i. The webinar discussed cloud contracts and service level agreements (SLAs) with a focus on governance.
ii. It covered the scope and control of cloud services, SLA definitions, risk factors for cloud SLAs, and what providers say about cloud adoption drivers and security responsibilities.
iii. Key recommendations included examining a provider's subcontractors, forming a committee to develop contract requirements, and reviewing existing controls to identify issues to include in contracts and SLAs.
The aim of this paper is to make cloud service consumers aware of cloud computing fundamentals, its essential services, service models and deployment options. It also throws light on the security and risk management piece of the CSA Trusted Cloud reference architecture, the Cloud Controls Matrix, the "Notorious Nine" threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestation.
This presentation was given at the GRC Conference in Boston (October 2010) and explains the interesting triad of not only People, Process & Technology but also Culture, Structure & Strategy. Besides, it moves beyond the 'alignment' idea and goes deep into the 'synchronization' needs of today's companies.
Cloud computing is a set of resources and services offered through the Internet. Cloud services are delivered from data centers located throughout the world. Cloud computing facilitates its consumers by providing virtual resources via the Internet. The biggest challenge in cloud computing is the security and privacy problems caused by its multi-tenancy nature and the outsourcing of infrastructure, sensitive data and critical applications. As enterprises are rapidly adopting cloud services for their businesses, measures need to be developed so that organizations can be assured of security in their businesses and can choose a suitable vendor for their computing needs. Cloud computing depends on the Internet as a medium for users to access the required services at any time on a pay-per-use pattern. However, this technology is still in its initial stages of development, as it suffers from threats and vulnerabilities that prevent users from trusting it. Various malicious activities by illegal users have threatened this technology, such as data misuse, inflexible access control and limited monitoring. The occurrence of these threats may result in damage to, or illegal access of, users' critical and confidential data. In this paper we identify the most vulnerable security threats/attacks in cloud computing, which will enable both end users and vendors to know about the key security threats associated with cloud computing, and propose relevant solution directives to strengthen security in the Cloud environment. We also propose a secure cloud architecture for organizations to strengthen security.
BCT4MAS - Blockchain for Multi-Agent Systems - NTN invited talk (Davide Calvaresi)
This presentation introduces the research direction of blockchain for multi-agent systems (BCT4MAS), with particular emphasis on MAS that employ a permissioned blockchain, as used in the in-house developed prototype. More details? Check out our papers or get in touch!
Along with accessibility and convenience, cloud-based IT resources also bring risk. This webinar provides you with a brief introduction on the development of cloud computing and the related business risks. Additionally, you will learn questions to ask to determine if your company is using cloud-based IT resources along with information on the formal assurance frameworks that exist and can be effectively employed by both cloud consumers and providers without specialized training.
Increase your IT agility and cost efficiency with HDS cloud solutions webinar (Hitachi Vantara)
Find out how to build and use clouds to support your business objectives. Learn about new HDS cloud solutions and services that help you create clouds for infrastructure, content and information. Simplify and accelerate your transition to clouds.
From Technology Risk to Enterprise Risk: The New Frontier (Ramsés Gallego)
This presentation was given at the ISRM Conference in Las Vegas (September 2010) and shows the shift in perception from Technology Risk to Enterprise Risk and how businesses and IT need to embrace that new frontier.
Jambey Clinkscales gave a presentation on "The Value of Cloud in the Business Technology Ecosystem" at the 2011 BDPA Technology Conference in Chicago.
Jambey shared his thoughts on the workshop during BDPA iRadio Show interview held on August 28, 2011 --> http://www.blogtalkradio.com/bdpa/2011/08/29/bdpa-iradio-workshop-presenters
Workshop Presenter:
Jambey Clinkscales
Capabilities and Program Manager, HP Enterprise Services
Topic: The Value of the Cloud in the Business Technology Ecology
BDPA New York Chapter
Will your organization or enterprise expand cost-effectively with the power of a managed cloud? We outline 10 key reasons why this strategy will help you improve security, simplify compliance, reduce costs and streamline scalability.
AWS Summit Singapore - Best Practices for Cloud Security in the Cloud Adoptio... (Amazon Web Services)
Warren Wu, Sr Director, Global Product Marketing, Cloud Security, Fortinet
Organizations are migrating their on-premise data center and application environments to public cloud to accelerate digital business. AWS enables agility and elasticity for digital workloads and DevOps teams, but the expanded digital attack surface across the hybrid cloud needs to be protected in order to ensure secure interactions and data. We discuss best practices for securing hybrid cloud environments, and how AWS and Fortinet are working together to build and integrate trust and security natively into the cloud.
An educational overview of the Cloud Computing Ecosystem or Framework. This presentation is geared toward those who are just beginning to understand Cloud Computing.
Navigating the Cloud: Trends and Technologies Shaping Security and Compliance (Urolime Technologies)
Explore the dynamic realm of cloud security and compliance with a focus on AWS Consulting Services. Stay ahead of the curve as we delve into the latest trends and technologies shaping the landscape, ensuring your organization harnesses the full potential of AWS while maintaining robust security and compliance measures.
Unleash the key benefits of Agile Compliance. Gain insights on how Agile tools have an edge over Conventional tools in the dynamically changing Business Landscape, from GRC Leader Bhavesh Bhagat and Industry Expert Jay Crossland.
The first of the four part webinar series on Agile Compliance presented by Confident Governance Chairman Bhavesh Bhagat and Crossland Advisors Founder Jay Crossland. The webinar talks about the significant challenges faced by Compliance officers worldwide.
Confident Governance Chairman and Co-Founder, Bhavesh Bhagat, delivers an awe-inspiring session titled "Awakening the hidden 'Risk' Giant within you: Bigger, Better, Bolder - Re-thinking your Personal Brand" at the ISACA NCAC Summit 2015. The Summit spanned two days, May 26th and May 27th. After the very successful keynote session on May 26th, Bhavesh Bhagat also hosted a Millennials Panel on May 27th. The session was titled "Millennials Panel - The New Direction of Audit".
Glean insights on where the world is headed in the era of emerging technologies. The keynote was presented by Global Governance expert and Security and risk technology visionary, Confident Governance Founder Bhavesh Bhagat as the IIA/ISACA GRC Opening Keynote. #GRC13
Want to know what all learnings are in waiting for you at #GRC13 ISACA and IIA conference?
Glean some points here and don't forget to catch @bbhagat tomorrow speaking about how GRC needs to adapt new strategies in the emerging technologies world.
Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series
1. ConfidentNOW
Global Governance Webinar Series
Cloud Contracts and SLAs
Mastering SLA Governance
Speakers – Dr. Ken Stavinoha, PhD, Cisco; Mr. John Messina, Computer Scientist, NIST
Host – Bhavesh C. Bhagat, CGEIT, CISM, MBA, BE, EnCrisp - ConfidentGovernance.com
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
2. Today’s Presenters
Dr. Ken Stavinoha, PhD, CISM, CISSP – Cisco
Mr. John Messina, Computer Scientist – NIST
Bhavesh C. Bhagat, CISM, CGEIT, MBA, BE – EnCrisp – ConfidentGovernance.com
3. EnCrisp is an INC 500 award winning global leader in providing “business driven” solutions enhancing trust, governance, cyber security and risk transparency since 2004.
EnCrisp’s Confident Governance® is an award winning “Governance as a Service®” - Cloud Governance™ company.
2011 Global Entrepreneurship (GEW50) Kauffman 50 Global Awardee.
A Governance, Security, Risk, Audit and Social Compliance collaboration platform that you access over the Internet and pay-as-you-go.
AWARDS – INC 500; 2011 Global Entrepreneurship Kauffman 50 Start-Ups; 2011 NVTC Hot Ticket Hottest Buzz; 2011 GovTek Best Cloud Government Solution; 2010 Business Insurance Risk Technology
4. Cloud Contracts And SLA
Governance
i. Intro to Service Level Agreement
ii. Cloud Services Scope and Control
iii. SLA NIST Contracts
iv. Risk Factors Affecting Cloud SLAs
v. Resources and Next Webinar…
5. Cloud Services Scope and Control
Source: NIST SP800-144 Draft
6. SLA Definition
Service Agreement: also known as “Terms of Service” or “Terms and Conditions”. A legal document specifying the rules of the legal contract between the cloud user and the cloud provider.
Service-Level Agreement: A document stating the technical performance promises made by the cloud provider, how disputes are to be discovered and handled, and any remedies for performance failures.
(NIST SP 800-146)
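The SLA definition above has three parts: a technical performance promise, a way to discover and handle disputes, and a remedy. The Python below is an added example, not code from this webinar, NIST or any cloud provider, of what a consumer-side check of one such promise looks like: a constructed outage log is measured against a hypothetical monthly availability target, a hypothetical minimum-outage clause of the kind contracts commonly carry, and a hypothetical service-credit schedule. Every SLA term, credit tier and outage record in it is an assumption made for illustration.

```python
"""Evaluate a monthly availability SLA from an outage log.

Added example; not the webinar's, NIST's or any provider's code.
The SLA terms, credit tiers and outage records are hypothetical
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical SLA terms (assumptions, not a real provider's commitment).
SLA_TARGET_PERCENT = 99.9   # committed availability per billing month
MIN_OUTAGE_MINUTES = 5.0    # interruptions shorter than this are not "downtime"
CREDIT_TIERS = [            # (availability floor in %, credit as % of monthly fee)
    (99.9, 0),
    (99.0, 10),
    (95.0, 25),
    (0.0, 100),
]


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


def clipped_minutes(outage, period_start, period_end):
    """Minutes of the outage that fall inside the billing period (0 if none)."""
    start = max(outage.start, period_start)
    end = min(outage.end, period_end)
    return max(0.0, (end - start).total_seconds() / 60.0)


def counted_downtime_minutes(outages, period_start, period_end,
                             min_outage=MIN_OUTAGE_MINUTES):
    """Downtime the contract actually counts.

    The minimum-duration clause is applied after clipping, so an outage that
    straddles the month boundary is charged only for the part inside this
    period, and a short blip below the clause's threshold is dropped.
    """
    per_outage = (clipped_minutes(o, period_start, period_end) for o in outages)
    return sum(m for m in per_outage if m >= min_outage)


def availability_percent(outages, period_start, period_end,
                         min_outage=MIN_OUTAGE_MINUTES):
    """Measured availability over the billing period, in percent."""
    period_minutes = (period_end - period_start).total_seconds() / 60.0
    down = counted_downtime_minutes(outages, period_start, period_end, min_outage)
    return 100.0 * (period_minutes - down) / period_minutes


def service_credit_percent(availability):
    """Remedy tier: the first tier whose floor the measured availability meets."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def evaluate_sla(outages, period_start, period_end, min_outage=MIN_OUTAGE_MINUTES):
    """Promise, breach decision and remedy for one billing period."""
    avail = availability_percent(outages, period_start, period_end, min_outage)
    return {
        "availability_percent": round(avail, 3),
        "breached": avail < SLA_TARGET_PERCENT,
        "credit_percent": service_credit_percent(avail),
    }


# Constructed outage log for January 2013 (31 days = 44,640 minutes).
PERIOD_START = datetime(2013, 1, 1)
PERIOD_END = datetime(2013, 2, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2013, 1, 3, 2, 0), datetime(2013, 1, 3, 2, 3)),      # 3 min: below clause
    Outage(datetime(2013, 1, 10, 14, 0), datetime(2013, 1, 10, 14, 50)),  # 50 min: counted
    Outage(datetime(2013, 1, 31, 23, 30), datetime(2013, 2, 1, 0, 30)),   # 60 min, 30 inside Jan
]

if __name__ == "__main__":
    print(evaluate_sla(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END))
    # The same log under a contract that counts every interruption:
    print(evaluate_sla(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END, min_outage=0.0))
```

On the constructed log the counted downtime is 80 minutes, availability is about 99.821%, which is below the assumed 99.9% target, and the remedy is the 10% tier. Two points a practitioner would take from running it: the consumer can only "discover" a dispute if it keeps its own outage measurements rather than relying on the provider's status page, and the contract's definition of downtime (here, the minimum-outage clause) changes the number that is compared against the promise, which is why that definition is a term to negotiate rather than a detail to skip.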
7. Cloud Computing Risks
Source: Ernst & Young 2010 Global Information Security Survey
Differences in Scope and Control among Cloud Service Models
8. Cloud Risk Mitigation
Source: Ernst & Young 2011 Global Information Security Survey
9. What Providers Say:
Cloud Adoption Drivers
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
10. What Providers Say:
Cloud Security Risk Mitigation
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
11. What Providers Say:
Who is Responsible for Cloud Security
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
12. NIST CC Public Working Groups
NIST’s Goal: Accelerate the federal government’s
adoption of cloud computing
– Lead efforts to develop standards and guidelines in close
consultation and collaboration with standards bodies, the
private sector, and other stakeholders
Voluntary Working Groups with industry, SDOs, USG,
academia (launched Nov. 5, 2010)
• 5 Working Groups (Reference Architecture / Taxonomy,
Security, Standards Roadmap, …)
• 300+ registered members per working group
13. Contract/SLA Subgroup
• RATAX working group was asked to identify additional
areas of cloud computing that could be better defined
through the development of appropriate taxonomies
• SLA sub-group focused on identifying if there was any
suitable existing SLA format or guide that could be used
to identify all the key elements that should go into a
Cloud SLA
• Existing contracts and research examined for
commonalities and relationships in form and content
• Collected/formulated definitions pertinent to cloud
contracts and SLAs
14. Role of Contracts and SLAs
Contracts and service level agreements play a key role in
the procurement of cloud computing services.
The consumer may have an agreement with one provider,
but the service may be delivered via a myriad of
subcontractors or other dependencies who have no
contractual obligation directly with the consumer.
Consumer may have no knowledge of these third parties
unless the provider chooses, or is otherwise required, to
disclose them, and yet these entities may incur risk for
which the consumer could ultimately be liable.
15. Agency Compliance
Requirements
• Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
• E-Authentication Guidance for Federal Agencies [OMB M-04-04]
• Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
• Freedom of Information Act as Amended in 2002 [PL 104-232, 5 USC 552]
• Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]
• Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7]
• Internal Control Systems [OMB Circular A-123]
• Management of Federal Information Resources [OMB Circular A-130]
• Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
• Privacy Act of 1974 as amended [5 USC 552a]
• Protection of Sensitive Agency Information [OMB M-06-16]
• Records Management by Federal Agencies [44 USC 31]
• Rehabilitation Act of 1973 [Section 508 Amendment]
• Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
• Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
• The Federal Risk and Authorization Management Program (FedRAMP)
16. Four Pillars of SLA Governance
(Diagram: the SLA at the centre, surrounded by the four pillars)
• Contract
• Legal Landscape
• Cloud Service Provider
• Metrics
17. Cloud MSA Mind Map
18. Cloud SLA Mind Map
20. Ongoing Work of NIST CC
Contract and SLA Subgroup
• Analyze negotiated SLAs/Contracts
• Complete the NIST RA Cloud Contract/SLA
draft document and present for public
comment
• Collaboration with the Cloud Metrics team
• Participation in the ISO/IEC JTC 1/SC 38 effort on cloud SLAs
21. THREE KEY TAKEAWAYS
Look Before You Leap - Consumers need to
perform reasonable due diligence in examining
cloud providers and their subcontractors
Solicit Input- A committee, rather than one or two
individuals, should formulate the requirements for
cloud contracts – including SLAs
Don’t Reinvent the Wheel - Organizations
should examine existing controls to identify key
issues to include in cloud service contracts and
SLAs
22. RESOURCES
www.confidentgovernance.com/confidentnow
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/RATax_Jan20_2012/NIST_CC_WG_ContractSLA_Deliverable_Draft_v1.9.pdf
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/RATax_CloudMetrics
http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf
http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/13th-Global-Information-Security-Survey-2010---Information-technology--friend-or-foe-
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
http://csrc.nist.gov/publications/PubsSPs.html
23. Questions & Comments
For additional Information:
Ken E. Stavinoha, PhD
NIST CC RA Contracts/SLA Sub-team Leader
kstavino@mail.com
John Messina
Chair, NIST CC RA Working Group
John.messina@nist.gov
Bhavesh C. Bhagat
Co-Founder, EnCrisp and ConfidentGovernance.com
bb@encrisp.com
24. ConfidentNOW
Global Governance Webinar Series
NEXT WEBINAR IN SERIES
Cloud Encryption
DATE: Feb.28, 2013
TIME:11.00-11.45 A.M
Speakers – Dr. Ken Stavinoha, Cisco Systems
Dr. Sarbari Gupta, Electrosoft
Host – Bhavesh C. Bhagat, EnCrisp – ConfidentGovernance.com
Register Now: http://bit.ly/WyH7R8
http://www.confidentgovernance.com/events/88-webinar
Bhavesh to introduce Speakers and Thank EnCrisp and CG for hosting this series of webinars.
EnCrisp CG Safe Harbor Disclosure
Bhavesh to lay out the agenda and discuss why Service Level Agreements and the controls around them are something every executive in IT and Governance needs to be concerned about, especially in the subscription economy.
Q for Ken – So Ken, what we are seeing is tremendous amounts of market interest in moving towards the Cloud. Can you please describe in layman's terms what these concepts mean before we dig too deep, and why the SLA is important in Cloud? And how do you define these terms for a business executive who is not a lawyer?
Ken – That's excellent. Now, from a risk point of view, why are SLAs and the governance around them so important? What is the risk perspective around this? I know we will get into some risk mitigation approaches later, but let's discuss the overall scenario here.
Ken
Ken – This is good, but what are Cloud providers saying about this SLA and metrics? Are they providing enough tracking for SLAs to be able to track and measure? We are working with Carnegie Mellon University, where we are doing some exciting research in automating this, and we will discuss this in future webinars.
ken
Bhavesh – It appears that SLAs and their importance only increase as you move down the stack in Cloud from SaaS to IaaS, so vendor metrics and transparency are key. Can you provide some thoughts around this?
Bhavesh and John: Introduce NIST and the Sub Groups around Governance of Cloud.
John
John
Bhavesh Q – for John – So John, this is great, and thanks to you and your team for continuing to push forward in this regard. Can you please describe some immediate tangible reasons why SLAs are so important? It seems to me that most people think this is optional, but it's not so flexible; some of the regulations mandate that we have to think of this now?
John – So John, what are the key risk areas to look at when we see SLA Governance, and what are some of the tools NIST has developed to assist in this regard?
Bhavesh – This seems very unique in its approach. Can you please describe the usefulness of Mind Maps in Governance? How deep should one go when we build these for an organization?
John
Ken – So Ken, how does one monitor this? We will be doing a special Automating FedRAMP CIS seminar in March where we will discuss the tool also, but from an SLA point of view, what do we need to think of in terms of documenting the process?
John
Bhavesh – So Ken and John, if you were to summarize, what are the three key points that we need to remember?