Copyright © 2013 Thomas Trappler All Rights Reserved.

Page 1:

Cloud Proud™ Development: Mitigate Cloud Computing Risks Using Internet2 NET+ Agreements

Thomas Trappler
Director, UCLA Software Licensing
Instructor/Advisor – Cloud Computing Risk Mitigation
www.ThomasTrappler.com
[email protected]

Page 2:

Internet2 Cloud Proud™

Change Management and transition framework to help accelerate adoption of cloud services in a best practices model.

Training modules tailored to different areas of a campus, including:

- Overview
- Procurement
- Legal
- IT Integration Network
- IT Integration Identity
- Security & Privacy Review

Page 3:

Cloud Computing Risk Mitigation

To Ask Questions Online, Please email:

[email protected]

Page 4:

Cloud Computing Risk Mitigation

Transitioning to the Cloud = Paradigm Shift

From: Technically Managed
“I build it, I maintain it.”

To: Contractually Managed
“Someone else is doing this for me, how do I ensure they’re doing it right?”

Page 5:

Cloud Computing Risk Mitigation

As with the adoption of any IT solution, the adoption of a cloud computing solution comes with both benefits and risks.

Image: http://www.flickr.com/photos/61056899@N06/5751301741/sizes/l/in/photostream/

Page 6:

Cloud Computing Risk Mitigation

The question is:

How can we most effectively mitigate the risks associated with adopting a cloud computing solution so as to maximize the benefits?

Image: http://www.flickr.com/photos/takomabibelot/4373062612/

Page 7:

Cloud Computing Risk Mitigation

Key Ways To Mitigate Risks

Contract Negotiation
“What do I get?”

Vendor Management
“How do I ensure that I continue to get it?”

If it’s not in the contract, don’t expect to get it.

Page 8:

Cloud Computing Risk Mitigation

Internet2 NET+ Agreements
Get It In The Contract For You

Page 9:

Cloud Computing Risk Mitigation

Multiple Variations = SaaS, IaaS, PaaS

Contract Issues Are Similar

1) Infrastructure/Security
2) Service Level Agreements
3) Data Protection, Access & Location
4) Vendor Relationship

Page 10:

Cloud Computing Risk Mitigation

Key Factors

Data Sensitivity: Public … Sensitive

Business Criticality: Downtime = Tolerable … Downtime = Business Stops

Page 11:

1) Infrastructure/Security

Physical Data Center Behind Every Cloud

All Cloud Service Providers Are NOT Created Equally

A New and Evolving Market Space

Page 12:

1) Infrastructure/Security

How do we ensure we’re getting this…

Image: http://www.wired.com/wiredenterprise/2012/10/ff-inside-google-data-center/

Page 13:

1) Infrastructure/Security

…and not this?

Image: http://thedrunksysadmin.com/pictures/thedrunksysadminCompressed.jpg

Page 14:

1) Infrastructure/Security

Identify Cloud Service Provider’s Infrastructure and Security Practices

Page 15:

How?

Ask Questions

Image: http://www.flickr.com/photos/colinkinner/2200500024/

Page 16:

1) Infrastructure/Security

8.10 After the Effective Date, Service Provider shall promptly complete the Cloud Security Alliance GRC Stack Cloud Controls Matrix (“CCM”) spreadsheet and shall promptly provide it to each Enterprise Customer upon execution a Customer Agreement ...

Page 17:

Cloud Controls Matrix

• Information Security

• Physical Security

• Operations Management

Page 18:

1) Infrastructure/Security

Determine Which Practices Are Important

Codify Them in the Contract

Incorporate Responses in Contract

Page 19:

1) Infrastructure/Security

8.3(d) Service Provider has established, and will throughout the Term maintain, the data security policy and practices applicable to the Service Provider Platform as set forth on Exhibit G... throughout the Term, Service Provider will at a minimum abide by data security practices that are at least as protective as the data security practices set forth in the Service Provider Online Information Security Policy…

Page 20:

1) Infrastructure/Security

Once You’ve Got Them in the Contract,

How Do You Verify These Things?

Page 21:

1) Infrastructure/Security
Third Party Certifications

No Formal Standard

• ISO 27001/27002
• SSAE 16, SOC 2 & 3 (Replaced SAS 70)
• FIPS 200/SP 800-53
• CSA Open Certification Framework

Image: http://www.flickr.com/photos/42106306@N00/4380803535/

Page 22:

1) Infrastructure/Security

8.3(e) Service Provider represents and warrants that within the past twelve (12) months it has been certified as compliant with Statement on Standards for Attestation Engagements (“SSAE”) No. 16 and ISO 27001 by a reputable independent third-party auditor(s)…

Page 23:

1) Infrastructure/Security

Re-Certify – At least annually, and after any reasonably suspected breach

Report provision, including timeframe

Your organization must thoroughly review

Page 24:

1) Infrastructure/Security

8.3(f) Such audit: (i) will be performed at least annually and will also be performed promptly after the occurrence, if any, of a Security Incident… and (iv) will result in the generation of an audit report… which Service Provider will provide to Internet2 and the Enterprise Customers within thirty (30) days of its completion…

Page 25:

1) Infrastructure/Security

Risk = How does a customer know that a cloud service provider is sufficiently prepared to continue to provide the service in the event of a disaster?

Mitigation = Require the cloud service provider to have a disaster recovery/business continuity plan.

Image: http://www.flickr.com/photos/redcross_bayarea/3990473293

Page 26:

1) Infrastructure/Security

8.3(d) …(iii) a business continuity plan that details Service Provider’s disaster recovery processes, policies and procedures, including the use of geographic redundancy, data backup/recovery, disaster recovery plan testing, and utilization of uninterruptible power supplies and backup generators, so that Service Provider shall be able to continue to fulfill its obligations under this Agreement in the event… of any disaster...

Page 27:

2) Service Level Agreements

Software as a Service
Infrastructure as a Service
Platform as a Service

The key thing in common is “Service”.

Page 28:

2) Service Level Agreements

Risk = How does a customer know that key elements of a cloud service provider’s service will be available at the appropriate levels when needed?

Mitigation = Establish SLAs for pertinent parameters of the service.

Page 29:

2) Service Level Agreements

Exhibit B, NET+ Box agreement - SLA for the following parameters of the service:

• Availability
• Support
• Error Correction

Page 30:

2) Service Level Agreements

Risk = Is the cloud service provider appropriately measuring their performance of the service?

Risk = How does a customer incentivize a cloud service provider to ensure that the appropriate level of service is maintained? 

Mitigation = Establish quantitative and unambiguous metrics for measuring SLA performance. Establish remedies for when the cloud service provider doesn’t meet the SLA.

Page 31:

2) Service Level Agreements

Exhibit B Net+ Box agreement - “availability” SLA metrics and remedies:

Uptime Achieved (Calculated each Month)   | Credit/Refund Available (against fees attributable to such month)
------------------------------------------|------------------------------------------------------------------
Less than 99.9% but more than 99.8%       | 10%
Less than 99.8% but more than 99.7%       | 20%
Less than 99.7% but more than 99.6%       | 30%
Less than 99.6% but more than 99.5%       | 40%
Less than 99.5% but more than 99.4%       | 50%
Less than 99.4% but more than 99.3%       | 60%
Less than 99.3% but more than 99.2%       | 70%
Less than 99.2% but more than 99.1%       | 80%
Less than 99.1% but more than 99.0%       | 90%
Less than 99.0%                           | 100%

Page 32:

2) Service Level Agreements
SLA Definitions

May Further Reduce Total Uptime

May Exclude Scheduled Maintenance

Does Scheduled Downtime Align With Your Needs?

Page 33:

2) Service Level Agreements

Exhibit B Net+ Box agreement:

Downtime refers to any periods within the Scheduled Available Time… during which the applications, systems and networks used to offer the Box Service are unavailable because of any outage that is unplanned. Box will provide Enterprise Customer with at least seventy-two (72) hours prior written notice of scheduled downtime for planned upgrades and maintenance (“Scheduled Downtime”). The Scheduled Downtime shall be limited to a maximum of four (4) hours, and wherever possible, the Scheduled Downtime will be targeted for Sundays or off-peak hours.
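The Exhibit B credit tiers (slide 31) and the Downtime definition above (slide 33) worked through on a constructed month of outages, as an added example that is not part of the deck or of the NET+ agreement: it shows how the scheduled-maintenance carve-out changes the credit a customer is owed. The 72-hour-notice and 4-hour-cap handling, the 24x7 Scheduled Available Time, and the treatment of an uptime figure that lands exactly on a tier boundary are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Credit tiers quoted from Exhibit B on the slide: (lower, upper, credit %), both
# bounds exclusive as worded ("less than X but more than Y").
CREDIT_TIERS = [
    (99.8, 99.9, 10), (99.7, 99.8, 20), (99.6, 99.7, 30), (99.5, 99.6, 40),
    (99.4, 99.5, 50), (99.3, 99.4, 60), (99.2, 99.3, 70), (99.1, 99.2, 80),
    (99.0, 99.1, 90),
]
NOTICE_REQUIRED = timedelta(hours=72)   # Scheduled Downtime notice, per the quoted exhibit
SCHEDULED_CAP = timedelta(hours=4)      # maximum Scheduled Downtime window, per the same

@dataclass
class Outage:
    start: datetime
    end: datetime
    scheduled: bool = False                  # vendor labelled it planned maintenance
    notice_sent: Optional[datetime] = None   # when written notice reached the customer

def counted_downtime(o: Outage) -> timedelta:
    """Portion of an outage that counts as Downtime under the quoted definition."""
    duration = o.end - o.start
    if not o.scheduled:
        return duration
    # Assumptions not on the slide: a "scheduled" window without 72 hours' notice is
    # treated as unplanned, and any time beyond the 4-hour cap is Downtime.
    if o.notice_sent is None or o.start - o.notice_sent < NOTICE_REQUIRED:
        return duration
    return max(duration - SCHEDULED_CAP, timedelta(0))

def monthly_uptime(available: timedelta, outages: Iterable[Outage], exclude_scheduled: bool = True) -> float:
    """Uptime % over the month's Scheduled Available Time; exclude_scheduled=False
    shows the same month with no maintenance carve-out (the slide's caveat)."""
    if exclude_scheduled:
        down = sum((counted_downtime(o) for o in outages), timedelta(0))
    else:
        down = sum((o.end - o.start for o in outages), timedelta(0))
    return 100.0 * (1.0 - down / available)

def credit_percent(uptime: float) -> int:
    """Map achieved uptime to the Exhibit B credit: 0 at or above 99.9%, 100 below 99.0%."""
    if uptime >= 99.9:
        return 0
    if uptime < 99.0:
        return 100
    for low, high, credit in CREDIT_TIERS:
        if low < uptime < high:
            return credit
    # Exactly on a tier boundary (e.g. 99.8%) the quoted wording assigns no tier; resolved
    # here in the customer's favour (assumption). This is a gap worth closing in negotiation.
    return next(c for low, _, c in CREDIT_TIERS if abs(uptime - low) < 1e-9) + 10

def example_month() -> dict:
    """Constructed outage log for one 30-day month, assuming 24x7 Scheduled Available Time."""
    available = timedelta(days=30)
    outages = [
        Outage(datetime(2013, 6, 4, 2), datetime(2013, 6, 4, 3)),  # unplanned, 1 h: counts
        Outage(datetime(2013, 6, 9, 1), datetime(2013, 6, 9, 4), True, datetime(2013, 6, 3)),  # 3 h, noticed: excluded
        Outage(datetime(2013, 6, 16, 0), datetime(2013, 6, 16, 6), True, datetime(2013, 6, 10)),  # 6 h, noticed: 2 h over cap
        Outage(datetime(2013, 6, 23, 1), datetime(2013, 6, 23, 2), True, datetime(2013, 6, 22, 1)),  # 24 h notice: counts
    ]
    uptime = monthly_uptime(available, outages)
    naive = monthly_uptime(available, outages, exclude_scheduled=False)
    return {"counted_downtime_hours": sum((counted_downtime(o) for o in outages), timedelta(0)) / timedelta(hours=1),
            "uptime_pct": uptime, "credit_pct": credit_percent(uptime),
            "uptime_pct_no_carve_out": naive, "credit_pct_no_carve_out": credit_percent(naive)}
```

With the carve-out the constructed month counts 4 hours of Downtime (99.44% uptime, 50% credit); without it the same 11 hours of unavailability would fall below 99.0% and trigger the 100% credit, which is why the definitions on the previous slide matter as much as the table.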

Page 34:

3) Data Protection, Access & Location

Image: http://www.flickr.com/photos/ian-s/2152798588/

Risk = How does a customer ensure that it retains ownership of its data in the cloud?

Mitigation = Clearly affirm customer ownership of its data in the contract.

Page 35:

3) Data Protection, Access & Location

8.1(a) …all rights, including all Proprietary Rights, in and to Enterprise Customer Data shall remain at all times the exclusive property of such Enterprise Customer. This Agreement does not grant Service Provider any right… except for the limited right to process, transfer, store and archive Enterprise Customer Data as expressly stated in this Agreement solely to the extent necessary for Service Provider to fulfill its obligations under this Agreement.

Page 36:

3) Data Protection, Access & Location

Image: http://www.flickr.com/photos/nostalgicglass/1188551383/

Risk = Will the cloud service provider assume appropriate responsibility in the event a data breach of the provider’s infrastructure allows inappropriate access to the customer’s data?

Mitigation = Codify the cloud service provider’s data breach responsibilities in the contract.

Page 37:

3) Data Protection, Access & Location

Section 8.6 …(i) promptly notify Internet2 and all impacted or potentially impacted Enterprise Customers of the Security Incident in a timely manner to meet the breach notification requirements under Applicable Law; (ii) promptly investigate the Security Incident and promptly provide Internet2 and all impacted or potentially impacted Enterprise Customers with detailed information about the Security Incident; and…

Page 38:

3) Data Protection, Access & Location

Section 8.6 (iii) promptly take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Following the occurrence of a Security Incident, Service Provider will take prompt and appropriate corrective action aimed at preventing the reoccurrence of a similar Security Incident in the future.

Page 39:

3) Data Protection, Access & Location

Location of Data

Different Laws

Which Law Applies to My Data?

Identify Data Center Location(s)

Image: http://commons.wikimedia.org/wiki/File:Worldmap_LandAndPolitical.jpg

Page 40:

3) Data Protection, Access & Location

8.2(d) All servers that will store Enterprise Customer Data will be located by Service Provider in production and disaster recovery datacenters only in the continental United States. Service Provider may only store Enterprise Customer Data outside of the continental United States with the prior express written permission of the applicable Enterprise Customer, and then only in such territory(ies) or country(ies) as identified in any such prior express written permission.

Page 41:

3) Data Protection, Access & Location

Image: http://www.flickr.com/photos/kenmccown/3917497679/sizes/l/in/photostream/

Legal Requests for Access to Data

Notification of Requests
Before They Provide Access To Your Data

Cooperate in Managing Release

Page 42:

3) Data Protection, Access & Location

8.5 Upon receipt of valid legal process (the “Legal Request”), Service Provider will attempt to redirect the requesting third party to the applicable Enterprise Customer to acquire any Enterprise Customer Data. If Service Provider’s redirecting efforts are unsuccessful, and provided Service Provider is not prohibited by law from doing so, Service Provider will, prior to disclosure, provide as much advance notice as possible, but at least thirty (30) days advance notice if at all possible to the applicable Enterprise Customer of the Legal Request, which notice will include, to the extent permitted by law, a copy of the Legal Request received by Service Provider from the third party.

Page 43:

4) Vendor Relationship

Cost of Change = Significant

Contractually Codify in Advance

Costs to Continue Using

Terms to Terminate/Change

Page 44:

4) Vendor Relationship

Cost to Continue Using

Renewal Price Caps as the Lesser of:
• Consumer Price Index (CPI)
• A Set Percentage (3%, 5%, etc.)
• What Others Pay

Going Forward For As Long As Possible

Image: http://www.flickr.com/photos/banky177/1664346876/

Page 45:

4) Vendor Relationship

Exhibit E, 1(a) Service Provider will not increase the rate charged to Internet2 in connection with the Services to any Enterprise Customer by more than five percent (5%) per Contract Year…

Exhibit E, 1(b) …the Fees set forth on this Exhibit E are at least ten percent (10%) below Service Provider’s then-current list price for such Service.

Page 46:

4) Vendor Relationship
Termination

Keep Decision Within Your Control

Restrict to Triggering Events

Include Customer Opportunity to Cure

Image: http://www.flickr.com/photos/mwichary/2356651346/

Page 47:

4) Vendor Relationship

3.5 Service Provider shall have the right to suspend a User’s or an Enterprise Customer’s access to the Services, in whole or in part, only: (a) if Service Provider reasonably believes that a User’s or an Enterprise Customer’s use of the Services represents a direct or indirect threat to Service Provider’s network operation or integrity or any Person’s use of the Services; (b) if reasonably necessary to prevent unauthorized access to Enterprise Customer Data; or (c) to the extent necessary to comply with legal requirements…

Page 48:

4) Vendor Relationship

3.5 …Service Provider will (i) use reasonable efforts to suspend only the minimum portion of the Services necessary to address the issues giving rise to the suspension; (ii) suspend the provision of the Services to only the Users whose actions necessitated the suspension… if at all practicable; and (iii) provide Internet 2 and any applicable Enterprise Customer with advance notice of any suspension and an opportunity to discuss the matter with Service Provider before such suspension occurs…

Page 49:

4) Vendor Relationship
Mergers and Acquisitions

Due Diligence

None of Us Can Predict the Future

Evolving Market Space

Terms Binding on Successors/Assigns

Image: http://www.flickr.com/photos/wokka/3585254925/sizes/l/in/photostream/

Page 50:

4) Vendor Relationship

9.9 …each Party shall have the right to assign or transfer all of its rights and obligations under this Agreement… provided that in the event of assignment under either (a) or (b), such assignee/transferee agrees to be bound by the terms and conditions of this Agreement (and for the avoidance of doubt any assignment by Service Provider to a Person must include an assignment to such Person of all of Service Provider’s responsibilities, obligations, etc.…

Page 51:

4) Vendor Relationship

Service Provider Outsourcing

Increases Complexity

Service Provider to Identify Third Parties

Service Provider Remains Responsible

Page 52:

4) Vendor Relationship

9.20 All actions of Service Provider Contractor/Agents in connection with this Agreement or any Customer Agreement are attributable to Service Provider for all purposes under this Agreement... Service Provider shall include in all of its agreements with Service Provider Contractor/Agents the obligations, representations, covenants, warranties and agreements contained in the Sections of this Agreement… to ensure Service Provider Contractor/Agents compliance with such matters to the same extent that Service Provider must comply with and agree to such matters under this Agreement.

Page 53:

What’s a campus to do? Start now!

1) Create a campus strategy for internal & external cloud services.

2) Create a “cloud first” culture by partnering with your legal and procurement teams, and other key stakeholders. Restructure internal processes and policies with cloud in mind.

3) Develop positions that focus on Cloud Product Management: Create new or reposition existing positions to get started.

Page 54:

What’s a campus to do? Start now!

4) Develop a campus identity solution built on open standards. Join the 300+ campuses in InCommon.org.

5) Support competition for services so there are choices—but constrained, not unlimited choices.

6) Evaluate Internet2 NET+ opportunities. Examine your own portfolios and consider which projects could benefit from NET+ scale, attend NET+ webinars.

Page 55:

How Can I Learn More?

To learn more about Internet2 NET+ agreements

http://www.internet2.edu/netplus/

[email protected]

Page 56:

How Can I Learn More?

To learn more about general cloud risk mitigation issues:

“Cloud Computing Risk Mitigation Via Contract Negotiation and Vendor Management”

SAM Summit 2013
June 25, 2013, Chicago, IL

To register, please go to: www.ThomasTrappler.com

Page 57:

Internet2 Cloud Proud™

Page 58:

Questions?

[email protected]

Cloud Proud™ Development

Image: http://www.flickr.com/photos/lisanolan/5031989566/