jueves, 7 de febrero de 2013

CLOUD COMPUTING: Regulating the disorder

Abstract:Development of the paper I presented at the itSMF Spain Seventh National Congress, under VISION12 CONFERENCE & EXHIBITION"

There was someone who could not attend to the presentation of this paper live, due to the system of simultaneous rooms as it was such a crowded conference, and asked me if I would publish it on the Internet. For those who realised that I had to use a high level of abstraction because of the usual problems of lack of time for the presentation and  for other "groups of interest" out of the field of itSMF, I have fused my presentation with the notes I prepared it. Thus it is easier to understand it than just with some MS PowerPoint slide.

I have structured the paper in four different sections, although they are clearly related to each other:

·         Chapter 1 and 2. Introduction to Cloud Computing and formalisation of concepts that allow us to understand the other sections.

·         Chapter 3. To me, this chapter is the centrepiece of this paper according to the itSMF itself because it is about the organisational involvement of Cloud Computing in IT Governance and Management.

·         Chapter 4 and 5. Not less significant are the legal aspects from a regulation perspective if we take personal data to the Cloud, as well as the contractual clauses that will control all the cycle of life of the outsourced services.

·         Chapter 6. Final conclusions.



1.1. Index of the paper
1.2. How CLOUD COMPUTING is born?
1.3. Conclusion: ¿Is it a fad?
2.1. Definition of CLOUD COMPUTING
2.2. Key features
2.3. Service models
2.4. Deployment models
2.5. Delivery/payment relationship according to the model
3.1. Functional Decomposition (GOB, GES, OPE, INF)
3.2. IT Governance
3.3. Other analysis of the cross tabulation
3.4. IT Management
3.4.1. PMM or Process Maturity Model
3.4.2. ISO 20000-1:2011
3.4.3. PRM of Cobit 5
3.4.4. ITIL 2011. Supplier Management Process
3.5. Desirable regulation in a CSP
4.1. Spanish legal framework
4.2. Claimants involved according to the Spanish Protection Data Laws: LOPD and RLOPD
4.3. Protection Data Law implications depending on the geographical location of the Data Centre that supports the CLOUD
4.4. Examples of penalties
5.1. According to CSA (Cloud Security Alliance)
5.2. According to Thomas Trappler
5.3. According to ENISA
5.4. Commission Decision 2010/87/UE
5.5. ITIL 2011: Underpinning Contracts


1.1. Index of the paper

1.2. How CLOUD COMPUTING is born?

CLOUD COMPUTING did not occur by spontaneous generation when nobody expected it. Quite the opposite, in fact, it is the slow evolution of a set of social, organisational and technical concepts that have enabled it when converging the maturation of all those concepts from a certain moment on.

To illustrate it, I will use the BMIS of ISACA. The BMIS is a model that analyses any business (people, processes, technology).


·         In the PEOPLE apex, there is an evolution, a change of mind. We are already used to the intangible. If we withdraw some money from a cash machine, we do not press the print button because we trust on the system and on the intern audits of the financial institution. We prefer an 'mp3' song because we can listen to it everywhere, in any device and we can secure it with a backup. We buy books via Internet in PDF format. . . People have evolved and we are ready.

·       In the ORGANIZATION apex, we have realised that there is an evolution of the users of the organization that understand IT as a service delivery business.
From ITILv3 on, everything spins around the service cycle of life. Technology is not the protagonist anymore as long as it fulfils its role. The most important thing is to manage, to the agreed level between IT and the clients (users), the Catalogue of Services.

·         In the TECHNOLOGY apex, we have been noticing its spectacular development.

§  Internet and its geographical coverage and symmetrical broadband accesses; 3G, 4G networks. . .

§  The virtualisation that allows optimising the infrastructure, considering that just one hardware can run simultaneously and in isolation several operating systems.

It allows procuring rapidly VM (Virtual machines) from a template catalogue and the usage of automation and orchestration techniques.

In short, the systems management is simplified and the Data Centre is more flexible because a physical infrastructure made of physical servers, storage arrays and network electronics permits to withstand a wide and adaptable virtual infrastructure.

§  And the so called “Anywhere computing”. With the consumerization, users wish to access to the corporative resources from anywhere, anytime, and using any device, preferably one of their own; this is known nowadays as BYOD (Bring Your Own Device).


