Organizations are depending more and more on services provided by cloud service providers. The benefits of using the cloud are well-documented, including the ability to scale capacity in a manner that is impossible with conventional data centers. Cloud service providers also allow organizations to outsource email, document management and even human resource services, freeing them to focus on their core expertise.
However, it is worth being mindful of the famous quote (by Leslie Lamport) that 'A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable.' In the case of an organization using cloud services, the failure of a computer that you didn't even know existed, that isn't under your control, and that may not even be in the same country as you can render your business inoperable. This has occurred recently with the well-publicized Amazon outages. How can an organization guard against this happening?
This question leads back to why a service-level agreement (SLA) is critical. A reader may ask 'Don't cloud service providers have SLAs?' It is true that most have SLAs. However, it also must be noted that cloud service providers are more open to negotiating SLAs with larger organizations. In the case of small-to-medium-sized businesses, they are more likely to simply cite performance metrics, as opposed to committing to an SLA.
It's also worth noting that even when a cloud service provider provides an SLA, the coverage may be inadequate. As a result, organizations (with or without SLAs) are often in a position where they have to trust the cloud service provider's metrics and billing information.
This approach raises many questions. For example, can an organization independently verify whether the information provided by the cloud service provider regarding usage and uptime is accurate? Or, in the event of a billing dispute with a cloud service provider, how does an organization provide an independent audit trail of the services it has used? For example, if a cloud service provider has a service lapse at 4:00am, will an organization have independent evidence of this situation? Or will the organization have to depend on the cloud service provider, or in the worst-case scenario, its customers who tweet the outage, to inform it of an outage? Access to this type of independent information is critical and is especially important in any discussions that need to be resolved via legal means.