Enterprise Ready for Amazon Web Services
DESCRIPTION
If you are a company using Amazon Web Services, use this service to prepare for selling to Enterprise customers.
TRANSCRIPT
Enterprise Ready with
Amazon Web Services
Want to sell your services to larger enterprise and government?
Need to pass enterprise purchasing and procurement rules?
Why should you care about their risk models?
Why are they asking about your business insurance?
What is a cloud services escrow?
What is a cloud supply chain?
A win for selling to big business
In this brief
Cyber Insurance
Cloud Escrow
2 23/11/13
Introduction
If you are a cloud services provider intending to sell to enterprise business or government then this is for you.
Meeting the complex procurement requirements for government and enterprise is more about your business than your technology or service.
With Amazon AWS as your technical pillar, Elescrow will provide you with the best commercial compliance pillar.
The outcome?
Your increased sales.
Solutions
As a cloud services provider…
You want to.. | there’s a problem.. | solved by..
Sell to Enterprise Accounts | You cannot pass enterprise procurement rules because you need to show evidence of your business insurance and provide an escrow of code and data | Smart Business Insurance, Cloud Escrow
Sell items online worldwide | I could be sued for a supplier’s product causing problems or many other risks | Smart Business Insurance
Enter a joint venture with another organization | You need to track which party contributes intellectual property across the venture | Cloud Escrow
Co-deliver a cloud service with an enterprise partner | Enterprise risk and liability protections could affect you | Smart Business Insurance, Cloud Escrow
Hold customer’s personal data | You are concerned about changes to the Privacy Act commencing March 2014 | Smart Business Insurance
Bring investors into your company or venture | The investors require fixed and floating charges over the assets of your company – namely your source code | Cloud Escrow
Insurance
Let's simplify this whole insurance
topic. While there are dozens of
insurance types aimed at specific
risks, most cloud or e-commerce
businesses dealing with enterprise
customers should have the
following insurance types in place:
Public and Product Liability
Professional Indemnity
Cyber Insurance
Consider the above list as a
“smart” baseline of insurance and
here’s why.
Public and Product Liability
This is a broad insurance covering
property damage and personal
injury as a result of your
negligence. It covers you and your
business if found liable to a third
party for death or injury. This can
include loss of profit and
consequential damages suffered
by the third party. These claims
against you can be in the millions
of dollars. Enterprises will look for
you to have this insurance in place
and to provide them with your
current certificate of insurance.
Professional Indemnity
This protects you from legal action
taken against you for losses
incurred as a result of your advice
or service. If you advise your
customers on any aspect of their
business you are exposed to
professional negligence and
errors/omissions claims against you.
Enterprises will look for you to have
this cover and evidence of your
current certificate of insurance.
Cyber Insurance
Cyber insurance protects against
technology-related business
interruption. Cyber threats include:
o Hacking (with access to private data)
o Denial of service attacks (against a network or the cloud the company leases)
o Information extortion
o Employee or partner mistakes
o Software glitches
o Outright privacy policy violations
o Lost or stolen laptops
o Rogue insiders or consultants
o Improper disposal of paper records
o Lost or stolen back ups
Enterprises are beginning to ask for
evidence of cyber insurance
because they know statistically
there is a 70% chance that your
business will be affected by one of
these threats. This could seriously
impact the level of service you can
provide to their enterprise
regardless of your SLA. The
following businesses are commonly
deemed high-risk:
o E-commerce business websites
o Credit card data collection and online processing
o Data storage (online and traditional shipping of records or back up systems)
o House private customer data on laptops
o Business partners, consultants that touch customer sensitive data
o Provide online content
o Cloud computing and outsourced computing
o Gather, store or process personal or sensitive data as defined by the Privacy Act.
Cyber insurance is designed for
businesses undertaking these
activities.
“Elescrow partnered with Smart Business Insurance to provide the
most tailored enterprise ready service for AWS customers..”
Richard Rendell Managing Director, Elescrow
Cyber Insurance and the Privacy Act
Privacy Act
Before the introduction in March
2014 of new privacy laws that carry
tough new penalties for data
breaches, online businesses that store
client data need to start looking at
their cyber risk management
processes and also consider taking
out some form of Cyber cover.
SMART Business Insurance
recommends that online businesses
review existing procedures and
policies in order to ensure
compliance with the new amended
privacy law before March 2014.
The new Privacy Act will carry data-
breach fines of $1.7 million for
companies or $340,000 for
individuals. Further, the Privacy
Commissioner has stated that he will
not shy away from accepting
enforceable undertakings and
seeking civil penalties in the
appropriate cases.
