Wednesday, February 4, 2026

Compliant Cloud Computing

Okay, great.
Well first off we just
wanna welcome everyone for
coming to our session today.
Thank you very much.
My name is Dennis Garcia, I'm
an Assistant General Counsel for
Microsoft.
I'm based in Chicago.
I lead Microsoft's legal
support function to our
US Central Region Enterprise and
partner group team.
We're gonna have a conversation
today about compliant cloud
computing.
I will let my fellow panelists
introduce themselves individually.
Edward.
>> I am Edward Efkeman,
I am with FedEx.
I am a director of compliance
within the legal department.
So we have a compliance
department but
it is within
the legal department.
My responsibility is somewhat
outward facing customers and
data privacy.
Data protection is within
my area of responsibility.
>> Hi, I'm Darryl Hobbs.
I'm also at Microsoft.
I support what's known as
Microsoft's mid market business.
So I like to think of it like
we have our top customers, and
then our mid market,
which is everything else,
about 6 million customers
that we sell to.
So it's a breadth business,
I sell across almost
every industry.
So I see a lot of different
things on a daily basis,
and happy to be here.
>> My name is Jude Soundar.
I work for
the Army General Counsel.
I'm an ethics attorney and
my profile includes financial
disclosure and social media I'm
also the program manager for
Financial Disclosure and
Management.
It's the main application
that DOD uses for
financial disclosure.
Basically all senior
officials in DOD and actually
government must disclose their
assets and liabilities so
we can do a conflict analysis
to make sure that there's no
conflicts with the DOD and
the work that they are doing.
I'm also an Army reservist,
a major in the Army Reserve.
And I'm a JAG attorney also and
I do work around
conflict minerals and
other issues like that.
>> Well, great, thank you very
much guys, I appreciate it.
So in terms of a format today,
we thought what we'd do is,
recognizing that folks may
have different degrees of
understanding as to what
cloud computing is all about.
We wanted to take a step
back and provide a basic
overview of cloud computing,
what I call a Cloud 101.
So I'll provide a 10 to 12
minutes overview of the cloud,
if you will.
And then we'll switch gears and
we'll open it up to various
questions to the panelists.
And we want this to be
highly participatory.
So to the extent that
folks have any questions,
don't be shy in answer,
asking your questions.
We're here to address any
questions that you have.
So feel free to chime in.
So what I'm gonna give
is sort of a layperson's
overview of the cloud.
Of course I'm a lawyer,
I'm not an engineer,
so I'm not gonna get into
the tactical details per se.
So this is gonna be more
of a cloud computing for
compliance professionals.
And I think a great place to
start when you're thinking
about the cloud is to realize
that whether we like it or
not, whether we realize it or
not we're all using the cloud
each and every day as part of
our personal lives, right?
After all, many of us have
been using web hosted email
since the late 1990s, right?
To send messages to
friends and family.
I know when I started using web
hosted email it was through
an AOL.com account,
I moved to a Yahoo account.
Of course now I'm
working at Microsoft,
I have a live.com account.
But all of us are sending
emails each and everyday, and
that is largely powered
by cloud computing.
So many of us have smart
phones nowadays, right?
I know I have a smart phone,
I use my smartphone
probably too much.
A lot of that data which is
generated through our phone is
stored in the cloud and
of course,
many of us are using
social media.
Each and every day.
I'm a big fan of Facebook,
I use LinkedIn.
I'm a big fan of Twitter.
Social media is largely
powered by the cloud.
So the cloud really
isn't anything so new.
And it's become more and
more a ubiquitous part
of our everyday lives.
In terms of a definition
of the cloud.
Like a lot of technologies,
there's no one uniform
definition of cloud computing.
There's a variety of definitions
but the National Institute of
Standards and Technology which
is part of the Department of
Commerce, and of course they're
only a few blocks away.
