Cloud Driven – SLAs – The Keys to Performance

The movement to Cloud delivery provides us with a myriad of new capabilities. The promise of converting capital expense into operating expense, adding resources only when needed and significantly reducing the cycles of IT procurement and cost is hard to ignore. The reality is that the Cloud can meet the business requirements of immediate sense and response, reduce the current complex model of IT delivery and truly offer self-service. Moving to the Cloud will remove the current internal delivery challenges and reset both your current operational model and the direct ownership of the resources needed to deliver the capability.

To limit the exposure and concern that comes with moving to the cloud and upsetting your current delivery model, the best deployments of cloud capability use Cloud-driven SLAs to drive performance, address risk and meet the performance requirements for Cloud delivery.

Effective Cloud SLAs must follow the same key principles that have been utilized for years, namely:

  • The Cloud SLA should be measurable, simple to understand and readily available;
  • The Cloud SLA should identify the service to be performed and expectations you have for specific outcomes;
  • The client should be able to identify Key Performance Indicators (KPIs) and the level of acceptable performance;
  • The Cloud SLA must explain how the service will be measured – does one bad transaction or missed backup trigger an SLA measurement?
  • The Cloud SLA must define when it will be measured – does this happen daily, monthly, quarterly?
  • How will success be defined – are you happy with availability of 99.9% or 99.9999%?
  • The Cloud SLA should note the responsibilities of the client and the service provider – who will perform the backup and restore going forward?
  • What are your Cloud reporting requirements – how often do you need to know that the Cloud solution is working?
  • What are the incentives (or penalties) that are needed to meet your expectations for levels of service and quality?

A Cloud procurement decision is an opportunity to address the key questions noted above, establish the terms and conditions required for Cloud Service Delivery SLAs, and clarify the expectations for Service Delivery and Performance Management.

Service Delivery and Performance Management – Cloud SLAs

One of the best practices we use when identifying the SLAs required for Cloud Performance and Service is to use the IT Infrastructure Library (ITIL) approach to set up the key Cloud performance areas of:

  • Service Requests;
  • Incident Management & Continuity;
  • Problem Resolution;
  • Change Release;
  • Capacity;
  • Configuration Management;
  • Availability; and
  • Security.

Each performance area is relevant to Cloud delivery and should be examined carefully to understand what will be provided by the Cloud provider.

Once you complete an in-depth look at each Cloud performance area, it is critical to drill down a bit deeper into the types of performance metrics that will really make a difference when signing up for Cloud Delivery. For example, each of us should be taking a deep breath and looking into the answers to the following key questions:

  • Time to Respond – How long does it take for the Service to handle your request?
  • Time to Transact – How much time does it take to complete a transaction?
  • Resolution – What is the time it takes from identifying a service problem to providing resolution?
  • How reliable is the Cloud Solution – When you look at the setup of hardware and software and connections, how reliable is the solution?
  • Availability – What is the uptime of the Cloud Service?
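
The measurement questions in the first list (how and when the SLA is measured, and whether 99.9% or 99.9999% counts as success) and the Availability metric above can be made concrete with the following added example, which is not part of the original article. The outage records, window dates and function names are constructed for illustration; the code shows the same quarter of outages meeting a 99.9% target when measured quarterly while one month misses it when measured monthly.

```python
from datetime import datetime, timedelta

# Constructed outage records (start, end) for a hypothetical Cloud service.
OUTAGES = [
    (datetime(2024, 1, 9, 2, 0), datetime(2024, 1, 9, 2, 20)),      # 20 min
    (datetime(2024, 2, 14, 13, 0), datetime(2024, 2, 14, 14, 30)),  # 90 min
    (datetime(2024, 3, 3, 23, 50), datetime(2024, 3, 4, 0, 5)),     # 15 min
]
# Two candidate measurement periods for the same data (assumed SLA terms).
MONTHLY = {
    "2024-01": (datetime(2024, 1, 1), datetime(2024, 2, 1)),
    "2024-02": (datetime(2024, 2, 1), datetime(2024, 3, 1)),
    "2024-03": (datetime(2024, 3, 1), datetime(2024, 4, 1)),
}
QUARTERLY = {"2024-Q1": (datetime(2024, 1, 1), datetime(2024, 4, 1))}

def downtime_in(window_start, window_end, outages):
    """Sum the outage time that overlaps [window_start, window_end)."""
    total = timedelta()
    for start, end in outages:
        overlap = min(end, window_end) - max(start, window_start)
        if overlap > timedelta():
            total += overlap
    return total

def availability(window_start, window_end, outages):
    """Percentage of the window during which the service was up."""
    span = window_end - window_start
    return 100.0 * (1 - downtime_in(window_start, window_end, outages) / span)

def allowed_downtime(window_start, window_end, target_pct):
    """Downtime budget that the availability target leaves in this window."""
    return (window_end - window_start) * (1 - target_pct / 100.0)

def evaluate(windows, outages, target_pct):
    """Return {label: (availability_pct, target_met)} per measurement window."""
    result = {}
    for label, (ws, we) in windows.items():
        pct = availability(ws, we, outages)
        result[label] = (round(pct, 4), pct >= target_pct)
    return result

if __name__ == "__main__":
    for target in (99.9, 99.9999):
        print(target, "monthly:", evaluate(MONTHLY, OUTAGES, target))
        print(target, "quarterly:", evaluate(QUARTERLY, OUTAGES, target))
```

At the 99.9999% target every window in this data fails, since the budget for a full quarter is under eight seconds.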

It is also important to keep in mind that the Cloud does not address every aspect of application or infrastructure delivery. The wise user will be able to understand the difference and distinguish the requirements that are unique to network performance, application performance and infrastructure performance. Depending on your specific Cloud solution, you may have all or only portions of IT performance to consider when establishing Cloud SLAs.

The key to really understanding what is needed for Cloud SLAs is to know your internal boundaries and what the Cloud solution will deliver. Be aware of what you will be doing and what the Cloud provider will be doing, once you have moved to production.

 

HIPAA Compliance in the Cloud

Regulations that govern privacy are here to stay. Any entity, whether it be a hospital, a physician, an attorney or any other business associate, has a duty by law to protect information. These interrelated groups rely on each other to be compliant with the regulations. Everyone who has access to patient information must be in compliance with HIPAA.
According to HIPAA, there must be proper controls around patient information, with the patient having a clear understanding as to what information is shared and some agreement from that patient as to what can be shared. Any organization considering Cloud must be able to demonstrate the required controls over their data.
Given the obvious challenges around the protection of personal health information and the associated regulations, what are some of the drivers that motivate businesses to consider the Cloud? There are a number of reasons:
  • Collaboration across business entities with minimal investment
  • Costs involved in continuously refreshing infrastructure – many organizations would like to eliminate the need to invest significant capital resources in on-going technology upgrades
  • Costs involved with hiring skilled resources to support the systems and technologies needed
  • Costs related to comprehensive security monitoring and control – system intrusion protections, data compromises, and encryption are all protections that can be achieved in a cost effective manner with the Cloud
Eventually, most organizations will be faced with a need to leverage Cloud capabilities. A simple approach to evaluate the use of the Cloud to meet HIPAA requirements can be distilled into a series of steps:
  1. Understand the specific control requirements that pertain to your organization. This may involve one, or possibly a series of regulations that require compliance.
  2. Assess the current control environment against the requirements from the regulations, and identify any gaps.
  3. Define the additional controls required to mitigate any gaps in the current environment.
Most organizations, especially hospitals, don’t know how to begin an assessment. Because many organizations are overwhelmed by the regulation itself, they don’t move from the initial assessment, gap identification and risk assessment.
So, in order to get beyond initial analysis paralysis, there are a few simple questions to help you get started. These include:
  • Who manages patient information?
  • Where is patient information stored and accessed?
  • Is patient information found on the organization’s laptops, mobile or other portable devices?
As an organization goes through its assessment, it will be important to start a dialogue with potential Cloud providers to understand how they are addressing HIPAA concerns. All health-oriented businesses that are using, accessing, storing, and sharing patient information must realize the importance of meeting HIPAA/HITECH (Health Information Technology for Economic and Clinical Health) requirements, regardless of the technology they put in place.