Copyright © 2013 Thomas Trappler All Rights Reserved.


2 Internet2 Cloud Proud™ Change Management and transition framework to help accelerate adoption of cloud services in a best practices model. Training modules tailored to different areas of a campus, including:
- Overview
- Procurement
- Legal
- IT Integration Network
- IT Integration Identity
- Security & Privacy Review

3 Cloud Computing Risk Mitigation To Ask Questions Online, Please email: netplus-training@internet2.edu

4 Cloud Computing Risk Mitigation Transitioning to the Cloud = Paradigm Shift
From: Technically Managed. “I build it, I maintain it.”
To: Contractually Managed. “Someone else is doing this for me, how do I ensure they’re doing it right?”

5 Cloud Computing Risk Mitigation As with the adoption of any IT solution, the adoption of a cloud computing solution comes with both benefits and risks. http://www.flickr.com/photos/61056899@N06/5751301741/sizes/l/in/photostream/

6 Cloud Computing Risk Mitigation The question is: How can we most effectively mitigate the risks associated with adopting a cloud computing solution so as to maximize the benefits? http://www.flickr.com/photos/takomabibelot/4373062612/

7 Cloud Computing Risk Mitigation Key Ways To Mitigate Risks
Contract Negotiation: “What do I get?”
Vendor Management: “How do I ensure that I continue to get it?”
If it’s not in the contract, don’t expect to get it.

8 Cloud Computing Risk Mitigation Internet2 NET+ Agreements Get It In The Contract For You

9 Cloud Computing Risk Mitigation Multiple Variations = SaaS, IaaS, PaaS. Contract Issues Are Similar:
1) Infrastructure/Security
2) Service Level Agreements
3) Data Protection, Access & Location
4) Vendor Relationship

10 Cloud Computing Risk Mitigation Key Factors
Data Sensitivity: ranges from Public to Sensitive
Business Criticality: ranges from Downtime = Tolerable to Downtime = Business Stops

11 1) Infrastructure/Security Physical Data Center Behind Every Cloud. All Cloud Service Providers Are NOT Created Equally. A New and Evolving Market Space.

12 1) Infrastructure/Security How do we ensure we’re getting this… http://www.wired.com/wiredenterprise/2012/10/ff-inside-google-data-center/

13 1) Infrastructure/Security …and not this? http://thedrunksysadmin.com/pictures/thedrunksysadminCompressed.jpg

14 1) Infrastructure/Security Identify Cloud Service Provider’s Infrastructure and Security Practices

15 How? Ask Questions http://www.flickr.com/photos/colinkinner/2200500024/

16 1) Infrastructure/Security 8.10 After the Effective Date, Service Provider shall promptly complete the Cloud Security Alliance GRC Stack Cloud Controls Matrix (“CCM”) spreadsheet and shall promptly provide it to each Enterprise Customer upon execution a Customer Agreement...

17 Cloud Controls Matrix: Information Security, Physical Security, Operations Management

18 1) Infrastructure/Security Determine Which Practices Are Important. Codify Them in the Contract. Incorporate Responses in Contract.

19 1) Infrastructure/Security 8.3(d) Service Provider has established, and will throughout the Term maintain, the data security policy and practices applicable to the Service Provider Platform as set forth on Exhibit G... throughout the Term, Service Provider will at a minimum abide by data security practices that are at least as protective as the data security practices set forth in the Service Provider Online Information Security Policy…

20 1) Infrastructure/Security Once You’ve Got Them in the Contract, How Do You Verify These Things?

21 1) Infrastructure/Security Third Party Certifications
- No Formal Standard
- ISO 27001/27002
- SSAE 16, SOC 2 & 3 (Replaced SAS 70)
- FIPS 200/SP 800-53
- CSA Open Certification Framework
http://www.flickr.com/photos/42106306@N00/4380803535/

22 1) Infrastructure/Security 8.3(e) Service Provider represents and warrants that within the past twelve (12) months it has been certified as compliant with Statement on Standards for Attestation Engagements (“SSAE”) No. 16 and ISO 27001 by a reputable independent third-party auditor(s)…

23 1) Infrastructure/Security Re-Certify: at least annually, and after any reasonably suspected breach. Report provision, including timeframe. Your organization must thoroughly review.

24 1) Infrastructure/Security 8.3(f) Such audit: (i) will be performed at least annually and will also be performed promptly after the occurrence, if any, of a Security Incident… and (iv) will result in the generation of an audit report… which Service Provider will provide to Internet2 and the Enterprise Customers within thirty (30) days of its completion…

25 1) Infrastructure/Security Risk = How does a customer know that a cloud service provider is sufficiently prepared to continue to provide the service in the event of a disaster? Mitigation = Require the cloud service provider to have a disaster recovery/business continuity plan. http://www.flickr.com/photos/redcross_bayarea/3990473293

26 1) Infrastructure/Security 8.3(d) …(iii) a business continuity plan that details Service Provider’s disaster recovery processes, policies and procedures, including the use of geographic redundancy, data backup/recovery, disaster recovery plan testing, and utilization of uninterruptible power supplies and backup generators, so that Service Provider shall be able to continue to fulfill its obligations under this Agreement in the event… of any disaster...

27 2) Service Level Agreements Software as a Service, Infrastructure as a Service, Platform as a Service: The key thing in common is “Service”.

28 2) Service Level Agreements Risk = How does a customer know that key elements of a cloud service provider’s service will be available at the appropriate levels when needed? Mitigation = Establish SLAs for pertinent parameters of the service.

29 2) Service Level Agreements Exhibit B, NET+ Box agreement - SLA for the following parameters of the service: Availability, Support, Error Correction

30 2) Service Level Agreements Risk = Is the cloud service provider appropriately measuring their performance of the service? Risk = How does a customer incentivize a cloud service provider to ensure that the appropriate level of service is maintained? Mitigation = Establish quantitative and unambiguous metrics for measuring SLA performance. Establish remedies for when the cloud service provider doesn’t meet the SLA.

31 2) Service Level Agreements Exhibit B Net+ Box agreement - “availability” SLA metrics and remedies:

Uptime Achieved (Calculated each Month)    Credit/Refund Available (against fees attributable to such month)
Less than 99.9% but more than 99.8%        10%
Less than 99.8% but more than 99.7%        20%
Less than 99.7% but more than 99.6%        30%
Less than 99.6% but more than 99.5%        40%
Less than 99.5% but more than 99.4%        50%
Less than 99.4% but more than 99.3%        60%
Less than 99.3% but more than 99.2%        70%
Less than 99.2% but more than 99.1%        80%
Less than 99.1% but more than 99.0%        90%
Less than 99.0%                            100%

32 2) Service Level Agreements SLA Definitions May Further Reduce Total Uptime. May Exclude Scheduled Maintenance. Does Scheduled Downtime Align With Your Needs?

33 2) Service Level Agreements Exhibit B Net+ Box agreement: Downtime refers to any periods within the Scheduled Available Time… during which the applications, systems and networks used to offer the Box Service are unavailable because of any outage that is unplanned. Box will provide Enterprise Customer with at least seventy-two (72) hours prior written notice of scheduled downtime for planned upgrades and maintenance (“Scheduled Downtime”). The Scheduled Downtime shall be limited to a maximum of four (4) hours, and wherever possible, the Scheduled Downtime will be targeted for Sundays or off-peak hours.
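The slides on metrics (slide 30), the Exhibit B credit tiers (slide 31) and the Downtime / Scheduled Downtime definitions (slides 32 and 33) describe a calculation a customer should be able to reproduce from its own monitoring data. The following is an added example, not code from the presentation or from the NET+ Box agreement: it computes a month's availability two ways over a constructed outage log (raw, counting every outage minute, and SLA-defined, where Scheduled Downtime is removed from the Scheduled Available Time) and maps the SLA figure to the credit tier. Two points are assumptions rather than contract text: an outage is only treated as Scheduled Downtime if it met the quoted conditions (at least 72 hours' notice, at most 4 hours long), and since the quoted tier wording leaves exact boundary values undefined, "less than" is treated strictly and a value equal to a lower bound falls into the band above it.

```python
"""Monthly availability and SLA credit calculation (added example).

Not from the slides or the NET+ Box agreement. Implements the Exhibit B
credit tiers and the Downtime / Scheduled Downtime definitions quoted on
the slides over a constructed outage log. Assumptions are marked inline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Exhibit B tiers: each 0.1% band below 99.9% adds 10% credit, capped at 100%.
# Assumption: "less than X but more than Y" is applied with a strict "less
# than"; a value exactly equal to a lower bound lands in the band above it.
TIERS = [99.9, 99.8, 99.7, 99.6, 99.5, 99.4, 99.3, 99.2, 99.1, 99.0]


def credit_percent(uptime_pct: float) -> int:
    """Map achieved monthly uptime (%) to the credit/refund percentage."""
    bands_missed = sum(1 for t in TIERS if uptime_pct < t)
    return min(100, 10 * bands_missed)


@dataclass
class Outage:
    start: datetime
    end: datetime
    scheduled: bool = False     # provider declared it planned maintenance
    notice_hours: float = 0.0   # written notice actually given before start

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


# Assumption: an outage counts as "Scheduled Downtime" (excluded from the
# measure) only if it met the contractual conditions quoted on the slide.
MIN_NOTICE = timedelta(hours=72)
MAX_SCHEDULED = timedelta(hours=4)


def qualifies_as_scheduled(o: Outage) -> bool:
    return (o.scheduled
            and timedelta(hours=o.notice_hours) >= MIN_NOTICE
            and o.duration <= MAX_SCHEDULED)


def monthly_availability(month_start: datetime, month_end: datetime,
                         outages: list) -> dict:
    """Return raw vs. SLA-defined uptime for one month plus the credit tier.

    raw_uptime_pct: every outage minute counts against the whole month.
    sla_uptime_pct: qualifying Scheduled Downtime is removed from both the
    numerator and the denominator ("Scheduled Available Time").
    """
    total = month_end - month_start
    scheduled = sum((o.duration for o in outages if qualifies_as_scheduled(o)),
                    timedelta())
    unplanned = sum((o.duration for o in outages if not qualifies_as_scheduled(o)),
                    timedelta())
    scheduled_available = total - scheduled
    raw = (total - scheduled - unplanned) / total * 100
    sla = (scheduled_available - unplanned) / scheduled_available * 100
    return {
        "raw_uptime_pct": round(raw, 3),
        "sla_uptime_pct": round(sla, 3),
        "scheduled_hours": scheduled / timedelta(hours=1),
        "unplanned_hours": unplanned / timedelta(hours=1),
        "credit_pct": credit_percent(sla),
    }


def example_month() -> dict:
    """Constructed outage log for June 2013 (30 days = 720 hours)."""
    outages = [
        # Sunday maintenance window, 96h notice, 3h long: qualifies.
        Outage(datetime(2013, 6, 2, 2), datetime(2013, 6, 2, 5),
               scheduled=True, notice_hours=96),
        # Unplanned 45-minute outage.
        Outage(datetime(2013, 6, 12, 14, 0), datetime(2013, 6, 12, 14, 45)),
        # Declared "scheduled" but only 48h notice and 6h long: both limits
        # breached, so it is counted as unplanned Downtime.
        Outage(datetime(2013, 6, 20, 1), datetime(2013, 6, 20, 7),
               scheduled=True, notice_hours=48),
    ]
    return monthly_availability(datetime(2013, 6, 1), datetime(2013, 7, 1), outages)


if __name__ == "__main__":
    for key, value in example_month().items():
        print(f"{key}: {value}")
```

On the constructed log the raw measure is about 98.6% while the SLA-defined measure is about 99.1%, which is the effect slide 32 warns about: the exclusion raises the number the provider reports. Checking the notice and duration of each "scheduled" window, as the code does, is the customer-side check that keeps a provider from excluding windows that did not meet the agreed conditions.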

34 3) Data Protection, Access & Location http://www.flickr.com/photos/ian-s/2152798588/ Risk = How does a customer ensure that it retains ownership of its data in the cloud? Mitigation = Clearly affirm customer ownership of its data in the contract.

35 3) Data Protection, Access & Location 8.1(a) …all rights, including all Proprietary Rights, in and to Enterprise Customer Data shall remain at all times the exclusive property of such Enterprise Customer. This Agreement does not grant Service Provider any right… except for the limited right to process, transfer, store and archive Enterprise Customer Data as expressly stated in this Agreement solely to the extent necessary for Service Provider to fulfill its obligations under this Agreement.

36 3) Data Protection, Access & Location http://www.flickr.com/photos/nostalgicglass/1188551383/ Risk = Will the cloud service provider assume appropriate responsibility in the event a data breach of the provider’s infrastructure allows inappropriate access to the customer’s data? Mitigation = Codify the cloud service provider’s data breach responsibilities in the contract.

37 3) Data Protection, Access & Location Section 8.6 …(i) promptly notify Internet2 and all impacted or potentially impacted Enterprise Customers of the Security Incident in a timely manner to meet the breach notification requirements under Applicable Law; (ii) promptly investigate the Security Incident and promptly provide Internet2 and all impacted or potentially impacted Enterprise Customers with detailed information about the Security Incident; and…

38 3) Data Protection, Access & Location Section 8.6 (iii) promptly take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Following the occurrence of a Security Incident, Service Provider will take prompt and appropriate corrective action aimed at preventing the reoccurrence of a similar Security Incident in the future.

39 3) Data Protection, Access & Location Location of Data: Different Laws. Which Law Applies to My Data? Identify Data Center Location(s). http://commons.wikimedia.org/wiki/File:Worldmap_LandAndPolitical.jpg

40 3) Data Protection, Access & Location 8.2(d) All servers that will store Enterprise Customer Data will be located by Service Provider in production and disaster recovery datacenters only in the continental United States. Service Provider may only store Enterprise Customer Data outside of the continental United States with the prior express written permission of the applicable Enterprise Customer, and then only in such territory(ies) or country(ies) as identified in any such prior express written permission.

41 3) Data Protection, Access & Location http://www.flickr.com/photos/kenmccown/3917497679/sizes/l/in/photostream/ Legal Requests for Access to Data: Notification of Requests Before They Provide Access To Your Data. Cooperate in Managing Release.

42 3) Data Protection, Access & Location 8.5 Upon receipt of valid legal process (the “Legal Request”), Service Provider will attempt to redirect the requesting third party to the applicable Enterprise Customer to acquire any Enterprise Customer Data. If Service Provider’s redirecting efforts are unsuccessful, and provided Service Provider is not prohibited by law from doing so, Service Provider will, prior to disclosure, provide as much advance notice as possible, but at least thirty (30) days advance notice if at all possible to the applicable Enterprise Customer of the Legal Request, which notice will include, to the extent permitted by law, a copy of the Legal Request received by Service Provider from the third party.

43 4) Vendor Relationship Cost of Change = Significant. Contractually Codify in Advance: Costs to Continue Using; Terms to Terminate/Change.

44 4) Vendor Relationship Cost to Continue Using: Renewal Price Caps as the Lesser of: Consumer Price Index (CPI); A Set Percentage (3%, 5%, etc.); What Others Pay. Going Forward For As Long As Possible. http://www.flickr.com/photos/banky177/1664346876/

45 4) Vendor Relationship Exhibit E, 1(a) Service Provider will not increase the rate charged to Internet2 in connection with the Services to any Enterprise Customer by more than five percent (5%) per Contract Year… Exhibit E, 1(b) …the Fees set forth on this Exhibit E are at least ten percent (10%) below Service Provider’s then-current list price for such Service.

46 4) Vendor Relationship Termination: Keep Decision Within Your Control. Restrict to Triggering Events. Include Customer Opportunity to Cure. http://www.flickr.com/photos/mwichary/2356651346/

47 4) Vendor Relationship 3.5 Service Provider shall have the right to suspend a User’s or an Enterprise Customer’s access to the Services, in whole or in part, only: (a) if Service Provider reasonably believes that a User’s or an Enterprise Customer’s use of the Services represents a direct or indirect threat to Service Provider’s network operation or integrity or any Person’s use of the Services; (b) if reasonably necessary to prevent unauthorized access to Enterprise Customer Data; or (c) to the extent necessary to comply with legal requirements…

48 4) Vendor Relationship 3.5 …Service Provider will (i) use reasonable efforts to suspend only the minimum portion of the Services necessary to address the issues giving rise to the suspension; (ii) suspend the provision of the Services to only the Users whose actions necessitated the suspension… if at all practicable; and (iii) provide Internet 2 and any applicable Enterprise Customer with advance notice of any suspension and an opportunity to discuss the matter with Service Provider before such suspension occurs…

49 4) Vendor Relationship Mergers and Acquisitions: Due Diligence. None of Us Can Predict the Future. Evolving Market Space. Terms Binding on Successors/Assigns. http://www.flickr.com/photos/wokka/3585254925/sizes/l/in/photostream/

50 4) Vendor Relationship 9.9 …each Party shall have the right to assign or transfer all of its rights and obligations under this Agreement… provided that in the event of assignment under either (a) or (b), such assignee/transferee agrees to be bound by the terms and conditions of this Agreement (and or the avoidance of doubt any assignment by Service Provider to a Person must include an assignment to such Person of all of Service Provider’s responsibilities, obligations, etc….

51 4) Vendor Relationship Service Provider Outsourcing Increases Complexity. Service Provider to Identify Third Parties. Service Provider Remains Responsible.

52 4) Vendor Relationship 9.20 All actions of Service Provider Contractor/Agents in connection with this Agreement or any Customer Agreement are attributable to Service Provider for all purposes under this Agreement... Service Provider shall include in all of its agreements with Service Provider Contractor/Agents the obligations, representations, covenants, warranties and agreements contained in the Sections of this Agreement… to ensure Service Provider Contractor/Agents compliance with such matters to the same extent that Service Provider must comply with and agree to such matters under this Agreement.

53 What’s a campus to do? Start now! Create a campus strategy for internal & external cloud services. Create a “cloud first” culture by partnering with your legal and procurement teams, and other key stakeholders. Restructure internal processes and policies with cloud in mind. Develop positions that focus on Cloud Product Management: Create new or reposition existing positions to get started.

54 What’s a campus to do? Start now! Develop a campus identity solution built on open standards. Join the 300+ campuses in InCommon.org. Support competition for services so there are choices—but constrained, not unlimited choices. Evaluate Internet2 NET+ opportunities. Examine your own portfolios and consider which projects could benefit from NET+ scale, attend NET+ webinars.

55 How Can I Learn More? To learn more about Internet2 NET+ agreements http://www.internet2.edu/netplus/ netplus@internet2.edu

56 How Can I Learn More? To learn more about general cloud risk mitigation issues “Cloud Computing Risk Mitigation Via Contract Negotiation and Vendor Management” SAM Summit 2013 June 25, 2013, Chicago, IL To register, please go to: www.ThomasTrappler.com

57 Internet2 Cloud Proud™

58 http://www.flickr.com/photos/lisanolan/503198966/

