Demystifying Cloud Contracts And SLAs

ConfidentNOW
Global Governance Webinar Series

Cloud Contracts and SLAs
Mastering SLA Governance

Speaker – Dr. Ken Stavinoha, PhD, Cisco
Mr. John Messina, Computer Scientist, NIST

Host – Bhavesh C. Bhagat, EnCrisp - ConfidentGovernance.com
CGEIT, CISM, MBA, BE

ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators

Today’s Presenters
Dr. Ken Stavinoha, PhD, CISM, CISSP
– Cisco

Mr. John Messina, Computer Scientist
-NIST

Bhavesh C. Bhagat, CISM, CGEIT, MBA, BE –
EnCrisp – ConfidentGovernance.com


is an INC 500 award winning global leader in
providing “business driven” solutions enhancing trust, governance,
cyber security and risk transparency since 2004.

 EnCrisp’ s Confident Governance® is award winning
“Governance as a Service®- Cloud Governance™ Company.
2011 Global Entrepreneurship (GEW50) Kauffman 50 Global
Awardee
 Governance, Security, Risk, Audit and Social Compliance
Collaboration platform that you access over the Internet and
pay-as-you-go.
 AWARDS – INC 500, 2011 Global Entrepreneurship Kauffman 50 Start-Ups, 2011
NVTC, Hot Ticket Hottest Buzz, 2011 GovTek Best Cloud Government Solution,
2010, Business Insurance Risk Technology

Cloud Contracts And SLA
Governance
i. Intro to Service Level Agreement
ii. Cloud Services Scope and Control
iii. SLA NIST Contracts
iv. Risk Factors Affecting Cloud SLAs
v. Resources and Next Webinar…


Cloud Services Scope and Control

Source: NIST SP800-144 Draft

SLA Definition
Service Agreement: known as “Terms of Service” ,“Terms and
Conditions” A
legal document specifying the rules of the
legal contract between the cloud user and the cloud
provider.

Service-Level Agreement: A document stating the
technical performance promises made by the cloud
provider, how disputes are to be discovered and
handled, and any remedies for performance failures.
(NIST SP 800-146)


Cloud Computing Risks

Source: Ernst & Young 2010 Global Information Security Survey
Differences in Scope and Control among Cloud Service Models

Cloud Risk Mitigation

Source: Ernst & Young 2011 Global Information Security Survey


What Providers Say:
Cloud Adoption Drivers

Source: 2011 Ponemon Insititute Security of Cloud Computing Providers Study


What Providers Say:
Cloud Security Risk Mitigation

Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study


What Providers Say:
Who is Responsible for Cloud Security

Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study


NIST CC Public Working Groups

NIST’s Goal: Accelerate the federal government’s
adoption of cloud computing
– Lead efforts to develop standards and guidelines in close
consultation and collaboration with standards bodies, the
private sector, and other stakeholders
Voluntary Working Groups with industry, SDOs, USG,
academia (launched Nov. 5, 2010)
• 5 Working Groups (Reference Architecture / Taxonomy,
Security, Standards Roadmap, …)
• 300+ registered members per working group


Contract/SLA Subgroup
• RATAX working group was asked to identify additional
areas of cloud computing that could be better defined
through the development of appropriate taxonomies
• SLA sub-group focused on identifying if there was any
suitable existing SLA format or guide that could be used
to identify all the key elements that should go into a
Cloud SLA
• Existing contracts and research examined for
commonalities and relationships in form and content
• Collected/formulated definitions pertinent to cloud
contracts and SLAs


Role of Contracts and SLAs
 Contracts and service level agreements play a key role in
the procurement of cloud computing services.

 The consumer may have an agreement with one provider,
but the service may be delivered via a myriad of
subcontractors or other dependencies who have no
contractual obligation directly with the consumer.

 Consumer may have no knowledge of these third parties
unless the provider chooses, or is otherwise required, to
disclose them, and yet these entities may incur risk for
which the consumer could ultimately be liable.


Agency Compliance
Requirements
• Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
• E-Authentication Guidance for Federal Agencies [OMB M-04-04]
• Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
• Freedom of Information Act as Amended in 2002 [PL 104-232, 5 USC 552]
• Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-
05]
• Homeland Security Presidential Directive-7, Critical Infrastructure Identification,
Prioritization, and Protection [HSPD-7]
• Internal Control Systems [OMB Circular A-123]
• Management of Federal Information Resources [OMB Circular A-130]
• Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
• Privacy Act of 1974 as amended [5 USC 552a]
• Protection of Sensitive Agency Information [OMB M-06-16]
• Records Management by Federal Agencies [44 USC 31]
• Rehabilitation Act of 1973 [Section 508 Amendment]
• Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB
Circular A-108, as amended]
• Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
• The Federal Risk and Authorization Management Program (FedRAMP)


Four Pillars of SLA Governance

Contract

Legal Cloud
Landscape SLA Service
Provider

Metrics


Cloud MSA Mind Map


Cloud SLA Mind Map


FedRAMP CIS Worksheet


Ongoing Work of NIST CC
Contract and SLA Subgroup
• Analyze negotiated SLAs/Contracts
• Complete the NIST RA Cloud Contract/SLA
draft document and present for public
comment
• Collaboration with the Cloud Metrics team
• Participation in the ISO/IET JTC SC38 effort on
cloud SLAs


THREE KEY TAKEAWAYS
Look Before You Leap - Consumers need to
perform reasonable due diligence in examining
cloud providers and their subcontractors

Solicit Input- A committee, rather than one or two
individuals, should formulate the requirements for
cloud contracts – including SLAs

Don’t Reinvent the Wheel - Organizations
should examine existing controls to identify key
issues to include in cloud service contracts and
SLAs

RESOURCES
www.confidentgovernance.com/confidentnow

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf

http://collaborate.nist.gov/twiki-cloud-
computing/pub/CloudComputing/RATax_Jan20_2012/NIST_CC_WG_ContractSLA_Deliverable_Dra
ft_v1.9.pdf

http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/RATax_CloudMetrics

http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-
april-2011.pdf

http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/13th-Global-Information-
Security-Survey-2010---Information-technology--friend-or-foe-

 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

http://csrc.nist.gov/publications/PubsSPs.html.


Questions & Comments
For additional Information:

Ken E. Stavinoha, PhD
NIST CC RA Contracts/SLA Sub-team Leader
kstavino@mail.com

John Messina
Chair, NIST CC RA Working Group
John.messina@nist.gov

Bhavesh C. Bhagat
Co-Founder, EnCrisp and ConfidentGovernance.com
bb@encrisp.com


ConfidentNOW
Global Governance Webinar Series

NEXT WEBINAR IN SERIES
Cloud Encryption
DATE: Feb.28, 2013
TIME:11.00-11.45 A.M

Speaker – Dr. Ken Stavinoha, Cisco System
Dr. Sarbari Gupta, Electrosoft
Host – Bhavesh C. Bhagat, EnCrisp – ConfidentGovernance.com

Register Now: : http://bit.ly/WyH7R8

http://www.confidentgovernance.com/events/88-webinar


Demystifying Cloud Contracts And SLAs

More Related Content

What's hot

Similar to Demystifying Cloud Contracts And SLAs

More from Bhavesh Bhagat, CGEIT, CISM (LION)

Demystifying Cloud Contracts And SLAs

Editor's Notes