Cloud Concerns for 2017 Andrew Ysasi, MS, CRM, CIPM, CIPP, FIP, PMP, IGP Executive Director Kent Record Management, Inc. www.kentrecords.com Wyoming ARMA.


1 Cloud Concerns for 2017 Andrew Ysasi, MS, CRM, CIPM, CIPP, FIP, PMP, IGP Executive Director Kent Record Management, Inc. Wyoming ARMA March 14th, 2017 Copyrighted Andrew Ysasi.   All Rights Reserved.  2017.

2 disclaimer No endorsements are made by myself and especially Kent Records. Logos and information can be found online at the respective source organization’s website. Information may have changed by the time it was researched. Andrew is currently the Regent for the ICRM Exam Development Committee and a member of the Board of Directors of PRISM International.

3 MY Background 20 year career (10 years at KRM)
Former Adjunct Instructor at Davenport University Global Project Management and Technology Capstone Career Articles published on CIO.com – Search “Ysasi + CIO.com” Founder of myPACT – A Modern Way to Showcase Your Accomplishments! - Launching 2017 ICRM Exam Development Committee – Test writer for Part 3 and authored some part 6 case studies – 2012 – Present Regent of Exam Development – PRISM International Board Member – 2016-Present

7 agenda Cloud Trends Impact on RIM and IG What can you do

8 trends Limited Resources Complexity Security Privacy

9 Trends “To me, it is telling that the cloud has become so complex and evolved so quickly that even professional IT workers and CIOs cannot always get their heads around what is possible…” Jonathan Hassell, CIO

10 trends Not enough resources to address growth and the Cloud
Fewer than 1% of enterprises have achieved the highest level of Big Data and analytic usage. The amount of data that requires protection is growing faster than the digital universe itself, yet levels of protection are not keeping pace. Zettabytes in 2013 and will increase to 44 Zettabytes in 2020. Data managed by an IT pro will quintuple from 2014 to 2020; however, IT pros will only grow from 28 million to 36 million.

11 Complexity and Reliability Concerns?
Amazon S3 crashed on 2/28/2017 Azure DNS issue on 9/15/2016

14 trends “Many traditional IT security practices no longer apply in cloud computing environments, and a broader range of IT experts are required to have the knowledge, skills and abilities to ensure data and systems are protected across the entire IT ecosystem.” – Steve Prentice – CloudTweaks.com

15 Trends Cloudops Anything to do with operating systems in public or private clouds. It focuses on security, management, monitoring, and governance, as well as being proactive with how systems run.

16 Trends Containers Companies going “Serverless”
Enterprises don’t really understand what containers are or what containers do -- at least, not yet. The idea is that you build it once and run it anywhere. There are still missing pieces, such as networking and security services, that need to be shored up before this stuff is completely enterprise-ready.  This in turn means you can “leave behind the useless 99.9% VM junk” CoreOS, Docker, Google, Amazon Web Services, and Microsoft have container strategies.

22 Trends Privacy – General Data Protection Regulation (GDPR) Preparation by May 25, 2018 in the EU Key Changes listed here: Increased Territorial Scope Penalties Consent Breach Notification Right to Access Right to be Forgotten Data Portability Privacy by Design Notification

23 Trends Privacy – General Data Protection Regulation (GDPR) Preparation by May 25, 2018 in the EU Know the location where cloud apps are processing or storing data.  Take adequate security measures to protect personal data from loss, alteration, or unauthorized processing. Close a data processing agreement with the cloud apps you’re using.  Collect only “necessary” data and limit the processing of “special” data.  Don’t allow cloud apps to use personal data for other purposes.  Ensure that you can erase the data when you stop using the app. 

24 Impact on RIM and IG “We’ll see a solidification of cloud computing’s role as a gateway to new things — and not just as the latest IT strategy, or as a cost-containment mechanism.” - Joe McKendrick – Contributor for Forbes

25 Impact on RIM and IG "IT staffs used to hold the keys to the kingdom — controlling what applications and data ran where and on what devices. That's all changed — a lot — with the consumerization of IT and the advent of compute power that in-house developers can spin up on Amazon Web Services and pay for out of petty cash — without IT approval." – Barb Darrow – GigaOm

26 Impact on RIM and IG I had access to the full suite of Amazon web services in 1 minute from my desk!

27 Impact on RIM and IG AWS Snowball accelerates moving large amounts of data (Petabytes) into and out of AWS using Amazon-provided secure appliances for transport.

