SLIDE 1

Practical Guide to Cloud Service Agreements, Version 2.0

http://cloud-council.org/resource-hub.htm#practical-guide-to-cloud-service-agreements-version-2

June, 2015

SLIDE 2

The Cloud Standards Customer Council

THE Customer’s Voice for Cloud Standards!

  • Provide customer-led guidance to multiple cloud standards-defining bodies
  • Establishing criteria for open standards based cloud computing

500+ Organizations participating

2011/2012 Deliverables

  • Practical Guide to Cloud Computing
  • Practical Guide to Cloud SLAs
  • Security for Cloud Computing
  • Impact of Cloud Computing on Healthcare

2013/2014 Deliverables

  • Convergence of SoMoClo
  • Analysis of Public Cloud SLAs
  • Cloud Security Standards
  • Migrating Apps to Public Cloud

2015 Projects (partial)

  • Update to Security for Cloud Computing whitepaper
  • Update to Practical Guide to Cloud Service Agreements
  • Practical Guide to Privacy for the Public Sector
  • Practical Guide to PaaS
  • Social Business in the Cloud
  • Big Data in the Cloud
  • PGCC Version 2
  • Migrating Apps: Performance Rqmnts
  • Cloud Interoperability/Portability

http://cloud-council.org

SLIDE 3

Practical Guide to Cloud Service Agreements, Version 2

Revision Highlights

  • Terminology changes have been made - SLA replaced by CSA
  • The Current CSA Landscape section updated to reflect current market dynamics
  • All ten steps in the Guide for Evaluating Cloud Service Agreements section have been updated to reflect current best practices
  • References to cloud computing standards have been updated
  • References added to published CSCC whitepapers

SLIDE 4

Cloud Service Agreements: Current Landscape

Current Landscape

  • CSA is comprised of three major artifacts:
    • Customer Agreement
    • Acceptable Use Policy
    • Service Level Agreement
  • Customers must pay close attention to CSA language and clauses
  • Mismatch between expectations and service terms common
  • Service level guarantees for IaaS better defined than SaaS or PaaS
  • Service levels more flexible and negotiable for private cloud than public cloud
  • Size matters
    • Larger customers have more power to negotiate favorable terms
    • Over time, changes imposed by larger customers will trickle down to all customers

SLIDE 5

CSCC Practical Guide to Cloud Service Agreements

A reference to help enterprise IT & business decision makers as they analyze and compare service agreements from different cloud service providers.

10 Steps to Evaluate Cloud Service Agreements

1. Understand roles and responsibilities
2. Evaluate business level policies
3. Understand service and deployment model differences
4. Identify critical performance objectives
5. Evaluate security and privacy requirements
6. Identify service management requirements
7. Prepare for service failure management
8. Understand the disaster recovery plan
9. Define an effective governance process
10. Understand the exit process

"Cloud service agreements are important to clearly set expectations for service between cloud consumers and providers. Providing guidance to decision makers on what to expect and what to be aware of as they evaluate and compare SLAs from cloud computing providers is critical since standard terminology and values for cloud SLAs are emerging but currently do not exist." Melvin Greer, Senior Fellow and Chief Strategist, Cloud Computing, Lockheed Martin

SLIDE 6

Step 1: Understand roles and responsibilities

Considerations

  • Full understanding of responsibilities between the cloud service customer and the cloud service provider is critical
  • Ensure CSA makes clear statements about activities and responsibilities of the various customer and provider subroles
  • Responsibility for detecting and reporting incidents should be clearly stated in the CSA

Roles and subroles (figure on the original slide):

  • Cloud Service Customer: cloud service user, cloud service administrator, cloud service integrator, cloud service business manager
  • Cloud Service Provider: cloud service administrator, cloud service operations manager, cloud service business manager, cloud service security & risk manager, cloud service deployment manager, network provider, customer support & care representative, inter-cloud provider
  • Cloud Service Partner: cloud service developer, cloud auditor, cloud service broker

Source: ISO/IEC 17789

SLIDE 7

Step 2: Evaluate Business-Level Policies

Business Policies

  • Guarantees
  • Acceptable Use Policy (AUP)
  • List of Services Not Covered
  • Excess Usage Billing
  • Service Activation
  • Payment Terms and Penalties
  • Governance
  • Change Notification and Management
  • Support, Prioritization, Escalation
  • Definition of Business Hours / Prime Time
  • Planned Maintenance
  • Renewals
  • Transferability
  • Subcontracted Services
  • Licensed Software
  • Industry-Specific Standards (HIPAA…)
  • Country-Specific Laws & Regulations

Data Policies

  • Preservation and Redundancy
  • Data Location
  • Data Residency
  • Notification of Relocation
  • Data Seizure by Law Enforcement
  • Data Privacy
  • Also see Step 5
  • Data Availability

The concern here is the alignment of the policies expressed (or implied) in the CSA with those of the customer

SLIDE 8

Step 3: Understand Service & Deployment Model Differences

Deployment Model

  • Private (on premises)
    • IT department needs to establish a service agreement with internal users
  • Private (outsourced)
    • Similar to traditional IT outsourcing
  • Public
    • Stronger requirements to make multitenancy safe and effective
  • Hybrid
    • Same as public but with added integration requirements between internal and external resources
  • Community
    • Similar to public

Service Model

  • IaaS
    • Similar to IT outsourcing
    • Metrics focused on availability and performance of the servers, network and data storage
  • PaaS
    • Distinguish “integrated solutions” and “deploy-based solutions”
    • Consider requiring compliance with standards like OASIS’ TOSCA
  • SaaS
    • Focus on the end-to-end performance of the application
    • Very dependent on the specific app

CSA contents will vary according to the choice of service model and deployment model

SLIDE 9

Step 4: Identify Critical Performance Objectives

  • Adopt standard definitions (e.g., from IEEE) of availability and response times
  • Consider not just the computing hardware, but also the facility (backup, power, etc.)
  • Identify critical metrics based on business needs
  • The guide provides a sample set of CSA content:
    • Availability and response time metrics
    • Constraints
    • Collection methods and frequency
    • Usage in Service Level Agreement (e.g., to calculate penalties for violations)
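As an added worked example (not from the guide or the CSCC), the metrics listed above turned into a check a customer could run over its own probe data: availability and nearest-rank p95 response time computed from constructed samples, compared against assumed CSA targets, with a hypothetical service-credit tier table applied. The targets, tier thresholds and credit percentages are placeholders, not terms from any real agreement.

```python
import math

# Constructed sample: one synthetic reachability probe every 5 minutes,
# recorded as (service_reachable, response_ms). 200 probes, 3 failed.
PROBES = ([(True, 120.0)] * 100 + [(False, None)] * 3
          + [(True, 900.0)] * 2 + [(True, 150.0)] * 95)

# Assumed CSA terms (placeholders, not taken from any real agreement):
# availability target, p95 response-time target and service-credit tiers
# as (minimum availability %, credit % of monthly fee), highest tier first.
AVAILABILITY_TARGET_PCT = 99.9
RESPONSE_P95_TARGET_MS = 500.0
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]

def availability_pct(probes):
    """Availability as the percentage of probes that reached the service."""
    if not probes:
        raise ValueError("no probe samples collected")
    up = sum(1 for reachable, _ in probes if reachable)
    return 100.0 * up / len(probes)

def response_p95_ms(probes):
    """Nearest-rank 95th percentile of response time over successful probes."""
    times = sorted(ms for reachable, ms in probes if reachable and ms is not None)
    rank = math.ceil(0.95 * len(times))  # 1-based nearest rank
    return times[rank - 1]

def service_credit_pct(avail_pct, tiers=CREDIT_TIERS):
    """Credit owed under the tier table (tiers sorted by availability, descending)."""
    for min_avail, credit in tiers:
        if avail_pct >= min_avail:
            return credit
    return tiers[-1][1]  # below every listed tier: apply the last one

def evaluate(probes):
    """Compare measured metrics with the assumed CSA targets and compute the credit."""
    avail = availability_pct(probes)
    p95 = response_p95_ms(probes)
    return {
        "availability_pct": round(avail, 2),
        "availability_met": avail >= AVAILABILITY_TARGET_PCT,
        "response_p95_ms": p95,
        "response_met": p95 <= RESPONSE_P95_TARGET_MS,
        "credit_pct": service_credit_pct(avail),
    }

if __name__ == "__main__":
    for key, value in evaluate(PROBES).items():
        print(f"{key}: {value}")
```

With the constructed data the availability target is missed (98.5%) while the response-time target is met, which is why the two metrics and their collection frequency need to be stated separately in the CSA.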

SLIDE 10

Step 5: Evaluate Security and Privacy Requirements

Evaluate Security

  • Asset sensitivity
  • Understand the legal and regulatory requirements, especially on data breaches
  • Establish security metrics
  • Implement policies and procedures against the unauthorized use of data
    • Including technical measures such as IP range blocking, etc.
  • Assess provider security capabilities
  • Assess provider governance
  • Assess provider security compliance

a) Security

  • The key difference with traditional IT environments is the extra level of concern among stakeholders, due in particular to multitenancy
  • Need to secure all assets: information and applications
  • Define (if it doesn’t yet exist) and apply a security classification scheme for all assets
  • The Cloud Security Alliance (CSA) provides useful guidance

SLIDE 11

Step 5: Evaluate Security and Privacy Requirements (cont’d)

Evaluate Privacy

  • Assess the presence and characteristics of PII
    • What PII is being stored?
    • Where is it being stored?
    • Where is the customer based?
    • Where is the provider based?
    • Where are the users of the data located?
    • What are the nationalities of the people whose data is being stored?
  • Based on all this, which laws and regulations apply?
    • Are they addressed in the CSA?
  • What are the rules about data movement, backup, and retention?
    • Do these processes risk violating the laws and regulations?

b) Privacy

  • PII = Personally Identifiable Information (name, DOB, address, national ID no., etc.)
  • Tangled web of national, international, industry and local regulations…
  • … that are evolving rapidly
  • Data may fall under different jurisdictions over time or even at the same time
  • Moving data for backup and load balancing purposes may have privacy implications, and this is less predictable in the cloud

SLIDE 12

Step 6: Identify service management requirements

Considerations

  • Organizations must monitor and manage the cloud services they use
  • Aspects contributing to service management
    • Auditing
      • is the provider’s management system adequate?
    • Monitoring and reporting
      • visibility of service performance
    • Measurement & metering
      • are you getting what you’re paying for?
    • Provisioning
      • can you change resources quickly?
    • Change management
      • transparent process for changes
    • Upgrades & patching

SLIDE 13

Step 7: Prepare for service failure management

Considerations

  • Process that happens when cloud service fails to meet expected behavior
    • complete failure
    • performance issues
  • Detection & alerting
    • may need customer-side monitoring
    • provider-side monitoring & notification if available
  • Reporting processes for customer detected failures
  • Provider processes for dealing with failures
  • Remedies for failures
  • Limitations

SLIDE 14

Step 8: Understand the disaster recovery plan

Considerations

  • Part of business continuity
    • recover applications, data, communications in face of disaster
  • Clear responsibilities:
    • provider disaster recovery?
    • customer disaster recovery?
  • Techniques:
    • multiple redundant data centers
    • replicated data stores
    • multiple redundant networks
    • multiple app instances
    • automated failover
  • Failure of the cloud service provider?

SLIDE 15

Step 9: Define an effective governance policy

Considerations

  • Governance complicated by responsibility split between customer and provider
    • control and oversight
    • elements controlled by provider
  • Key elements:
    • periodic assessment – service levels, compliance
    • reports – key indicators, service failures
    • problem reporting & status
    • change notifications
    • request processing
    • user satisfaction
  • Escalation process
    • up to & including termination of service agreement

SLIDE 16

Step 10: Understand the exit process

Considerations

  • Exit process should be part of any CSA
  • Customer exit plan
    • procedures
    • provider assistance
    • fees
    • retrieval of customer data
    • business continuity during exit
  • Requirement for provider to delete / make inaccessible copies of customer data
  • Requirement for provider to cleanse log & audit data
    • retention of records for specified periods may be required by law

SLIDE 17

Summary

  • Develop a strong business case and strategy for cloud computing environment
  • Assess provider’s CSA against functional and non-functional requirements
  • Determine how to monitor CSA performance
  • Ensure an adequate disaster recovery plan can be defined and executed
  • Ensure support for an efficient exit process

SLIDE 18

Call to Action

  • Join the CSCC Now!
    – To have an impact on customer use case based standards requirements
    – To learn about all Cloud Standards within one organization
    – To help define the CSCC’s future roadmap
    – Membership is free & easy: http://www.cloud-council.org/application
  • Get Involved!
    – Join one or more of the CSCC Working Groups
      • http://www.cloud-council.org/workinggroups.htm

SLIDE 19

Additional Resources

  • Customer Cloud Architecture for Mobile
  • http://bit.ly/1cGs5Xj
  • Practical Guide to Cloud Service Agreements, V2
  • http://bit.ly/1IQxrdg
  • Public Cloud Service Agreements: What to Expect & What to Negotiate
  • http://bit.ly/1GKbI8O
  • Practical Guide to Cloud Computing, V2
  • http://bit.ly/1MwD9mZ
  • Security for Cloud Computing: 10 Steps to Ensure Success, V2
  • http://bit.ly/1L3D9gZ
  • Cloud Security Standards: What to Expect & What to Negotiate
  • http://bit.ly/18fZFl3
  • Interoperability and Portability for Cloud Computing: A Guide
  • http://bit.ly/1Fg7lkk
  • Migrating Applications to Public Cloud Services: Roadmap for Success
  • http://bit.ly/1B9YGJy
  • Web Application Hosting Cloud Solution Architecture
  • http://bit.ly/1DbOszm
  • Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success
  • http://bit.ly/1EDTe9o
  • Impact of Cloud Computing on Healthcare
  • http://bit.ly/1B9ZP42

SLIDE 20

Thank You