The act is now based around 13
Australian Privacy Principles (APPs)
which will have significant impact on
all companies holding or processing
data of a personal nature. It will
change the way user databases
can be used for digital marketing
and increase consumer rights when
breaches occur.
The Act further extends concepts
of the “controller” and “holder” of
personal information. You may be
required to disclose where your
customer’s data is being “held”
and, for example, who the IaaS
provider uses as their datacenter
provider.
If any breaches occur by your
providers it will be you that is liable
for the consequences. So while you
can outsource your computing you
cannot outsource your liability.
Costs associated with data
breaches can amount to many
hundreds of thousands for minor
breaches and in some cases
millions of dollars.
According to the Ponemon
Institute’s 2013 Cost of Data Breach
Study, the average cost of a data
breach for Australian companies in
2012 is $3,981,784.
The Ponemon Institute’s study also
pointed out that the cost to
reinstate each record breached in
Australia is on average $133.
A well thought out Cyber Insurance
program can provide for:
o Privacy Protection - third party claims from a failure to keep data secure including civil penalties
o Breach Costs – reimbursement of your own costs when a data breach occurs
o Cyber Business Interruption - Compensation for lost or reduced revenue
o Hacker Damage – Reimbursement for costs to repair, replace or restore systems and data as a result of a hack
o Cyber Extortion – Payment of ransom demands, and specialist consultant fees, where a hacker holds, or threatens to hold your website, intranet, network, programs or data to ransom
Insurance Example
Product and liability risks for online retailers
As an online retailer, the majority of
interaction is virtual. That is, business is
conducted online rather than on a
street front, so public liability risk is low.
Product liability cover, on the other
hand, is a critical part of any online
retail business, and is generally
included as part of a Public & Product
Liability insurance policy.
If e-tailers sell items online, such as
electronic equipment, vitamins and
supplements, jewelry, baby clothes, or
even cosmetics, they could be held
responsible for any damage or injury
the products they sell cause.
Just like any traditional retail business,
an online store is subject to the same
laws, regulations and legal liabilities as
if they were trading from a street front
shop. In fact, liability issues for online
retailers are considerably more
complex because online business may
cross multiple legal jurisdictions,
including international jurisdictions
where there are often more onerous
consumer and liability laws than those
in Australia.
Many online retailers are importing
goods from overseas. As an importer,
even if they haven’t manufactured
or altered the items, they could be
liable for compensation claims. The
ease of doing business online often
means that product supply chains
are long and international in
nature. Online retailers may be
purchasing a product from a
wholesaler in Hong Kong who buys
from a manufacturer in China,
Taiwan or Indonesia. If an online
retailer can’t identify the
manufacturer or if the
manufacturer has gone out of
business, the online retailer selling
these products could be held
responsible.
Let’s look at a simple example
You are an online retailer
operating from Australia and
import electronic widgets from
China and then on-sell the widgets
via an online store to somebody in
Dallas, Texas. The widget
malfunctions, overheats and
causes a fire. Damages occur at
the purchaser’s premises and the
purchaser suffers a personal injury
from burns. Your customer in Dallas
is aggrieved and sues you as the
retailer in a Texas court. How will
you, the online retailer, fund the
defense of the claim in a US Court?
If damages are awarded for the
plaintiff in the US, the plaintiff’s
Dallas lawyer sends the US Court
Orders over to their Australian
office or affiliate who then serves
you with a claim of enforcement of
the orders in Australia. All of a
sudden, a simple, part-time, online
business could lead you to
personal bankruptcy.
Unfortunately, these types of
product claims are being initiated
every day and the consequences
for the unwary and uninsured
online retailer can be devastating.
Don’t forget, even if an online
retailer doesn’t sell products
outside of Australia, as an importer
they may be deemed to be liable
for any damages the products
cause.
Enterprise cloud escrow
New age risk
Most enterprises have established
risk management programs. Aside
from business insurance, the other
thing you may be asked for is
escrow. Source code escrow is a
common practice in software
purchases especially when the
vendor is a smaller business and
their software is critical to the
enterprise’s business operation.
Traditionally, the vendor places a
copy of the source code with an
independent third-party called an
Escrow Agent who holds the
source code in a vault. Should the
vendor collapse, the enterprise will
get access to the source code
giving them some chance at
maintaining the software and
keeping the enterprise going.
This is most common with in-house
installed software, but in the cloud
it's different because the cloud
service provider holds the
enterprise’s data too.
Cloud supplier chains
Enterprises are concerned about
the location and accessibility of
their data held by cloud services
providers. It is among their biggest
risks. This is not about you having a
good backup - it's about your
business holding their enterprise
data.