28 Impact on RIM and IG AWS Snowmobile enables you to move 1 Exabyte of information to the Cloud. For 1 Exabyte of data using a 10 gig connection would take 26 years…with 10 Snowmobiles it would take 6 months per Amazon.

29 Impact on RIM and IG Business Privacy & Security
What is the current and expected value of the data? What does the business expect? Outside investors? Privacy & Security Who has access to the data, where is it, what will be collected? Encryption and data protection options?

30 Impact on RIM and IG IT Legal RIM
When is the application going into production and who is maintaining it? Insourcing or Outsourcing? Is there an information security and privacy strategy? Legal Intellectual property or ownership concerns? Is there a cloud agreement? Vendor compliance tracking? RIM Is existing data being replaced? Will legacy systems be created?

31 Impact on RIM and IG Service Level Agreements (SLAs)
Amazon AWS S3 as of 9/16/2015 Microsoft Azure Services as of 9/2016 (Active Directory Listed Below)

32 Impact on RIM and IG Service Level Agreements (SLAs)
Spend $10,000 per month with Amazon/Microsoft and have <99% uptime: Credit of $2,500

33 Impact on RIM and IG Amazon Shared Responsibility Model
While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.

35 Impact on RIM and IG Microsoft explanation of HIPAA and HITECH Act
Microsoft offers qualified companies or their suppliers a BAA that covers in-scope Microsoft services. Can Microsoft modify my organization’s BAA? Microsoft cannot modify the HIPAA BAA, because Microsoft services are consistent for all customers and so must follow the same procedures for everyone. However, to create the BAA for Microsoft’s HIPAA-regulated customers and its services, Microsoft collaborated with some of the leading US medical schools and their HIPAA privacy counsel, as well as other public- and private-sector HIPAA-covered entities. But…their BAA states 6.a - BAAs; Waiver. This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events. NOT LEGAL ADVICE – I JUST KNOW HOW TO READ

36 What can you do? Get buy-in to be involved Determine expectations
If you don’t get buy-in…this is a great opportunity to explain why you should be involved. Determine expectations What is the Cloud or product strategy/timeline? Collect data Ask questions and ask to SEE what is going on Prepare action items for each stakeholder Privacy, Security, IT, RIM, Legal, the Business, AND Accounting have a stake

37 What can you do? Find out what type of cloud environment is being used to find additional risks and rewards.

38 What can you do Learn Cloud training? Project Management? IG elements?
Work with what you get If you are the driver…drive If you are an influencer…influence If you are ignored…speak out Be a persistent sharer Knowledge is still power Share what you find and ask others to do the same Rinse and Repeat Stress goals for the Cloud strategy or initiative

39 What you can do Information Governance, Data Management, Data Governance, Information Management, Knowledge Management, Records Management, Information Security, Information Privacy, Data Privacy, Data Security, etc. – Don’t get caught up in terms. Who, What, Where, When, How, Why – Don’t forget the basics. IG – In some ways already exists in IT (COBIT), but the business needs non-IT people to have a say. No silver bullet or magic wand to tackle IG. All hands on deck approach is what is needed to move the needle. Find a methodology or framework that works for your organization, and promote the benefits IF it does truly work. Lead by example.

40 What can you do? Data Security and Privacy Program Do they have a formal data security and privacy program? Verifiable security awareness training? Is it required? How do they stay current? How do they validate and self-assess the effectiveness of their programs? Security staffing? On boarding and background checking? Specialized training and credentials? Kept current? Technology and Infrastructure What technology are they using to protect you? Where is the data stored? What happens if you leave? Is data going outside US? How and what do they encrypt? Vendor Policies Notification conflicts with yours? How soon before they notify you? Special reporting requirements? Will they share it? Vendor policies, acceptable use of equipment, confidentiality and privacy, mobile device and BYOD, end-point controls how do they watch people with the keys? What about subcontractors? Is risk management framework in place? Information life cycle, data ownership, and what happens when contracts go bad? Any suggestions on better way to present this?