Back in 2011 they put together
a white paper with a pretty
involved definition of cloud
computing which has become more
of the de facto industry standard
definition of cloud computing.
I'm not gonna cover
that definition.
It's a pretty involved and
robust definition.
If you wanna look
at the white paper,
by all means take a look at
the citation on my slide.
But I prefer this more
straightforward and simpler
definition of cloud computing,
which I found in a legal ethics
opinion from the state of
Pennsylvania a few years ago.
And in that opinion they talked
about how cloud computing
is really a fancy way of saying
stuff's not on your computer.
And you may say, well Dennis
that's really an over
simplification.
But I think in many respects
this captures the essence
of what the cloud is all about,
because the cloud is really
all about this notion of
off-premises remote computing.
So when I joined Microsoft
back in December of 2002,
the primary way which we
provided our solutions and
our software was through
software licenses so that our
software could be downloaded and
then installed on our customer's
servers and work stations and
machines which were on their
on premises environment within
the firewall of their companies.
But the whole notion of moving
to the cloud is that you'll get
services and software on
a remote basis by a third party
cloud services provider.
So it's being provided
remotely and off premise.
The cloud is also all
about the data centers.
A lot of folks think about the
cloud as being something which
is amorphous and
touchy and feely, but
it's really bricks and
mortar at the end of the day.
It's really all about
these data centers.
And of course these data centers
are massive, massive facilities.
They are the size of
football fields and
they contain racks and racks of
servers and computing equipment.
And at Microsoft,
of course we have lots of data
servers throughout the world.
We actually have over
100 data centers in
over 40 different
countries in the world.
Last week we announced
that we're gonna be
having data centers,
effective 2018,
in Africa,
in South Africa actually.
And we're the first major cloud
provider to have data centers
in the African continent.
So when you think about
the cloud, it's really tangible,
it's really powered by these
massive data center facilities,
which should also be highly
secured environments.
When you think about the cloud,
you're always thinking
the cloud is provided in
three different forms, what I
call the big three of the cloud.
The first part of that Big 3
is something known as software
as a service, where in essence,
software is provided to
you through the Internet.
We think a great example
of software as a service is
Microsoft Office 365 Solution,
where you can get anytime,
anywhere access to the Microsoft
Office suite of products just by having
a connection to the Internet.
A second type of cloud
computing is something known as
infrastructure as a service.
Also really known as
hardware as a service.
So leading provider in this
space is Amazon web services,
Microsoft also has
a competing solution known as
Microsoft Azure.
And the whole basis of
infrastructure as a service is
that you can buy on
a subscription basis,
computing power,
hardware power, server power.
You can store your data
with an infrastructure
as a services provider.
A final mode of cloud computing
is something known as
platform as a service.
This is generally
geared to developers,
people who are creating
information technology such as
web applications,
mobile applications and
platform as a service provides
you with a virtual sandbox
where you can engage in
development sorts of activities.
Now there's lots of benefits
associated with
moving to the cloud.
One of the benefits we speak to
with our customers is that we
believe that you can save a lot
of money by moving to the cloud.
By moving away from an on
premises environment
because you no longer have to
buy servers or rent servers.
You don't have to power
those servers up,
you don't need to have space for
those servers,
you don't need to have somebody
to maintain those servers.
So there's lots of business,
financial advantages by
moving to the cloud.
It's also highly scalable,
so you can, if
your business is very seasonal
in nature as an example.
If you need more cloud
services you can ramp up or
ramp down depending
upon your need.
We feel it also allows
our customers to
focus on their core business.
So they really get out of
information technology,
let the experts handle that,
and that they can better
serve their customers.
And assuming that you're working
with a trusted cloud provider or
a reliable cloud provider.
There's also this perspective
that you could probably be
more secure providing your data
to a trusted cloud provider and
that they could do a better
job at protecting that data
versus what you can do
on premises environment.
In fact,
most cloud providers push out
updates to their solutions and
to their software.
