Cloud Computing Bill of Rights

From Cloud Computing Community Wiki

See also: Cloud Computing Manifesto

Contents 1 User rights 1.1 Auditing 1.2 Billing 1.3 Backups 1.4 Data 1.5 Interfaces 1.6 Legal 1.7 Location 1.8 Security 1.9 Service 1.10 Standards 2 Acknowledgements 3 References

User rights

Auditing

1. Events must be securely recorded for a period disclosed to and depending on the needs of the user
2. Logs must be made available by download in a transparent format and optionally online
3. Monitoring should not exceed that required for service delivery, or must be optional

Billing

1. Itemised Invoices must be made available with sufficient information so as to validate the providers' claims
2. Limits must be able to be enforced so as to prevent runaway costs
3. Rates must be transparent, in that a user should be able to calculate and anticipate usage
4. Usage Data (both current and historical) must be available to enable users to monitor usage trends

Backups

1. Bulk Access shall be provided to all user data (including metadata and configuration data)
2. Frequency of access shall not be unreasonably limited (eg >30 days^[1])
3. Redundancy should be built into the systems such that user data is protected against loss

Data

1. Encryption of data shall be facilitated where feasible and never unnecessarily hindered
2. Integrity data integrity expectations will be clearly defined
3. Licensing as necessary for delivery of services (eg hosting) is acceptable with explicit permission
4. Metadata and configuration data (eg settings) is included
5. Ownership is retained by the user along with all associated rights (eg copyright)^[2]
6. Subusers' data is included (eg Google Apps users have multiple accounts, SalesForce users have customer accounts)

Interfaces

1. Application Programming Interfacess (APIs) shall be maintained for accessing and manipulating data
2. Change control shall allow for all API changes to be notified well in advance
3. Documentation shall be made available online in open standard formats
4. Superseded versions of APIs shall be available for a reasonable period

Legal

1. Conflicts of interest shall be revealed to the user (eg where sponsorship has affected platform choice)
2. Contracts shall use clear and easy to understand contract language, striving for the fewest surprises
3. Notice of changes (most notably service shutdown) must be given well in advance (ideally months)
4. Termination of service agreements without penalty must be possible in the event that Terms of Service changes are not acceptable to the User
5. Warrants shall be defended and notified to the user according to a set of published policies, except where forbidden

Location

1. Location of systems and data shall be made available to users, but need not be provided beyond the smallest significant jurisdictional boundary (eg state, country, union of states)
2. Selection of an appropriate location based on user preferences shall be provided where feasible (price may vary according to local conditions)^[3]
3. Entry points (eg URLs) shall be owned by the user to facilitate transition between providers

Security

1. Access to systems must be available in a secure fashion (eg appropriate authentication and transport layer security with appropriate ciphers)
2. Administrative Requests be handled using secure processes resistent to social engineering (eg identity verification, proof of control of domain^[4])
3. Change management shall be enforced and users shall be notified of changes which affect them in advance (ideally with the option to reject)
4. Confidentiality of user data must be strictly maintained
5. Multitenancy be strictly enforced such that no user can access or modify the data of any concurrent, former or future user
6. Purging of data shall be facilitated as required, including immediate, permanent and secure purging if necessary

Service

1. Marketing shall match service levels and price points (eg never advertise a high service level at a low price point and demand a premium)
2. Availability shall be maintained to a suitably high level for the application (typically at least 'three nines': 99.9%)
3. Expectations shall be met whether explicit or implied; service delivered shall match expectations and providers (who bear the expense in full) will spare no expense in meeting them
4. Service Level Agreements shall be clear, concise and backed by financial penalties where they are offered, and alternatives should be offered
5. Support shall be provided in a timely fashion, typically 24x7 with 1hr response for severity 0 (however subusers may or may not be assisted by provider)

Standards

1. Existing standards shall be used where possible in preference to creating new standards
2. Open Standards should be used where appropriate standards are available (eg REST)
3. Proprietary Standards shall not be used or supported in a fashion that could impair innovation
4. Transparent data formats shall be used, except where the user explicitly stores opaque data (eg by uploading a proprietary document)

Acknowledgements

• Sam Johnston prepared this document based on existing efforts and contributed to it
• James Urquhart refined a draft document over a number of blog posts^[5][6]
• Rich Wellner contributed a pre-prepared draft document for incorporation

References

1. ↑ DreamHost Newsletter – July 2008
2. ↑ wesabe: Data Bill of Rights
3. ↑ Amazon S3 Storage Now Available In Europe
4. ↑ Google Apps Domain Verification
5. ↑ The Cloud Computing Bill of Rights
6. ↑ Update: The Cloud Computing Bill of Rights