gt - georgia dgs presentation - cloud - how to get and how to get out - s nichols

Upload: erepublic

Post on 02-Jun-2018


TRANSCRIPT

  • 8/11/2019 GT - Georgia DGS Presentation - Cloud - How to Get and How to Get Out - S Nichols

    1/14

    Cloud How to Get In and How to Get Out

    Contract provisions

    Steve Nichols

    Georgia Technology Authority

    Sept. 18, 2014


    2/14

    Cloud Ts & Cs Best Practice Guide

    http://www.govtech.com/cdg/

    Service Models

    Data

    Breach Notification

    Security

    Audits

    Operations


    3/14

    Cloud Trends in Georgia State Government

    Small apps going to cloud

    Large apps, apps with regulated data staying in state data center

    Primarily software as a service (SaaS)

    Driven by business


    4/14

    Contracts

    Contracts will be mostly silent on the things I'm going to tell you about

    Compliance information and operational processes will likely be on the website

    Security details will be in the SSAE 16 SOC report

    Put your reading glasses on


    5/14

    Contracts, continued

    Infrastructure as a service (IaaS), Software as a service (SaaS), Platform as a service (PaaS), or cloud broker?

    SaaS contracts are usually too small in dollars to negotiate (much): prepare to be disappointed

    "We always do this" vs. "We promise to do this"

    Expect multiple layers of vendors


    6/14

    Getting In

    Ownership of data

    Location of data

    Security


    7/14

    And Getting Out

    Import/Export of Data

    Termination/Suspension


    8/14

    Getting In: Data Ownership

    The public jurisdiction owns all of its data.

    The service provider will not access the data except as needed to do the work of the contract.

    The public jurisdiction owns all data obtained by the service provider in the performance of this contract.

    (applies to SaaS and IaaS)


    9/14

    Getting In: Data Location

    Data at rest: the service provider will not store any of the public jurisdiction's data outside the U.S.

    Laptops and USB drives: the service provider will not allow its personnel or contractors to store public jurisdiction data on portable devices, except for devices that are used and kept only at its U.S. data centers.

    Remote access: the service provider shall permit its personnel and contractors to access public jurisdiction data remotely only as required to provide technical support.

    (applies to SaaS and IaaS)


    10/14

    Getting In: Security

    The service provider will perform background checks on staff, including subcontractors.

    The service provider shall perform an independent audit of its data centers at least annually, and will make a version of that audit available to you (probably as an SSAE 16 SOC 2 report).

    Subcontractors!

    (applies to SaaS and IaaS)


    11/14

    Getting Out: Why It Matters

    Orderly retreat or rout?

    Gartner: about 25% of the top 100 IT service providers in the infrastructure space won't be around by 2015

    Nirvanix as a cautionary tale:

    Cloud storage provider (public, private, and hybrid), founded in 2007

    Notified customers to get their data on Sept. 16th, 2013

    Deactivated website on Sept. 28th, filed for Chapter 11 bankruptcy on October 1st.


    12/14

    Getting Out: Import/Export of Data

    The public jurisdiction can import or export its data whenever needed.

    Termination for convenience: be prepared for 30 days


    13/14

    Getting Out: Termination/Suspension

    The service provider will not erase the public jurisdiction's data in the event of a suspension or when the contract is terminated.

    Specific time periods are established during which data will be preserved by the service provider.

    The service provider will destroy data using a NIST-approved method when requested by the public jurisdiction.


    14/14

    Cloud Ts & Cs Best Practice Guide

    http://www.govtech.com/cdg/