Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Nov 03, 2014

Bhavesh Bhagat

Do you have an agreement, or are you considering one, with a cloud service provider (CSP)? Did you know that in a December 2012 article, a Gartner analyst called the SLAs offered by two large cloud providers “worthless”? Are you aware that many off-the-shelf contracts with cloud providers leave the consumer accepting the majority of the risks and liabilities? This cloud webinar provides key information on cloud contracts and service level agreements, drawing on findings from the National Institute of Standards and Technology (NIST) Cloud Computing Working Group.
Transcript
Page 1: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

ConfidentGovernance.com - Award winning Cloud migration experts. Patent pending “Governance as a Service®” innovators

Cloud Contracts and SLAs: Mastering SLA Governance

Speakers – Dr. Ken Stavinoha, PhD, Cisco; Mr. John Messina, Computer Scientist, NIST

Host – Bhavesh C. Bhagat, EnCrisp - ConfidentGovernance.com; CGEIT, CISM, MBA, BE

ConfidentNOW Global Governance Webinar Series

Page 2: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Today’s Presenters

Dr. Ken Stavinoha, PhD, CISM, CISSP – Cisco

Mr. John Messina, Computer Scientist – NIST

Bhavesh C. Bhagat, CISM, CGEIT, MBA, BE – EnCrisp – ConfidentGovernance.com

Page 3: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Confident Governance and EnCrisp (Safe Harbor Disclosure)

EnCrisp is an INC 500 award-winning global leader in providing “business driven” solutions that enhance trust, governance, cyber security and risk transparency, since 2004.

EnCrisp’s Confident Governance® is an award-winning “Governance as a Service®” Cloud Governance™ company and a 2011 Global Entrepreneurship (GEW50) Kauffman 50 Global Awardee.

It is a Governance, Security, Risk, Audit and Social Compliance collaboration platform that you access over the Internet and pay for as you go.

AWARDS – INC 500; 2011 Global Entrepreneurship Kauffman 50 Start-Ups; 2011 NVTC Hot Ticket, Hottest Buzz; 2011 GovTek Best Cloud Government Solution; 2010 Business Insurance Risk Technology

Page 4: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

i. Intro to Service Level Agreement

ii. Cloud Services Scope and Control

iii. SLA NIST Contracts

iv. Risk Factors Affecting Cloud SLAs

v. Resources and Next Webinar…

Cloud Contracts And SLA Governance

Page 5: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Cloud Services Scope and Control

Source: NIST SP800-144 Draft

Page 6: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

SLA Definition

Service Agreement: also known as “Terms of Service” or “Terms and Conditions”. A legal document specifying the rules of the legal contract between the cloud user and the cloud provider.

Service-Level Agreement: A document stating the technical performance promises made by the cloud provider, how disputes are to be discovered and handled, and any remedies for performance failures. (NIST SP 800-146)

Page 7: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Cloud Computing Risks

Differences in Scope and Control among Cloud Service Models

Source: Ernst & Young 2010 Global Information Security Survey

Page 8: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Cloud Risk Mitigation

Source: Ernst & Young 2011 Global Information Security Survey

Page 9: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

What Providers Say: Cloud Adoption Drivers

Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study

Page 10: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

What Providers Say: Cloud Security Risk Mitigation

Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study

Page 11: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

What Providers Say: Who is Responsible for Cloud Security

Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study

Page 12: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

NIST CC Public Working Groups

NIST’s Goal: Accelerate the federal government’s adoption of cloud computing

– Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders

Voluntary Working Groups with industry, SDOs, USG, academia (launched Nov. 5, 2010)

• 5 Working Groups (Reference Architecture / Taxonomy, Security, Standards Roadmap, …)

• 300+ registered members per working group

Page 13: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Contract/SLA Subgroup

• RATAX working group was asked to identify additional areas of cloud computing that could be better defined through the development of appropriate taxonomies

• SLA sub-group focused on identifying if there was any suitable existing SLA format or guide that could be used to identify all the key elements that should go into a Cloud SLA

• Existing contracts and research examined for commonalities and relationships in form and content

• Collected/formulated definitions pertinent to cloud contracts and SLAs

Page 14: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Role of Contracts and SLAs

Contracts and service level agreements play a key role in the procurement of cloud computing services.

The consumer may have an agreement with one provider, but the service may be delivered via a myriad of subcontractors or other dependencies who have no contractual obligation directly with the consumer.

The consumer may have no knowledge of these third parties unless the provider chooses, or is otherwise required, to disclose them, and yet these entities may incur risk for which the consumer could ultimately be liable.

Page 15: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Agency Compliance Requirements

• Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]

• E-Authentication Guidance for Federal Agencies [OMB M-04-04]

• Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]

• Freedom of Information Act as Amended in 2002 [PL 104-232, 5 USC 552]

• Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]

• Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7]

• Internal Control Systems [OMB Circular A-123]

• Management of Federal Information Resources [OMB Circular A-130]

• Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]

• Privacy Act of 1974 as amended [5 USC 552a]

• Protection of Sensitive Agency Information [OMB M-06-16]

• Records Management by Federal Agencies [44 USC 31]

• Rehabilitation Act of 1973 [Section 508 Amendment]

• Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]

• Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]

• The Federal Risk and Authorization Management Program (FedRAMP)

Page 16: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Four Pillars of SLA Governance

• SLA

• Contract

• Cloud Service Provider

• Metrics

• Legal Landscape

Page 17: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Cloud MSA Mind Map

Page 18: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Cloud SLA Mind Map

Page 19: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

FedRAMP CIS Worksheet

Page 20: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Ongoing Work of NIST CC Contract and SLA Subgroup

• Analyze negotiated SLAs/Contracts

• Complete the NIST RA Cloud Contract/SLA draft document and present it for public comment

• Collaboration with the Cloud Metrics team

• Participation in the ISO/IEC JTC 1 SC38 effort on cloud SLAs

Page 21: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Look Before You Leap - Consumers need to perform reasonable due diligence in examining cloud providers and their subcontractors

Solicit Input - A committee, rather than one or two individuals, should formulate the requirements for cloud contracts – including SLAs

Don’t Reinvent the Wheel - Organizations should examine existing controls to identify key issues to include in cloud service contracts and SLAs

THREE KEY TAKEAWAYS

Page 22: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

www.confidentgovernance.com/confidentnow

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf

http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/RATax_Jan20_2012/NIST_CC_WG_ContractSLA_Deliverable_Draft_v1.9.pdf

http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/RATax_CloudMetrics

http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf

http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/13th-Global-Information-Security-Survey-2010---Information-technology--friend-or-foe-

http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

http://csrc.nist.gov/publications/PubsSPs.html.

RESOURCES

Page 23: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

Ken E. Stavinoha, PhD

NIST CC RA Contracts/SLA Sub-team Leader

[email protected]

John Messina

Chair, NIST CC RA Working Group

[email protected]

Bhavesh C. Bhagat

Co-Founder, EnCrisp and ConfidentGovernance.com

[email protected]

Questions & Comments

For additional information:

Page 24: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

NEXT WEBINAR IN SERIES

Cloud Encryption

DATE: Feb. 28, 2013

TIME: 11.00-11.45 A.M.

Speakers – Dr. Ken Stavinoha, Cisco Systems; Dr. Sarbari Gupta, Electrosoft

Host – Bhavesh C. Bhagat, EnCrisp – ConfidentGovernance.com

Register Now: http://bit.ly/WyH7R8

http://www.confidentgovernance.com/events/88-webinar

ConfidentNOW Global Governance Webinar Series

Page 25: Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series

THANK YOU