1.3. Conclusion: ¿Is it a fad?

·         What suddenly APPEARS has the same possibilities to DISAPPEAR rapidly, like a fad.

·         What is the result of a long EVOLUTION of different factors, REMAINS.

Therefore, we can state that CLOUD COMPUTING REMAINS.


Not only because of its benefits: FLEXIBILITY (The service matches the demand), speed to SUPPLY (Time to Market), LITTLE INITIAL INVESTMENT (Opex versus Capex). . . But because of the ongoing recession (even if the current situation would improve, it would never be like before) and the difficulties to credit facilities, Cloud Computing is the favourite model of financial directors.

We have to think that it already has financial advantages in the initial stage, when the novelties are more expensive. As the turnover grows and more new clients are incorporated to the Cloud Service Provider (CSP), there will be lower prices and a bigger pressure on IT to migrate (Manage change) to the above mentioned model by CFOs y CEOs.

Inhibitors? According to surveys, information security and data protection are indeed, but is it safer a company who does not know about the ISO 27001 and the ISO 22301?



The NIST (National Institute of Standards and Technology) defines the basis of the CLOUD COMPUTING model in its special publication 800-145.

2.1. Definition of CLOUD COMPUTING

As it has a very long definition, what it is just a chain of features separated by commas; I will analyse the first and the last phrase.

They first say that CLOUD COMPUTING “is a MODEL”. It is not said which model is it, but it is the first time that it is recognised as one. The most important is to understand that CLOUD is not a technological model because it is just built on technology such as any IT field; like IT has been always doing.

Neither is it a business model. Maybe it is from a CSP (Cloud Services Provider) point of view because it earns a living by offering services in the Cloud, but not from the client company point of view who contracts it or migrate its services to the Cloud.

The only definition that can combine both is that it is a service delivery model. Cloud is a MODEL OF SERVICE DELIVERY.

The last phrase says "with minimal service provider interaction”. Specifically, the services must be supplied from a self-service portal.

2.2. Key features

2.3. Service models

According to the NIST, there are 3 basic service models: Iaas, PaaS and SaaS.

·         The IaaS (Infrastructure as a Service), which simplified for the sake of didactics and without neglecting the essence, and I apologise to my Engineer college mates, is like supply an empty server that only includes the OS (Operating System).

·         The PaaS (Platform as a Service) incorporates to the last offer utilities that will be very valuable if they match with the interests of the client: DDB (Database), Web Services, programming utilities, run-times… In IaaS, all this supplements must be installed by the client via Internet.

·         The SaaS (Software as a Service) relies on the previous layers but it already conceptually differs in different aspects. Simplifying it again, it is like to contract an App (Application) or a set of Apps installed in the CLOUD. The client stops worrying about the virtual server, the operating system, the DDB, the installers. He just has to set the parameters of the software and use it.


There are other delivery models, but they are variations of the above three basic models.

To mention some examples:

·         DRaaS (Data Recovery as a Service)  consists in using the CLOD COMPUTING as a disaster recovery solution. Further information on this subject can be found in an article in this blog:

·         BPaaS (Business Process as a Service) consists in taking to the CLOUD all the applications that provide service to a complete BP (Business Process).

·         In that event, if we take all the services or if we take all the IT services to the CLOUD, would that be ITaaS?

If it is, all of us who have a professional connection, at any level, in the IT department of a company -unless we work in a CSP-, will we be fired?

This risky but brave question would be answer by itself later.

2.4. Deployment models

The NIST points out four important deployment models.
I would have said three because I consider that the Community Cloud is a special case of the Private Cloud (shared among a few with some affinity such as the Rectorate of a University and its schools and colleges.)

Essentially we will talk about Private Cloud, Public Cloud and Hybrid Cloud.

The most important is to understand that for being a Private Cloud, the Data Centre must be located necessarily in the premises of the company.

If the HOUSING is used, to rent a space in the Data Centre of a third party (ISP) and to locate there the PRIVATE CLOUD of the company, it would still be a Private Cloud.

It would be private because both the physical and the virtual infrastructures are not shared with anyone. It is of its own exclusive use.