So we saw a few weeks ago
with the WannaCry situation
where various companies did
not upgrade their Windows
operating system.
If you're working with
a cloud services provider,
those updates are pushed
out automatically.
Now some folks have
identified various concerns
in moving to the Cloud.
Some folks believe that the act
of providing their data,
and their customer's data,
and their partner's data,
to a third party can be
inherently unstable and
it can cause maybe
some security concerns.
We hear that, on occasion,
from some of our customers.
There's this perspective that,
perhaps the larger cloud
services providers could be
viewed as a bigger target for
potential cyber criminals and
hackers.
Sometimes, when you're moving to
the cloud you may have to also
migrate data to a cloud
services provider.
There could be time and effort
and cost associated with that.
So folks have also
identified some
potential concerns in
moving to the cloud.
But regardless, we have seen
that over the last few years
that the cloud marketplace
has grown exponentially.
Here is a survey done by
the Forrester Research Group
where they talk about how
the cloud marketplace is gonna
be growing to almost
$250 billion by 2020.
And so it's become big
business cloud computing.
And because of that
there are a number
of cloud services
providers out there.
It's become what I
call sort of a crowded
cloud provider marketplace.
A lot of times,
companies aren't sure which
cloud provider they
should select and choose.
And so
when I look at the marketplace,
I view the marketplace really
being in four categories.
The first category
are the traditional information
technology providers who
are providing cloud solutions.
Companies like my company,
IBM and Oracle.
Then there is this
other category of
providers who like to say
they've been born in the cloud.
I'm not sure what born in
the cloud really means.
But those providers
are the Googles, the Amazons,
the Salesforce.coms.
There's also a third category
of smaller cloud providers which
are out there, some of them
make money, some of them don't.
Some of them may be
a target for an acquisition
by another company.
Then I think a fourth category
are these providers who perhaps
were really never in the
information technology space,
but they've re-engineered their
business to get involved in
cloud computing and
offer cloud storage solutions.
Examples of those companies
are the phone companies,
telephony companies.
Companies like AT&T and Verizon.
But a key point and one of the
key takeaways, I think from our
discussion today is if you're
thinking about moving to the cloud,
and lots of entities are and
have already moved to the cloud.
It's really important that you
spend your time conducting some
thoughtful due diligence and
ensuring that you can
trust your cloud provider.
Something which our
Microsoft President and
Chief Legal Officer, Brad Smith,
likes to say time and
time again is that in these
uncertain times when we've
seen cyber attack issues, data
loss issues, that companies will
only use technology that
they can truly trust.
So make sure you're spending
your time properly evaluating
cloud services providers.
So when I think of a possible
framework which folks may want
to use in evaluating potential
cloud services providers,
I think a key foundational
element is this whole notion
of compliance.
You wanna work with
a cloud provider who,
hopefully, can help enable you
to meet your compliance needs.
But there's also other key
areas to really hone in on,
such as security.
What do they do to protect
your data in the cloud?
How about privacy and
data control?
What are they doing to ensure
that you continue to own your
data, that you can get access
to your data even though it's
stored in a cloud
provider's cloud?
And also transparency, you wanna
work with a cloud provider who
hopefully is very clear.
And truly transparent to you
regarding their cloud services,
business practices and
where your data is
located in their cloud.
So, what we'll do now is
change gears a little bit and
we'll have a conversation
about the cloud.
And again, we invite
the audience to ask whatever
questions that they may have.
But let me throw out
a first question.
It's sort of a two
part question.
Who are the key stakeholders
that should be involved
in deciding which cloud
provider to use and
what should be the role of
a compliance professional during
the cloud provider
evaluation stage?
Edward, you may have
some thoughts on that.
>> I do, it's good that's the first
question, because Dennis,
when you first asked me to be
on a panel on cloud computing.
My first thought was, well,
that's not my primary focus,
I don't do cloud computing.
