMachineImage

The cloud user or third party software provider has a local copy of a"machine image" (a snapshot of a stack of softwarewhichmay includeoperating systems, virtual machine runtimes, database servers,applicationservers,applications,etc.)thattheywishtomakeavailablefordeploymentonanIaaScloud.

CSC


DeployMachineImage

The cloud consumerwishes to create a new instanceof a "machine" (alogical instance of one or more CPUs connected to local memory and,optionally, local data storage) with software loaded from a machineimage.

CSC


CaptureExistingMachineInstance

Thecloudconsumerwishestocreateanewmachineimagethatcapturesthestateofanexistingvirtualmachineinstance. CSC


CreatePersistentStorageVolume

The cloud consumerwishes to createanew storagevolume image thatcapturestheinformationstoredonanexistingvolumeinstance. CSC


LoadImageontoStorageVolume

Thecloudconsumerwishestoloada"volumeimage"(e.g.anISOimage)ontoanexistingpersistentstoragevolume. CSC


AttachStorageVolumetoMachine

The cloud consumer wishes to attach a persistent storage volume to amachine instance.Onceattached, thevolume isaccessiblebyprocessesresident on that machine instance, usually as a local device (e.g./dev/sd2).

CSC


CaptureStorageImage

Thecloudconsumerwishestocreateanewstorageimagethatcapturestheinformationstoredonanexistingstorageimage. CSC


DetachStorageVolumefromMachine

The Cloud User wishes to detach a persistent storage volume from amachine instance.Oncedetached,thevolumeisno longeraccessiblebytheprocessesresidentonthatmachine.

CSC





AttachMachinetoNetwork

Thecloudconsumerwishestoattachamachinetoanetwork.Thehigherlevelgoalistoallowthismachinetoconnecttooneormoreoftheothermachinesorvolumesonthetargetnetworkand/ortoallowoneormoremachinesonthetargetnetworktoconnecttothismachine.

CSC


DetachMachinefromNetwork

The Cloud User wishes to detach a machine from a network. This isusually a step in a higher-level network management process such as"attach this machine to the back-end, database network and detach itfromthedefaultnetwork".

CSC


AttachStorageVolumetoNetwork

TheCloudUserwishestoattachavolumetoanetwork.Thehigherlevelgoal is to allow this volume to be attached to one or more of themachinesonthetargetnetwork(seeAttachStorageVolumetoMachine).

CSC


DetachStorageVolumefromNetwork

The cloud consumerwishes todetacha volume fromanetwork. This isusually a step in a higher-level network management process such as"attachthisvolumetotheback-end,databasenetworkanddetachitfromthedefaultnetwork".

CSC


OnboardingforVEM

Onboardingofacustomer'sapplicationstoIaaSserviceCSC

Operation OperateService-Monitor SLAReporting

A cloud service consumer requests and receives a report about anestablishedservicecontract.

CSCCSP

CloudServicePartner

Operation OperateService-Monitor

MonitorServiceResources

A cloud consumer configures amonitor for a deployed service instanceand resources that support the service instance. Amonitormay collectdata(forexample,resourceconsumption,throughput,responsetimes,oravailability)orestablishanexceptionthreshold.

CSCCSP

CloudServicePartner





NotificationofServiceConditionorEvent

A servicehasbeenconfiguredand is inoperation.Certain conditionsorruntime operational events have been identified or detected that aresignificantenoughtodemandimmediatenotificationoftheconditionoreventtotheservicecustomer.Anexampleisthedetectionofanintrusionoranunexpectedconfigurationchange.

CSCCSP

CloudServicePartner


Monitoring&managementofdeployedsoftware

Monitor the health of infrastructure & perform capacity planning forfutureneeds

CSCCSP

CloudServicePartner

Operation OperateService-Migrate

ChangingCloudVendors

Anorganizationusingcloudservicesdecidestoswitchcloudprovidersorworkwithadditionalproviders.

CSPCloudService

Partner


Movethree-tierapplicationfromon-premisestocloud

An organization moves a three-tier application (front-end web server,back-enddatabase, andmiddle-tierbusiness logic) fromanon-premisesdatacentretoacloudinfrastructureproviderthatwillruntheapplicationoff-premises.Platformservicesfordata,identityandaccessareconsideredavailableforsource and target clouds but not addressed in this case.Thisusecaserepresentsthemostcommontypeofweb-basedapplicationdeployedbothinenterprisesandmid-sizedcompanies

CSPCloudService

Partner


Movethree-tiercloudapplicationtoanothercloud

An organization moves a three-tier application from one cloudinfrastructureprovidertoanother.