It is called “ON PREMISE or Internal”, if it is in our Data Centre; and, “OFF PREMISE or External”, if it is in the Data Centre of a third party to profit by a safer place (redundant air-conditioning, redundant power supply secured by a UPS and self-containing generators, high-speed Internet with perimeter security, physical access control and 365 days x 24-hour surveillance. . .).

2.5. Delivery/payment relationship according to the model

The comparative of models of delivery services can be done from two perspectives:

·         The method of payment

·         The flexibility of the delivery


Before discussing the following slide, it is necessary to understand and to differentiate two basic concepts:

·         HOUSING is to rent a space (usually a rack) in the Data Centre of an ISP or a CSP provider to take the physical infrastructure of a client company. If that physical infrastructure is prepared through virtualisation software and configured to support the Cloud model, it is a “PRIVATE CLOUD off premise.”

·         HOSTING consists not only in renting the space in the Data Centre of a service provider, but also the physical servers. When the Cloud Computing did not exist, the Hosting was the way used to externalise the infrastructure; and it is still used.

The service provider can achieve a better price of the hardware through the massive purchase and, as all the units are usually from the same manufacturer, can obtain maintenance and replacement in case of failure.

Like in the previous case, if we set up a Cloud in the rented physical infrastructure by a company, it is also a “PRIVATE CLOUD off premise”.

If we analyse the method of payment, observing the slide from left to right, we can see that both the PRIVATE CLOUD (bought infrastructure) and the classic Data Centre are CapEx (Acquisition Costs). Meanwhile, the PUBLIC CLOUD and the traditional HOSTING are carried out with no cost because they are pay-per-use service; this is called OpEx (Operating Expense).

However, if we analyse the service delivery model from top to bottom, we can see that in the physical environment (classic Data Centre and traditional HOSTING) there is a slowly provisioning while in the Private or Public Cloud there is an self-provisioning almost instantaneous from a portal.


3.1. Functional Decomposition (GOB, GES, OPE, INF)

We will analyse three concepts:

·         The traditional Data Centre in the company (INSOURCING).

·         The OUTSORCING as a externalisation of people in IT.

·         The PUBLIC CLOUD model.


For each of them, there are analysed four aspects from the point of view of who has the responsibility :

·         Governance

·         Management

·         Operations or execution

·         Infrastructure


3.2. IT Governance

The first thing that calls our attention is that the first horizontal raw is coloured in green. The reason why is because the IT Governance is always internal.

To lose the governance means to cede the control, and if it is not controlled it means "free will", we will "lose" the external services.

From a more rigorous approach, to GOVERN means to ASSURE some GOALS based on some RESOURCES. However, it is not pointed out anywhere if the resources must be internal or external. Therefore, in a Cloud Computing environment is the client company who govern the processes and services both internal and external.

3.3. Other analysis of the cross tabulation.

If we analyse the table by columns, we will see that the traditional Data Centre is the simplest case. Governance, Management, Operation and Infrastructure are all an internal responsibility.

In the OUTSOURCING, Governance and Infrastructure are an internal responsibility of the company. The operation in the sub-contracting respect is an external responsibility of the supplier. The Management is usually an internal responsibility (of the client) but in some cases of total outsourcing of the IT, it can be transferred under clear governance guidance or all that we will talk about Public Cloud would be valid. That is why in the amber table.

In the PUBLIC CLOUD, the Governance is internal of the client company. The operation is external of the Data Centre for the service contracting. The infrastructure is external, at least the Data Centre, but in the corporate headquarters still remain the user terminals, the LAN and the communication terminations. Moreover, all the user devices may also be there with the Apps. That is why is painted in red with a narrow green stripe.

If we use the desktop virtualisation (VDI) in the CLOUD simultaneously, the stripe will be narrower.

3.4. IT Management

3.4.1. PMM or Process Maturity Model

To understand what occurs in the Management in the CLOUD COMPUTING model, we should remember that any company that aims the continuous improvement of the quality, must be structured based on the business processes.


In the previous slide, there is a MAP OF PROCESSES of a run-of-the-mill company.

There is the so called PMM (Process Maturity Model) that will be crucial in order to externalise. If we are in low levels of the maturity scale (non-existent, unpredictable, repeatable), it would be very difficult to be successful in their externalisation. If the levels are high (defined, managed, optimised), we will face the migration to Cloud with better guarantees.

