Roundtable: Best Practice for Cloud Sourcing
Daniel Shap, Managing Counsel, CIBC
Dr Sam De Silva, Partner, Penningtons Manches LLP
[Chart: workload risk profile. x-axis = risk-reward spectrum, y-axis = total number of workloads; the curve shows the number of workloads moved to cloud. Left end of the spectrum: lower risk, private deployment model, robust contractual framework, less cost savings / efficiencies. Right end: higher risk, public deployment model, “boilerplate” contractual framework (typical public cloud contract), more cost savings / efficiencies.]
19th Annual Canadian IT Law Association Conference, Toronto, 26-27 October 2015
Dr Sam De Silva, Partner, Head of the IT & Outsourcing Group, Penningtons Manches LLP, Oxford, UK
Outline
• Procurement approach
• Understanding service categories / deployment methods
• Best practice for due diligence
• Enterprise cloud strategy
• Key legal and commercial issues
• EU Expert Group: Cloud Service Level Agreement Standardisation Guidelines
Procurement Approach
• “Negotiating” approach
• Standard commoditised offering, therefore limited flexibility or ability to change
– focus on key areas of risk: “devil is in the detail”
– contract evaluation should be a key part of provider selection
• Risk assessment exercise is crucial
– need to ensure proper contract evaluation is carried out
– evaluation needs to be documented / audit trail
– where risk is identified: how has that risk been mitigated / managed?
• Role of Integrators
Service Categories / Deployment Models
• Service categories
– SaaS
– IaaS
– PaaS
– XaaS?
• Deployment models
– Public
– Community
– Private
– Hybrid
Best Practice For Due Diligence
Areas covered: Financial, Commercial & Legal; Technology and Operations; Customer Interviews
Risk management:
• past disputes, investigation, litigation and security breaches
• legal and regulatory compliance
• evaluation of internal controls
• review of business continuity plan
• analysis of third-party and other exposure
• review of client prioritization
• insurance coverage
General capability overview:
• security, intrusion detection and prevention systems
• systems management
• help desk
Commercial management:
• overall vendor review
• achievement of related IT goals
• approach to contract negotiation
• transition planning and effectiveness
• pricing transparency
Project capability overview:
• capacity expansion/allocation requirements (present and future)
• proposed expansion actions
• detailed review of transition planning
Service management:
• efficiency of knowledge, skills
• reporting timeliness and efficiency
• existence and frequency of service credits
Security:
• who owns and controls infrastructure
• deployment and delivery methods
• security controls in place
• physical location of infrastructure elements
• reliability reports
Service delivery:
• overall ability to meet SLAs
• results of customer satisfaction surveys
• SLA achievement during transition
• ability to meet disaster recovery and business continuity requirements
Enterprise Cloud Strategy
Risk assessment - Key contractual and legal issues (1)
• Limited supplier obligations
• Limitations and exclusions of liability
• Suspension and termination clauses
• Supplier lock-in and transitioning
• Regulatory compliance
• Service level agreements
• Supply chain / subcontracting
Limited Supplier Obligations
• Typical obligations, warranties or other safeguards of sourcing or hosting contracts are not included in cloud computing contracts
• Due to their commoditised approach, cloud computing contracts typically contain less onerous obligations on the supplier
• Undertake “gap” analysis
Liability
• Limiting liability of cloud provider to a level that is not in line with the potential risk
• Risk with limiting the liability of the cloud provider to the amount paid
• Issues include:
– almost total exclusion of liability
– limited financial cap
– exclusion of certain types of loss (e.g. direct losses (US contracts), indirect loss and/or data loss)
– force majeure definition
Suspension or Termination (1)
• “Hair” triggers for service provider suspension and termination rights
• Pitfalls of suspension clauses
– impact on continuity
– low barrier for suspension of services / unplanned interruptions
– minor non-compliance may lead to significant remedy for the supplier
• Termination for convenience by the supplier
– notice period
– exit obligations
Suspension or Termination (2)
• Termination for convenience by the customer
– typically cloud computing contracts allow for easy exit for the customer
– check contracts for termination for convenience because this is not always the case, or such exit does not come cheap
• Risk of cloud provider going out of business or restructuring its service portfolio: data escrow
Supplier lock-in and transition
• Usefulness of termination for convenience
• No implied obligation to assist in data transfer and disengagement
• Everything depends on your contractual agreement
• Pricing
Regulatory Compliance
Service Level Agreements
• Often not part of standard offering
• SLA without “teeth” / targets
• Points of attention:
– definition of availability
– how is the availability calculated by the provider? e.g. 10 outages of six minutes versus 1 outage of 1 hour
– service measurement period
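As an added example (not from the slides), the availability points above worked through in Python: the slide's 10 outages of six minutes and 1 outage of one hour are the same 60 minutes of downtime, yet they score differently once an SLA only counts outages above a minimum duration, and the same downtime passes or fails a target depending on whether the measurement period is a month or a year. The 10-minute minimum and the 99.9% target are assumed values, not from the slides.

```python
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class Outage:
    """One service interruption, measured in minutes of downtime."""
    minutes: float


def counted_downtime(outages, min_outage_minutes=0.0):
    """Downtime the SLA actually counts.

    Some provider definitions only count an interruption once it lasts at
    least a minimum duration; shorter blips are ignored. min_outage_minutes
    models that rule (0 means every outage counts).
    """
    return sum(o.minutes for o in outages if o.minutes >= min_outage_minutes)


def availability_pct(outages, period_days, min_outage_minutes=0.0):
    """Availability as a percentage of the measurement period."""
    period_minutes = period_days * MINUTES_PER_DAY
    downtime = counted_downtime(outages, min_outage_minutes)
    return 100.0 * (period_minutes - downtime) / period_minutes


def meets_target(outages, period_days, target_pct, min_outage_minutes=0.0):
    """True when the computed availability reaches the contractual target."""
    return availability_pct(outages, period_days, min_outage_minutes) >= target_pct


# Constructed sample data: the slide's two scenarios, 60 minutes of downtime each.
TEN_SHORT = [Outage(6.0)] * 10   # 10 outages of six minutes
ONE_LONG = [Outage(60.0)]        # 1 outage of one hour

if __name__ == "__main__":
    for label, outages in (("10 x 6 min", TEN_SHORT), ("1 x 60 min", ONE_LONG)):
        # Assumed SLA variants: all outages count vs. only outages >= 10 min count,
        # measured over a 30-day month or a 365-day year, against an assumed 99.9%.
        for period in (30, 365):
            for min_len in (0.0, 10.0):
                pct = availability_pct(outages, period, min_len)
                ok = meets_target(outages, period, 99.9, min_len)
                print(f"{label:10s} period={period:3d}d min_outage={min_len:4.0f}m "
                      f"availability={pct:.4f}% meets 99.9%: {ok}")
```

The month-versus-year rows show why the measurement period matters: one hour of downtime is 99.86% over a month (target missed) but 99.99% over a year (target met).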
Supply Chain / Subcontracting
• Complex supply chain
• Limited visibility / control
• Lack of due diligence
• Prior written approval for “key” subcontractors / change of subcontractors
• Scope of services
• Right to “step-in” / direct contract with subcontractors
Objectives of Expert Group on Cloud Computing Contracts
European Cloud Computing Strategy – State of Play
• Identification of safe and fair contract terms for consumers and small firms
• Consideration of best market practices and Data Protection Directive
• Improving legal framework for cloud computing contracts in order to strengthen confidence
• Working papers: http://ec.europa.eu/justice/contract/cloud-computing/expert-group/index_en.htm
Cloud Service Level Agreement Standardisation Guidelines (1)
• Cloud Select Industry Group – Service Level Agreements (C-SIG-SLA)
• Over 100 industry participants
• Published guidelines in June 2014, available at: http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines
• To be tested with users, particularly SMEs
• To be discussed with Expert Group on Cloud Computing Contracts
• Feeding into efforts of international groups - ISO
Cloud Service Level Agreement Standardisation Guidelines (2)
• Overview of concepts / definitions
• Series of service level objectives
– performance
– security
– data management
– personal data protection
• Limitations / challenges
– guidelines only
– recommendations from EU
– no clear thresholds
Questions?