
Video Transcription

In this video, we're going to talk about different tools for managing cloud governance, specifically contracts, compliance assessments and audit reporting.
The first tool at your disposal is the contract.
The contract is the primary tool for the cloud user to extend governance in their relationship with the cloud provider.
In fact, it may be, and it probably is, the only way to guarantee any sort of level of service. So when there are outages on the product or the cloud services, and that subsequently affects your customers, whether internal or external, this contract is the kind of thing you really want to look at, because it's going to define the service level agreements.
It's also going to define the roles that help you figure out, in that shared responsibility model we were talking about, where the gaps are and what you need to fill: the governance gaps. Just because there are gaps doesn't mean you can't use a particular cloud provider, but it's very important to have this contract so that you know when to adjust your own processes and close those gaps.
It's very rare for cloud providers to create custom contracts with individual cloud users.
The big thing you have to keep in mind is that they need to achieve economies of scale, so they're going to have lots of different users, and as they take on more and more cloud users, their ability to tailor operations, make individual guarantees, or tune and refine their procedures to meet one customer's needs versus another's is really going to be impeded, because that would keep them from having those economies of scale and that consistency in their processes and in the way they perform those operations.
We often think about a contract as one big document, but the reality is these contracts are going to span multiple documents. You're going to have terms and conditions, the T&Cs. You're going to have acceptable use policies; these are the things that say, from the cloud provider's perspective, here's what you can and cannot do using their services.
You're going to have service level agreements, which define those service levels, the SLAs.
And there will be a variety of other clauses. So it's very important that you look at all of these holistically and understand that, in aggregate, they build the contract from which you are able to extend your governance and understand the relationship.
Next up, we have provider assessments. These are going to be combined with the contractual terms, and they're going to ensure that your cloud provider meets certain standards and is complying with them. For example, NIST 800-53 is a standard for managing risks. ISO/IEC 27001
is another information security and risk management standard, and ISO/IEC 27017 has been particularly tailored to work with cloud providers. Other standards you're going to be interested in: PCI compliance if you're storing
credit card information or doing some sort of payment processing, and HIPAA if you are
managing health care information.
But regardless of which specific standards you are most concerned about, these are going to be implemented through third-party attestations. An attestation is a legal statement made by a third party as well as the cloud provider, asserting that they will do this, and if they're not
meeting that statement, if it proves to be inaccurate, they're in breach of the contract. Additional items may include the financial viability of the company itself:
provisions that describe what happens, and what the company's obligations are, if they're going to shut down. Do they have to give the data back to you, or can they just pull the plug and walk away? And additional things to ensure that they remain solvent and have the necessary cash to keep operating.
There really are a lot of ways you can
structure this, and ultimately it's going to be about balancing how important this is to your company and what you're using this cloud provider to do. What is its role, how critical is it to your operations, and how important and sensitive is the information this cloud provider is going to hold?
And rounding out our tools is compliance reporting.
These are built out of audits. An audit is a little different from an assessment, in that an audit is where a third party is going to come in and say to the cloud provider: prove to me you are doing these things, prove to me you are following these processes.
For example, prove to me that you are doing an access control review every month.
Show me the meeting minutes where you looked at all these different people. Prove to me that you are doing vulnerability management in a way that aligns with the ISO/IEC 27017 standard. Show me that data is being encrypted to an extent that meets the PCI requirements or HIPAA requirements that you
asserted in your assessment you are compliant with. Very rarely will it be your own company performing these audits; typically it's going to be third parties. So in the same way that accounting firms audit the financials of large corporations and examine how they do their books,
these parties are going to come in and make sure that the operations, policies and procedures of this cloud provider are aligned with, and meet, the standards they themselves assert they're compliant with. Of course, not all auditing third parties are the same.
In the early 2000s, Enron was making record amounts of money,
their stock was soaring, and Arthur Andersen was the company responsible for auditing their financials. Unfortunately, Arthur Andersen didn't recognize that Enron was not following generally accepted accounting principles. So while their profit and loss looked really nice and their balance sheets looked really nice,
there were some real funny shenanigans going on, and when people started recognizing this
and Enron started running short on cash, their stock imploded. Employees lost their jobs. Employees lost retirement funds.
Investors lost dramatic amounts of money as their shares went to zero, and the company went bankrupt. Arthur Andersen eventually went out of business themselves. So the point of that story is that just because it is audited doesn't mean the auditor is good. So you also want to take a look at that.
Ideally, this auditor understands some of the nuances of cloud
and even has people with CCSK designations on their own team. Also note that if you do want to access and review the audit results of a particular cloud provider, they will often be provided to you under an NDA, a non-disclosure agreement. These audits
can carry some very sensitive information about how the cloud provider performs its internal operations,
and oftentimes that's the secret sauce of the cloud provider, or it may expose them to vulnerabilities. So the NDAs give the cloud providers some confidence that you're not going to take potentially very sensitive information described in these audit results and communicate it outside the immediate circle.
While it was only three items, they were three important items, and that does it for this video about contracts, compliance assessments and audit reporting. We described each of those three items and we also discussed the relationships between them.

This course prepares you to take the CCSK exam certification by covering material included in the exam. It explains how the exam can be taken and how the certification process works.

Instructed By

James Leone
Cloud, IoT & DevSecOps at Abbott