Copyright © 2015 Thomas Trappler

All Rights Reserved


AGENDA
• Overview
• Risk Mitigation Strategies
• Infrastructure/Security
• Service Level Agreements
• Data Access, Protection & Location
• Vendor Relationship
• Next Steps
Let’s Keep It Interactive!

http://www.flickr.com/photos/61056899@N06/5751301741/sizes/l/in/photostream/

Cloud Computing Risk Mitigation

As with the adoption of any IT solution,
the adoption of a cloud computing solution
comes with both benefits and risks.


Cloud Computing Risk Mitigation

http://www.flickr.com/photos/takomabibelot/4373062612/

The key question for us to explore today is:
How can we most effectively mitigate the
risks associated with adopting a cloud
computing solution so as to maximize the
benefits?


Cloud Computing Risk Mitigation
Transitioning to the Cloud = Paradigm Shift
From: Technically Managed
“I build it, I maintain it.”
To: Contractually Managed
“Someone else is doing this for me,
how do I ensure they’re doing it right?”

Cloud Computing Risk Mitigation
Key Ways To Mitigate Risks

http://www.flickr.com/photos/mehrant/4079784984

Contract Negotiation
Establish the terms of the relationship
“What do I get?”
Vendor Management
Maintain the relationship
“How do I ensure that I continue to get it?”
If it’s not in the contract, don’t expect to get it.

Cloud Computing Risk Mitigation

Standard Answers


http://commons.wikimedia.org/wiki/File:Barn_raising_-_Leckie%27s_barn_completed_in_frame.jpg

Cloud Computing Risk Mitigation
A Framework of Issues to Consider
Each issue should be individually evaluated
Based upon your organization’s unique
needs and tolerance for risk
For each specific use case/project

Cloud Computing Risk Mitigation
Key Factors
Data Sensitivity: a spectrum from Public to Sensitive
Business Criticality: a spectrum from Downtime = Tolerable to Downtime = Business Stops


Cloud Computing Risk Mitigation
Multiple Variations = SaaS, IaaS, PaaS
Contract Issues Are Similar:
• Infrastructure/Security
• Service Level Agreements
• Data Protection, Access & Location
• Vendor Relationship

http://www.flickr.com/photos/lisanolan/503198966/


1) Infrastructure/Security
Physical Data Center Behind Every Cloud
All Cloud Service Vendors Are NOT Created Equally
A New and Evolving Market Space

1) Infrastructure/Security
http://www.wired.com/wiredenterprise/2012/10/ff-inside-google-data-center/

How do we ensure we’re getting this…


1) Infrastructure/Security

http://thedrunksysadmin.com/pictures/thedrunksysadminCompressed.jpg

…and not this?


1) Infrastructure/Security
Identify the Cloud Vendor’s Infrastructure and Security Practices


http://www.flickr.com/photos/colinkinner/2200500024/

How?
Ask Questions

Cloud Security Alliance (CSA):
Consensus Assessments Initiative Questionnaire (CAIQ)
& Cloud Controls Matrix (CCM)

Shared Assessments:
Standard Information Gathering (SIG) Questionnaire

1) Infrastructure/Security
Areas To Evaluate Include:
• Information Security
• Physical Security
• Operations Management

1) Infrastructure/Security
Determine Which Practices Are Important
Codify Them in the Contract
as Minimum Requirements
Incorporate Responses in Contract

1) Infrastructure/Security

Once You’ve Got Them in the Contract,
How Do You Verify These Things?


1) Infrastructure/Security
Third Party Certifications

http://www.flickr.com/photos/42106306@N00/4380803535/

No Single Formal Standard; Commonly Used:
• ISO/IEC 27001/27002
• SOC 2 & 3, AT Sec. 101 (Replaced SAS 70)
• FIPS 200 / NIST SP 800-53
• CSA Open Certification Framework
The Audit Reports Should Be Provided To You


2) Service Level Agreements
Software as a Service
Infrastructure as a Service
Platform as a Service
The key thing in common is “Service”.


2) Service Level Agreements
SLA Parameters:
• Availability
• Performance/Response Time
• Error Correction Time
• Latency
Limit to 8-10 SLAs

2) Service Level Agreements
SLA Metrics and Minimum Levels:
• Quantitative and Unambiguous
• Describe Data Sources & Fields, Collection Times & Frequency, and Responsibility for Collection
• Relevant to Business Outcomes, Not Technical Parameters

2) Service Level Agreements
SLA Remedies
Corrections
Penalties

2) Service Level Agreements
SLA Remedies
If You Do Include Financial Penalties…
Client Notification or Vendor Self-Audit?
Codify When/How Credit is Provided
Against Current Payment, Or Renewal
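The two slides above ask for an availability metric that is quantitative and unambiguous (data source, fields, collection frequency, who collects) and then ask whether the customer notifies the vendor or relies on the vendor's self-audit. The script below is an added example (not from the presentation, and not any vendor's tool) of the customer-side check that makes the first possible and the second unnecessary: it computes monthly availability from the customer's own outage records, applies a hypothetical contract definition (scheduled maintenance excluded from both numerator and denominator, outages clipped to the billing month), looks up the credit tier, and compares the result with the vendor's self-reported figure. The SLA terms, credit schedule, outage and maintenance windows are all constructed for illustration.

```python
"""Client-side SLA availability check (added example, not from the slides).

Assumed, hypothetical contract language: availability = minutes the service
answers the customer's own external probe, per calendar month (UTC), with
scheduled maintenance excluded from numerator and denominator alike.
Credit schedule below is likewise hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FMT = "%Y-%m-%dT%H:%MZ"


@dataclass(frozen=True)
class Window:
    start: datetime
    end: datetime

    def clip(self, lo: datetime, hi: datetime) -> Window | None:
        """Intersect with [lo, hi); None if the intervals do not overlap."""
        s, e = max(self.start, lo), min(self.end, hi)
        return Window(s, e) if s < e else None

    @property
    def minutes(self) -> float:
        return (self.end - self.start) / timedelta(minutes=1)


def parse_windows(text: str) -> list[Window]:
    """One window per line: '<start> <end>' in UTC, e.g. 2015-03-12T14:00Z."""
    out = []
    for line in text.strip().splitlines():
        a, b = line.split()[:2]
        out.append(Window(datetime.strptime(a, FMT).replace(tzinfo=UTC),
                          datetime.strptime(b, FMT).replace(tzinfo=UTC)))
    return out


# Constructed customer monitoring records for March 2015 (not vendor figures).
OUTAGES = parse_windows("""
2015-03-04T02:10Z 2015-03-04T02:55Z
2015-03-12T14:00Z 2015-03-12T15:30Z
2015-03-31T23:40Z 2015-04-01T00:20Z
""")
MAINTENANCE = parse_windows("""
2015-03-04T02:00Z 2015-03-04T03:00Z
""")
PERIOD = (datetime(2015, 3, 1, tzinfo=UTC), datetime(2015, 4, 1, tzinfo=UTC))

# Hypothetical credit schedule: (minimum availability %, credit % of monthly fee).
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


def unplanned_downtime_minutes(outages, maintenance, period) -> float:
    """Outage minutes inside the period that no maintenance window excuses."""
    lo, hi = period
    total = 0.0
    for o in outages:
        o = o.clip(lo, hi)  # an outage crossing the month boundary counts only inside it
        if o is None:
            continue
        counted = o.minutes
        for m in maintenance:
            overlap = o.clip(m.start, m.end)  # minutes already excused as scheduled
            if overlap:
                counted -= overlap.minutes
        total += max(counted, 0.0)
    return total


def availability_percent(outages, maintenance, period) -> float:
    lo, hi = period
    base = Window(lo, hi).minutes
    for m in maintenance:
        m = m.clip(lo, hi)
        if m:
            base -= m.minutes  # maintenance leaves the denominator as well
    down = unplanned_downtime_minutes(outages, maintenance, period)
    return 100.0 * (base - down) / base


def credit_percent(availability: float) -> int:
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def reconcile(client_pct: float, vendor_pct: float, tolerance: float = 0.01) -> bool:
    """True when the vendor's self-reported figure agrees with the customer's data."""
    return abs(client_pct - vendor_pct) <= tolerance


if __name__ == "__main__":
    avail = availability_percent(OUTAGES, MAINTENANCE, PERIOD)
    print(f"March 2015 availability: {avail:.3f}%  credit due: {credit_percent(avail)}%")
    vendor_claim = 99.95  # constructed self-audit figure
    if not reconcile(avail, vendor_claim):
        print(f"vendor reported {vendor_claim}%; dispute with the probe records")
```

With the constructed data the first outage falls entirely inside the maintenance window and is excused, the third is cut at the month boundary, and the month lands below 99.9%, so a credit is due; the point for the contract is that every one of those decisions (what excuses an outage, which clock, which month, what counts as "down") has to be written into the SLA definition, or the vendor's self-audit and the customer's records will never agree.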

2) Service Level Agreements
SLA Remedies

Goal is Good Service, Not Credits


2) Service Level Agreements
SLA Remedies
Reputational Penalties
Disqualification From Future Contract Bids
Rewards For Exceeding Service Levels
What Remedies Meet Your Needs?


3) Data Protection, Access & Location
Ownership of Data
Good News = More Vendors Including
This in Standard Contract

http://www.flickr.com/photos/ian-s/2152798588/

Vendors Are Willing to Listen
Your Organization Owns the Results
of Any Processing of Your Data

3) Data Protection, Access & Location
To Avoid Vendor Lock-In
Plan In Advance
How You Will Switch
To A Different Solution

3) Data Protection, Access & Location
Data Access/Disposition
• Process
• Timeframe
• Format
• Cost (Egress Fees?)
• Destruction

3) Data Protection, Access & Location
Data Breaches

http://www.flickr.com/photos/nostalgicglass/1188551383/

Repercussions Vary
According to Data Type
Know In Advance
What Type of Data You’ll Be Processing/Storing

3) Data Protection, Access & Location
Data Breaches
• Notification (incl. timeframe)
• Details (circumstances, type of data, etc.)
• Corrective Action
• Indemnification


3) Data Protection, Access & Location
Location of Data

http://commons.wikimedia.org/wiki/File:Worldmap_LandAndPolitical.jpg

Different Laws
Which Law Applies to My Data?
Identify/Restrict Data Center Location(s)

3) Data Protection, Access & Location

http://www.flickr.com/photos/kenmccown/3917497679/sizes/l/in/photostream/

Legal Requests for Access to Data
Notification of Requests
Before They Provide Access To Your Data
Cooperate in Managing Release
Limit Any Release to the Extent Possible, and to
the Minimum Required by Law


4) Vendor Relationship
Issues Not Unique to Cloud Computing,
but Essential
Most Leverage = Before Signing/Paying
Cost of Change = Significant


4) Vendor Relationship
Contractually Codify in Advance
Terms to Continue Using
Terms to Terminate/Change


4) Vendor Relationship
Cost to Continue Using

http://www.flickr.com/photos/banky177/1664346876/

Renewal Price Caps as the Lesser of:
• Consumer Price Index (CPI)
• A Set Percentage (0%, 3%, 5%, etc.)
• Cloud Vendor’s “List Price”
• What Others Pay
Going Forward For As Long As Possible

4) Vendor Relationship
Termination
Keep Decision Within Your Control
Restrict to Triggering Events
Include Customer Opportunity to Cure
Exclude Legitimate Payment Disputes

4) Vendor Relationship
Mergers and Acquisitions

http://www.flickr.com/photos/wokka/3585254925/sizes/l/in/photostream/

Due Diligence
None of Us Can Predict the Future
Evolving Market Space
Terms Binding on Successors/Assigns

4) Vendor Relationship
Vendor Outsourcing

http://commons.wikimedia.org/wiki/File:Connected-world.jpg

Increases Complexity
Vendor to Identify Third Parties
Vendor Remains Responsible


Next Steps

http://www.flickr.com/photos/kleinz/3552012856/

Cloud Computing is Big


Next Steps
Broad Set of Implications
From Meeting Business Needs
To Compliance With Policy/Law
Beyond Responsibilities of One Position

Next Steps

commons.wikimedia.org/wiki/File:RockIslandIndependentsTeamPhoto1919.jpg

So Don’t Go It Alone; Involve:
• Business Process Owner
• IT Vendor Management
• IT - Technical
• IT - Security/Policy
• Procurement
• Legal Affairs
• Risk Management
• Audit/Compliance/Governance/Privacy

Next Steps
Working Together
Effectively Manage
Develop Guidelines/Best Practices
Re: Appropriate Acquisition/Use