CSPCloudService

Partner


Movepartofon-premisesapplicationtocloudtocreate"hybrid"application

Anorganizationmovesoneormoreparts–ortiers–ofanon-premisesapplication to the cloud, in order to separate data storage fromprocessing, for example. This creates a cloud that is a hybrid of bothpublic(off-premises)andprivate(on-premises)clouds.

CSPCloudService

Partner





Hybridcloudapplicationthatusesplatformservices

Anorganizationmovesoneormoreparts–ortiers–ofanon-premisesapplicationtothecloudandchoosestoimplementcloudcomponentsofa hybrid application using platform services available from the cloudplatform provider, such as structured or unstructured cloud storage oridentityandaccesscontrolservices.

CSPCloudService

Partner


Portcloudapplicationthatusesplatformservicestoanothercloud

Portinganapplication thatusesservicesprovidedby thecloudplatformto another cloud platform implies these requirements: 1) bulkimport/export of customer data, and 2) Semantic cloud applicationmanagementprotocol.

CSPCloudService

Partner


CaptureAggregateAssembly

Thecloudconsumerwishestocaptureanaggregateassemblyconsistingofzeroormoremachineinstances,zeroormorevolumeinstances,zeroor more network instances, and the attachments/connections betweenthese entities. The artefacts generated by this capture operation (the"assemblypackage")canbeusedtodeploy"acopy"oftheassemblyontothisorsomeothercloud.

CSC


UploadAggregateAssembly

Thecloudconsumeror thirdpartysoftwareproviderhasa localcopyofanassemblypackagewhichincludeszeroormoremachineimagesalongwithmetadatathatdescribesthemachinesonwhichtheseimagesmustbe deployed, zero or more volume images along with metadata thatdescribesthevolumesonwhichtheseimagesmustbedeployed,zeroormore descriptions of network instances, and a map of theattachments/connectionsbetweentheseentities.TheCloudconsumerorthirdpartysoftwareproviderwishestomakethisassemblyavailablefordeploymentonanIaaScloud.

CSC





DeployAggregateAssembly

Thecloudconsumerwishestodeployanaggregateassemblyconsistingofzeroormoremachineinstances,zeroormorevolumeinstances,zeroormore network instances, and the attachments/connections betweenthese entities for the purposes of re-creating the system that wascapturedinIR01.25(CaptureAggregateAssembly).

CSC


Movethree-tierapplicationfromon-premisestocloud

An organization (customer) moves a three-tier application from an on-premises datacenter to a cloud infrastructure provider thatwill run theapplicationoff-premises.Thedataassociatedwiththeapplicationissensitiveandconfidentialanditisnecessarytoassureitsintegrity.Issues to be considered include:•suitableSLA/certificate,•responsibilityfortheprovisionandapplicationofencryption,•keymanagementprocesses•datavalidation•etc.…

CSPCloudService

Partner


Movethree-tiercloudapplicationtoanothercloud

Anorganization(customer)movesathree-tierapplicationfromonecloudinfrastructureprovider1toanotherprovider2.

CSPCloudService

Partner


Movepartofon-premisesapplicationtocloudtocreate"hybrid"application

Anorganization(customer)movesoneormoreparts–ortiers–ofanon-premisesapplicationtothecloud,inordertoseparatedatastoragefromprocessing, for example. This creates a cloud that is a hybrid of bothpublic(off-premises)andprivate(on-premises)clouds.

CSPCloudService

Partner





HybridapplicationwithshareduserIDandaccessservices

This use case is the same as the use case "Move part of on-premisesapplication to cloud to create 'hybrid' application" with the addedcondition that user ID and access are shared between on-premises andcloud components. This requires a common user ID and access controlmethodology between components based on either on-premisesdirectoryaccessoridentityfederation.

CSPCloudService

Partner


Movehybridapplicationtoanothercloudwithcommoninfrastructures

An organization (customer) moves the cloud portions of a hybridapplication from cloud A to cloud B, both of which support commoninfrastructuresandVMpackages.