41 What you can do ARMA IG Maturity Model
Level 1 (Sub-Standard): ad hoc IG Level 2 (In Development): IG and RM have an impact on the organization Level 3 (Essential): must meet minimum organizational legal, regulatory, and business requirements Level 4 (Proactive): proactive IG with continuous improvement Level 5 (Transformational): compliance is routine across the organization Source: Generally Accepted Recordkeeping Principles – Information Governance Maturity Model

42 @andrewysasi @kentrecords @admovio @my_pact www.kentrecords.com
Questions? Grand Rapids - Lansing – Muskegon – Benton Harbor

43 Sources
Amazon Web Services Site and Cloud Trends – Nov – Cloud Computing Concerns – URL:
Cloud Trends – Oct – 2015 – The Importance of Practical Experience – URL:
The Cloud and the EU GDPR: Six Steps to Compliance – URL:
InfoWorld – Dec – 2015 – 3 Key Cloud Trends for 2016 – URL:
InfoWorld – Jan – 2015 – One container technology does not fit all enterprises – URL: can-be-great-for-enterprises-or-a-waste-of-effort.html
ZDNet – Aug – 2014 – What is Docker and why is it so darn popular? – URL:
Forbes – Dec – 2015 – My One Big Fat Cloud Computing Prediction For 2016 – URL: cloud-computing-prediction-for-2016/#2715e4857a0b639f63e8230a
GigaOm Site - Gartner to IT: Get a Grip on Cloud Services, or Else – URL:
Guideline for Record Storage in the Cloud - ARMA International, 2010
Hybrid Cloud for Dummies – Judith Hurwitz, Marcia Kaufman, Daniel Kirsch – 2015
Microsoft Azure Site and The Guardian - surveillance?CMP=Share_iOSApp_Other
Wikipedia – Explaining the 9’s
ZDNet – URL:

44 Appendix: vendor meeting prep info
This appendix includes information a vendor may be preparing to ask their client or prospective client. This gives you a sneak peek into what they may ask and how to prepare.

45 Appendix: Before Meeting
Before the Meeting: Preliminary Questions (send in advance) What does data protection mean to you? How much time and data was required for eDiscovery requests last year? Do you use tape, disk-to-disk, or both for backup? Do they have a retention schedule? Quarterly or annual data growth rate? Is their current method for backup and archiving effective? How do they manage their data growth and protection costs? Are their backups encrypted? Do they have a recovery time objective? What type of platform do they run? (e.g. Microsoft, Linux, Mac) Do they use virtual servers and what platform? (VMware, Hyper-V, Citrix) Service Level Agreement (SLA) concerns Tip: You may not get this information without an NDA, or the answers may come in the meeting. Be prepared to dive deeper or bring assistance with you to the meeting.

46 Appendix: Before Meeting
Before the Meeting Checklist What businesses purchase the product you offer? How does your product and team fit in organizations like the one you are meeting? Know software and features…if you don’t know, bring someone with you who does Don’t assume you have the perfect software Plan for a short meeting; plan to address process, and key responses to preliminary questions to ensure you can build your proposal Prepare for objections to “price per unit” or “price per GB storage” or “price per KB for transmission” Leverage fear with sources Risk management – HIPAA fines (privacyrights.org) Cost management – Cheap storage may mean more data is at risk Consider Non-Disclosure Agreement (NDA) that is mutual to protect both client and your company Find out their corporate strategy and leverage your product to it

47 Appendix: In Meeting In Meeting Checklist
Who: Know who you are meeting with and qualify their knowledge of data protection and technology early on. Project Management: What is the approval process and average turn around for IT projects? Disaster Recovery/Business Continuity: Is it a priority for the organization? How do they feel about data growth? What is the software procurement process?

48 Appendix: In Meeting In Meeting Checklist (continued)
Discuss your successes with your solution Show a proposed project outline (scope, budget, and schedule) Discuss how you support your product Next step is a “demo” (i.e. prototype, proof-of-concept, pilot) depending on their need and culture Determine how communication will occur and for what (e.g. who discusses pricing, technical issues) Determine who makes the decision

49 Appendix: Post Meeting
Tech information for demo Proposal Content Summary Scope, Budget, Schedule, Statement of Work “SOW” Quarterly reviews to go over reports/invoices Contracts Service and/or storage, software, acceptable use agreements Customer Survey/Referral

50 Appendix: ARMA Checklists
Cloud Technology Checklist Legal Issues Checklist Vendor Concerns Questionnaire Source: Guideline for Record Storage in the Cloud - ARMA International, 2010

