Demystifying Cloud Contracts and SLAs - ConfidentNow Webinar Series
DESCRIPTION
Do you have an agreement, or are you considering one, with a cloud service provider (CSP)? Did you know that in a December 2012 article, a Gartner analyst called the SLAs offered by two large cloud providers "worthless"? Are you aware that many off-the-shelf contracts with cloud providers leave the consumer accepting the majority of the risks and liabilities? This Cloud Webinar provides key information on cloud contracts and service level agreements, drawing on findings from the National Institute of Standards and Technology (NIST) Cloud Computing Working Group.
TRANSCRIPT
ConfidentGovernance.com - Award winning Cloud migration experts. Patent pending "Governance as a Service®" innovators
Cloud Contracts and SLAs
Mastering SLA Governance
Speakers – Dr. Ken Stavinoha, PhD, Cisco; Mr. John Messina, Computer Scientist, NIST
Host – Bhavesh C. Bhagat, CGEIT, CISM, MBA, BE, EnCrisp - ConfidentGovernance.com
ConfidentNOW Global Governance Webinar Series
Today's Presenters
Dr. Ken Stavinoha, PhD, CISM, CISSP – Cisco
Mr. John Messina, Computer Scientist – NIST
Bhavesh C. Bhagat, CISM, CGEIT, MBA, BE – EnCrisp – ConfidentGovernance.com
EnCrisp is an INC 500 award-winning global leader in providing "business driven" solutions enhancing trust, governance, cyber security and risk transparency since 2004.
EnCrisp's Confident Governance® is an award-winning "Governance as a Service®" Cloud Governance™ company and a 2011 Global Entrepreneurship (GEW50) Kauffman 50 Global Awardee.
It is a Governance, Security, Risk, Audit and Social Compliance collaboration platform that you access over the Internet on a pay-as-you-go basis.
AWARDS – INC 500; 2011 Global Entrepreneurship Kauffman 50 Start-Ups; 2011 NVTC Hot Ticket, Hottest Buzz; 2011 GovTek Best Cloud Government Solution; 2010 Business Insurance Risk Technology
SAFE Harbor Disclosure CONFIDENT GOVERNANCE AND ENCRISP
Cloud Contracts And SLA Governance
i. Intro to Service Level Agreements
ii. Cloud Services Scope and Control
iii. NIST SLA Contracts
iv. Risk Factors Affecting Cloud SLAs
v. Resources and Next Webinar…
Cloud Services Scope and Control
Source: NIST SP800-144 Draft
SLA Definitions
Service Agreement (also known as "Terms of Service" or "Terms and Conditions"): a legal document specifying the rules of the legal contract between the cloud user and the cloud provider.
Service-Level Agreement: a document stating the technical performance promises made by the cloud provider, how disputes are to be discovered and handled, and any remedies for performance failures. (NIST SP 800-146)
Cloud Computing Risks
Differences in Scope and Control among Cloud Service Models
Source: Ernst & Young 2010 Global Information Security Survey
Cloud Risk Mitigation
Source: Ernst & Young 2011 Global Information Security Survey
What Providers Say: Cloud Adoption Drivers
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
What Providers Say: Cloud Security Risk Mitigation
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
What Providers Say: Who is Responsible for Cloud Security
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
NIST CC Public Working Groups
NIST's Goal: Accelerate the federal government's adoption of cloud computing
– Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders
Voluntary Working Groups with industry, SDOs, USG and academia (launched Nov. 5, 2010)
• 5 Working Groups (Reference Architecture / Taxonomy, Security, Standards Roadmap, …)
• 300+ registered members per working group
Contract/SLA Subgroup
• The RATAX working group was asked to identify additional areas of cloud computing that could be better defined through the development of appropriate taxonomies
• The SLA sub-group focused on identifying whether any suitable existing SLA format or guide could be used to identify all the key elements that should go into a Cloud SLA
• Existing contracts and research were examined for commonalities and relationships in form and content
• Definitions pertinent to cloud contracts and SLAs were collected and formulated
Role of Contracts and SLAs
Contracts and service level agreements play a key role in the procurement of cloud computing services.
The consumer may have an agreement with one provider, but the service may be delivered via a myriad of subcontractors or other dependencies that have no direct contractual obligation to the consumer.
The consumer may have no knowledge of these third parties unless the provider chooses, or is otherwise required, to disclose them; yet these entities may incur risk for which the consumer could ultimately be liable.
Agency Compliance Requirements
• Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
• E-Authentication Guidance for Federal Agencies [OMB M-04-04]
• Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
• Freedom of Information Act as Amended in 2002 [PL 104-232, 5 USC 552]
• Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]
• Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7]
• Internal Control Systems [OMB Circular A-123]
• Management of Federal Information Resources [OMB Circular A-130]
• Management's Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
• Privacy Act of 1974 as amended [5 USC 552a]
• Protection of Sensitive Agency Information [OMB M-06-16]
• Records Management by Federal Agencies [44 USC 31]
• Rehabilitation Act of 1973 [Section 508 Amendment]
• Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
• Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
• The Federal Risk and Authorization Management Program (FedRAMP)
Four Pillars of SLA Governance
SLA (at the center), supported by:
• Contract
• Cloud Service Provider
• Metrics
• Legal Landscape
Cloud MSA Mind Map
Cloud SLA Mind Map
FedRAMP CIS Worksheet
Ongoing Work of NIST CC Contract and SLA Subgroup
• Analyze negotiated SLAs/Contracts
• Complete the NIST RA Cloud Contract/SLA draft document and present it for public comment
• Collaborate with the Cloud Metrics team
• Participate in the ISO/IEC JTC 1/SC 38 effort on cloud SLAs
THREE KEY TAKEAWAYS
Look Before You Leap - Consumers need to perform reasonable due diligence in examining cloud providers and their subcontractors
Solicit Input - A committee, rather than one or two individuals, should formulate the requirements for cloud contracts, including SLAs
Don't Reinvent the Wheel - Organizations should examine existing controls to identify key issues to include in cloud service contracts and SLAs
RESOURCES
www.confidentgovernance.com/confidentnow
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/RATax_Jan20_2012/NIST_CC_WG_ContractSLA_Deliverable_Draft_v1.9.pdf
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/RATax_CloudMetrics
http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf
http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/13th-Global-Information-Security-Survey-2010---Information-technology--friend-or-foe-
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
http://csrc.nist.gov/publications/PubsSPs.html
Questions & Comments
For additional information:
Ken E. Stavinoha, PhD – NIST CC RA Contracts/SLA Sub-team Leader
John Messina – Chair, NIST CC RA Working Group
Bhavesh C. Bhagat – Co-Founder, EnCrisp and ConfidentGovernance.com
NEXT WEBINAR IN SERIES
Cloud Encryption
DATE: Feb. 28, 2013
TIME: 11.00-11.45 A.M.
Speakers – Dr. Ken Stavinoha, Cisco Systems; Dr. Sarbari Gupta, Electrosoft
Host – Bhavesh C. Bhagat, EnCrisp – ConfidentGovernance.com
Register Now: http://bit.ly/WyH7R8
http://www.confidentgovernance.com/events/88-webinar
ConfidentNOW Global Governance Webinar Series
THANK YOU