Copyright © 2013 Thomas Trappler All Rights Reserved.
Cloud Proud™ Development: Mitigate Cloud Computing Risks Using Internet2 NET+ Agreements
Thomas Trappler
Director, UCLA Software Licensing
Instructor/Advisor – Cloud Computing Risk Mitigation
Internet2 Cloud Proud™: a change management and transition framework to help accelerate adoption of cloud services in a best-practices model.
Training modules tailored to different areas of a campus, including:
- Overview
- Procurement
- Legal
- IT Integration: Network
- IT Integration: Identity
- Security & Privacy Review
Cloud Computing Risk Mitigation
To Ask Questions Online, Please email:
Cloud Computing Risk Mitigation
Transitioning to the Cloud = Paradigm Shift
From: Technically Managed – “I build it, I maintain it.”
To: Contractually Managed – “Someone else is doing this for me; how do I ensure they’re doing it right?”
Cloud Computing Risk Mitigation
As with the adoption of any IT solution, the adoption of a cloud computing solution comes with both benefits and risks.
Image: http://www.flickr.com/photos/61056899@N06/5751301741/sizes/l/in/photostream/
Cloud Computing Risk Mitigation
The question is:
How can we most effectively mitigate the risks associated with adopting a cloud computing solution so as to maximize the benefits?
Image: http://www.flickr.com/photos/takomabibelot/4373062612/
Cloud Computing Risk Mitigation
Key Ways To Mitigate Risks
Contract Negotiation – “What do I get?”
Vendor Management – “How do I ensure that I continue to get it?”
If it’s not in the contract, don’t expect to get it.
Cloud Computing Risk Mitigation
Internet2 NET+ Agreements: Get It In The Contract For You
Cloud Computing Risk Mitigation
Multiple Variations = SaaS, IaaS, PaaS
Contract Issues Are Similar
1) Infrastructure/Security
2) Service Level Agreements
3) Data Protection, Access & Location
4) Vendor Relationship
Cloud Computing Risk Mitigation
Key Factors
• Data Sensitivity: Public → Sensitive
• Business Criticality: Downtime = Tolerable → Downtime = Business Stops
1) Infrastructure/Security
Physical Data Center Behind Every Cloud
All Cloud Service Providers Are NOT Created Equally
A New and Evolving Market Space
1) Infrastructure/Security
How do we ensure we’re getting this…
Image: http://www.wired.com/wiredenterprise/2012/10/ff-inside-google-data-center/
1) Infrastructure/Security
…and not this?
Image: http://thedrunksysadmin.com/pictures/thedrunksysadminCompressed.jpg
1) Infrastructure/Security
Identify Cloud Service Provider’s Infrastructure and Security Practices
How?
Ask Questions
Image: http://www.flickr.com/photos/colinkinner/2200500024/
1) Infrastructure/Security
8.10 After the Effective Date, Service Provider shall promptly complete the Cloud Security Alliance GRC Stack Cloud Controls Matrix (“CCM”) spreadsheet and shall promptly provide it to each Enterprise Customer upon execution of a Customer Agreement ...
Cloud Controls Matrix
• Information Security
• Physical Security
• Operations Management
1) Infrastructure/Security
Determine Which Practices Are Important
Codify Them in the Contract
Incorporate Responses in Contract
1) Infrastructure/Security
8.3(d) Service Provider has established, and will throughout the Term maintain, the data security policy and practices applicable to the Service Provider Platform as set forth on Exhibit G... throughout the Term, Service Provider will at a minimum abide by data security practices that are at least as protective as the data security practices set forth in the Service Provider Online Information Security Policy…
1) Infrastructure/Security
Once You’ve Got Them in the Contract,
How Do You Verify These Things?
1) Infrastructure/Security
Third Party Certifications
No Formal Standard
• ISO 27001/27002
• SSAE 16, SOC 2 & 3 (Replaced SAS 70)
• FIPS 200/SP 800-53
• CSA Open Certification Framework
Image: http://www.flickr.com/photos/42106306@N00/4380803535/
1) Infrastructure/Security
8.3(e) Service Provider represents and warrants that within the past twelve (12) months it has been certified as compliant with Statement on Standards for Attestation Engagements (“SSAE”) No. 16 and ISO 27001 by a reputable independent third-party auditor(s)…
1) Infrastructure/Security
Re-Certify – At least annually, and after any reasonably suspected breach
Report provision, including timeframe
Your organization must thoroughly review
1) Infrastructure/Security
8.3(f) Such audit: (i) will be performed at least annually and will also be performed promptly after the occurrence, if any, of a Security Incident… and (iv) will result in the generation of an audit report… which Service Provider will provide to Internet2 and the Enterprise Customers within thirty (30) days of its completion…
1) Infrastructure/Security
Risk = How does a customer know that a cloud service provider is sufficiently prepared to continue to provide the service in the event of a disaster?
Mitigation = Require the cloud service provider to have a disaster recovery/business continuity plan.
Image: http://www.flickr.com/photos/redcross_bayarea/3990473293
1) Infrastructure/Security
8.3(d) …(iii) a business continuity plan that details Service Provider’s disaster recovery processes, policies and procedures, including the use of geographic redundancy, data backup/recovery, disaster recovery plan testing, and utilization of uninterruptible power supplies and backup generators, so that Service Provider shall be able to continue to fulfill its obligations under this Agreement in the event… of any disaster...
2) Service Level Agreements
Software as a Service
Infrastructure as a Service
Platform as a Service
The key thing in common is “Service”.
2) Service Level Agreements
Risk = How does a customer know that key elements of a cloud service provider’s service will be available at the appropriate levels when needed?
Mitigation = Establish SLAs for pertinent parameters of the service.
2) Service Level Agreements
Exhibit B, NET+ Box agreement - SLA for the following parameters of the service:
• Availability
• Support
• Error Correction
2) Service Level Agreements
Risk = Is the cloud service provider appropriately measuring their performance of the service?
Risk = How does a customer incentivize a cloud service provider to ensure that the appropriate level of service is maintained?
Mitigation = Establish quantitative and unambiguous metrics for measuring SLA performance. Establish remedies for when the cloud service provider doesn’t meet the SLA.
2) Service Level Agreements
Exhibit B Net+ Box agreement - “availability” SLA metrics and remedies:
Uptime Achieved (Calculated each Month) | Credit/Refund Available (against fees attributable to such month)
Less than 99.9% but more than 99.8% | 10%
Less than 99.8% but more than 99.7% | 20%
Less than 99.7% but more than 99.6% | 30%
Less than 99.6% but more than 99.5% | 40%
Less than 99.5% but more than 99.4% | 50%
Less than 99.4% but more than 99.3% | 60%
Less than 99.3% but more than 99.2% | 70%
Less than 99.2% but more than 99.1% | 80%
Less than 99.1% but more than 99.0% | 90%
Less than 99.0% | 100%
2) Service Level Agreements
SLA Definitions
May Further Reduce Total Uptime
May Exclude Scheduled Maintenance
Does Scheduled Downtime Align With Your Needs?
2) Service Level Agreements
Exhibit B Net+ Box agreement: Downtime refers to any periods within the Scheduled Available Time… during which the applications, systems and networks used to offer the Box Service are unavailable because of any outage that is unplanned. Box will provide Enterprise Customer with at least seventy-two (72) hours prior written notice of scheduled downtime for planned upgrades and maintenance (“Scheduled Downtime”). The Scheduled Downtime shall be limited to a maximum of four (4) hours, and wherever possible, the Scheduled Downtime will be targeted for Sundays or off-peak hours.
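As an added example (not part of the slides or of the NET+ agreement itself), the following Python applies the Exhibit B definitions quoted above to a constructed month of outages: a maintenance window is excluded from Downtime only if it met the 72-hour notice and 4-hour limit, uptime is computed over the remaining Scheduled Available Time, and the result is mapped to the credit tiers in the table. It assumes that a window failing either condition counts as unplanned Downtime and that exact tier boundaries resolve to the higher credit; the quoted text settles neither point, which is exactly the kind of ambiguity to pin down when reviewing an SLA.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Credit tiers quoted from Exhibit B of the NET+ Box agreement:
# (lower bound the month's uptime must exceed, credit %). 99.9% or better earns none.
CREDIT_TIERS = [(99.8, 10), (99.7, 20), (99.6, 30), (99.5, 40), (99.4, 50),
                (99.3, 60), (99.2, 70), (99.1, 80), (99.0, 90)]
NOTICE_REQUIRED = timedelta(hours=72)  # minimum prior written notice for maintenance
MAX_SCHEDULED = timedelta(hours=4)     # cap on a single Scheduled Downtime window

@dataclass
class Outage:
    start: datetime
    end: datetime
    notified_at: Optional[datetime] = None  # when written notice went out; None = unplanned

    def duration(self) -> timedelta:
        return self.end - self.start

    def is_scheduled_downtime(self) -> bool:
        # Only a window meeting BOTH Exhibit B conditions is excluded from Downtime.
        # Assumption (not stated on the slide): a window that misses the 72-hour
        # notice or runs past 4 hours is counted as unplanned Downtime instead.
        if self.notified_at is None:
            return False
        return (self.start - self.notified_at >= NOTICE_REQUIRED
                and self.duration() <= MAX_SCHEDULED)

def monthly_uptime(outages: List[Outage], month_start: datetime, month_end: datetime) -> float:
    """Uptime % over Scheduled Available Time (the month minus Scheduled Downtime)."""
    scheduled = sum((o.duration() for o in outages if o.is_scheduled_downtime()), timedelta())
    unplanned = sum((o.duration() for o in outages if not o.is_scheduled_downtime()), timedelta())
    available_time = (month_end - month_start) - scheduled
    return 100.0 * (available_time - unplanned) / available_time

def credit_percent(uptime: float) -> int:
    # The slide's table never assigns the exact boundaries (e.g. 99.8% on the nose);
    # this example resolves them to the higher credit, an assumption to settle in the SLA.
    if uptime >= 99.9:
        return 0
    for lower_bound, credit in CREDIT_TIERS:
        if uptime > lower_bound:
            return credit
    return 100

# Constructed sample month (September 2013); not taken from any real Box report.
MONTH_START = datetime(2013, 9, 1)
MONTH_END = datetime(2013, 10, 1)
SEPTEMBER_2013 = [
    # 3-hour window notified 6 days ahead: valid Scheduled Downtime, excluded.
    Outage(datetime(2013, 9, 8, 2), datetime(2013, 9, 8, 5), datetime(2013, 9, 2, 9)),
    # 5-hour window with proper notice: over the 4-hour cap, so counted as Downtime.
    Outage(datetime(2013, 9, 15, 1), datetime(2013, 9, 15, 6), datetime(2013, 9, 10, 9)),
    # 30-minute unplanned outage.
    Outage(datetime(2013, 9, 20, 14), datetime(2013, 9, 20, 14, 30)),
]

if __name__ == "__main__":
    uptime = monthly_uptime(SEPTEMBER_2013, MONTH_START, MONTH_END)
    print(f"uptime {uptime:.3f}%  ->  credit {credit_percent(uptime)}%")  # 99.233% -> 70%
```

Had the 5-hour window been accepted as Scheduled Downtime, the same month would compute to above 99.9% and no credit, which is why the definitions slide matters as much as the table.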
3) Data Protection, Access & Location
Image: http://www.flickr.com/photos/ian-s/2152798588/
Risk = How does a customer ensure that it retains ownership of its data in the cloud?
Mitigation = Clearly affirm customer ownership of its data in the contract.
3) Data Protection, Access & Location
8.1(a) …all rights, including all Proprietary Rights, in and to Enterprise Customer Data shall remain at all times the exclusive property of such Enterprise Customer. This Agreement does not grant Service Provider any right… except for the limited right to process, transfer, store and archive Enterprise Customer Data as expressly stated in this Agreement solely to the extent necessary for Service Provider to fulfill its obligations under this Agreement.
3) Data Protection, Access & Location
Image: http://www.flickr.com/photos/nostalgicglass/1188551383/
Risk = Will the cloud service provider assume appropriate responsibility in the event a data breach of the provider’s infrastructure allows inappropriate access to the customer’s data?
Mitigation = Codify the cloud service provider’s data breach responsibilities in the contract.
3) Data Protection, Access & Location
Section 8.6 …(i) promptly notify Internet2 and all impacted or potentially impacted Enterprise Customers of the Security Incident in a timely manner to meet the breach notification requirements under Applicable Law; (ii) promptly investigate the Security Incident and promptly provide Internet2 and all impacted or potentially impacted Enterprise Customers with detailed information about the Security Incident; and…
3) Data Protection, Access & Location
Section 8.6 (iii) promptly take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Following the occurrence of a Security Incident, Service Provider will take prompt and appropriate corrective action aimed at preventing the reoccurrence of a similar Security Incident in the future.
3) Data Protection, Access & Location
Location of Data
Different Laws
Which Law Applies to My Data?
Identify Data Center Location(s)
Image: http://commons.wikimedia.org/wiki/File:Worldmap_LandAndPolitical.jpg
3) Data Protection, Access & Location
8.2(d) All servers that will store Enterprise Customer Data will be located by Service Provider in production and disaster recovery datacenters only in the continental United States. Service Provider may only store Enterprise Customer Data outside of the continental United States with the prior express written permission of the applicable Enterprise Customer, and then only in such territory(ies) or country(ies) as identified in any such prior express written permission.
3) Data Protection, Access & Location
Image: http://www.flickr.com/photos/kenmccown/3917497679/sizes/l/in/photostream/
Legal Requests for Access to Data
Notification of Requests Before They Provide Access To Your Data
Cooperate in Managing Release
3) Data Protection, Access & Location
8.5 Upon receipt of valid legal process (the “Legal Request”), Service Provider will attempt to redirect the requesting third party to the applicable Enterprise Customer to acquire any Enterprise Customer Data. If Service Provider’s redirecting efforts are unsuccessful, and provided Service Provider is not prohibited by law from doing so, Service Provider will, prior to disclosure, provide as much advance notice as possible, but at least thirty (30) days advance notice if at all possible to the applicable Enterprise Customer of the Legal Request, which notice will include, to the extent permitted by law, a copy of the Legal Request received by Service Provider from the third party.
4) Vendor Relationship
Cost of Change = Significant
Contractually Codify in Advance
Costs to Continue Using
Terms to Terminate/Change
4) Vendor Relationship
Cost to Continue Using
Renewal Price Caps as the Lesser of:
• Consumer Price Index (CPI)
• A Set Percentage (3%, 5%, etc.)
• What Others Pay
Going Forward For As Long As Possible
Image: http://www.flickr.com/photos/banky177/1664346876/
4) Vendor Relationship
Exhibit E, 1(a) Service Provider will not increase the rate charged to Internet2 in connection with the Services to any Enterprise Customer by more than five percent (5%) per Contract Year…
Exhibit E, 1(b) …the Fees set forth on this Exhibit E are at least ten percent (10%) below Service Provider’s then-current list price for such Service.
4) Vendor Relationship
Termination
Keep Decision Within Your Control
Restrict to Triggering Events
Include Customer Opportunity to Cure
Image: http://www.flickr.com/photos/mwichary/2356651346/
4) Vendor Relationship
3.5 Service Provider shall have the right to suspend a User’s or an Enterprise Customer’s access to the Services, in whole or in part, only: (a) if Service Provider reasonably believes that a User’s or an Enterprise Customer’s use of the Services represents a direct or indirect threat to Service Provider’s network operation or integrity or any Person’s use of the Services; (b) if reasonably necessary to prevent unauthorized access to Enterprise Customer Data; or (c) to the extent necessary to comply with legal requirements…
4) Vendor Relationship
3.5 …Service Provider will (i) use reasonable efforts to suspend only the minimum portion of the Services necessary to address the issues giving rise to the suspension; (ii) suspend the provision of the Services to only the Users whose actions necessitated the suspension… if at all practicable; and (iii) provide Internet 2 and any applicable Enterprise Customer with advance notice of any suspension and an opportunity to discuss the matter with Service Provider before such suspension occurs…
4) Vendor Relationship
Mergers and Acquisitions
Due Diligence
None of Us Can Predict the Future
Evolving Market Space
Terms Binding on Successors/Assigns
Image: http://www.flickr.com/photos/wokka/3585254925/sizes/l/in/photostream/
4) Vendor Relationship
9.9 …each Party shall have the right to assign or transfer all of its rights and obligations under this Agreement… provided that in the event of assignment under either (a) or (b), such assignee/transferee agrees to be bound by the terms and conditions of this Agreement (and for the avoidance of doubt any assignment by Service Provider to a Person must include an assignment to such Person of all of Service Provider’s responsibilities, obligations, etc….
4) Vendor Relationship
Service Provider Outsourcing
Increases Complexity
Service Provider to Identify Third Parties
Service Provider Remains Responsible
4) Vendor Relationship
9.20 All actions of Service Provider Contractor/Agents in connection with this Agreement or any Customer Agreement are attributable to Service Provider for all purposes under this Agreement... Service Provider shall include in all of its agreements with Service Provider Contractor/Agents the obligations, representations, covenants, warranties and agreements contained in the Sections of this Agreement… to ensure Service Provider Contractor/Agents compliance with such matters to the same extent that Service Provider must comply with and agree to such matters under this Agreement.
What’s a campus to do? Start now!
1. Create a campus strategy for internal & external cloud services.
2. Create a “cloud first” culture by partnering with your legal and procurement teams, and other key stakeholders. Restructure internal processes and policies with cloud in mind.
3. Develop positions that focus on Cloud Product Management: Create new or reposition existing positions to get started.
4. Develop a campus identity solution built on open standards. Join the 300+ campuses in InCommon.org.
5. Support competition for services so there are choices—but constrained, not unlimited choices.
6. Evaluate Internet2 NET+ opportunities. Examine your own portfolios and consider which projects could benefit from NET+ scale, and attend NET+ webinars.
How Can I Learn More?
To learn more about Internet2 NET+ agreements
http://www.internet2.edu/netplus/
How Can I Learn More?
To learn more about general cloud risk mitigation issues:
“Cloud Computing Risk Mitigation Via Contract Negotiation and Vendor Management”
SAM Summit 2013, June 25, 2013, Chicago, IL
To register, please go to: www.ThomasTrappler.com
Internet2 Cloud Proud™
Questions?
Cloud Proud™ Development
Image: http://www.flickr.com/photos/lisanolan/5031989966/