
Practical Guide to Cloud Service Agreements, Version 2.0
http://cloud-council.org/resource-hub.htm#practical-guide-to-cloud-service-agreements-version-2
June, 2015
The Cloud Standards Customer Council: THE Customer's Voice for Cloud Standards!



  2. The Cloud Standards Customer Council: THE Customer's Voice for Cloud Standards!
     - Provide customer-led guidance to multiple cloud standards-defining bodies
     - Establishing criteria for open standards based cloud computing
     - 500+ participating organizations
     2011/2012 Deliverables: Practical Guide to Cloud Computing; Practical Guide to Cloud SLAs; Security for Cloud Computing; Impact of Cloud Computing on Healthcare; Social Business in the Cloud
     2013/2014 Deliverables: Big Data in the Cloud; Convergence of SoMoClo; PGCC Version 2; Analysis of Public Cloud SLAs; Migrating Apps: Performance Rqmnts; Cloud Security Standards; Cloud Interoperability/Portability; Migrating Apps to Public Cloud
     2015 Projects (partial): Update to Security for Cloud Computing whitepaper; Update to Practical Guide to Cloud Service Agreements; Practical Guide to Privacy for the Public Sector; Practical Guide to PaaS
     http://cloud-council.org

  3. Practical Guide to Cloud Service Agreements, Version 2: Revision Highlights
     - Terminology changes have been made: SLA replaced by CSA
     - The Current CSA Landscape section updated to reflect current market dynamics
     - All ten steps in the Guide for Evaluating Cloud Service Agreements section have been updated to reflect current best practices
     - References to cloud computing standards have been updated
     - References added to published CSCC whitepapers

  4. Cloud Service Agreements: Current Landscape
     - A CSA is comprised of three major artifacts:
       • Customer Agreement
       • Acceptable Use Policy
       • Service Level Agreement
     - Customers must pay close attention to CSA language and clauses
       • Mismatch between expectations and service terms is common
     - Service level guarantees for IaaS are better defined than for SaaS or PaaS
     - Service levels are more flexible and negotiable for private cloud than public cloud
     - Size matters
       • Larger customers have more power to negotiate favorable terms
       • Over time, changes imposed by larger customers will trickle down to all customers

  5. CSCC Practical Guide to Cloud Service Agreements
     A reference to help enterprise IT & business decision makers as they analyze and compare service agreements from different cloud service providers.

     10 Steps to Evaluate Cloud Service Agreements
     1. Understand roles and responsibilities
     2. Evaluate business level policies
     3. Understand service and deployment model differences
     4. Identify critical performance objectives
     5. Evaluate security and privacy requirements
     6. Identify service management requirements
     7. Prepare for service failure management
     8. Understand the disaster recovery plan
     9. Define an effective governance process
     10. Understand the exit process

     "Cloud service agreements are important to clearly set expectations for service between cloud consumers and providers. Providing guidance to decision makers on what to expect and what to be aware of as they evaluate and compare SLAs from cloud computing providers is critical since standard terminology and values for cloud SLAs are emerging but currently do not exist." Melvin Greer, Senior Fellow and Chief Strategist, Cloud Computing, Lockheed Martin

  6. Step 1: Understand roles and responsibilities
     Considerations
     - Full understanding of responsibilities between the cloud service customer and the cloud service provider is critical
     - Ensure the CSA makes clear statements about activities and responsibilities of the various customer and provider subroles
     - Responsibility for detecting and reporting incidents should be clearly stated in the CSA

     Figure (source: ISO/IEC 17789): cloud computing roles and their sub-roles
     - Cloud Service Customer: cloud service user, cloud service administrator, cloud service business manager, cloud service integrator
     - Cloud Service Partner: cloud service developer, cloud auditor, cloud service broker
     - Cloud Service Provider: cloud service operations manager, cloud service deployment manager, cloud service manager, cloud service business manager, customer support & care representative, inter-cloud provider, cloud service security & risk manager, network provider

  7. Step 2: Evaluate Business-Level Policies
     The concern here is the alignment of the policies expressed (or implied) in the CSA with those of the customer

     Business Policies
     - Guarantees
     - Acceptable Use Policy (AUP)
     - List of Services Not Covered
     - Excess Usage Billing
     - Service Activation
     - Payment Terms and Penalties
     - Governance
     - Change Notification and Management
     - Support, Prioritization, Escalation
     - Definition of Business Hours / Prime Time
     - Planned Maintenance
     - Renewals
     - Transferability
     - Subcontracted Services
     - Licensed Software
     - Industry-Specific Standards (HIPAA…)
     - Country-Specific Laws & Regulations

     Data Policies
     - Preservation and Redundancy
     - Data Location
       • Data Residency
       • Notification of Relocation
     - Data Seizure by Law Enforcement
     - Data Privacy
       • Also see Step 5
     - Data Availability

  8. Step 3: Understand Service & Deployment Model Differences
     CSA contents will vary according to the choice of service model and deployment model

     Service Model
     - IaaS
       • Similar to IT outsourcing
       • Metrics focused on availability and performance of the servers, network and data storage
     - PaaS
       • Distinguish "integrated solutions" and "deploy-based solutions"
       • Consider requiring compliance with standards like OASIS' TOSCA
     - SaaS
       • Focus on the end-to-end performance of the application
       • Very dependent on the specific app

     Deployment Model
     - Private (on premises)
       • IT department needs to establish a service agreement with internal users
     - Private (outsourced)
       • Similar to traditional IT outsourcing
     - Public
       • Stronger requirements to make multitenancy safe and effective
     - Hybrid
       • Same as public but with added integration requirements between internal and external resources
     - Community
       • Similar to public

  9. Step 4: Identify Critical Performance Objectives
     - Adopt standard definitions (e.g., from IEEE) of availability and response times
     - Consider not just the computing hardware, but also the facility (backup, power, etc.)
     - Identify critical metrics based on business needs
     - The guide provides a sample set of CSA content:
       • Availability and response time metrics
       • Constraints
       • Collection methods and frequency
       • Usage in Service Level Agreement (e.g., to calculate penalties for violations)
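As an added illustration of Step 4 (this code is not from the CSCC guide or any provider), the check below computes a month's availability from the customer's own outage log, treating planned maintenance either way because that is a CSA definition, then looks up a service credit and a response-time percentile. The outage records, response samples and credit tiers are all constructed for the example.

```python
"""Added example: checking measured service levels against CSA targets (Step 4)."""
import math
from datetime import datetime
# Constructed sample input (not real provider data): one billing month and the
# customer's own outage log as (start, end, planned_maintenance) tuples.
MONTH_START = datetime(2015, 6, 1)
MONTH_END = datetime(2015, 7, 1)  # 30 days = 43,200 minutes
OUTAGES = [
    (datetime(2015, 6, 3, 2, 0), datetime(2015, 6, 3, 4, 0), True),  # announced maintenance
    (datetime(2015, 6, 10, 14, 5), datetime(2015, 6, 10, 15, 35), False),  # 90 min unplanned
    (datetime(2015, 6, 22, 9, 0), datetime(2015, 6, 22, 9, 50), False),  # 50 min unplanned
]
# Constructed response-time samples (ms) from the customer's own probes.
RESPONSE_MS = [120, 95, 310, 140, 180, 200, 90, 250, 130, 160]
# Hypothetical credit schedule (availability floor %, service credit %),
# highest floor first. A real schedule comes from the CSA itself.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (0.0, 25)]

def availability_pct(outages, start, end, exclude_planned=True):
    """(window minutes - counted downtime) / window minutes * 100. Whether planned
    maintenance counts is a CSA definition, so the flag lets you compute both readings."""
    window = (end - start).total_seconds() / 60
    down = 0.0
    for s, e, planned in outages:
        if planned and exclude_planned:
            continue
        s, e = max(s, start), min(e, end)  # clip to the billing window
        if e > s:
            down += (e - s).total_seconds() / 60
    return round((window - down) / window * 100, 3)

def credit_pct(availability, tiers=CREDIT_TIERS):
    """Service credit owed for a measured availability."""
    for floor, credit in tiers:
        if availability >= floor:
            return credit
    return tiers[-1][1]

def percentile_ms(samples, p):
    """Nearest-rank percentile. The CSA must name its percentile definition,
    since different definitions give different numbers for the same data."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def evaluate_month():
    strict = availability_pct(OUTAGES, MONTH_START, MONTH_END, exclude_planned=False)
    contractual = availability_pct(OUTAGES, MONTH_START, MONTH_END)
    return {"availability_all": strict, "availability_csa": contractual,
            "credit_pct": credit_pct(contractual), "p95_ms": percentile_ms(RESPONSE_MS, 95)}
```

The gap between the two availability readings is exactly the kind of definitional detail the slide says to pin down before signing.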

  10. Step 5: Evaluate Security and Privacy Requirements
      a) Security
      - The key difference with traditional IT environments is the extra level of concern among stakeholders, due in particular to multitenancy
      - Need to secure all assets: information and applications
      - Define (if it doesn't yet exist) and apply a security classification scheme for all assets
      - The Cloud Security Alliance (CSA) provides useful guidance

      Evaluate Security
      - Asset sensitivity
      - Understand the legal and regulatory requirements, especially on data breaches
      - Establish security metrics
      - Implement policies and procedures against the unauthorized use of data
        • Including technical measures such as IP range blocking, etc.
      - Assess provider security capabilities
      - Assess provider governance
      - Assess provider security compliance

  11. Step 5: Evaluate Security and Privacy Requirements (cont'd)
      b) Privacy
      - PII = Personally Identifiable Information (name, DOB, address, national ID no., etc.)
      - Tangled web of national, international, industry and local regulations… that are evolving rapidly
      - Data may fall under different jurisdictions over time or even at the same time
      - Moving data for backup and load balancing purposes may have privacy implications, and this is less predictable in the cloud

      Evaluate Privacy
      - Assess the presence and characteristics of PII
        • What PII is being stored?
        • Where is it being stored?
        • Where is the customer based?
        • Where is the provider based?
        • Where are the users of the data located?
        • What are the nationalities of the people whose data is being stored?
      - Based on all this, which laws and regulations apply?
      - Are they addressed in the CSA?
      - What are the rules about data movement, backup, and retention?
      - Do these processes risk violating the laws and regulations?

  12. Step 6: Identify service management requirements
      Considerations
      - Organizations must monitor and manage the cloud services they use
      - Aspects contributing to service management
        • Auditing: is the provider's management system adequate?
        • Monitoring and reporting: visibility of service performance
        • Measurement & metering: are you getting what you're paying for?
        • Provisioning: can you change resources quickly?
        • Change management: transparent process for changes
        • Upgrades & patching
