CSA CCSK – Understand Cloud Agreements

  1. Artifact 1 – Customer Agreement

Hello friends. So welcome to this lecture on cloud service agreements. In this lecture we’ll study what expectations we need to set before making a contract or using any cloud service provider’s services: what we want the cloud service provider to agree to before we go ahead and use the services, so that we avoid any kind of future complications. So let’s see what is there in the cloud service agreement. One thing which is pretty clear is that on one side, on the left, there is the cloud customer. It may be an individual or an organization. On the other side there is the CSP, which we call the Cloud Service Provider, and this cloud service provider will be providing services to the customer.

So the cloud service agreement is a very important document, which basically governs what kind of relationship there is between the CSP and the CSC, the cloud service customer. It defines the terms and conditions on which the customer and the cloud provider both agree; they then sign a kind of contract and go ahead and use the services. So this is a very important document to have before procuring or using any cloud service, or migrating any of your data to the cloud. One thing we, as customers, need to understand is that all the expectations the cloud customer has from the service provider need to be clearly documented in the service agreement.

And it is true on the service provider side as well: what kind of behaviour do they expect from the cloud customer? For example, they do not want a customer putting any kind of pornographic content onto their cloud, right? So there should be an acceptable use policy describing how the customer will use the cloud service provider’s services. It should not be that some hackers use the cloud service provider’s platform to launch a DDoS attack from there. So both sides need to agree on certain terms: this is what we agree on. Then they sign a contract and the customer starts using the cloud services provided by the service provider. It is very important that both understand what has been agreed, so that tomorrow, if there is any kind of complication or some kind of penalty, say some kind of breach has happened at the service provider, it is clear who will compensate and what amount the CSP will give to the customer. All of this needs to be mentioned in the cloud service agreement.

So, as we discussed, cloud service agreements are primarily written to set clear expectations for services between the cloud service customer and the cloud service provider. Another thing is that the cloud service agreement is the main document, or one of the main documents, as we discussed. Let’s say some kind of breach has happened and you want to know how the cloud service provider will deliver on the SLA, how billing will be charged, what the SLA and backup services are, or how data confidentiality or privacy will be handled. So it is one of the main documents a customer will refer to in a critical situation, and it sets out the terms and conditions of the contractual relationship between the provider and the customer. This is the main document, and in the next lecture we’ll study the different things a customer should think of before signing the contract.

All of these things should be mentioned in the CSA, the customer service agreement; some people call it a contract as well. So it is nothing more than terms and conditions: the expectations from both sides are mentioned and then the document is signed. We call it a customer service agreement. So this is it, friends, for this lecture. We’ll meet you in the next one. Thank you for watching.

  2. Artifact 2 – Acceptable Use Policy

Hello friends, so welcome to this lecture on the acceptable use policy. This is the second major artifact of the customer service agreement. Before digging into what should be in the acceptable use policy in the case of a cloud service agreement, just a little background on the acceptable use policy, which is sometimes also called a fair use policy. In general, an acceptable use policy is a kind of rule set applied by the owner. Think of Google, or services like Gmail you will be using, or any of the websites you’ll be using. These are the policies applied by the owner, creator or, you can say, administrator of a network, website or service, which describe, or basically restrict, the ways in which the network or the services may be used.

For example, there may be an acceptable use policy by Google that applies when I use the various services provided by Google. These are restrictions the owner expects you to follow so that there are no issues: so that a customer does not spread viruses or use the services for some illegal purpose. That is the acceptable use policy in general. Again, the acceptable use policy is very common within the CSA, because it is what the cloud service provider expects from the cloud service customers, right? So in this case the AUP, the acceptable use policy or fair use policy, prohibits the activities that a CSP considers improper or illegal in the use of its service. A simple example: you may be using some cloud services, or you have provisioned servers onto the cloud, in the case of AWS or Azure.

And by default the cloud service provider expects that you will not use its services to hold any kind of pornographic content, or for any kind of gambling or illegal activities which are barred by the government. There may also be a clause in the acceptable use policy that, without informing the cloud service provider, you should not perform penetration testing or any kind of vulnerability scanning on the cloud service provider’s network. So all of this should be part of the acceptable use policy, and you, as a customer or as an organization, or you can say a stakeholder or a manager, should make sure of it.

You should understand what the concerns are, and that whatever expectations or rules the cloud service provider has set are understood and agreed to by you. This is again one area where you’ll find it is pretty common among the different CSPs, though it might vary slightly depending on the model you’ll be using, let’s say infrastructure as a service, software as a service or platform as a service. So this is all about the acceptable use policy: as we discussed, the rules set by the cloud service providers and the expectations they have from customers, that there should be fair use of the services provided by the cloud service provider. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture.

  3. Artifact 3 – Service Level Agreement

Hello friends. So welcome to this lecture on the service level agreement. In this lecture we’ll study what is in the service level agreement and what it is all about. In a service level agreement we generally discuss, for example, how much downtime is generally expected, or how much you think you can tolerate. Such things, in terms of availability and performance, need to be made clear within the service level agreement. And friends, this is again a very important topic in terms of cloud security, because this is where the expectations you have from the cloud service provider, in terms of availability and in terms of performance, are set.

So you need to make sure that all your expectations in terms of availability and performance are met, right? In terms of BCP/DR activities, we will also have a different lecture, where we’ll try to mention the major things customers should think of that should be part of the SLA. Those are not the final list, but they are things customers can think of and would be a good starting point. So let’s have a general overview of the service level agreement in terms of the customer service agreement; this is the third major artifact. Think of the SLA as a kind of third-party governance, because ultimately you will be using the cloud services or hosting your data on the cloud.

So the SLA will help you to have better governance in using the cloud services: in terms of performance, in terms of availability, all the things the customer expects from the cloud service provider. Just to put it in ITIL terminology: the SLR is a document prepared first by the customer, stating the different services or service level requirements the customer expects from the cloud service provider. It is then given to the cloud service provider, which prepares an SLA stating what the provider has agreed to. That is how the SLA, the service level agreement, is prepared.

Now, to make sure of the effectiveness, that is, whether whatever has been agreed and mentioned in the SLA is actually being maintained: let’s say the cloud service provider says, or the customer expects, 99.99 availability. How will the customer validate that this is there, or that the KPIs are being met? In that case, against whatever the customer has expected from the SLA, the provider will provide the SLR, which we call the service level report, just to make sure that whatever has been mentioned within the SLA is being provided by the service provider. For example, the customer might need 100% access to the cloud resources all the time.

So it is again the duty of the customer to make sure that whatever he needs in terms of service availability or performance is there in the SLA. It is the SLA which provides the thresholds, or you can say the financial penalties, in case the provider is unable to deliver what is agreed in the service level agreement. So this is just a high-level overview of the service level agreement. In the next lecture we’ll go through it further, because it is an important topic in terms of cloud security, so that customers can avoid future implications and there are no penalties. In that lecture we’ll try to mention some starting points a customer should think of, which at least should be there in the SLA. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture.

  4. Cloud SLA – What all needs to be Covered

Hello, friends. So welcome to this lecture on the cloud SLA: what all needs to be covered in the cloud SLA when you’ll be signing the cloud service agreement. This is about the third major artifact of the service agreement. In the last lecture we just had a general overview of what the service level agreement is all about: the customer sends the service level requirements, then the SLA is prepared, and then the service level reports are there, which are generally used to check effectiveness. Now let’s study what you should mention, or think of as a starting point or as a checklist, in terms of service availability or the service level agreement before you sign the contract, to avoid any kind of future implications.

In terms of performance definitions, all the different terms like uptime, downtime, high availability and fault tolerance should be clearly mentioned. Make sure they have mentioned them and you understood them. Likewise, make sure the part about monitoring is covered: who will be doing the monitoring, what needs to be monitored, which services will be monitored, and, in case there is an incident, who will notify the customer or who will notify the authorities that an incident has happened. Make sure the point about audits is covered. The SLA will clarify when and how audits will be performed, who will perform the audit and when the reports will be shared. All of these things should be mentioned in the SLA. Another very important point is the business continuity and disaster recovery activities.

The SLA will clarify what is expected, what kind of results are expected from the BCP/DR activities, who will trigger the BCP/DR activities, with whom the results will be shared, and what the different roles and responsibilities are, in terms of the BCP coordinator and so on. All of those things should be mentioned in the SLA. Another good point is certifications. It is the responsibility of the CSP to provide the various industry certifications, because of the way the cloud is structured and the services are provided: as we have already discussed, they have data centers in different regions and different countries, so it is not feasible for the customer to go ahead and audit the cloud service provider.

So in that case it is the CSP that will make sure that whatever industry certifications are required, let’s say in terms of facilities, in terms of data centers, in terms of cabling and so on, are in place. Similar is the case with compliance certifications: whatever the customer needs, make sure the CSP will provide them, and it is the responsibility of the CSP that they are current and available. Apart from these points, make sure that where the different points are mentioned in terms of availability, network and storage, it is clearly stated in the SLA what kind of compensation the cloud service provider will provide. You can think of a clause in the SLA in terms of network availability.

Let’s say if the network is not available, or availability is less than 99.5%, a 20% discount will be applied to the entire day’s network charges. So make sure these clauses are there, so that you get a benefit in case there is any downtime or service unavailability. Similarly, in terms of storage availability: let’s say if storage is not available, or availability is less than 99.5%, a 50% discount will be applied to the entire day’s storage charges. Similarly in the case of response time: let’s say for a given hour the stated response times, whatever has been agreed, are not met.

Then all the services of that type during that hour will be processed at no charge. So the SLA is again a very important document when the service agreement or the contract is signed, because in the SLA the customer has expectations in terms of service availability and in terms of performance. A customer needs to assess that all these expectations are met and are mentioned in the service level agreement, including the penalties and the compensation in case of service unavailability. So this is it, friends, for the cloud SLA: all the points which you can think of or use as a starting point. Thank you, friends. Thank you for watching this lecture. Meet you in the next lecture.
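To show how a customer can check a service level report against compensation clauses like the ones in this lecture, here is an added example (not from the lecture or any provider’s tooling) that evaluates one constructed day of monitoring data against the network, storage and response-time clauses above; the 300 ms response-time limit, the charges and the outage figures are assumed sample values.

```python
from dataclasses import dataclass

DAY_MINUTES = 24 * 60
AVAILABILITY_THRESHOLD = 99.5   # percent, as in the lecture's clauses
NETWORK_CREDIT = 0.20           # 20% of the day's network charges
STORAGE_CREDIT = 0.50           # 50% of the day's storage charges
RESPONSE_LIMIT_MS = 300         # assumed agreed response-time threshold

@dataclass
class DailyReport:
    """One day's service level report (constructed): outage minutes per
    service, measured response time (ms) per hour, and the day's charges."""
    network_outage_minutes: float
    storage_outage_minutes: float
    hourly_response_ms: list        # 24 entries, one per hour
    network_charge: float
    storage_charge: float
    hourly_service_charge: float    # charge per hour for the metered service

def availability_percent(outage_minutes: float) -> float:
    """Share of the day's minutes the service was up, as a percentage."""
    return round(100.0 * (DAY_MINUTES - outage_minutes) / DAY_MINUTES, 3)

def evaluate_credits(report: DailyReport) -> dict:
    """Apply the three compensation clauses and return what is owed per clause."""
    net_avail = availability_percent(report.network_outage_minutes)
    sto_avail = availability_percent(report.storage_outage_minutes)
    credits = {"network_availability": net_avail, "storage_availability": sto_avail,
               "network": 0.0, "storage": 0.0, "response_time": 0.0}
    if net_avail < AVAILABILITY_THRESHOLD:      # network below 99.5%: 20% off
        credits["network"] = NETWORK_CREDIT * report.network_charge
    if sto_avail < AVAILABILITY_THRESHOLD:      # storage below 99.5%: 50% off
        credits["storage"] = STORAGE_CREDIT * report.storage_charge
    # Every hour in which the agreed response time was missed is processed free.
    missed_hours = sum(1 for ms in report.hourly_response_ms if ms > RESPONSE_LIMIT_MS)
    credits["response_time"] = missed_hours * report.hourly_service_charge
    credits["total"] = credits["network"] + credits["storage"] + credits["response_time"]
    return credits

# Constructed sample: 12 min network outage (99.167%, credit due), 5 min storage
# outage (99.653%, no credit), and two hours over the response-time limit.
SAMPLE = DailyReport(network_outage_minutes=12, storage_outage_minutes=5,
                     hourly_response_ms=[120] * 10 + [450, 380] + [130] * 12,
                     network_charge=200.0, storage_charge=80.0,
                     hourly_service_charge=4.0)

if __name__ == "__main__":
    for clause, value in evaluate_credits(SAMPLE).items():
        print(f"{clause}: {value}")
```

The same check can be run over each day of a monthly service level report to total the credits the customer is entitled to claim under the agreement.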