But then when you start thinking
about it, there's no one person
in most corporations that,
that's their focus.
It's a team, it's a very
varied team of people
that you need to collect.
And it's not just legal and
InfoSec,
the ones that
first come to mind.
It's not yeah, the infosec or
IT say based on cost savings and
based on efficiency here's
what we want to do and
then the legal is it's
a binary go, no go.
It's not like that or
it shouldn't be like that.
There are a lot of other
factors and considerations
on moving to the cloud and you
need the entire team to do that.
We focus on going
to the business and
figuring out what
the use case is.
What data is being proposed
to put into the cloud.
How it's gonna be used?
Where it's gonna be going?
And then that really informs
the entire decision,
so maybe you want to narrow the type
of data you are moving in.
Maybe there is some data
that is too sensitive for
you to put it into the cloud.
Maybe there are others that you
are not comfortable with that
particular proprietor.
There is a lot of different
patterns and variations to go.
But you need to have all
those discussions right from
the beginning, gather all your
team right from the beginning.
I think that is the second
part: what is the compliance
professional's, in my world
the privacy professional's, role?
It is to make sure all
of those people have input,
make sure all of
the voices are heard.
And make sure that each concern
is addressed along the way.
>> And just to highlight
a few points which you made.
I think it's when we see this
in our customers when they don't
get the key folks and
stakeholders involved early and
often.
And that's something which
you really need to do.
We've seen time and
time again some of our customers
have signed our cloud computing
contracts, but after they sign
the contract then they wanna
start using our solutions. So
we get involved in sort
of a second sales cycle,
a second negotiation
because they haven't had
key decision makers
involved in the front end.
So make sure you group
those folks in very,
very early and often.
I think there's an interesting
role for the compliance
professional to play sort
of a quasi quarterback,
to making sure that the right
folks get involved.
>> Yeah, I would just say, also
from an efficiency standpoint,
I mean, to your point Dennis,
oftentimes people will
sign cloud contracts and
the board of directors have no
idea that things are actually in
the cloud or
that a contract has been signed.
And you wanna get everyone
involved cuz oftentimes
you'll have these really very
valuable security briefings
about the cloud.
And ultimately the right
people are not in the room.
And so when it comes to legal,
when it comes to procurement,
the CMO,
they've had no participation or
no involvement or
buy in on this decision.
So you find yourself
doing it over and
over again trying to
get the right people so
that they will embrace cloud
services, essentially.
>> No doubt and
I would also make another point
that you definitely wanna get
the right stakeholders involved,
but
be sensitive to maybe getting
too many folks involved.
Sometimes at Microsoft we'll get
involved in our cloud contract
negotiations and a customer
will get 25, 30 folks involved.
We can't tell a customer how
many folks they should get
involved.
But I think focus in on the core
stakeholders who can really
provide value,
who could be sort of nimble and
sort of efficient
in the process.
>> Dennis, I just wanna add,
so we have a very structured
DOD acquisition process.
So it's very structured and
every cloud service provider and
cloud server offering must be
certified by the Defense
Information Service Agency.
That being said, we spend
$8.3 billion on IT just for
the Army alone.
So moving to the cloud,
we're looking to reduce cost.
But one thing I wanna point out,
it also harmonizes our security.
So some of this security
risk can be reduced by using
the cloud, since we don't
have so many systems.
The other thing I like to
point out is like we always do
a cost-benefit analysis on the
systems that we wanna move to
the cloud.
Because, in some cases,
moving to the cloud won't
save us money actually.
If it's just a one-off system,
we may not gain efficiency
by moving to the cloud.
>> Those are great points,
great points.
Any questions from the audience?
Just pause here for
a second, okay.
So let's move on to
another question.
What are the key criteria that
customers should consider when
evaluating a cloud
services provider?
>> Yeah,
I'll jump in on this one.
So the things that you
had up there before.
It's security, compliance,
transparency, control.
