Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series
1. ConfidentNOW
Global Governance Webinar Series
Cloud Contracts and SLAs
Mastering SLA Governance
Speaker – Dr. Ken Stavinoha, PhD, Cisco
Mr. John Messina, Computer Scientist, NIST
Host – Bhavesh C. Bhagat, EnCrisp - ConfidentGovernance.com
CGEIT, CISM, MBA, BE
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
2. Today’s Presenters
Dr. Ken Stavinoha, PhD, CISM, CISSP – Cisco
Mr. John Messina, Computer Scientist – NIST
Bhavesh C. Bhagat, CISM, CGEIT, MBA, BE – EnCrisp – ConfidentGovernance.com
3. EnCrisp is an INC 500 award-winning global leader in providing “business driven” solutions enhancing trust, governance, cyber security and risk transparency since 2004.
EnCrisp’s Confident Governance® is an award-winning “Governance as a Service®” Cloud Governance™ company.
2011 Global Entrepreneurship (GEW50) Kauffman 50 Global Awardee
Governance, Security, Risk, Audit and Social Compliance collaboration platform that you access over the Internet and pay-as-you-go.
AWARDS – INC 500; 2011 Global Entrepreneurship Kauffman 50 Start-Ups; 2011 NVTC Hot Ticket Hottest Buzz; 2011 GovTek Best Cloud Government Solution; 2010 Business Insurance Risk Technology
4. Cloud Contracts And SLA Governance
i. Intro to Service Level Agreement
ii. Cloud Services Scope and Control
iii. SLA NIST Contracts
iv. Risk Factors Affecting Cloud SLAs
v. Resources and Next Webinar…
5. Cloud Services Scope and Control
Source: NIST SP800-144 Draft
6. SLA Definition
Service Agreement: also known as “Terms of Service” or “Terms and Conditions”. A legal document specifying the rules of the legal contract between the cloud user and the cloud provider.
Service-Level Agreement: A document stating the technical performance promises made by the cloud provider, how disputes are to be discovered and handled, and any remedies for performance failures. (NIST SP 800-146)
7. Cloud Computing Risks
Source: Ernst & Young 2010 Global Information Security Survey
Differences in Scope and Control among Cloud Service Models
8. Cloud Risk Mitigation
Source: Ernst & Young 2011 Global Information Security Survey
9. What Providers Say:
Cloud Adoption Drivers
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
10. What Providers Say:
Cloud Security Risk Mitigation
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
11. What Providers Say:
Who is Responsible for Cloud Security
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
12. NIST CC Public Working Groups
NIST’s Goal: Accelerate the federal government’s adoption of cloud computing
– Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders
Voluntary Working Groups with industry, SDOs, USG, academia (launched Nov. 5, 2010)
• 5 Working Groups (Reference Architecture / Taxonomy, Security, Standards Roadmap, …)
• 300+ registered members per working group
13. Contract/SLA Subgroup
• The RATAX working group was asked to identify additional areas of cloud computing that could be better defined through the development of appropriate taxonomies
• The SLA sub-group focused on identifying whether any suitable existing SLA format or guide could be used to identify all the key elements that should go into a Cloud SLA
• Existing contracts and research were examined for commonalities and relationships in form and content
• Collected/formulated definitions pertinent to cloud contracts and SLAs
14. Role of Contracts and SLAs
Contracts and service level agreements play a key role in the procurement of cloud computing services.
The consumer may have an agreement with one provider, but the service may be delivered via a myriad of subcontractors or other dependencies that have no direct contractual obligation to the consumer.
The consumer may have no knowledge of these third parties unless the provider chooses, or is otherwise required, to disclose them, and yet these entities may incur risk for which the consumer could ultimately be liable.