Risk increases exponentially if you
are in a cloud supply chain, e.g.
standing on top of services from
other cloud providers. That
represents a complex relationship
many enterprises call the cloud
liability chain. Each provider in the
chain behind you has its own
liabilities and risks that are difficult if
not impossible for your enterprise
customer to control. Think SaaS-
PaaS-IaaS, each provided by
different companies. Even worse,
you may be leveraging many of
these chains and integrating them.
AWS makes it easier
Escrow can be used to reduce risks in
cloud supply chains and this is
especially true if all providers in the
chain are on AWS.
Using AWS features like IAM, Security
Token Service and CloudFormation
can provide dedicated access to an
Escrow Agent allowing them to copy
specific servers and data belonging
to your enterprise customer into an
escrow account on AWS.
Better than old source code escrow
With complete production copies of
the development servers and data,
the enterprise could have a working
service in just a couple of days by
switching to the escrow copy. It’s
even better risk protection than the
traditional source code escrows
because nobody has to prepare
and build the often incomplete and
out-of-date source code deposit.
Verification
Escrow servers and data can be
verified by Elescrow to predefined
tests and certifications provided to
your enterprise customers as part
of the Elescrow Enterprise Ready
with AWS service. Each time a
server or storage asset is copied to
your escrow account the
verification process is commenced.
Advantages of AWS again
The regional model of AWS
provides a higher decoupling of risk
factors and potential cost benefits
if Elescrow holds your escrow
copies in an alternate AWS region.
Enterprise deals at lowest cost
Risk management is a funding
balancing act. Nobody wants to
commit more budget than
necessary to risk mitigation and
compliance. Through smart use of
the right business insurances and
escrow management you can
meet the procurement mandates
of enterprise customers and win
their business.
Consolidated Budgeting
Each business unit can be cross-
charged to a single budget pool
managed by the commercial or
vendor management group. Many
enterprises have found this method
immensely effective for escrow
management and cost
containment.
Intellectual Property Protection
Investors
If you are a smaller business or
perhaps a Start-up, your investors
may require a fixed and floating
charge over the assets in your
company including source
code. Escrow is the best method to
meet their needs.
Joint Ventures
If you are embarking on a joint
venture where intellectual property
will be co-developed then it's
important to track contributions
from each entity. Using AWS we
can track the owners of the
background IP and track the
individual inputs from each party as
a series of secure digital archives on
AWS.
Real-time shadow backup
Almost any digital asset can be
placed in a “live escrow” service
allowing a complete working
shadow of your software
development environment giving
added protection for your IP.
Insurance Packs
Insurance packages for AWS customers
Years in Business | Employees | Annual Turnover | Public Liability | Professional Indemnity | Cyber Insurance | Excess
Less than 5 | Less than 10 | < $500K | $10M | $5M | $5M | $5K
Less than 5 | Less than 10 | < $500K | $20M | $10M | $10M | $10K
5 to 10 | Up to 20 | Up to $5M | $20M | $10M | $20M | $10K
5 to 10 | Up to 20 | Up to $5M | $20M | $10M | $20M | $10K
Over 10 | Up to 50 | Up to $10M | $20M | $10M | $20M | $10K
Over 10 | Up to 100 | Up to $50M | $20M | $10M | $20M | $10K
Over 10 | Up to 500 | Over $100M | $20M+ | $10M+ | $20M+ | $10K
Business Function
HOSTED SOFTWARE SERVICE PROVIDER - Develop and deliver software applications, data storage and processing services for delivery over the internet. Application integration and IT consultancy may also be offered.
Service Summary
Cloud escrow packages for AWS customers
ESCROW SERVICES
Item | Escrow Type | Acquisition Method | Update Frequency / yr | Verification Type | Verification Frequency
1 | Static | Point-in-Time Snapshot Copy | 4 | None | Nil
2 | Static | Point-in-Time Snapshot Copy | 12 | None | Nil
3 | Static | Point-in-Time Snapshot Copy | 12 | Basic | Monthly
4 | Live | Custom | Continuous Near Real-time | Basic | Monthly
5 | Live | Custom | Continuous Near Real-time | Full | Monthly
6 | Live | Custom | Continuous Near Real-time | Full | Weekly
VERIFICATION SERVICES
Item | Verification Type | Verification Method
1 | Basic | Startup instance and O/S login
2 | Full | Startup and run Application, run licensee acceptance tests
BACKUP SERVICES
Item | Backup Type | Backup Method | Access Method
1 | Static | Point-in-Time Snapshot Copy | Replica of Escrow Snapshot
2 | Live | Custom | Warm failover