
Computing in the clouds while wearing a good service level agreement

By Cade Zvavanjanja
CISO
Gainful Informatio

• “Cloud Computing” can mean different things
• SaaS, PaaS, IaaS
• Public Definitions:
• NIST
• Berkeley
• ABA Legal Tech Resource Center
Service & Deployment Models:
• Private, Public, Hybrid

STORED AT IRON MOUNTAIN?
[Figure labels: Access; Data Location; Custody and Control; Greater Differentiation]

• Multi-Tenancy Capability
• Location issues
• Operation issues
• Legislative/Regulatory issues
• 3rd party contractual limitations
• Security/Privacy issues
• Litigation/Investigative issues
• Authenticity/Admissibility issues

WHEN BAD EVIDENCE
• General Considerations
• Potential Liability for Spoliation
• Minimize Risk by Addressing Up Front the Need to Preserve and Produce ESI
• Remedies for Spoliation

FORENSIC EXAMINATION THE CLOUD?

SERVICE LEVEL AGREEMENT CONSIDERATIONS
• Use of data/Security
• Location of data
• No change of terms
• Destruction
• Ownership (assignment)
• Subpoena response
• Regulatory requirements
• Insurance/Indemnity
• Audits

SLA should contain:
• The list of services the provider will deliver and a complete definition of each service.
• Metrics to determine whether the provider is delivering the service as promised
• Auditing mechanism to monitor the service.
• Responsibilities of the provider and the consumer
• Remedies available to both provider and client if the terms of the SLA are not met.
• A description of how the SLA will change over time.

(SLA)
• Security: Client and CSP must understand security requirements.
• Data encryption: Data must be encrypted while it is in motion and while it is at rest. The details of the encryption algorithms and access control policies should be specified.
• Privacy: Basic privacy concerns are addressed by requirements such as data encryption, retention, and deletion. An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment.
• Data retention/deletion: How does CSP prove they comply with retention laws and deletion policies?
• Hardware erasure/destruction: Same as #4.
• Regulatory compliance: If regulations must be enforced because of the type of data, CSP must be able to prove compliance.
• Transparency: For critical data and applications CSP must be proactive in notifying client when the terms of the SLA are breached including infrastructure issues like outages and performance problems as well as security incidents.
• Certification: CSP should be responsible for proving required certification and keeping it current.
• Performance definitions: Defining terminology such as uptime and other contractual metric terms (i.e. – uptime could mean all servers on continent are available or only one designated server is available.)
• Monitoring: Responsible party for monitoring including identification of any third-party organization designated to monitor performance of the provider.
• Audit Rights: To monitor for any data breaches including loss of data and availability issues. SLA should clarify when and how the audits will take place.
• Metrics: to be monitored in real-time and audited after occurrence. Metrics of an SLA must be objectively and unambiguously defined.
• Human interaction: On-demand self-service is one of the basic characteristics of cloud computing, but SLA should provide customer

Review and summary of cloud service level agreements, From "Cloud Computing Use Cases Whitepaper" Version 4.0,

• Currently, the standard contracts offered by cloud computing providers are one-sided and service provider-friendly, with little opportunity to change terms.
• Few offer meaningful service levels or assume any responsibility for legal compliance, security or data protection. Many permit suspension of service or unilateral termination, and disclaim all or most of the provider's potential liability.
• In addition, some cloud computing providers emphasize low cost offerings, which leave little room for robust contractual commitments or customer requirements.

Security & Control
• No uniform standard for security and compliance among cloud providers. This may be bad - if you have evolved mature security and control discipline; or it may be a good thing, if you are looking for an external provider to help you with best practices.
• Cloud is not, per se, either secure or insecure. You simply need to set your own standards, be aware of what your cloud provider can and cannot deliver, and choose according to your desired level of risk.

Portability & Compatibility
• Not all cloud providers are able to provide the same level of portability and compatibility.
• Extracting and restoring data may be a slow manual process due to API […] compatible with storage in a non-specific location that changes in case of emergency.
• Be aware of your use cases, and make sure your recovery plan allows for the mobility of data the cloud will enable.

Longevity & Accessibility
• Consider and verify the longevity of CSP to ensure data will be accessible when and how needed, before committing to CSP as sole source for data recovery.
• During an analyst keynote speech at the 2010 CA InfoXchange event in Malaysia, the speaker estimated that a substantial number of current cloud providers will be out of business within 2 years.
• CSPs talked about 99.999 per cent uptime, or the equivalent of five minutes' downtime per year. This is the Holy Grail of cloud computing but achieving it requires multi million-dollar investments in redundant

CLOUD!”
Where does your data reside?
EU Data Privacy Concerns
• Which laws apply, country of origin or country where data resides?

• Realtime feed from data intrusion detection systems to permit monitoring of the security systems performance.
• Performance standards mandating maximum downtime and platform stability.
• Auditing rights – access to monitoring dashboard to see metrics on function of the system. Also onsite visits to provider.
• Remediation power – including monetary penalties for downtime, termination in the event of security violations and notice of any breach.
• Freedom to Move – contract must make it clear that the data owner retains all ownership of the data as well as access to the data. There should be a defined time frame for giving back all the data once request has been made as well as definition of the format for the data if it is to be moved or returned to the client to avoid any additional cost to reformat data to be moved to a new provider.
• Preservation of metadata – what metadata will be maintained and any impact of the system upon that metadata.
• Access to information for e-discovery – how accessible the data will be including time to extract.
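
Added example (not part of the original slides): the slides note that "uptime" could mean all servers are available or only one designated server, and that metrics must be objectively defined. This sketch scores one outage log under both readings against an uptime target; the server names, the log, the period and all function names are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
# Constructed outage log for a 30-day measurement period: (server, start, end).
OUTAGES = [
    ("eu-1", "2024-06-03 10:00", "2024-06-03 10:20"),
    ("eu-2", "2024-06-03 10:10", "2024-06-03 10:15"),
    ("eu-1", "2024-06-17 02:00", "2024-06-17 02:03"),
    ("eu-3", "2024-06-21 23:50", "2024-06-22 00:30"),
]
PERIOD_START, PERIOD_END = datetime(2024, 6, 1), datetime(2024, 7, 1)

# Two readings of "uptime" (hypothetical names). Each takes the set of servers
# that are down at a given moment and says whether the service counts as down.
def all_servers(down):        # up only while every server is up
    return bool(down)

def designated(down):         # only the designated server "eu-2" counts
    return "eu-2" in down

def downtime_seconds(outages, start, end, counts_as_down):
    """Seconds within [start, end) that count as downtime under one definition."""
    spans = []
    for server, a, b in outages:
        a = max(datetime.strptime(a, FMT), start)   # clip to the period
        b = min(datetime.strptime(b, FMT), end)
        if a < b:
            spans.append((server, a, b))
    # Cut the period at every outage boundary; the down-set is constant per slice.
    cuts = sorted({start, end} | {t for _, a, b in spans for t in (a, b)})
    total = 0.0
    for lo, hi in zip(cuts, cuts[1:]):
        down = {s for s, a, b in spans if a <= lo and hi <= b}
        if counts_as_down(down):
            total += (hi - lo).total_seconds()
    return total

def sla_report(outages, start, end, target, counts_as_down):
    """Compare measured downtime with the budget implied by the uptime target."""
    period = (end - start).total_seconds()
    down = downtime_seconds(outages, start, end, counts_as_down)
    budget = period * (1 - target)
    return {"downtime_min": down / 60, "budget_min": round(budget / 60, 3),
            "availability": 1 - down / period, "met": down <= budget}

if __name__ == "__main__":
    for target in (0.999, 0.99999):
        for rule in (all_servers, designated):
            print(target, rule.__name__,
                  sla_report(OUTAGES, PERIOD_START, PERIOD_END, target, rule))
```

With this log, a 99.9% target is breached under the all-servers reading (63 minutes against a 43.2-minute budget) and met under the designated-server reading (5 minutes). At 99.999% the 30-day budget is about 26 seconds and both readings breach.
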
Thank You

Tel: +236 733 782 490
+263 773 796 365
+263 -4- 733 117

Email: info@gis.co.zw
cade@gis.co.zw

Web: www.gis.co.zw
