gt - georgia dgs presentation - cloud - how to get and how to get out - s nichols
-
8/11/2019 GT - Georgia DGS Presentation - Cloud - How to Get and How to Get Out - S Nichols
Cloud How to Get In and How to Get Out
Contract provisions
Steve Nichols
Georgia Technology Authority
Sept. 18, 2014
-
Cloud Ts & Cs Best Practice Guide
http://www.govtech.com/cdg/
Service Models
Data
Breach Notification
Security
Audits
Operations
-
Cloud Trends in Georgia State Government
Small apps going to cloud
Large apps, apps with regulated data staying in state data center
Primarily software as a service (SaaS)
Driven by business
-
Contracts
Contracts will be mostly silent on the things I'm going to tell you about
Compliance information and operational processes will likely be on website
Security details will be in SSAE 16 SOC report
Put your reading glasses on
-
Contracts, continued
Infrastructure as a service (IaaS), Software as a service (SaaS), Platform as a service (PaaS), or cloud broker?
SaaS contracts are usually too small in dollars to negotiate (much): prepare to be disappointed
"We always do this" vs. "We promise to do this"
Expect multiple layers of vendors
-
Getting In
Ownership of data
Location of data
Security
-
And Getting Out
Import/Export of Data
Termination/Suspension
-
Getting In: Data Ownership
The public jurisdiction owns all of its data.
The service provider will not access the data except as needed to do the work of the contract.
The public jurisdiction owns all data obtained by the service provider in the performance of this contract.
(applies to SaaS and IaaS)
-
Getting In: Data Location
Data at rest: the service provider will not store any of the public jurisdiction's data outside the U.S.
Laptops and USB drives: the service provider will not allow its personnel or contractors to store public jurisdiction data on portable devices, except for devices that are used and kept only at its U.S. data centers.
Remote access: the service provider shall permit its personnel and contractors to access public jurisdiction data remotely only as required to provide technical support.
(applies to SaaS and IaaS)
-
Getting In: Security
The service provider will perform background checks on staff, including subcontractors.
The service provider shall perform an independent audit of its data centers at least annually.
The service provider will make a version of that audit available to you (probably as an SSAE 16 SOC 2 report)
Subcontractors!
(applies to SaaS and IaaS)
-
Getting Out: Why It Matters
Orderly retreat or rout?
Gartner: about 25% of the top 100 IT service providers in the infrastructure space won't be around by 2015
Nirvanix as a cautionary tale
Cloud storage provider (public, private, and hybrid), founded in 2007
Notified customers to get their data on Sept. 16th, 2013
Deactivated website on Sept. 28th, filed for Chapter 11 bankruptcy on October 1st.
-
Getting Out: Import/Export of Data
The public jurisdiction can import or export its data whenever needed.
Termination for convenience: be prepared for 30 days
-
Getting Out: Termination/Suspension
The service provider will not erase the public jurisdiction's data in the event of a suspension or when the contract is terminated.
Specific time periods are established where data will be preserved by the service provider.
The service provider will destroy data using a NIST-approved method when requested by the public jurisdiction.
-
Cloud Ts & Cs Best Practice Guide
http://www.govtech.com/cdg/