And what we are talking for the business in general, it is also for IT. Both must be well aligned, so their maturity level must be similar.

If we try to take services to the Cloud with a low maturity level in the processes that support it, it is likely to the popular Spanish idiom of the pre-industrial era to be accomplished:


“To start like a horse and to stop like a donkey.”


What criticise the lack of planning if you start any business with energy and enthusiasm and, then, you give it up and it remains unfinished.

It is very difficult to externalise services to the Cloud if IT does not have a "Service Catalogue" available. If you do not know the services offered or the ones you can offer to your users, how will you decide which ones would you take to the CLOUD?

Therefore it is very advisable to IT to be managed under the best practices of ITIL or protected under a certification in service management (ISO 20000-1).

In the "end-to-end" management, in which there will be “relationships of trust” between the internal management of the client and the external management of the provider, it must be established communication channels to monitor the outsourced processes.

By means of a SCORECARD or “control panel”, the client will be able to analyse the KPIs (Key Performance Indicators) of the outsourced processes and the LOGS created. Many Data Centres have already a standard control panel which its display facilitates the management when providing transparency.

When one manages a Cloud service, we have to remember that several IT processes support it. Sometimes some are exclusive and others are shared with other services. The exclusive ones are "transferred”, but the shared ones must be managed “related”.

3.4.2. ISO 20000-1:2011

The ISO 20000-1:2011 deals about the governance of “processes” ran by third parties.

That introduction takes into account the progress of the CLOUD model about outsourcing services and IT processes.

3.4.3. PRM of Cobit 5

If we observe the PRM (Process Reference Model) of Cobit5, we will see 5 different sections and one of them will be analysed later:

·         Evaluate, Direct and Monitor

·         Align, Plan and Organize

·         Build, Acquire and implement

·         Deliver, Service and Support

·         Monitor, Evaluate and Assess


Specifically the “Align, Plan and Organize” point is the one that will always prevail in the Management, even if the company transfers some of their IT services to the Cloud.


The three Managament controls, in white, are not specific of Cloud Computing, not even of IT. Any business activity must be based on them. It is clear to manage based on the Strategy, based on the Enterprise Architecture and to ensure quality.
To mention some processes (or management control goals), you will find them in yellow in the previous slide:

·         AP004 (Manage Innovation). The future IT tendency will be aimed to be more innovative with new services, while fewer efforts will be made gradually with regard to operations and Data Centre infrastructures because of the new model of service delivery.

·         AP005 (Manage Portfolio). It is crucial to manage the overall portfolio of services at the disposal of the company in mixed environments. Related to them, the service catalogue can be supported by more than one CSP, apart from the IT area.

·       AP006 (Manage Budget and Costs). In Cloud Computing environments with great facilities of self-provisioning, if IT does not manage the additional costs of the services contracted by users; the client company risks to have a high deviation of the approved budget.

·       AP009 (To manage the SLAs).  The SLA (Service-Level Agreement) Management will be substantial in Cloud Computing environment to ensure that the contracted service and the offered service are the same.

·         AP010 (Manage suppliers). The Suppliers Management is essential in the outsourced models. We will take a closer look later based on ITIL 2011.

·       AP012 and AP013 (Manage risk and Manage Security). Security, based on a risk analysis in the company, is fundamental in any environment; it will turn even more basic with outsourcing. The processes must be managed "end-to-end" and be supervised directly or, what it is more feasible, be supervised by certifications and audits of accredited third parties.

3.4.4. ITIL 2011. Supplier Management Process

In the book “Service design” by ITIL 2011, there is a specific chapter devoted to the Supplier Management. As the said about the ISO 20000-1:2011 Standard, the reference frameworks keep on adapting to the reality of the outsourced delivery services according to Cloud Computing.


The “Leitmotif” of the Supplier Management IT process is to align the contracts with the business needs and the agreed goals based on a SLA (Service-Level Agreement) dealt from the SLR (Service-Level Requirements) of the company who contracts.

Depending on the above, the Supplier Management will be responsible of enforcing the agreed SLA, in coordination with the Service Level Management process. In other words, the Supplier Management will be responsible of ensuring the "effective performance" of the supplier.

Its mission is to agree and "to manage the contracts” during all its “life cycle”, which will match with the life cycle of the outsourced service.