Not everything fits neatly
into those buckets.
But those things tend to be,
again,
the board of director
level involvement.
So when you think
about security,
security is still a big issue.
I think it really depends on
the industry, quite frankly.
I sell to, again,
a broad base of customers.
So security is
a really big issue.
But you have to think about it
from the standpoint that your
cloud providers, the big ones,
security is a core competency.
So they can do
the patch management,
the virus monitoring,
the firewall, things like that.
Whereas in a lot of smaller
companies it's very
difficult and
not cost-effective to do that.
When you start thinking about
other things like data loss,
I mean, that's a big issue for
people.
But in a public
cloud environment,
it's very, very rare for
that to happen,
simply because of the way
the data is stored in the data
centers and we'll probably
get to that in a little bit.
In terms of compliance and
control,
that's another big issue for
customers.
And my advice to people
is to do some research
on your cloud provider.
Make sure that they're using
the data just to provide
the service, and nothing else.
So there should be no targeting
of ads, no data mining,
things like that.
I kind of like to look at it
from a philosophy of that you
should be almost in
no worse position,
because the CSP should be,
in a sense, a custodian.
It's almost like a safe
deposit box, if you will.
You're putting that data
in that safe deposit box,
you control it.
You should have all the legal
benefits as if you had control
of that data yourself.
So if you think about
what that looks like,
an example would be
government access, right?
So does your CSP
have protocols,
procedures, processes in place so that
if government
comes to request data,
they're gonna notify you first?
And if they can't notify you
first, what's their procedure?
Are they willing to contest it?
Are they willing to
take it to court?
That's a big control issue.
The compliance aspect of it
is that you can't comply if
your standardized service that
you're using does not comply.
So all cloud providers
should strive to meet
any regulation that applies
to cloud providers.
And that is a situation too
where you need to look at
the history of your
cloud service provider.
Where were they when
ISO 27018 came out?
27001, Safe Harbor,
model clauses.
Did they comply with
those regulations?
And that'll give you sort of a
backdrop as to their history and
their core competencies and
whether they take it
seriously or not.
>> Two things I wanted to add.
The one thing for DOD and
Army, it's very important,
is past performance.
We always look at the past
performances of how
they performed in
other contracts.
And the other thing is the value
add services that they can add.
One thing that's very important
to us is migration support.
So when we're moving that data
from our existing system to
the cloud, that support
is very important to us.
And how they can plug in and
help us with that migration.
>> Just a few follow-up points.
For those of you that don't
know what ISO 27018 is,
that's an international standard
regarding how a cloud services
provider needs to protect
data in the cloud.
It was the first
international cloud service
certification compliance
standard, Microsoft was
the first major cloud provider
to achieve certification with
that standard.
But make sure that your
cloud services provider
complies with that
important standard.
One thing which we've seen
with some of our customers,
in terms of the due diligence
in evaluation process is that,
oftentimes they will send us a
detailed security questionnaire
document.
Sometimes they'll send us
a request for proposal documents
asking us a variety of questions
as to how we secure data in
the cloud and what our practices
and our protocols are.
So that may be a practice
which you want to consider.
Yes, ma'am?
>> So with respect
to that [INAUDIBLE]
[INAUDIBLE].
>> Thank you for the question,
it's a great question.
The question is at
the end of the day,
Microsoft talks about its
practices and policies.
Are they willing to step up to
the plate, if you will, and
to provide what I would call
a proactive hold harmless
indemnity provision?
It's a very good question, we
see that from customers time and
time again.
We're gonna be talking about
the allocation of risk.
So at Microsoft, we have what
we think are commercially
reasonable limitation of
liability terms and conditions,
whereby we are willing to
protect up to 12 months of fees
paid for the services.
We don't technically have
an indemnity provision built
into our standard contracts.
I know we're on video tape here.