CSPCloudService

Partner


Hybridcloudapplicationthatusesplatformservices

This use case is similar to the use case "Move part of on-premisesapplication to cloud to create 'hybrid' application" except the cloudapplication developer in this case chooses to implement cloudcomponentsofahybridapplicationusingplatformservicesavailablefromthe cloud platform provider, such as structured or unstructured cloudstorageoridentityandaccesscontrolservices.

CSPCloudService

Partner


Portcloudapplicationthatusesplatformservicestoanothercloud

Portinganapplication thatusesservicesprovidedby thecloudplatformtoanothercloudplatform implies thesamerequirementsas for theusecase"Hybridcloudapplicationthatusesplatformservices".

CSPCloudService

Partner




Operation OperateService-Migrate CloudBurst

An Electronic Document Storage (EDS) is a secure storage for officialdocumentsprovidedasSaaS.Governmental institutionsorotherpartiessuchasemployerscanaccesstheEDStoenterdocuments(suchasofficialnotifications, certificates of salary, rental contracts, insurance policies,etc.) fortheowneroftheEDS,andaccessthosedocuments ifnecessaryto perform an administrative procedure. To reduce its own operationalcosts,theEDSproviderdecidestoacceptanIaaSofferfromanothercloudprovideranduseitsvirtualizedresourcedtoprovidetheEDSservice.

CSPCloudService

Partner


DocumentMigration

An Electronic Document Storage (EDS) is a secure storage for officialdocumentsprovidedasSaaS.Governmental institutionsorotherpartiessuchasemployerscanaccesstheEDStoenterdocuments(suchasofficialnotifications, certificates of salary, rental contracts, insurance policies,etc.) fortheowneroftheEDS,andaccessthosedocuments ifnecessaryto perform an administrative procedure. The use case describes how apublicadministrationrequestsadocumentfromacitizeninthecourseofanadministrativeprocess.Theusecasedescribes themigrationprocessofdocumentsfromoneEDS(EDS1)hostedbyEDSspaceproviderAintoanotherone(EDS2)(hostedbyproviderB):

CSPCloudService

Partner

Operation OperateService-Migrate ProjectCapacity

Temporarycapacityfromanalternatecloud(publicorsharedprivate)tosupportshortterminitiatives

CSPCloudService

Partner

Termination OperateService-Terminate

TerminateServiceContract

Aconsumerofacloudservicecontractandaproviderofacloudservicecontractagreetoterminateacloudservicecontract.

CSCCSP




Termination OperateService-Terminate

Terminatingcloudcontract

Anorganization(cloudservicecustomer)obtainingacloudservicefromacloud service provider directly or via a cloud service partner (a broker)wouldliketoterminateitscontract.Therecanbemanyreasonsfordoingso, for example the organization would like to changing cloud serviceproviderofpartnerorwantsexiting thecloudandmove toanon-cloudenvironment.Theuse case is focusingon the termsandconditions thatshouldbe inaSLA,andtheenforceabilityofthosetermsandconditionstodoso.

CSCCSP

CloudServicePartner

Operation AssureQuality-AuditService Independentthirdpartyassurance

Establishing an independent third party assurance (a regulator) to buildtrust whereby European SME's and other organizations (cloud servicecustomers) will use cloud computing services moreAn independent third party assurance can contribute to building trustwhereby European SME's and other organizations will use cloudcomputing services more. The idea is to establish a kind of active andproactiveescrowservice(aregulatorrole)byathirdpartyinsuchawaythat this party can assure a seamless takeover of the cloud operationsthat provider A executes for a user to cloud provider B. This shouldtherefore includethe(functionalityofthe)software,theusers’dataandthecurrentstateoftransactions.

CloudServicePartner


AnnexB.CRMquestionnaireforCSPs:CRMassessmentCSPname:

Webpage: CoveredSLAservice:

Group NameofCRMelement Explanation/AssessmentQuestion CSPSelf-assessment Comments

General

SLAURL Is there a publicly (online) availableversionofyourcloudSLA?

0=No,1=Yes(pleaseprovideURL)

Findable How can customers find the SLAonyourwebsite?

0=n/a,1=Externalsearchengine,2=

Internalsearchengine,3=Homepagelink

Choiceoflaw Is the SLA specific to a particularjurisdictionorgeographicalarea? 0=n/aorNo,1=Yes

Rolesandresponsibilities

Does your SLA contain a cleardefinition of roles andresponsibilities?