ITIL 2011 suggests to follow a specific policy for suppliers and to maintain a SCMIS (Supplier and Contract Management Information System).

That information system for the supplier and contract management will become more popular thanks to Cloud Computing as the CMDB will not be enough for the new service delivery model.

As business assets, not every service has the same value or importance for the company, so their loss of availability will have a different result, which we will evaluate according to a risk analysis.


The above mentioned risk related to the service availability is transferred to the CSP (Cloud Service Provider). So, it is essential to set a categorisation of the providers according to the categorisation of the supported services.

ITIL 2011 classifies them in strategic, tactical, operational and “commodity”.

The selection criteria of the provider that will support the strategic services will be different from the CSP that will just support a “commodity” service.

It is interesting to note that, in the representation models of a managed company looking for quality, ITIL adds a forth element: Providers.

So, it is about People, Processes, Technology and Providers. It is a growing tendency that Cloud Computing will be more significant inside the company gradually.


3.6. Desirable regulation in a CSP
As discussed before, the “end-to-end” management must establish “relationships of trust” between the company who contracts and the CSP.

The said relationships must be based on fluid communication channels, access to LOGS and KPI of the outsourced processes.

The other way is through control audits. As they are unworkable in practice, since they would also violate the principle of reserve and security of the Data Centre of the CSP, the solution is to transfer them to a third accredited company

The formula consists in requesting to the provider to accredit security and quality certifications of the services offered to its clients.


Despite there are specific ISO standards for Cloud Computing (ISO 27017 e ISO27018), they are still at draft stage and, therefore, we cannot take them now into account.

The wide known Standards are:

·         The ISO 27001:2013 which certifies a ISMS or Information Security Management System.

·         The ISO 22301:2012 which certifies a BCMS or Business Continuity Management System.

·         The ISO 20000-1:2011 which certifies a SMS or Service Management System.


If a CSP is certified by the previous three standards, it guarantees a optimum safety level and the client company can trust on the information, the processes and services that has transferred.

It is very important to find out the SCOPE of the certifications. For example: a company can be certified according to the ISO 20000-1 but only in one service, such as the e-mail. Therefore, it must be read carefully the scope of the CSP certification.

It is either the same to manage the services and security under an ISO Standard than to have our Management Systems certified by an accredited company. In the first case, it is supposed; in the second one, there is a full guarantee because of the annual review audits and the recertification every three years.

All of the foregoing without detriment of the internal review audits.

EDITOR'S NOTE. Furthen information about audits can be found in this blog:



4.1. Spanish legal framework

There are many legislations which affect the information security and, more specifically, the personal data protection.

The generalisation of the delivery service model in the Cloud, with the possibility to transfer data beyond our borders, makes us be more careful when deciding the contracting of a Cloud Computing model in order to not breach the legislation and deal with financial penalties, and losing our prestige when that are made public.

In Spain, we are under the protection of the following laws:

·         Organic Law 15/1999, of December 13, better known as the LOPD.

·         Together with the LOPD there is the Royal Decree 1720/2007 of December 21, known as RLOPD, because it is the implementing regulation.

·         If, summarised very briefly, we use a website for electronic commerce and/or the e-mail for advertising purposes, there is the Law 34/2002 of July 11, known as LSSI-CE (Services Information Society and Electronic Commerce).

·         The European Union Directive 95/46/CE of October 24.

·         As the personal data protection is a fundamental right of any person, the Penal Code according to the Organic Law 10/1995 of November 23 referred to them in articles 197, 198 and 199.

·         In the case of the Public Administrations with relation to the information security and to regulate it, there is the ENS (National Security Framework) and the ENI (National Interoperability Framework).


4.2. Claimants involved according to the Spanish Protection Data Laws: LOPD and RLOPD

The LOPD and the RLOPD consider the following agents regarding the personal data protection:


In relation to CLOUD COMPUTING, the company that contracts the services is the “Data Controller” and the CSP (Cloud Service Provider) is the “Data Processor”.

It is important to highlight the last paragraph of the slide, in which it is shown that IN ANY CASE that there is a someone who manages data under the responsibility of a “Data Controller” by a third “Data Processor”, there must be a binding contract which defines the sphere of activity of the outsourced.