But I will say that depending
upon the nature of the customer,
the size of the deal, we have
been willing to provide what
we call a reimbursement of
customer mitigation costs,
if there is a data loss,
a security incident.
But that reimbursement is always
capped by whatever cap on
limitation of liability
which we agree to.
So it's not an unlimited
stance vis-a-vis indemnity.
And so we've spent a lot of
time over the years, of course,
benchmarking the standard
contracts of our customers.
So we think that, for
the most part, our terms are
very commercially reasonable.
But I think that's
part of the give and
take of the negotiation
process with the customer.
But that's a terrific question,
thank you very much for it.
>> Let me add one more
consideration that I really
hadn't talked about before and
actually for
the three of us, it probably
doesn't matter as much.
But I heard yesterday from
a gentleman from the FBI and
he was talking about
the potentiality
of future ownership.
So his example was
Amazon Web Services,
which might be a little
bit example too far.
But there are a lot of
smaller cloud providers,
a lot of startups that are.
And his thought was if you go
ahead and put your data with
them and then they get sold to
somebody who's got a beneficial
owner in China or North Korea or
some other state which may not
be as friendly to data privacy
law, what's gonna happen?
I don't know, it's only been 24
hours since I thought about it.
I'm trying to decide whether
that's too paranoid or not but
maybe it's not.
Maybe thinking ahead a little
bit to how that provider's gonna
be and what the likelihood is in
a year or two of the stability
of your data in that cloud
provider, is probably not bad.
>> I think it's a fair point,
and that's something which
you should ask as part of
the due diligence process,
to understand the makeup of
the cloud services provider,
what their reputation has been.
Do they make money or not?
What's the likelihood
of them being a target?
How good are they
doing financially?
If they declare insolvency or
bankruptcy,
what happens to your data?
Also, just sort of as
a corollary point on
the indemnity piece.
There may be some smaller
cloud services providers who
are willing to indemnify you,
and that's all well and good.
But what does that indemnity
really mean at the end of
the day?
So when you're thinking about
indemnity, I would say to you
that indemnity probably means
more from a well capitalized
cloud services provider
versus a smaller provider.
>> Yeah,
one thing I wanna add is also,
we talked about indemnity, but
also the portability
of the data.
If all else fails,
I think it's very important
to have a contract clause
that talks about
the portability of that data and
how it's gonna be exported and
what format that will be.
So that's very important to us.
>> Yeah and I would say for the
indemnity standpoint as well,
our duty to defend.
There are things you should be,
in a sense, made whole.
If you're utilizing
the service and
you're sued as a result of
just using the service, right?
And to your point, for
the FBI example,
I mean you still
have a contract.
You still have breach
of contract remedies.
You also have encryption.
And as cloud services evolve,
there's encryption where you
bring your own key, essentially,
where you have
control of that data.
So if you're using best
industry practices with respect
to encryption,
there is some protection there
even in a cloud service.
>> Yes sir?
>> So on this issue of
portability of data, [INAUDIBLE]
took over [INAUDIBLE] of
the cloud a few years ago,
reacting to
the company's contract,
there's nothing in there
about affordability.
Whether or not they go bankrupt
or whether we decide to split.
So is there
an industry standard,
is there standard terms for
something that we
should have been savvy,
to insist on deployment.
>> Well a few thoughts and
I'll let others jump in.
But I think you should always
make sure that it's part of
your contract,
the cloud provider,
that you always have
access to your data.
That you're always very clear
that you retain ownership to
your data.
I know at Microsoft,
in the event that there is
an end of our contract, we
always provide the ability for
our customers to get access to
their data for a period of time.
Or they may want us
to delete their data.
And if they want us
to delete the data,
we're willing to do that too.
So we give options, but
I think that's an important
consideration to include and
to think about in your contract.
You really need to be cognizant
of the so-called exit strategy,
if you will.
>> Right, and one thing I may
add is the migration services.
I think you need to have in that
contract a period of time.