0=n/aorNo,1=Yes

CloudSLAdefinitions

Does your SLA contain relevantdefinitionsusedinthetext? 0=n/aorNo,1=Yes

Freshness

Revisiondate DoesyourSLAspecifythedateofitslastrevision? 0=n/aorNo,1=Yes

UpdateFrequency

DoesyourSLAspecifythefrequencyof performed updates based on areported"LastUpdate"value?

0=n/aorNo,1=Yes


Previousversionsandrevisions

ArethepublicavailablethepreviousversionsoftheSLA? 0=n/aorNo,1=Yes

SLAduration DoesyourSLAcontainaclearspecificationofitsvalidityperiod? 0=n/aorNo,1=Yes

Readability

SLAlanguage Is your SLA specified in more thanonelanguage? 0=n/aorNo,1=Yes

Machine-readableformat

Is your SLA available in machine-readableformat? 0=n/aorNo,1=Yes

Nr.ofpagesWhat is the number of pages onyour SLA? Only applies to SLAs inPDF/documentformat.

0=n/aorNo,1=Pleasespecifythe

numberofSLApages

Support

ContactdetailsDoesyourSLAcontainareferencetothe helpdesk number or otherdetailstocontactsupport?

0=n/aorNo,1=Yes

Contactavailability

Does your SLA contain informationaboutcontactavailability, specifyingdays of the week and workinghours?

0=n/aorNo,1=Yes

Credits

ServiceCreditDoesyourSLAhasaclearspecificationoftheservicecreditsprovidedtotheCSC?

0=n/aorNo,1=Yes

Servicecreditsassignment

DoesyourSLAspecifytheconditionswhether a service credit shall beprovidedornottothecustomer?

0=n/aorNo,1=Yes



Does your SLA describe how muchdoes the can CSP credit (Euros) tothecustomer?

0=n/aorNo,1=Yes

Changes

SLAchangenotifications

Does your SLA specify of how theCSP notifies customers about SLAchanges?

0=n/aorNo,1=Yes

Unilateralchange

DoesyourSLAdescribe if theCSP isentitledtounilaterallychangeit? 0=n/aorNo,1=Yes

Reporting

ServiceLevelsreporting

Does your SLA describe if reportsabout achieved Service Levels areprovidedtothecustomer?

0=n/aorNo,1=Yes

ServiceLevelscontinuousreporting

Does your SLA explain if/how theservice level reports arecontinuouslyupdated?

0=n/aorNo,1=Yes

Feasibilityofspecials&customisations

Does your SLA clearly define any"specials"/exceptions and otherpossiblecustomisations?

0=n/aorNo,1=Yes

GeneralCarveouts

Does your SLA clearly define CSPassumptions, exclusions, scope offorcemajeure,andothercarveoutsto the negotiated cloud services,SLOsandSLA?

0=n/aorNo,1=Yes

SLOs&Metrics SpecifiedSLOmetrics

DoesyourSLAclearlyandunambiguouslyspecifiesmetricsrelatedtotheSLOsdefinedintheSLA?

0=n/aorNo,1=Yes


GeneralSLOs

Does your SLA specify SLOs relatedto aspects like service monitoring,accessibility,availability,terminationof service, applicable certifications,andgovernance?

0=n/aorNo,1=Yes

CloudServicePerformanceSLOs

Does your SLA specify SLOs relatedto aspects like response time,capacity,andelasticity?

0=n/aorNo,1=Yes

ServiceReliabilitySLOs

Does your SLA specify SLOs relatedto aspects like service resilience,disaster recovery, and customer’sdatabackup/restore?

0=n/aorNo,1=Yes

DataManagementSLOs

Does your SLA specify SLOs relatedto aspects like IPR, CSC/CSP data,derived data, account data,portability, datadeletion/location/examination, andlaw enforcement access to CSCdata?

0=n/aorNo,1=Yes

SecuritySLOs

Does your SLA specify SLOs relatedto aspects like cryptography,physical/operational/communicationsecurity, incident management,compliance, and businesscontinuity?

0=n/aorNo,1=Yes


PersonalDataProtectionSLOs

Does your SLA specify SLOs relatedto aspects like consent and choice,limitation, accountability, PIIcollection/use/retention/disclosurelimitation,andprivacycompliance?