4.3. Protection Data Law implications depending on the geographical location of the Data Centre that supports the CLOUD

As known, the data taken to the Cloud are not floating among the clouds but in Data Centres on land, in any physical place of the globe.

That means that they would be subjected, on one hand, to the legislation of the country where the company that has contracted the Cloud services is located and, on the other hand, to the legislation of the country where the CSP Data Centre is located.


To sum up, there will be an analysis about how affects a “Data Controller” or Spanish company that contract Cloud services to the location of the Data Centre which will contain personal data:

·         If the CPD of the Cloud is located in Spain and there exists a data access contract, you do not have to do anything.

·         If the CPD of the Cloud is located in the EEA (European Economic Area) and there also exists a data access contract, you do not have to do anything either.

·         If the CPD of the Cloud is located in a third country where the security level is accepted by the EU and the Spanish Data Protection Agency (AEPD), apart from signing the proper contract to data access, the AEPD must be informed about the international data transfer, but that is all.

·         If the CPD of the Cloud is located in any other country, apart from signing the proper contract to data access, previously one must request permission for the international data transfer to the AEPD director, with uncertain outcome.

We should distinguish between the Registered Name of the CSP, which can be located in any country around the globe, and the Data Centre -it may have more than one- in which the client company chooses to locate their data. An example can be a company from the USA that has a CPD in Germany, so the client is the one who chooses.  In that case, it would be regarded a data transfer to the EU instead of an international data transfer to the USA.


4.4. Examples of penalties
The AEPD has a system of penalties that help the Agency to enforce the fundamental right of people to protect their personal data.

There are three penalties: slight, serious and very serious.

To mention:


The fact that the information in the Cloud is sent and stored in encrypted form, it does not exempt us to comply with the legislation in force about data protections.

EDITOR'S NOTE. Further information about the legislation can be found in the following article in this blog:



CLOUD COMPUTING represents a change from the traditional model of IT delivery services. One important part of the success of the migration to Cloud Computing is the formalisation of the contract or contracts (provision of services, personal data access, etc.) between the CSP (Cloud Services Provider) and the client company.

The said contract will be in force during all the life cycle of the service or services migrated to the Cloud.

5.1. According to CSA (Cloud Security Alliance)

5.1.1. Confidentiality
That clause ensures that just people authorised by the client company will be able to access to the information taken to the CLOUD. Prevent that our information spreads worlwide.

5.1.2. Intellectual property
It ensures that everything that the client company takes to the CLOUD, it is its exclusive property. The CSP or Cloud Service Provider has no right over it, even if it is using its platform. Upon termination of the contract, it must be returned to the client in a preset standard format and, for a certain amount of time, it must be available for the client to transfer it to another CSP, to a private Cloud or wherever he likes.

5.1.3. Liability
The client company must ensure that the CSP does not exclude its liability when a divergence appears between the contracted service and the offered one.

5.1.4. Early termination
That clause will allow the client to terminate the signed contract with the CSP when any of the contractual commitments or the SLA is breached repeatedly.

5.1.5. Privacy and Data Protection
The CSP must be reported that the client company will take personal data to the Cloud in order that the Cloud Service Provider implement safety measures suitable to the applicable legislation.

5.1.6. Applicable law and jurisdiction
The Data Centres where our information is stored in the Cloud are not floating among the clouds but on land, within countries borders. The registered offices of the CSP are also on land. That means that the data and the contracts will be subjected to different legislations. In case of divergence, it must be clear in which courts will be settle.

5.1.7. Auditabilily.
There is legislation about data protection, such as the Spanish legislation which obliges to Data Controller to ensure that the Data Processor complies with the applicable safety measures by the implementing Regulation.
In some cases the geographical remotness is unworkable. Then, attempts should be made to get a certificate issued by an accredited third-part certifier ensuring that it meets all the information safety measures.

5.1.8. Security.
The aim of this clause is to guarantee the performance of the three basic attributes of information:

·         AVAILABILITY: To guarantee that the information will be available and ready to use when need it.

·         CONFIDENTIALITY: To guarantee that the information will be only available for authorised people.

·         INTEGRITY: To guarantee that the information is complete, accurate and protected from non-authorised changes.

