Abstract: "Expanded version of the paper I presented at the itSMF Spain Seventh National Congress, held within VISION12 CONFERENCE & EXHIBITION."
Some people could not attend the live presentation of this paper because, with simultaneous rooms at such a crowded conference, they were elsewhere, and they asked me to publish it on the Internet. Since the presentation had to work at a high level of abstraction, because of the usual lack of time and because part of the audience came from "interest groups" outside the itSMF field, I have merged the slides with the notes I prepared for them. The result is easier to follow than a bare MS PowerPoint deck.
I have structured the paper in four parts, although they are closely related to each other:
·
Chapters 1 and 2. Introduction to Cloud Computing and formalisation of the concepts needed to understand the remaining sections.
·
Chapter 3. To me this is the centrepiece of the paper, in line with the purpose of the itSMF itself, because it deals with the organisational implications of Cloud Computing for IT Governance and Management.
·
Chapters 4 and 5. No less significant are the legal aspects, from a regulatory perspective, of taking personal data to the Cloud, and the contractual clauses that will govern the whole life cycle of the outsourced services.
·
Chapter 6. Final conclusions.
INDEX
1. INTRODUCTION TO CLOUD COMPUTING
1.1. Index of the paper
1.2. How was CLOUD COMPUTING born?
1.3. Conclusion: is it a fad?
2. FEATURES, SERVICE AND DEPLOYMENT MODELS
2.1. Definition of CLOUD COMPUTING
2.2. Key features
2.3. Service models
2.4. Deployment models
2.5. Delivery/payment relationship according to the model
3. ORGANISATIONAL IMPLICATIONS FOR GOVERNANCE AND MANAGEMENT
3.1. Functional Decomposition (GOB, GES, OPE, INF)
3.2. IT Governance
3.3. Other analysis of the cross tabulation
3.4. IT Management
3.4.1. PMM or Process Maturity Model
3.4.2. ISO 20000-1:2011
3.4.3. PRM of Cobit 5
3.4.4. ITIL 2011. Supplier Management Process
3.5. Desirable regulation in a CSP
4. DATA PROTECTION LEGAL FRAMEWORK
4.1. Spanish legal framework
4.2. Parties involved according to the Spanish Data Protection Laws: LOPD and RLOPD
4.3. Data Protection Law implications depending on the geographical location of the Data Centre that supports the CLOUD
4.4. Examples of penalties
5. CLOUD CONTRACTUAL CLAUSES
5.1. According to CSA (Cloud Security Alliance)
5.2. According to Thomas Trappler
5.3. According to ENISA
5.4. Commission Decision 2010/87/EU
5.5. ITIL 2011: Underpinning Contracts
6. FINAL CONCLUSIONS
7. COPYRIGHT
1. INTRODUCTION TO CLOUD COMPUTING
1.1. Index of the paper
1.2. How was CLOUD COMPUTING born?
CLOUD COMPUTING did not appear by spontaneous generation when nobody expected it. Quite the opposite: it is the slow evolution of a set of social, organisational and technical concepts, which made it possible once all of them had matured and converged at a certain point in time.
To illustrate this I will use the BMIS (Business Model for Information Security) of ISACA, a model that analyses any business in terms of its people, processes and technology, together with the organisation itself.
·
At the PEOPLE vertex there is an evolution, a change of mindset. We are already used to the intangible. When we withdraw money from a cash machine we do not press the print button, because we trust the system and the internal audits of the financial institution. We prefer a song as an 'mp3' because we can listen to it anywhere, on any device, and we can protect it with a backup. We buy books over the Internet in PDF format... People have evolved and we are ready.
·
At the ORGANISATION vertex we have realised that the users of the organisation have evolved too: they understand IT as a service delivery business. From ITIL v3 onwards, everything revolves around the service life cycle. Technology is no longer the protagonist, as long as it fulfils its role. The most important thing is to manage the Service Catalogue at the level agreed between IT and its clients (the users).
·
At the TECHNOLOGY vertex we have been witnessing spectacular development:
§ The Internet, its geographical coverage and symmetrical broadband access; 3G and 4G networks...
§ Virtualisation, which optimises the infrastructure: a single piece of hardware can run several operating systems simultaneously and in isolation. It allows VMs (virtual machines) to be provisioned rapidly from a template catalogue and opens the door to automation and orchestration techniques. In short, systems management is simplified and the Data Centre becomes more flexible, because a physical infrastructure of servers, storage arrays and network equipment can support a wide and adaptable virtual infrastructure.
§ The so-called "anywhere computing". With consumerisation, users want to access corporate resources from anywhere, at any time and from any device, preferably their own; this is known today as BYOD (Bring Your Own Device).
1.3. Conclusion: is it a fad?
·
What suddenly APPEARS is just as likely to DISAPPEAR quickly, like a fad.
·
What is the result of a long EVOLUTION of different factors REMAINS.
Therefore we can state that CLOUD COMPUTING REMAINS.
Not only because of its benefits: FLEXIBILITY (the service matches demand), speed of SUPPLY (time to market), LITTLE INITIAL INVESTMENT (OpEx versus CapEx)... but also because, with the ongoing recession (even if the current situation improves, it will never be like before) and the difficulty of obtaining credit, Cloud Computing is the favourite model of financial directors.
Bear in mind that it already has financial advantages in this initial stage, when novelties are at their most expensive. As turnover grows and more clients join each Cloud Service Provider (CSP), prices will fall and CFOs and CEOs will put more pressure on IT to migrate (manage change) to this model.
Inhibitors? According to surveys, information security and data protection certainly are; but is a company that has never heard of ISO 27001 or ISO 22301 any safer on its own?
2. FEATURES, SERVICE AND DEPLOYMENT MODELS
The NIST (National Institute of Standards and Technology) defines the basis of the CLOUD COMPUTING model in its Special Publication 800-145.
2.1. Definition of CLOUD COMPUTING
As the definition is very long, little more than a chain of features separated by commas, I will analyse only its first and last phrases.
First, it says that CLOUD COMPUTING "is a MODEL". It does not say which kind of model, but it is the first time it is recognised as one. The important thing is to understand that CLOUD is not a technological model: it is simply built on technology, like any other IT field, as IT has always done.
Nor is it a business model. It may be one from the point of view of the CSP (Cloud Service Provider), which earns its living by offering services in the Cloud, but not from the point of view of the client company that contracts those services or migrates its own services to the Cloud.
The only definition that fits both sides is that it is a service delivery model. Cloud is a MODEL OF SERVICE DELIVERY.
The last phrase says "with minimal management effort or service provider interaction". In practice, this means the services must be supplied through a self-service portal.
2.2. Key features
NIST SP 800-145 lists five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.
2.3. Service models
According to NIST there are three basic service models: IaaS, PaaS and SaaS.
·
IaaS (Infrastructure as a Service). Simplified for didactic purposes, without losing the essence (and with apologies to my engineering colleagues), it is like being supplied an empty server that only includes the OS (operating system).
·
PaaS (Platform as a Service) adds to the previous offer utilities that are very valuable when they match the client's interests: a DB (database), web services, programming utilities, run-times... In IaaS all these extras must be installed by the client over the Internet.
·
SaaS (Software as a Service) relies on the previous layers but already differs conceptually in several respects. Simplifying again, it is like contracting an App (application) or a set of Apps installed in the CLOUD. The client stops worrying about the virtual server, the operating system, the database and the installers; he only has to set the parameters of the software and use it.
There are other delivery models, but they are variations of the three basic ones. To mention some examples:
·
DRaaS (Disaster Recovery as a Service) consists in using CLOUD COMPUTING as a disaster recovery solution. Further information on this subject can be found in an article in this blog:
·
BPaaS (Business Process as a Service) consists in taking to the CLOUD all the applications that serve a complete BP (Business Process).
·
In that case, if we take all the IT services to the CLOUD, would that be ITaaS? And if so, will all of us with a professional connection, at any level, to the IT department of a company (unless we work for a CSP) be fired? This risky but brave question will answer itself later.
2.4. Deployment models
NIST lists four deployment models. I would have said three, because I consider the Community Cloud a special case of the Private Cloud (shared among a few parties with some affinity, such as the Rectorate of a University and its schools and colleges).
Essentially we will talk about Private Cloud, Public Cloud and Hybrid Cloud.
The important point is that a Private Cloud does not require the Data Centre to be located on the company's own premises. If HOUSING is used, that is, renting space in the Data Centre of a third party (ISP) and placing the company's PRIVATE CLOUD there, it is still a Private Cloud.
It is private because neither the physical nor the virtual infrastructure is shared with anyone else: it is for the company's exclusive use.
It is called "ON PREMISE or internal" if it is in our own Data Centre, and "OFF PREMISE or external" if it is in the Data Centre of a third party, to benefit from a safer location (redundant air-conditioning, redundant power supply backed by a UPS and standalone generators, high-speed Internet with perimeter security, physical access control and 24-hour, 365-day surveillance...).
2.5. Delivery/payment relationship according to the model
Service delivery models can be compared from two perspectives:
·
The method of payment
·
The flexibility of delivery
Before discussing the next slide, two basic concepts must be understood and distinguished:
·
HOUSING is renting space (usually a rack) in the Data Centre of an ISP or CSP to hold the client company's own physical infrastructure. If that physical infrastructure runs virtualisation software and is configured to support the Cloud model, it is a "PRIVATE CLOUD off premise".
·
HOSTING consists in renting not only the space in the provider's Data Centre but also the physical servers. Before Cloud Computing existed, hosting was the way to outsource infrastructure, and it is still used. The provider gets a better hardware price through bulk purchasing and, as all units are usually from the same manufacturer, can obtain maintenance and replacement in case of failure. As in the previous case, if a company sets up a Cloud on the rented physical infrastructure, it is also a "PRIVATE CLOUD off premise".
Looking at the method of payment, reading the slide from left to right, both the PRIVATE CLOUD (purchased infrastructure) and the classic Data Centre are CapEx (acquisition costs), whereas the PUBLIC CLOUD and traditional HOSTING require no initial outlay because they are pay-per-use services; this is OpEx (operating expense).
If instead we analyse the service delivery model from top to bottom, we see that in the physical environment (classic Data Centre and traditional HOSTING) provisioning is slow, while in the Private or Public Cloud there is almost instantaneous self-provisioning from a portal.
3. ORGANISATIONAL IMPLICATIONS FOR GOVERNANCE AND MANAGEMENT
3.1. Functional Decomposition (GOB, GES, OPE, INF)
We will analyse three scenarios:
·
The traditional Data Centre within the company (INSOURCING).
·
OUTSOURCING, as the externalisation of IT staff.
·
The PUBLIC CLOUD model.
For each of them, four aspects are analysed from the point of view of who holds the responsibility:
·
Governance (GOB)
·
Management (GES)
·
Operations or execution (OPE)
·
Infrastructure (INF)
3.2. IT Governance
The first thing that catches our attention is that the first horizontal row is coloured green. The reason is that IT Governance is always internal.
To lose governance is to cede control, and without control the external services are left to their own "free will": we would "lose" them.
From a more rigorous standpoint, to GOVERN means to ASSURE certain GOALS with certain RESOURCES. Nothing says whether those resources must be internal or external. Therefore, in a Cloud Computing environment it is the client company that governs the processes and services, both internal and external.
3.3. Other analysis of the cross tabulation
If we analyse the table by columns, we see that the traditional Data Centre is the simplest case: Governance, Management, Operation and Infrastructure are all internal responsibilities.
In OUTSOURCING, Governance and Infrastructure are internal responsibilities of the company. Operation, as far as the subcontracted part goes, is an external responsibility of the supplier. Management is usually an internal responsibility (of the client), but in some cases of total IT outsourcing it can be transferred under clear governance guidelines, in which case everything we will say about the Public Cloud applies. That is why that cell is amber.
In the PUBLIC CLOUD, Governance is internal to the client company. Operation is external, in the Data Centre of the contracted service. Infrastructure is external, at least the Data Centre, but the user terminals, the LAN and the communication terminations remain at the corporate headquarters, and the user devices with their Apps may also be there. That is why the cell is painted red with a narrow green stripe.
If desktop virtualisation (VDI) in the CLOUD is used at the same time, the stripe becomes narrower.
3.4. IT Management
3.4.1. PMM or Process Maturity Model
To understand what happens to Management in the CLOUD COMPUTING model, we should remember that any company aiming at continuous improvement of quality must be structured around its business processes.
The previous slide shows the PROCESS MAP of a run-of-the-mill company.
The so-called PMM (Process Maturity Model) will be crucial when outsourcing. If we are at the low levels of the maturity scale (non-existent, unpredictable, repeatable), it will be very difficult to outsource successfully. If the levels are high (defined, managed, optimised), we will face the migration to the Cloud with better guarantees.
What applies to the business in general also applies to IT. Both must be well aligned, so their maturity levels must be similar.
If we try to take services to the Cloud with a low maturity level in the processes that support them, the popular Spanish saying from the pre-industrial era is likely to come true:
"To start like a horse and to stop like a donkey."
It criticises the lack of planning of someone who starts a venture with energy and enthusiasm and then gives up, leaving it unfinished.
It is very difficult to outsource services to the Cloud if IT does not have a "Service Catalogue". If you do not know which services you offer, or could offer, to your users, how will you decide which ones to take to the CLOUD?
It is therefore very advisable for IT to be managed under ITIL best practices, or better still to hold a service management certification (ISO 20000-1).
In "end-to-end" management, in which there will be "relationships of trust" between the client's internal management and the provider's external management, communication channels must be established to monitor the outsourced processes.
By means of a SCORECARD or "control panel", the client will be able to analyse the KPIs (Key Performance Indicators) of the outsourced processes and the LOGS they generate. Many Data Centres already offer a standard control panel whose display eases management by providing transparency.
When managing a Cloud service, remember that several IT processes support it. Some are exclusive to it and others are shared with other services. The exclusive ones are "transferred", but the shared ones must be managed "jointly".
3.4.2. ISO 20000-1:2011
ISO 20000-1:2011 deals with the governance of "processes" operated by other parties. That addition reflects the progress of the CLOUD model in the outsourcing of IT services and processes.
3.4.3. PRM of COBIT 5
If we look at the PRM (Process Reference Model) of COBIT 5, we see five domains, one of which will be analysed below:
·
Evaluate, Direct and Monitor (EDM)
·
Align, Plan and Organise (APO)
·
Build, Acquire and Implement (BAI)
·
Deliver, Service and Support (DSS)
·
Monitor, Evaluate and Assess (MEA)
Specifically, the "Align, Plan and Organise" domain is the one that will always remain with Management, even if the company transfers some of its IT services to the Cloud.
The three management processes shown in white are not specific to Cloud Computing, nor even to IT: any business activity must be based on them. It is obvious that one must manage on the basis of strategy and enterprise architecture, and ensure quality.
Some of the processes (or management control objectives) shown in yellow on the previous slide:
·
APO04 (Manage Innovation). In future, IT will tend to focus on innovation with new services, while progressively less effort goes into operations and Data Centre infrastructure because of the new service delivery model.
·
APO05 (Manage Portfolio). It is crucial to manage the overall portfolio of services available to the company in mixed environments; related to this, the service catalogue can be supported by more than one CSP in addition to the IT area.
·
APO06 (Manage Budget and Costs). In Cloud Computing environments with easy self-provisioning, if IT does not control the additional cost of the services that users contract, the client company risks a large deviation from the approved budget.
·
APO09 (Manage Service Agreements, i.e. the SLAs). SLA (Service-Level Agreement) Management will be essential in a Cloud Computing environment to ensure that the contracted service and the delivered service are the same.
·
APO10 (Manage Suppliers). Supplier Management is essential in outsourced models. We will take a closer look later, based on ITIL 2011.
·
APO12 and APO13 (Manage Risk and Manage Security). Security, based on a risk analysis of the company, is fundamental in any environment; it becomes even more so with outsourcing. Processes must be managed "end-to-end" and supervised directly or, more feasibly, through certifications and audits by accredited third parties.
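The scorecard described in 3.4.1 (KPIs and LOGS of the outsourced processes) and the SLA check of APO09 (does the delivered service match the contracted one?) can be mechanised. The following is an added example, not code from the paper, from ITIL, COBIT or any CSP. It assumes the CSP exposes a plain-text probe log with one line per check ("<ISO-8601 UTC timestamp> <service> <UP|DOWN>") and that the contract excludes agreed maintenance windows from the availability calculation; the service names, SLA targets, maintenance windows and log lines are constructed for the example.

```python
"""Hypothetical SLA scorecard for outsourced Cloud services (added example).

Assumptions: probe log lines of the form '<ISO-8601 UTC timestamp> <service> <UP|DOWN>',
per-service availability targets from the SLA annex, and agreed maintenance windows
whose downtime does not count against the CSP. All sample data is constructed.
"""
from datetime import datetime, timezone

# Constructed sample log: probes every 6 hours for two services.
SAMPLE_LOG = """\
2013-05-01T00:00:00Z mail UP
2013-05-01T06:00:00Z mail UP
2013-05-01T12:00:00Z mail DOWN
2013-05-01T18:00:00Z mail UP
2013-05-02T00:00:00Z mail UP
2013-05-02T06:00:00Z mail DOWN
2013-05-02T12:00:00Z mail UP
2013-05-02T18:00:00Z mail UP
2013-05-01T00:00:00Z crm UP
2013-05-01T06:00:00Z crm UP
2013-05-01T12:00:00Z crm UP
2013-05-01T18:00:00Z crm UP
"""

# Availability targets agreed in the SLA annex (assumed values, one per service).
SLA_TARGETS = {"mail": 0.99, "crm": 0.95}

# Agreed maintenance windows per service, as (start, end) in UTC (assumed values).
MAINTENANCE = {
    "mail": [(datetime(2013, 5, 2, 5, tzinfo=timezone.utc),
              datetime(2013, 5, 2, 7, tzinfo=timezone.utc))],
}


def parse_log(text):
    """Parse probe lines into (timestamp, service, is_up) tuples.

    Malformed lines are skipped rather than counted as UP: a scorecard must
    not credit availability that the log does not evidence.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("UP", "DOWN"):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((ts, parts[1], parts[2] == "UP"))
    return records


def in_maintenance(ts, windows):
    """True when the probe falls inside an agreed maintenance window."""
    return any(start <= ts < end for start, end in windows)


def availability(records, service, maintenance=None):
    """Fraction of probes of `service` that were UP, ignoring maintenance probes.

    Returns None when no probe survives the filter, so that the caller cannot
    mistake "no evidence" for "100% available".
    """
    windows = (maintenance or {}).get(service, [])
    total = up = 0
    for ts, svc, is_up in records:
        if svc != service or in_maintenance(ts, windows):
            continue
        total += 1
        up += is_up
    return None if total == 0 else up / total


def scorecard(records, targets, maintenance=None):
    """Per-service KPI versus SLA target; 'breached' is True when below target."""
    result = {}
    for service, target in targets.items():
        avail = availability(records, service, maintenance)
        result[service] = {
            "availability": avail,
            "target": target,
            "breached": avail is not None and avail < target,
        }
    return result


if __name__ == "__main__":
    for svc, row in scorecard(parse_log(SAMPLE_LOG), SLA_TARGETS, MAINTENANCE).items():
        print(svc, row)
```

Two design points matter for the "relationship of trust": a service with no surviving probes reports None rather than 100%, and maintenance windows are subtracted only where the contract defines them, so the number on the scorecard is one both parties can reproduce from the same LOGS.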
3.4.4. ITIL 2011. Supplier Management Process
The ITIL 2011 "Service Design" book devotes a specific chapter to Supplier Management. As said about ISO 20000-1:2011, the reference frameworks keep adapting to the reality of outsourced service delivery under Cloud Computing.
The leitmotif of the Supplier Management process is to align contracts with the business needs and with the agreed targets of the SLA (Service-Level Agreement), itself negotiated from the SLRs (Service-Level Requirements) of the contracting company.
Accordingly, Supplier Management will be responsible for enforcing the agreed SLA, in coordination with the Service Level Management process; in other words, for ensuring the "effective performance" of the supplier.
Its mission is to negotiate and "manage the contracts" throughout their "life cycle", which will coincide with the life cycle of the outsourced service.
ITIL 2011 suggests following a specific supplier policy and maintaining an SCMIS (Supplier and Contract Management Information System).
That information system for supplier and contract management will become more common thanks to Cloud Computing, as the CMDB alone will not be enough for the new service delivery model.
As business assets, not all services have the same value or importance for the company, so the loss of their availability will have different consequences, which we evaluate through a risk analysis.
The above-mentioned availability risk is transferred to the CSP (Cloud Service Provider), so it is essential to categorise providers according to the category of the services they support.
ITIL 2011 classifies them as strategic, tactical, operational and "commodity".
The selection criteria for the provider that will support strategic services will differ from those for a CSP that only supports a "commodity" service.
It is interesting to note that, in the representation models of a quality-driven managed company, ITIL adds a fourth element: Providers (partners).
So it is about People, Processes, Technology and Providers, a growing trend as Cloud Computing gradually becomes more significant within the company.
3.5. Desirable regulation in a CSP
As discussed before, "end-to-end" management must establish "relationships of trust" between the contracting company and the CSP.
Those relationships must be based on fluid communication channels and on access to the LOGS and KPIs of the outsourced processes.
The other way is through control audits. As these are unworkable in practice, since they would also violate the confidentiality and security principles of the CSP's Data Centre, the solution is to delegate them to an accredited third party.
The formula consists in asking the provider to prove the security and quality certifications of the services it offers to its clients.
Although there are specific ISO standards for Cloud Computing (ISO 27017 and ISO 27018), at the time of writing they are still at draft stage and therefore cannot be relied on yet.
The widely known standards are:
·
ISO 27001:2013, which certifies an ISMS or Information Security Management System.
·
ISO 22301:2012, which certifies a BCMS or Business Continuity Management System.
·
ISO 20000-1:2011, which certifies an SMS or Service Management System.
If a CSP is certified against these three standards, it provides a high level of assurance and the client company can trust it with the information, processes and services it has transferred.
It is very important to find out the SCOPE of the certifications. For example, a company can be certified against ISO 20000-1 for only one service, such as e-mail. The scope of the CSP's certification must therefore be read carefully.
Managing services and security according to an ISO standard is not the same as having our Management Systems certified by an accredited body. In the first case compliance is assumed; in the second there is full assurance, thanks to the annual surveillance audits and the recertification every three years.
All of the foregoing is without prejudice to internal audits.
EDITOR'S NOTE. Further information about audits can be found in this blog:
4. DATA PROTECTION LEGAL FRAMEWORK
4.1. Spanish legal framework
Many pieces of legislation affect information security and, more specifically, personal data protection.
The spread of the Cloud service delivery model, with the possibility of transferring data beyond our borders, obliges us to be more careful when deciding to contract a Cloud Computing model, so as not to breach the law, face financial penalties and lose our reputation when they are made public.
In Spain we are covered by the following laws:
·
Organic Law 15/1999 of 13 December, better known as the LOPD.
·
Together with the LOPD, Royal Decree 1720/2007 of 21 December, known as the RLOPD because it is its implementing regulation.
·
Summarising very briefly: if we use a website for electronic commerce and/or e-mail for advertising purposes, there is Law 34/2002 of 11 July, known as the LSSI-CE (Information Society Services and Electronic Commerce).
·
European Union Directive 95/46/EC of 24 October 1995.
·
As personal data protection is a fundamental right of every person, the Penal Code (Organic Law 10/1995 of 23 November) addresses it in articles 197, 198 and 199.
·
For Public Administrations, information security and interoperability are regulated by the ENS (National Security Framework) and the ENI (National Interoperability Framework).
4.2. Parties involved according to the Spanish Data Protection Laws: LOPD and RLOPD
The LOPD and the RLOPD consider the following parties regarding personal data protection: among others, the data subject, the "Data Controller" (responsable del fichero o tratamiento) and the "Data Processor" (encargado del tratamiento).
In relation to CLOUD COMPUTING, the company that contracts the services is the "Data Controller" and the CSP (Cloud Service Provider) is the "Data Processor".
It is important to highlight the last paragraph of the slide, which states that IN EVERY CASE in which a third party ("Data Processor") handles data on behalf of a "Data Controller", there must be a binding contract that defines the scope of the outsourced processing.
4.3. Data Protection Law implications depending on the geographical location of the Data Centre that supports the CLOUD
As we know, data taken to the Cloud are not floating among the clouds but sit in Data Centres on the ground, anywhere on the globe.
That means they are subject, on the one hand, to the legislation of the country where the company contracting the Cloud services is located and, on the other, to the legislation of the country where the CSP's Data Centre is located.
To sum up, here is how the location of the Data Centre that will hold the personal data affects a "Data Controller", i.e. a Spanish company contracting Cloud services:
·
If the Cloud's Data Centre is located in Spain and there is a data access (processor) contract, nothing else is required.
·
If the Cloud's Data Centre is located in the EEA (European Economic Area) and there is also a data access contract, nothing else is required either.
·
If the Cloud's Data Centre is located in a third country whose level of protection is recognised as adequate by the EU and the Spanish Data Protection Agency (AEPD), then, apart from signing the proper data access contract, the AEPD must be notified of the international data transfer, but that is all.
·
If the Cloud's Data Centre is located in any other country, then, apart from signing the proper data access contract, prior authorisation for the international data transfer must be requested from the Director of the AEPD, with an uncertain outcome.
We should distinguish between the registered office of the CSP, which can be in any country in the world, and the Data Centre (there may be more than one) in which the client company chooses to locate its data. For example, a company from the USA may have a Data Centre in Germany, and the client chooses that one. In that case it would be regarded as a data transfer within the EU rather than an international data transfer to the USA.
4.4. Examples of penalties
The AEPD has a system of penalties that helps the Agency enforce the fundamental right of people to the protection of their personal data.
There are three categories of infringement: minor, serious and very serious.
To mention:
The fact that the information in the Cloud is sent and stored in encrypted form does not exempt us from complying with the data protection legislation in force.
EDITOR'S NOTE. Further information about the legislation can be found in the following article in this blog:
CLOUD COMPUTING AND PERSONAL DATA PROTECTION
5. CLOUD CONTRACTUAL CLAUSES
CLOUD COMPUTING represents a change from the traditional model of IT service delivery. An important part of a successful migration to Cloud Computing is the formalisation of the contract or contracts (provision of services, personal data access, etc.) between the CSP (Cloud Service Provider) and the client company.
That contract will remain in force throughout the life cycle of the service or services migrated to the Cloud.
5.1. According to the CSA (Cloud Security Alliance)
5.1.1. Confidentiality
This clause ensures that only people authorised by the client company will be able to access the information taken to the CLOUD, preventing our information from spreading worldwide.
5.1.2. Intellectual property
It ensures that everything the client company takes to the CLOUD remains its exclusive property. The CSP has no rights over it, even though it is hosted on its platform. On termination of the contract, it must be returned to the client in a pre-agreed standard format and, for a certain period, remain available for the client to transfer it to another CSP, to a private Cloud or wherever it likes.
5.1.3. Liability
The client company must make sure that the CSP does not exclude its liability when there is a divergence between the contracted service and the delivered one.
5.1.4. Early termination
This clause allows the client to terminate the contract signed with the CSP when any of the contractual commitments or the SLA is breached repeatedly.
5.1.5. Privacy and Data Protection
The CSP must be informed that the client company will take personal data to the Cloud, so that the Cloud Service Provider implements the security measures required by the applicable legislation.
5.1.6. Applicable law and jurisdiction
The Data Centres where our information is stored in the Cloud are not floating among the clouds but on the ground, within national borders, and so are the registered offices of the CSP. This means that the data and the contracts may be subject to different legislations. In case of dispute, it must be clear in which courts it will be settled.
5.1.7. Auditability
Data protection legislation, such as the Spanish one, obliges the Data Controller to ensure that the Data Processor complies with the security measures required by the implementing Regulation. In some cases geographical distance makes this unworkable; the alternative is to obtain a certificate issued by an accredited third-party certifier attesting that the processor meets all the information security measures.
5.1.8. Security
The aim of this clause is to guarantee the three basic attributes of information:
·
AVAILABILITY: to guarantee that the information will be available and ready for use when needed.
·
CONFIDENTIALITY: to guarantee that the information will only be available to authorised people.
·
INTEGRITY: to guarantee that the information is complete, accurate and protected from unauthorised changes.
5.1.9. Service-Level Agreement (SLA)
SLAs are usually annexed to the contract, and there tends to be one for each service migrated to the Cloud.
5.2. According to Thomas Trappler
5.2.1. Change of Control
Thomas
Trappler, an expert at contracting in Cloud Computing environments, apart from
agreeing with the other clauses, adds a new one about the Change of Control.
It is about
foreseeing the possibility of the CSP being bought, taken over, merged or a
change in the company Management. In that case, this clause must guarantee us
that the new manager will maintain the same conditions or will let us cancel
the contract.
5.3. According to ENISA
5.3.1. Subcontracting chains.
Apart from agreeing with the other clauses, ENISA deals with subcontracting chains
and their implications for personal data protection.
Subcontracting occurs when a CSP subcontracts another one, and that one another, and
so on, forming a subcontracting chain in which, from a certain link onwards, our data
can be outside the European Union even though we contracted a European provider, with
the consequent breach of data protection law. A perfect example is to contract SaaS
from a software-developer CSP which, lacking its own infrastructure, subcontracts the
hosting to another CSP as IaaS or PaaS. The contract should therefore require that
subcontractors are disclosed and that they are bound by the same data protection
obligations as the CSP itself.
EDITOR'S NOTE.
Full and detailed information about the significance and implications of each one of
the different contractual clauses can be found in this blog in the article named:
CONTRACTUAL CLAUSES IN A CLOUD COMPUTING ENVIRONMENT
5.4. Commission Decision 2010/87/EU
Commission Decision 2010/87/EU of 5 February 2010 was published in the Official Journal of the European Union. It concerns standard contractual clauses for the transfer of personal data to "data processors" (such as CSPs) established in third countries, under Directive 95/46/EC of the European Parliament and of the Council.
This decision contains:
· Definitions
· Details of the transfer
· Third-party beneficiary clause
· Obligations of the data exporter
· Obligations of the data importer
· Liability
· Mediation and jurisdiction
· Cooperation with the Supervisory Authority
· Applicable legislation
· Variation of the contract
· Sub-processing of data
· Obligations once the delivery of the personal data processing services is finished.
5.5. ITIL 2011: Underpinning Contracts
On page 210 of the ITIL 2011 book "Service Design", in the section on "Supplier
Management", under "Underpinning contracts and agreements", there is a list of
contractual clauses which, even though they are of general use with any supplier,
are very interesting.
Attention is drawn to a highlighted small box at the bottom of the page, in which one
can read:
"Get legal advice when formalising agreements with external suppliers."
6. FINAL CONCLUSIONS
·
GOVERNANCE and MANAGEMENT remain the responsibility of the client company, even if it
has transferred most of its business services or processes to the Cloud.
·
About OPERATIONS and INFRASTRUCTURE, I would not dare to say the same. As the
adoption of the Cloud model grows, it appears that they will lose scope.
·
The maturity level of the IT processes will be decisive in assuring a successful
migration to the service delivery model based on Cloud Computing.
So, if the company uses the ITIL 2011 "best practices" within a COBIT 5 governance
framework, or if the company is certified in service management against the standard
ISO 20000-1:2011, that is a strong indicator of maturity and, therefore, of a
successful migration.
·
Demanding certifications from the CSP gives assurance that our data, processes and
services transferred to the Cloud are protected. The standards ISO/IEC 27001:2005,
ISO 22301:2012 and ISO 20000-1:2011 can help here because of their mandatory
surveillance audits; the scope of each certificate should be checked against the
services and Data Centres we actually use.
·
Personal data protection must be taken into account because there is a great deal of
legislation protecting this fundamental right of the people concerned. The
geographical location of the Data Centre of the Cloud Service Provider will be
essential.
·
The contractual clauses will be there during the whole life cycle of the service
transferred to the Cloud. They will be our only guarantee if at any time there is a
dispute about the contracted service.
·
Proper contracting consists of three different documents:
o
The contract for the provision of services, with the clauses.
o
The contract for access to personal data.
o
An annex consisting of the different SLAs, if possible pointing out the important
KPIs to be reported by the CSP, together with their agreed values.
And as I did during the presentation of my paper, I will also end here with a
sailor's rule:
"Respect the sea, but never fear it; because it can bring you a hundred
opportunities."
You just have to substitute the word "sea" with "Cloud Computing".
I thank Margarita Pardo de Santayana C., who encouraged me to present this paper at
the National Congress of itSMF, and I also thank the Organisation that selected it.
7. COPYRIGHT
It is strictly forbidden to disclose any slide, even dissociated from the others, for
commercial use.
The images are licensed from 123RF International.