• United States



by Adam Braunstein

SLAs for ASPs

Aug 28, 20008 mins
CSO and CISOData and Information Security

RFG believes businesses evaluating solutions from application service providers (ASPs) need to ensure that those providers can economically deliver acceptable service levels. IT executives should demand service level agreements (SLAs) that guarantee uptime from the user’s perspective, provide meaningful credits for downtime and can be terminated for failure to meet SLA guarantees.

Business Imperatives:

  • Although most top-tier ASPs are offering SLAs guaranteeing uptime of from 99.5 to 99.9 percent, providers often exclude planned downtime and will not guarantee the availability of their third-party partners. IT executives should ascertain the availability they are currently receiving from in-house applications to determine if obtaining the same level of service or better from an ASPs is technically and economically feasible.
  • Latency and downtime can occur as a result of problems anywhere within an ASP’s hardware, software and networking infrastructure, and effective SLAs should guarantee uptime across the entire infrastructure and backbone. ASPs should continually measure and provide IT executives with key metrics and reports on all of these performance levels using proactive monitoring tools.
  • An effective SLA must clearly define and guarantee service uptime and response times, the regular delivery of metrics, response times for support issues, emergency and escalation procedures, migration strategy and provide an out clause. Since an SLA cannot stand on its own, IT executives should carefully review the infrastructure and business model of a chosen ASP to determine if it can provide the required financial stability, availability and redundancy for outsourced applications.

The promise of the ASP model allows corporations to rent applications from specialized providers rather than incurring significant capital expenditures on hardware and software procurement, staffing, and expensive and lengthy implementations. Outsourcers benefit from economies of scale thanks to both specialization and bulk purchasing. However, the task of making remotely hosted applications available is a difficult one, which some are better suited to accomplishing than others.

The ASP scene is still clouded with a variety of organizations that run the gamut in the terms of the applications they are hosting, the services they provide, and the infrastructure they utilize. [See The State of ASPs] The market will continue to witness multiple types of organizations claiming this nomenclature, then demonstrating that they have little legitimate claim to it. During the next 18 to 36 months, the ASP market will undergo a shake-up similar to what is currently wreaking havoc in the e-commerce space and IT executives should verify that any existing contract will remain in force in the event of an ASP merger or direct sale.

CIOs should therefore select their outsourced providers with appropriate skepticism and scrutiny and view ASPs more as trusted partners than simply as vendors due to the critical nature of the relationship. IT executives that have determined that an ASP solution is best fit in their enterprise should put solutions from larger, more established providers with experience in the data center at the top of their list. Others may be less experienced, but are nonetheless competitive alternatives with major financial backers. Since most ASPs are heavily in the red, IT executives will need to discuss and understand an ASP partner’s business model, financial stability, growth strategy, disaster plan and investor commitment when choosing an alternative.

Some vendors offer 99.5 percent to 99.9 percent availability guarantees in their respective SLAs. While these levels may be sufficient for many business applications, many ASPs do not count short outages, such as a reconfiguration or the rebooting of a machine, which may only take 10 minutes. These outages may occur several times a month, resulting in hours of downtime, without any notification sent to customers. Further, ASPs often do not include planned downtime or items they outsource to third parties when quoting uptime figures. As a result, corporations may observe more than one hour per week of additional downtime for just planned system maintenance. One last point to consider is how the availability is tracked and verified by both the customer and the ASP. This process must be well defined and included in the SLA terms and conditions.

ASPs are often able to write contracts that exceed 99.9 percent availability and charge significantly for the increased requirements. In cases where the outsourced application is mission-critical, requires substantial integration or customization, and where better than 99.9 percent availability is needed, IT executives may see the cost of an ASPs solution rise out of the range of affordability. An availability guarantee should explicitly detail exactly which parts of the infrastructure are covered. IT executives should discard any providers that do not or will not commit to availability for the entire infrastructure.

IT executives should demand that ASPs support their claims of availability by proactively monitoring for latency and downtime, and offering credits when performance falls below agreed upon levels. Further, SLAs should specify credit amounts for outages and poor performance, which should become more stringent over the life of the contract and should be tied to business revenue losses for mission-critical applications. Finally, the enterprise should demand access to any monitoring tools available in order to maintain close visibility on ASP performance and commitments.

ASPs should commit to paying stiff fines based on monthly availability. Some, however, try to avoid penalty payment by measuring performance over several months. For less critical applications, a day’s credit for a 15-minute outage or for latency observed in excess of an hour may be sufficient. While credits tied to lost revenue are valuable talking points, IT executives should not be optimistic that such clauses will make it into the final contract.

IT executives should make sure that their chosen provider proactively notifies customers of downtime, especially when the outsourced application requires mission-critical levels of availability. ASPs that offer higher levels service but do not notify customers of outages and latency are likely not delivering on their

availability claims. Another telltale sign of false promises is in cases where an uptime guarantee exceeds the capabilities of an application. IT executives should beware of ASPs that view SLAs as marketing tools or statements of general direction rather than gospel. Such executives can mitigate the potential for downtime by choosing a provider that employs virtual private networks (VPNs) and/or dedicated lines.

The best way for IT executives to determine whether an ASP will be able to meet its SLA commitments is to verify system, application and network availability. IT executives should request a copy of the system architecture and network design to ensure the presence of sufficient bandwidth and redundancy on an end-to-end basis. Ideally, a member of the IT technical staff should take the time to visit the ASP site to verify the presence of and get a feel for the level of equipment, personnel, redundancy and disaster protection. Corporations should require ASPs to include escalation policies and contacts, migration strategies and cancellation terms for failure to deliver guaranteed service levels as a part of the overall contract terms and conditions. IT executives should require a quarterly performance review, at their location, with members of the ASP executive management team as an integral part of the contract.

Criteria for SLA Selection

  • Performance: latency, consistency
  • Availability: scheduled and unscheduled downtime; prime time versus off-hours
  • Security: network, authorization, physical, etc.
  • Scalability: network, servers, applications, databases
  • Redundancy: network, servers, applications, databases, routers/switches, sites
  • Maintenance: backups, logging, restore, updates
  • Problem resolution commitments by severity level
  • Helpdesk or call center coverage
  • Reporting: metrics, frequency and type
  • Escalation procedures
  • Pricing options and tiers
  • Rebates/credits offered for failure to perform by outage duration and type

No matter what levels of availability are specified in the contract, ASPs should provide monthly availability metrics and reports for the system, application, and network as part of the contract. Ideally, the ASP should be able to provide latency and downtime statistics that measure performance across the entire infrastructure.

This task is especially difficult for providers that outsource their network and even harder for those that also outsource their data centers. IT executives should require ASPs to back up availability claims by providing them with real-time access to performance measurement tools across the entire infrastructure.

RFG believesIT executives have the right and corporate responsibility to demand stringent, detailed SLAs from ASPs that provide lucid availability guarantees for the entire ASP infrastructure. Further, best of breed ASPs will proactively monitor system, network, and application performance, and provide IT executives with essential metrics and notifications of each failure and latency. IT executives should negotiate enforceable short-term contracts, agreed to credits for downtime and non-performance, and reserve the right to cancel service if SLA guarantees are not meet for two consecutive months.

© 2000 Robert Frances Group. All rights reserved.

Adam Braunstein is the Robert Frances Group’s Senior Research Analyst. He can be reached at 203-291-6900