Copyright 2014 Thomas Trappler All Rights Reserved

Transcription

1 1

2 Cloud Computing Risk Mitigation 2

3 Cloud Computing Risk Mitigation As with the adoption of any IT solution, The adoption of a cloud computing solution comes with both benefits and risks. 3

4 Cloud Computing Risk Mitigation The key question for us to explore today is: How can we most effectively mitigate the risks associated with adopting a cloud computing solution so as to maximize the benefits? 4

5 Cloud Computing Risk Mitigation Transitioning to the Cloud = Paradigm Shift From: Technically Managed I build it, I maintain it. To: Contractually Managed Someone else is doing this for me, how do I ensure they re doing it right? 5

6 Cloud Computing Risk Mitigation Key Ways To Mitigate Risks Contract Negotiation Establish the terms of the relationship What do I get? Vendor Management Maintain the relationship How do I ensure that I continue to get it? If it s not in the contract, don t expect to get it. 6

7 Cloud Computing Risk Mitigation Standard Answers 7

8 Cloud Computing Risk Mitigation A Framework of Issues to Consider Each issue should be individually evaluated Based upon your organization s unique needs and tolerance for risk For each specific use case/project 8

9 Cloud Computing Risk Mitigation Key Factors Public Data Sensitivity Sensitive Downtime = Tolerable Business Criticality Downtime = Business Stops 9

10 Cloud Computing Risk Mitigation Multiple Variations = SaaS, IaaS, PaaS Contract Issues Are Similar Infrastructure/Security Service Level Agreements Data Protection, Access & Location Vendor Relationship 10

11 1) Infrastructure/Security Physical Data Center Behind Every Cloud All Cloud Service Vendors Are NOT Created Equally A New and Evolving Market Space 11

12 1) Infrastructure/Security How do we ensure we re getting this 12

13 1) Infrastructure/Security and not this? 13

14 1) Infrastructure/Security Identify Cloud Vendor s Infrastructure and Security Practices 14

15 How? Ask Questions 15

16 Consensus Assessments Initiative Questionnaire & Cloud Controls Matrix Standard Information Gathering Questionnaire 16

17 1) Infrastructure/Security Areas To Evaluate Include: Information Security Physical Security Operations Management 17

18 1) Infrastructure/Security Determine Which Practices Are Important Codify Them in the Contract as Minimum Requirements Incorporate Responses in Contract 18

19 1) Infrastructure/Security Once You ve Got Them in the Contract, How Do You Verify These Things? 19

20 1) Infrastructure/Security Third Party Certifications No Formal Standard ISO/IEC 27001/27002 SOC 2&3, AT Sec. 101 (Replaced SAS 70) FIPS 200/SP CSA Open Certification Framework Reports S/B Provided To You 20

21 1) Infrastructure/Security Re-Certify At least annually, and after any reasonably suspected breach Report provision, including timeframe Your organization must thoroughly review Correction or cause for breach 21

22 2) Service Level Agreements Software as a Service Infrastructure as a Service Platform as a Service The key thing in common is Service. 22

23 2) Service Level Agreements SLA Parameters Availability Performance/Response Time Error Correction Time Latency 23

24 2) Service Level Agreements SLA Metrics Quantitative and Unambiguous Describe Data Sources & Fields, Collection Times & Frequency, Responsibility for Collection Relevant to Business Outcomes, Not Technical Parameters Limit to 8-10 SLAs 24

25 2) Service Level Agreements SLA Remedies Corrections Penalties 25

26 2) Service Level Agreements SLA Remedies If You Do Include Financial Penalties Codify When/How Credit is Provided Client Notification or Vendor Self-Audit? Against Current Payment, Or Renewal 26

27 2) Service Level Agreements SLA Remedies Goal is Good Service, Not Credits 27

28 2) Service Level Agreements SLA Remedies Reputational Penalties Disqualification From Future Contract Bids Rewards For Exceeding Service Levels What Remedies Meet Your Needs? 28

29 3) Data Protection, Access & Location Ownership of Data Good News = More Vendors Including This in Standard Contract Vendors Are Willing to Listen Your Organization Owns the Results of Any Processing of Your Data 29

30 3) Data Protection, Access & Location To Avoid Vendor Lock-In Plan In Advance How You Will Switch To A Different Solution 30

31 3) Data Protection, Access & Location Data Access/Disposition Process Timeframe Format Cost (Egress Fees?) Destruction 31

32 3) Data Protection, Access & Location Data Breaches Repercussions Vary According to Data Type Know In Advance What Type of Data You ll Be Processing/Storing 32

33 3) Data Protection, Access & Location Data Breaches Notification (incl. timeframe) Details (circumstances, type of data, etc.) Corrective Action Indemnification 33

34 3) Data Protection, Access & Location Location of Data Different Laws Which Law Applies to My Data? Identify/Restrict Data Center Location(s) 34

35 3) Data Protection, Access & Location Legal Requests for Access to Data Notification of Requests Before They Provide Access To Your Data Cooperate in Managing Release Limit Any Release to the Extent Possible, and to the Minimum Required by Law 35

36 4) Vendor Relationship Issues Not Unique to Cloud Computing, but Essential Most Leverage = Before Signing/Paying Cost of Change = Significant 36

37 4) Vendor Relationship Contractually Codify in Advance Terms to Continue Using Terms to Terminate/Change 37

38 4) Vendor Relationship Cost to Continue Using Renewal Price Caps as the Lesser of: Consumer Price Index (CPI) A Set Percentage (3%, 5%, etc.) Cloud Vendor s List Price What Others Pay Going Forward For As Long As Possible 38

39 4) Vendor Relationship Termination Keep Decision Within Your Control Restrict to Triggering Events Include Customer Opportunity to Cure Exclude Legitimate Payment Disputes 39

40 4) Vendor Relationship Mergers and Acquisitions Due Diligence None of Us Can Predict the Future Evolving Market Space Terms Binding on Successors/Assigns 40

41 4) Vendor Relationship Vendor Outsourcing Increases Complexity Vendor to Identify Third Parties Vendor Remains Responsible 41

42 Next Steps Cloud Computing is Big 42

43 Next Steps Broad Set of Implications From Meeting Business Needs To Compliance With Policy/Law Beyond Responsibilities of One Position 43

44 Next Steps So Don t Go It Alone commons.wikimedia.org/wiki/file:rockislandindependentsteamphoto1919.jpg Business Process Owner IT Vendor Management Procurement IT - Technical IT - Security/Policy Legal Affairs Risk Management Audit/Compliance/Governance/Privacy 44

45 Next Steps Working Together Effectively Manage Develop Guidelines/Best Practices Re: Appropriate Acquisition/Use 45

46 How Can I Learn More? Cloud Computing Risk Mitigation Via Contract Negotiation & Vendor Management seminar --- October 20, Chicago, IL To register, please go to: CSA-IAPP discount ($100) Use Code CSA-IAPP 46