Cloud How to Get In and How to Get Out

Contract provisions
Steve Nichols
Georgia Technology Authority
Sept. 18, 2014
Cloud Ts & Cs Best Practice Guide
http://www.govtech.com/cdg/
Service Models
Data
Breach Notification
Security
Audits
Operations
Cloud Trends in Georgia State
Government
Small apps going to cloud
Large apps, apps with regulated data staying
in state data center
Primarily software as a service (SaaS)
Driven by business
Contracts
Contracts will be mostly silent on the things
Im going to tell you about
Compliance information and operational
processes will likely be on website
Security details will be in SSAE 16 SOC report
Put your reading glasses on
Contracts, continued
Infrastructure as a service (IaaS), Software as a
service (SaaS), Platform as a service (PaaS), or
cloud broker?
SaaS contracts are usually too small in dollars
to negotiate (much): prepare to be
disappointed
We always do this vs. We promise to do
this
Expect multiple layers of vendors
Getting In
Ownership of data
Location of data
Security
And Getting Out
Import/Export of Data
Termination/Suspension
Getting In: Data Ownership
The public jurisdiction owns all of its data.
The service provider will not access the data
except as needed to do the work of the
contract.
The public jurisdiction owns all data obtained
by the service provider in the performance of
this contract.
(applies to SaaS and IaaS)
Getting In: Data Location
Data at rest: the service provider will not store any of the
public jurisdictions data outside the U.S.
Laptops and USB drives: the service provider will not allow its
personnel or contractors to store public jurisdiction data on
portable devices, except for devices that are used and kept
only at its U.S. data centers.
Remote access: the service provider shall permit its personnel
and contractors to access public jurisdiction data remotely
only as required to provide technical support.
(applies to SaaS and IaaS)
Getting In: Security
The service provider will perform background checks
on staff, including subcontractors.
The service provider shall perform an independent
audit of its data centers at least annually.
That the service provider will make a version of that
audit available to you (probably as a SSAE 16 SOC 2
report)
Subcontractors!
(applies to SaaS and IaaS)
Getting Out: Why It Matters
Orderly retreat or rout?
Gartner: about 25% of the top 100 IT service
providers in the infrastructure space won't be around
by 2015
Nirvanix as a cautionary tale
Cloud storage provider (public, private, and hybrid),
founded in 2007
Notified customers to get their data on Sept. 16
th
, 2013
Deactivated website on Sept. 28
th
, filed for Chapter 11
bankruptcy on October 1
st
.
Getting Out: Import/Export of Data
The public jurisdiction can import or export its
data whenever needed.
Termination for convenience: be prepared for
30 days
Getting Out: Termination/Suspension
The service provider will not erase the public
jurisdictions data in the event of a suspension
or when the contract is terminated.
Specific time periods are established where
data will be preserved by the service provider.
The service provider will destroy data using a
NIST-approved method when requested by
the public jurisdiction.
Cloud Ts & Cs Best Practice Guide
http://www.govtech.com/cdg/