0=n/aorNo,1=Yes


AnnexC.CRMquestionnaireforCSPs:ConsentandGeneralDataDoyouneedtosignaCloudSLA&youwanttofindeverythingyouneed, intheone

place to make sure what you sign has the right: vocabularies, SLO

metrics/measurements,andcompliancewithstandards/bestpractices?WellthisMay2016,theEuropeanprojectSLA-Ready14hasdevelopedpreciselyallofthesefeaturesin

itsCommonReferenceModel (akaCRM). ThisCRMhopes tomakeEuropean SMEs’

life easier in sifting through time-consuming legal contracts for the uptake of cloud

computing.

InordertovalidatethedevelopedCRM15fromyourperspective,wekindlyaskyouto

answerthefollowingsetofquestions.

1. Informationabouttheparticipant’sprofile:a) WhichoneofthefollowingrolesbestdescribesyourCloudcomputingactivity?

(Pleasetickjustoneanswer)[]CloudServiceProviderorCSP(e.g.CxO,R&D,etc).

[]CloudServicePartner(e.g.securityauditor,Cloudbroker,developer)

b) Whichindustrialsectorisyourmaincloudservicecustomer?[]SmallandMedium-sizedEnterprise(SME,privatesector)

[]Non-SME(privatesector)

[]Publicsector

c) Whichmarketverticalbestdescribesyourcloudservicecustomerbase?(Pleasetickjustoneanswer)

14Pleaserefertohttp://www.sla-ready.eu/

15CRMfollowsa3-levelhierarchicalstructure:thetoplevelcontainseight(8)groups,organizethirty(30)elements that include the main notions that can be mapped to the different aspects of cloud SLAs.

FollowingtheISO/IECterminology,thelowestlevelcomprisesthecomponentsthatarepartoftheservicelevelobjectives(SLO)relatedelementsoftheCRM.


[]Education

[]FinancialServices

[]Government

[]InformationTechnology(IT)&Telecommunications

[]Other(pleasespecify):______________________________________

d) Howwellthefollowinghigh-levelusecases16describetheinterestsofyourcloudservicecustomers?(Pleaserankfrom1(better)to5(worst))[ ]ApplicationonaCloud.AnEnterprisedevelopsanApponaCloudService for

theirendusers.

[ ] Cloud bursting. Describes the scenario where workloads are migrated on-

demandtoapublicCSPasneededbythecloudcustomer.

[ ] Processing sensitive data. An enterprise wants to use an online cloud

application (SaaS) to process sensitive data, including Personally Identifiable

Information(PII).

[]Dataintegrity.Acustomermovesathree-tierapplicationfromanon-premises

datacentertoanIaaSCSPthatwillruntheapplicationoff-premises.

[]Highavailability.ThroughtheuseofoneofmoreCSPsanorganizationprovides

highavailabilityintheeventofadisasteroralarge-scalefailure.

e) InwhichaspectsoftheCloudservicelifecycleareyourcloudservicecustomersinterested?(Pleaserankfrom1(highinterest)to3(lowinterest))[]TheyareinterestedonhowtoacquireCloudservices(e.g.,choosingaCSP).

[ ]Theyare interestedontheactualoperationalstageoftheCloudservice(e.g.,

monitoring)

[ ] They are interested on the termination process of the Cloud service (e.g.,

understandingdataretentionclauses)

2. Based on your offered Service Level Agreement, please perform its self-assessment

16 Categorization based on ETSI’s “Cloud Standards Coordination – Final Report”. Available online:

http://csc.etsi.org/resources/CSC-Phase-1/CSC-Deliverable-008-Final_Report-V1_0.pdf


basedonthecriteriapresentedontheattachedspreadsheet(seebelow)

3. From your point of view, is the CRMmissing critical groups/elements/componentsthatcouldcontributetoimprovethewaySMEsdealwithcloudservices?

4. Doyouagreetomakepubliclyavailable intheSLA-Readywebsitetheprovidedself-assessment?¨ Yes,Iagree¨ No,Idon’tagree.Pleasespecifyareason:

5. Would youbewilling toparticipate in a follow-updiscussionon this subject? If yespleaseprovideyournameandacontactemailaddress:

· to this end, sla-ready has created a common reference model (crm) that helps towards the common...

Documents