Managing a service level agreement (SLA) is a continuous process and should be constantly monitored, updated, and improved to meet the business needs of the manufacturing organization.
A service level agreement (SLA) with a cloud service provider (CSP) is a live document that must be well understood and negotiated between the cloud service customer (CSC) and the CSP so the manufacturing organization (CSC) can manage and satisfy all security and regulatory compliance requirements in the cloud. Signing the SLA as a legally binding agreement with the CSP is not the end of the work, because things are not done at that point. They are actually never done.
Managing an SLA is a continuous process and should be constantly monitored, updated, and improved to meet the business needs of the manufacturing organization. This is a critically important process because it provides many opportunities for continuous improvements in satisfying statutory, regulatory, and contractual obligations for the manufacturing organization.
When we talk about sensitive business data and software applications in the cloud in terms of the SLA, keep in mind that the manufacturing organization holds legal ownership and full control of the data assets stored in the cloud, regardless of the physical location in which they are hosted. Furthermore, the CSP typically is not given access to the data at all. Most CSPs actually claim they do not even know what data the manufacturing organization has stored in the cloud.
On the other hand, the CSP is legally responsible under the SLA for protecting any hosted data assets owned by its customers (i.e. manufacturing organizations), so the CSP cannot delete, modify, copy, or even sell customer data without the customer's knowledge.
How the CSP handles sensitive data and software applications can vary. This is something the manufacturing organization needs to investigate to help ensure provided functions meet particular business interests in terms of security and regulatory compliance.
For example, one of the things the manufacturing organization must determine is whether data is encrypted when it is being transmitted to and from the cloud (data in transit), whether data is encrypted while it is being used by software applications (data in use), and whether data is encrypted when it is stored in the cloud (data at rest).
Regulatory requirements can influence the configuration, and the selection, of an appropriate cloud computing environment. Depending on the industry sector, one regulatory requirement for manufacturing organizations may be that the manufacturer's data must remain within national boundaries.
Physical location of stored data
However, the CSP might not be able to determine exactly where the data is physically stored, particularly when redundant cloud infrastructures are implemented. The physical locations of the servers used to store and process the manufacturer's data can become a critical contractual issue. In other words, one of the biggest questions that arises with cloud computing is where exactly the manufacturer's data is physically located. It might be stored on a data center server in a different country.
That can be a sticky issue because, depending on the industry and what the organization is storing in the cloud, the manufacturing organization might have many security or legal reasons for ensuring the data is stored in a data center within national borders, operated domestically by citizens of that country.
So it really depends on what the manufacturing organization is doing in the cloud and what type of business it is in. At the very least, requirements for the physical location of the stored data must be clearly defined in the SLA between the CSP and the manufacturing organization. For successful adoption of cloud computing services, a manufacturing organization needs assurance that the CSP is trustworthy and is taking all possible precautions to reduce vulnerabilities and protect critical assets. This assurance often comes in the form of industry-recognized security certifications (for example, ISO 27001) obtained by the CSP, confirming that it complies with certain standards and regulations, together with access for the manufacturing organization to audit reports.
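Because SLA management is continuous rather than a one-time signing, the checks described above (encryption of data in transit, in use and at rest, and data residency within national boundaries, replicas included) are worth automating against the CSP's asset inventory. The following is an added example, not code from the article or from any CSP; the region names, region-to-country map and sample assets are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed region-to-country map; region names are made up here, take real ones from the CSP's docs.
REGION_COUNTRY = {"eu-central-1": "DE", "eu-west-1": "IE", "us-east-1": "US"}

@dataclass
class SlaRequirements:
    allowed_countries: set            # national boundaries the data must stay within
    require_at_rest: bool = True      # encryption of stored data
    require_in_transit: bool = True   # encryption to and from the cloud
    require_in_use: bool = False      # encryption while applications process it

@dataclass
class CloudAsset:
    name: str
    region: str
    encrypted_at_rest: bool
    tls_enforced: bool
    encrypted_in_use: bool = False
    replica_regions: list = field(default_factory=list)  # redundant copies count too

def check_asset(asset: CloudAsset, sla: SlaRequirements) -> list:
    """Return findings where the asset breaches the SLA (empty list if compliant)."""
    findings = []
    # Residency: the primary and every replica location must resolve to an allowed country.
    for region in [asset.region, *asset.replica_regions]:
        country = REGION_COUNTRY.get(region)
        if country is None:
            findings.append(f"{asset.name}: region {region} has unknown jurisdiction")
        elif country not in sla.allowed_countries:
            findings.append(f"{asset.name}: copy in {region} ({country}) is outside allowed countries")
    if sla.require_at_rest and not asset.encrypted_at_rest:
        findings.append(f"{asset.name}: data at rest is not encrypted")
    if sla.require_in_transit and not asset.tls_enforced:
        findings.append(f"{asset.name}: data in transit is not encrypted (TLS not enforced)")
    if sla.require_in_use and not asset.encrypted_in_use:
        findings.append(f"{asset.name}: data in use is not encrypted")
    return findings

def audit(assets: list, sla: SlaRequirements) -> dict:
    """Map each non-compliant asset name to its findings; compliant assets are omitted."""
    return {a.name: f for a in assets if (f := check_asset(a, sla))}

# Constructed sample: German residency, encryption at rest and in transit required.
SAMPLE_SLA = SlaRequirements(allowed_countries={"DE"})
SAMPLE_ASSETS = [
    CloudAsset("mes-history-db", "eu-central-1", True, True, replica_regions=["eu-west-1"]),
    CloudAsset("recipe-bucket", "eu-central-1", False, True),
    CloudAsset("plc-backups", "ap-southeast-9", True, True),
    CloudAsset("quality-reports", "eu-central-1", True, True),
]
```

Running `audit(SAMPLE_ASSETS, SAMPLE_SLA)` flags the replica hosted in Ireland, the unencrypted bucket and the asset in a region of unknown jurisdiction, which is the kind of result to feed into the recurring SLA review.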
An effective and trusted cloud environment is implemented through a combination of effective risk management and compliance with regulatory requirements (including legal responsibilities and standards). Both parties, the CSP and the CSC, are required to satisfy legal requirements and standards, but this must be considered from two different views.
From the CSP perspective, they have to satisfy the laws and regulations governing their own business, as well as the legal obligations defined by the SLA. For example, the CSP cannot make multiple copies of data outside of its own national borders if this is not legally permitted, and it cannot sell data to someone else to make a profit.
On the other hand, the CSC must satisfy the regulatory requirements of the organizations and regulatory bodies it does business with.
In terms of standards, this is primarily a matter for CSPs, since they want to attract manufacturing organizations to do business with them. For example, one of the basic standards that every CSP should follow is ISO 27001.
However, the manufacturing organization does not itself need to be ISO 27001 certified, because there are many elements in ISO 27001 and in other standards, recommendations, and best practices that a manufacturing organization can use to secure its data and software applications while satisfying regulatory compliance requirements.
Goran Novkovic, MESA International. This article originally appeared on MESA International’s blog. MESA International is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, [email protected].