15. Agency Compliance Requirements
• Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
• E-Authentication Guidance for Federal Agencies [OMB M-04-04]
• Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
• Freedom of Information Act as Amended in 2002 [PL 104-232, 5 USC 552]
• Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]
• Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7]
• Internal Control Systems [OMB Circular A-123]
• Management of Federal Information Resources [OMB Circular A-130]
• Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
• Privacy Act of 1974 as amended [5 USC 552a]
• Protection of Sensitive Agency Information [OMB M-06-16]
• Records Management by Federal Agencies [44 USC 31]
• Rehabilitation Act of 1973 [Section 508 Amendment]
• Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
• Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
• The Federal Risk and Authorization Management Program (FedRAMP)
16. Four Pillars of SLA Governance
[Diagram: SLA at the center, surrounded by the four pillars – Contract, Legal Landscape, Cloud Service Provider, Metrics]
17. Cloud MSA Mind Map
18. Cloud SLA Mind Map
20. Ongoing Work of NIST CC Contract and SLA Subgroup
• Analyze negotiated SLAs/Contracts
• Complete the NIST RA Cloud Contract/SLA draft document and present it for public comment
• Collaboration with the Cloud Metrics team
• Participation in the ISO/IEC JTC SC38 effort on cloud SLAs
21. THREE KEY TAKEAWAYS
Look Before You Leap – Consumers need to perform reasonable due diligence in examining cloud providers and their subcontractors
Solicit Input – A committee, rather than one or two individuals, should formulate the requirements for cloud contracts, including SLAs
Don’t Reinvent the Wheel – Organizations should examine existing controls to identify key issues to include in cloud service contracts and SLAs
22. RESOURCES
www.confidentgovernance.com/confidentnow
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/RATax_Jan20_2012/NIST_CC_WG_ContractSLA_Deliverable_Draft_v1.9.pdf
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/RATax_CloudMetrics
http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf
http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/13th-Global-Information-Security-Survey-2010---Information-technology--friend-or-foe-
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
http://csrc.nist.gov/publications/PubsSPs.html
23. Questions & Comments
For additional information:
Ken E. Stavinoha, PhD
NIST CC RA Contracts/SLA Sub-team Leader
kstavino@mail.com
John Messina
Chair, NIST CC RA Working Group
John.messina@nist.gov
Bhavesh C. Bhagat
Co-Founder, EnCrisp and ConfidentGovernance.com
bb@encrisp.com
24. ConfidentNOW
Global Governance Webinar Series
NEXT WEBINAR IN SERIES
Cloud Encryption
DATE: Feb. 28, 2013
TIME: 11.00–11.45 A.M.
Speaker – Dr. Ken Stavinoha, Cisco Systems
Dr. Sarbari Gupta, Electrosoft
Host – Bhavesh C. Bhagat, EnCrisp – ConfidentGovernance.com
Register Now: http://bit.ly/WyH7R8
http://www.confidentgovernance.com/events/88-webinar
Bhavesh to introduce speakers and thank EnCrisp and CG for hosting this series of webinars.
EnCrisp CG Safe Harbor Disclosure
Bhavesh to lay out the agenda and discuss why Service Level Agreements and the controls around them are something every executive in IT and Governance needs to be concerned about, especially in the subscription economy.
Q for Ken – So Ken, what we are seeing is a tremendous amount of market interest in moving towards the Cloud. Can you please describe in layman's terms what these concepts mean before we dig too deep, and why SLAs are important in the Cloud? And how do you define these terms for a business executive who is not a lawyer?
Ken – That’s excellent. Now, from a risk point of view, why are SLAs and the governance around them so important? What is the risk perspective around this? I know we will get into some risk mitigation approaches later, but let's discuss the overall scenario here.
Ken
Ken – This is good, but what are Cloud providers saying about SLAs and metrics? Are they providing enough tracking for SLAs to be able to track and measure? We are working with Carnegie Mellon University, where we are doing some exciting research in automating this, and we will discuss this in future webinars.
Ken
Bhavesh – It appears that SLAs and their importance only increase as you move down the Cloud stack from SaaS to IaaS, so vendor metrics and transparency are key. Can you provide some thoughts around this?
Bhavesh and John: Introduce NIST and the Sub Groups around Governance of Cloud.
John
John
Bhavesh Q – for John – So John, this is great, and thanks to you and your team for continuing to push forward in this regard. Can you please describe some immediate tangible reasons why SLAs are so important? It seems to me that most people think this is optional, but it's not so flexible; some of the regulations mandate that we have to think of this now?
John – So John, what are the key risk areas to look at when we see SLA Governance, and what are some of the tools NIST has developed to assist in this regard?
Bhavesh – This seems very unique in its approach. Can you please describe the usefulness of Mind Maps in Governance? How deep should one go when we build these for an organization?
John
Ken – So Ken, how does one monitor this? We will be doing a special Automating FedRAMP CIS seminar in March where we will also discuss the tool, but from an SLA point of view, what do we need to think of in terms of documenting the process?
John
Bhavesh – So Ken and John, if you were to summarize, what are the three key points that we need to remember?