5.1.9. Service-Level Agreement (SLA).
They are usually annexed to the contract and tend to be one for each service migrated to the Cloud.

5.2. According to Thomas Trappler

5.2.1. Change of Control

Thomas Trappler, an expert at contracting in Cloud Computing environments, apart from agreeing with the other clauses, adds a new one about the Change of Control.

It is about foreseeing the possibility of the CSP being bought, taken over, merged or a change in the company Management. In that case, this clause must guarantee us that the new manager will maintain the same conditions or will let us cancel the contract.

5.3. According to ENISA

5.3.1. Subcontrating chains.

Apart from agreeing with the other clauses, ENISA deals with the subcontrating chains and their implication in the personal data protection.
Subcontracting occurs when a CSP subcontrats another one and so on constituing a subcontracting chain in which  from a certain moment onwards, our data can be out of the European Union, even though we contracted a European provider, with the consequent legal breach.

A perfect example is to contract SaaS to a software developer CSP and, in the absence of structure, the CSO would subcontract it to another CSP as IaaS or PaaS.

EDITOR'S NOTE. Full and detailed information about the significance and implications of each one of the different contractual clauses can be found in this blog in the article named:

5.4. Commission Decision 2010/87/UE
On February 5, it was published the Commission Decision 2010/87/UE in the Official Journal of the European Union concerning standard contractual clauses for the personal data transfer to the “Data processors” (such as CSPs) established in other countries under the Directive 95/46/CE of the European Parliament and of the Council.
This decision contains:

·         Definitions
·         Details of the transfer
·         Third-part beneficiary clause
·         Obligations of the data exporter
·         Obligations of the data importer
·         Liability
·         Mediation and jurisdiction
·         Cooperation with the Supervisory Authority
·         Applicable legislation
·         Variation of the contract
·         Sub-processing of data
·         Obligations once the delivery of the personal data processing services is finished.

5.5. ITIL 2011: Underpinning Contracts

In the page 210 of the book “Service Design” by ITIL 2011, in the section of “Supplier Management”, in “Underpinning Contracts and agreements”, there is a list of contractual clauses, that even they are part of the general use of any provide, are very interesting.


It draws attention a highlighted small box at the bottom of the page, in which one can read:

“Get legal advice when formalising agreements with external suppliers.”

It is a good tip from “best practices” of ITIL.


·         The GOVERNANCE and the MANAGEMENT remain under the responsibility of the client company, although it would transferred most of its business services or processes to the Cloud.

·         About OPERATIONS AND INFRASTRUCTURE, I would not dare to say the same. As the implementation of the Cloud model grows, it appears that they will lose scope.

·         The maturity level of the IT processes will be decisive to assure a successful migration to the service delivery model based on Cloud Computing.

So, if the company uses the ITIL 2011 “best practices” of a Cobit 5 Governance or if the company is certified in service management with the Standard ISO 20000-1:2011, that would be a guarantee of maturity and, therefore, successful.

·         To demand certifications to the CSP is a guarantee that our data, processes and transferred services to the Cloud are safe. The standards ISO 27001:2008, ISO 22301:2012 and ISO 20000-1:2011 can be helpful with their mandatory follow-up audits.

·         The personal data protection must be taken into account because there is much legislation applicable on the fundamental right of the people who protects. The geographical location of the Data Centre of the Cloud service provider will be essential.

·         The Contractual Clauses will be there during all the life cycle of the service transferred to the Cloud. They will be our only guarantee if anytime there is a divergence with the contracted service.

·         A proper contracting has three different documents:

o   The contract for the provision of services with the clauses.

o   The contract for access to personal data.

o   An annex consisted of the different SLAs, if possible pointing out the important KPIs by the CSP with also their agreed values.

And as I did during the presentation of my paper, I will do it also here with a sailor's rule:

“Respect the sea, but never fear it; because it can bring you a hundred opportunities."
You just have to substitute the word “sea” for “Cloud Computing”.

I thank Margarita Pardo de Santayana C., who encouraged me to present this paper in the National Congress of itSMF, and I also thank the Organisation that selected it.


It is strictly forbidden to disclose any slide, even if it is dissociate it from the others, for commercial use.
The images are under 123RF International license.

No hay comentarios:

Publicar un comentario

Nota: solo los miembros de este blog pueden publicar comentarios.