Practical Guide to Cloud Service
Agreements, Version 2.0
http://cloud-council.org/resource-hub.htm#practical-guide-to-cloud-service-agreements-version-2
June, 2015
The Cloud Standards Customer Council: THE Customer’s Voice for Cloud Standards!
• Provide customer-led guidance to multiple cloud standards-defining bodies
• Establish criteria for open standards based cloud computing
500+ organizations participating
2011/2012 Deliverables
• Practical Guide to Cloud Computing
• Practical Guide to Cloud SLAs
• Security for Cloud Computing
• Impact of Cloud Computing on Healthcare
2013/2014 Deliverables
• Convergence of SoMoClo
• Analysis of Public Cloud SLAs
• Cloud Security Standards
• Migrating Apps to Public Cloud
2015 Projects (partial)
• Update to Security for Cloud Computing whitepaper
• Update to Practical Guide to Cloud Service Agreements
• Practical Guide to Privacy for the Public Sector
• Practical Guide to PaaS
• Social Business in the Cloud
• Big Data in the Cloud
• PGCC Version 2
• Migrating Apps: Performance Rqmnts
• Cloud Interoperability/Portability
http://cloud-council.org
Practical Guide to Cloud Service Agreements, Version 2
Revision Highlights
• Terminology changes have been made: SLA replaced by CSA
• The Current CSA Landscape section updated to reflect current market dynamics
• All ten steps in the Guide for Evaluating Cloud Service Agreements section have been updated to reflect current best practices
• References to cloud computing standards have been updated
• References added to published CSCC whitepapers
Cloud Service Agreements: Current Landscape
A CSA comprises three major artifacts:
• Customer Agreement
• Acceptable Use Policy
• Service Level Agreement
Customers must pay close attention to CSA language and clauses
• Mismatches between customer expectations and service terms are common
Service level guarantees for IaaS are better defined than for SaaS or PaaS
Service levels are more flexible and negotiable for private cloud than for public cloud
Size matters
• Larger customers have more power to negotiate favorable terms
• Over time, changes imposed by larger customers will trickle down to all customers
CSCC Practical Guide to Cloud Service Agreements
A reference to help enterprise IT & business decision makers as they analyze and compare service agreements from different cloud service providers.
10 Steps to Evaluate Cloud Service Agreements
1. Understand roles and responsibilities
2. Evaluate business level policies
3. Understand service and deployment model differences
4. Identify critical performance objectives
5. Evaluate security and privacy requirements
6. Identify service management requirements
7. Prepare for service failure management
8. Understand the disaster recovery plan
9. Define an effective governance process
10. Understand the exit process
“Cloud service agreements are important to clearly set expectations for service between cloud consumers and providers. Providing guidance to decision makers on what to expect and what to be aware of as they evaluate and compare SLAs from cloud computing providers is critical since standard terminology and values for cloud SLAs are emerging but currently do not exist.” – Melvin Greer, Senior Fellow and Chief Strategist, Cloud Computing, Lockheed Martin
Step 1: Understand roles and responsibilities
Considerations
Full understanding of responsibilities between the cloud service customer and the cloud service provider is critical
Ensure the CSA makes clear statements about activities and responsibilities of the various customer and provider sub-roles
Responsibility for detecting and reporting incidents should be clearly stated in the CSA
[Figure: cloud computing roles and sub-roles. Parties: Cloud Service Customer, Cloud Service Provider, Cloud Service Partner. Sub-roles shown: cloud service user, cloud service administrator, cloud service integrator, cloud service business manager, cloud service operations manager, cloud service security & risk manager, cloud service deployment manager, network provider, customer support & care representative, inter-cloud provider, cloud service developer, cloud auditor, cloud service broker. Source: ISO/IEC 17789]
Step 2: Evaluate Business-Level Policies
The concern here is the alignment of the policies expressed (or implied) in the CSA with those of the customer
Business Policies
Guarantees
Acceptable Use Policy (AUP)
List of Services Not Covered
Excess Usage Billing
Service Activation
Payment Terms and Penalties
Governance
Change Notification and Management
Support, Prioritization, Escalation
Definition of Business Hours / Prime Time
Planned Maintenance
Renewals
Transferability
Subcontracted Services
Licensed Software
Industry-Specific Standards (HIPAA…)
Country-Specific Laws & Regulations
Data Policies
Preservation and Redundancy
Data Location
  • Data Residency
  • Notification of Relocation
Data Seizure by Law Enforcement
Data Privacy
  • Also see Step 5
Data Availability
Step 3: Understand Service & Deployment Model Differences
CSA contents will vary according to the choice of service model and deployment model
Deployment Model
Private (on premises)
  • IT department needs to establish a service agreement with internal users
Private (outsourced)
  • Similar to traditional IT outsourcing
Public
  • Stronger requirements to make multitenancy safe and effective
Hybrid
  • Same as public but with added integration requirements between internal and external resources
Community
  • Similar to public
Service Model
IaaS
  • Similar to IT outsourcing
  • Metrics focused on availability and performance of the servers, network and data storage
PaaS
  • Distinguish “integrated solutions” and “deploy-based solutions”
  • Consider requiring compliance with standards like OASIS’ TOSCA
SaaS
  • Focus on the end-to-end performance of the application
  • Very dependent on the specific app
Step 4: Identify Critical Performance Objectives
Adopt standard definitions (e.g., from IEEE) of availability and response times
Consider not just the computing hardware, but also the facility (backup, power, etc.)
Identify critical metrics based on business needs
The guide provides a sample set of CSA content:
• Availability and response time metrics
• Constraints
• Collection methods and frequency
• Usage in Service Level Agreement (e.g., to calculate penalties for violations)
Step 5: Evaluate Security and Privacy Requirements
a) Security
The key difference with traditional IT environments is the extra level of concern among stakeholders, due in particular to multitenancy
Need to secure all assets: information and applications
Define (if it doesn’t yet exist) and apply a security classification scheme for all assets
The Cloud Security Alliance (CSA) provides useful guidance
Evaluate Security
Asset sensitivity
Understand the legal and regulatory requirements, especially on data breaches
Establish security metrics
Implement policies and procedures against the unauthorized use of data
  • Including technical measures such as IP range blocking, etc.
Assess provider security capabilities
Assess provider governance
Assess provider security compliance
Step 5: Evaluate Security and Privacy Requirements (cont’d)
b) Privacy
PII = Personally Identifiable Information (name, DOB, address, national ID no., etc.)
Tangled web of national, international, industry and local regulations… that are evolving rapidly
Data may fall under different jurisdictions over time or even at the same time
Moving data for backup and load balancing purposes may have privacy implications, and this is less predictable in the cloud
Evaluate Privacy
Assess the presence and characteristics of PII
  • What PII is being stored?
  • Where is it being stored?
  • Where is the customer based?
  • Where is the provider based?
  • Where are the users of the data located?
  • What are the nationalities of the people whose data is being stored?
Based on all this, which laws and regulations apply?
Are they addressed in the CSA?
What are the rules about data movement, backup, and retention?
Do these processes risk violating the laws and regulations?
Step 6: Identify service management requirements
Considerations
Organizations must monitor and manage the cloud services they use
Aspects contributing to service management
• Auditing
  • is the provider’s management system adequate?
• Monitoring and reporting
  • visibility of service performance
• Measurement & metering
  • are you getting what you’re paying for?
• Provisioning
  • can you change resources quickly?
• Change management
  • transparent process for changes
• Upgrades & patching
Step 7: Prepare for service failure management
Considerations
Process that happens when a cloud service fails to meet expected behavior
• complete failure
• performance issues
Detection & alerting
• may need customer-side monitoring
• provider-side monitoring & notification if available
Reporting processes for customer-detected failures
Provider processes for dealing with failures
Remedies for failures
Limitations
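Steps 4 and 7 both rest on the customer being able to measure what the CSA promises: availability and response time against defined thresholds, with the result feeding a penalty calculation (Step 4), and customer-side detection of failures that can then be reported to the provider (Step 7). The following Python example is added here to illustrate that measurement; it is not code from the CSCC guide. The probe log, the planned maintenance window, the 99.9% availability target, the 500 ms 95th-percentile response-time target, the service-credit tiers and the two-probe incident rule are all constructed assumptions, and a real CSA may define availability on minutes of downtime rather than on probe counts.

```python
import math
from datetime import datetime

# Constructed customer-side probe log (not real data): one synthetic
# transaction against the service every five minutes.
# Fields: ISO timestamp, result, latency in milliseconds.
PROBE_LOG = """\
2015-06-01T00:00:00 OK 120
2015-06-01T00:05:00 OK 135
2015-06-01T00:10:00 FAIL 0
2015-06-01T00:15:00 FAIL 0
2015-06-01T00:20:00 FAIL 0
2015-06-01T00:25:00 OK 140
2015-06-01T02:00:00 FAIL 0
2015-06-01T02:05:00 FAIL 0
2015-06-01T02:10:00 OK 110
2015-06-01T03:00:00 OK 900
2015-06-01T03:05:00 OK 125
"""

# Hypothetical CSA terms (assumptions, not taken from any real agreement).
MAINTENANCE = (datetime(2015, 6, 1, 2, 0), datetime(2015, 6, 1, 2, 15))  # excluded window
AVAILABILITY_TARGET = 99.9      # percent, per measurement period
P95_LATENCY_TARGET_MS = 500     # 95th-percentile response time
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]  # (min availability %, credit %)
OUTAGE_PROBES = 2               # consecutive failed probes that make a reportable incident


def parse_probes(text):
    """Parse log lines into (timestamp, succeeded, latency_ms) tuples."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, latency = line.split()
        probes.append((datetime.fromisoformat(ts), result == "OK", int(latency)))
    return probes


def in_maintenance(ts, window=MAINTENANCE):
    start, end = window
    return start <= ts < end


def availability_percent(probes, window=MAINTENANCE):
    """Successful probes as a share of all probes outside planned maintenance."""
    counted = [ok for ts, ok, _ in probes if not in_maintenance(ts, window)]
    if not counted:
        return 100.0
    return 100.0 * sum(counted) / len(counted)


def p95_latency_ms(probes, window=MAINTENANCE):
    """Nearest-rank 95th percentile of successful probes outside maintenance."""
    latencies = sorted(lat for ts, ok, lat in probes if ok and not in_maintenance(ts, window))
    if not latencies:
        return 0
    return latencies[math.ceil(0.95 * len(latencies)) - 1]


def service_credit_percent(availability, tiers=CREDIT_TIERS):
    """Credit from the first tier whose minimum availability the measured value meets."""
    for minimum, credit in tiers:
        if availability >= minimum:
            return credit
    return tiers[-1][1]


def _incident(run):
    return {"start": run[0], "last_failed_probe": run[-1], "failed_probes": len(run)}


def detect_incidents(probes, min_failed=OUTAGE_PROBES, window=MAINTENANCE):
    """Runs of consecutive failed probes outside maintenance, ready to report to the provider.
    A probe inside the maintenance window ends a run, so failures spanning it are split."""
    incidents, run = [], []
    for ts, ok, _ in probes:
        if not ok and not in_maintenance(ts, window):
            run.append(ts)
            continue
        if len(run) >= min_failed:
            incidents.append(_incident(run))
        run = []
    if len(run) >= min_failed:
        incidents.append(_incident(run))
    return incidents


def csa_report(text=PROBE_LOG):
    """Measured metrics, breach flags, credit owed and incident list for one period."""
    probes = parse_probes(text)
    avail = availability_percent(probes)
    p95 = p95_latency_ms(probes)
    return {
        "availability_percent": round(avail, 2),
        "availability_breached": avail < AVAILABILITY_TARGET,
        "p95_latency_ms": p95,
        "latency_breached": p95 > P95_LATENCY_TARGET_MS,
        "service_credit_percent": service_credit_percent(avail),
        "incidents": detect_incidents(probes),
    }


if __name__ == "__main__":
    for key, value in csa_report().items():
        print(key, value)
```

On the constructed log the two failures inside the maintenance window are excluded, the three consecutive failures at 00:10–00:20 become one reportable incident, and the single 900 ms response is enough to push the 95th percentile over the assumed target. Which probes count, how the percentile is defined and whether planned maintenance is excluded are exactly the CSA terms Step 4 says to pin down before the numbers mean anything.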
Step 8: Understand the disaster recovery plan
Considerations
Part of business continuity
• recover applications, data, communications in the face of disaster
Clear responsibilities:
• provider disaster recovery?
• customer disaster recovery?
Techniques:
• multiple redundant data centers
• replicated data stores
• multiple redundant networks
• multiple app instances
• automated failover
Failure of the cloud service provider?
Step 9: Define an effective governance policy
Considerations
Governance complicated by responsibility split between customer and provider
• control and oversight
• elements controlled by provider
Key elements:
• periodic assessment – service levels, compliance
• reports – key indicators, service failures
• problem reporting & status
• change notifications
• request processing
• user satisfaction
Escalation process
• up to & including termination of service agreement
Step 10: Understand the exit process
Considerations
Exit process should be part of any CSA
Customer exit plan
• procedures
• provider assistance
• fees
• retrieval of customer data
• business continuity during exit
Requirement for provider to delete / make inaccessible copies of customer data
Requirement for provider to cleanse log & audit data
• retention of records for specified periods may be required by law
Summary
Develop a strong business case and strategy for the cloud computing environment
Assess the provider’s CSA against functional and non-functional requirements
Determine how to monitor CSA performance
Ensure an adequate disaster recovery plan can be defined and executed
Ensure support for an efficient exit process
Call to Action
Join the CSCC Now!
– To have an impact on customer use case based standards requirements
– To learn about all Cloud Standards within one organization
– To help define the CSCC’s future roadmap
– Membership is free & easy: http://www.cloud-council.org/application
Get Involved!
– Join one or more of the CSCC Working Groups
  • http://www.cloud-council.org/workinggroups.htm
Additional Resources
Customer Cloud Architecture for Mobile
http://bit.ly/1cGs5Xj
Practical Guide to Cloud Service Agreements, V2
http://bit.ly/1IQxrdg
Public Cloud Service Agreements: What to Expect & What to Negotiate
http://bit.ly/1GKbI8O
Practical Guide to Cloud Computing, V2
http://bit.ly/1MwD9mZ
Security for Cloud Computing: 10 Steps to Ensure Success, V2
http://bit.ly/1L3D9gZ
Cloud Security Standards: What to Expect & What to Negotiate
http://bit.ly/18fZFl3
Interoperability and Portability for Cloud Computing: A Guide
http://bit.ly/1Fg7lkk
Migrating Applications to Public Cloud Services: Roadmap for Success
http://bit.ly/1B9YGJy
Web Application Hosting Cloud Solution Architecture
http://bit.ly/1DbOszm
Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success
http://bit.ly/1EDTe9o
Impact of Cloud Computing on Healthcare
http://bit.ly/1B9ZP42
Thank You