If this relationship
doesn't work out,
then you have a period of
time where they're gonna help
you migrate that data
off that system.
And then you specify the formats
that data's gonna be in,
I think that should
be in the contract.
>> Yeah, I think also
with GDPR coming out,
there are gonna be some
provisions in there
on data portability and
migration of data.
So if your cloud service
provider provides services to
people in Europe, then they're
gonna have to comply with GDPR.
Or if they have offices
that are based in Europe,
they will have to comply with GDPR.
I think it's almost impossible
from a cloud contract standpoint
to say well, how much time
is enough time to migrate
data to the new service, right?
Most cloud contracts
will say 90 days,
that that's their
responsibility.
And that's
a standardized service,
keeping in mind that you have
literally tens of thousands,
hundreds of thousands
of customers, right?
So you're standardizing
that service, so
what happens if it takes
you longer than 90 days?
And so that's something that you
can talk about with your cloud
service provider, but
there should be a plan in
place to migrate the data.
And as long as you're paying for
it, by the way,
they have to maintain it.
So even if the contract says 90
days, if you still have a valid
contract and you're going
month to month, for example,
they're still providing
the service and
you could be planning to migrate
that data as you move along.
Just food for thought.
>> Just a point on the acronym
GDPR, that stands for
the General Data
Protection Regulation.
It's a new law which will come
into effect about a year or
so from now.
And it's gonna be, if you
have personally identifiable
information of folks in the EU,
or companies in the EU,
if you do business in the EU,
you're gonna wanna make sure
you comply with this new law.
It contains a number of
different requirements
from a legal perspective,
I think there was a session
yesterday on the GDPR.
And if you don't
comply with the GDPR,
you stand to be responsible for
up to, I believe,
4% of your revenues if you're
in violation of the GDPR.
So make sure that as you're
moving to the cloud,
give some thought as to how
do you become GDPR ready.
I'll just give one more plug,
if you don't mind, for a second.
Tomorrow there's gonna
be a webcast with our
Microsoft President and
Chief Legal Officer, Brad Smith,
and our Chief Privacy Officer,
Brendon Lynch, where they're
gonna talk about what Microsoft
does from a GDPR perspective.
It starts at 9 AM Eastern
time tomorrow morning.
I know all of us will be still
here at Compliance Week, but
you can still listen to it on
demand as your schedule permits.
Yes ma'am?
>> Yeah,
I am coming at this from
the GDPR perspective.
And we're trying to
engage a lot of new
SaaS services for
security purposes.
And I'm trying to make sure that
we are GDPR compliant now, so
that I don't have
to do it next year.
And get the right privacy
clauses in a contract.
And try to get our works
council approval for
these sorts of new services.
And every single provider
I talk to acts like
I'm the first one that's
ever asked and so
the responsibility is falling
on me to draft those clauses.
And to put together
presentations and materials for
works councils to convince
them that this is a good idea.
And I feel it's not sustainable
and it can't be the right way
cuz I don't know anything
about SaaS services [LAUGH].
I'm not the best person
to be doing this.
And so I'm wondering, am I
talking to the wrong people?
How can this process
go more smoothly?
It feels like I must be
doing something wrong.
>> Well, first of all,
it's a great question.
And I don't think you're
doing anything wrong.
I think you're asking the right
questions at this point in time,
cuz it's really
important to gear up for
GDPR because it's
a pretty involved law.
At Microsoft, at our Microsoft
Trust Center we have a number of
resources which you
can take a look at,
which provide some advice,
some sorta rules of the road if
you will,
as to how to become GDPR ready.
At Microsoft also we're
the first major cloud services
provider which is offering GDPR
contract terms as part of our
cloud contract.
So also make sure that your
cloud provider isn't just
talking about GDPR,
if you will, but
they're willing to back it up in
terms of actual commitments in
their cloud contracts.
I'll also say that we've
been seeing more and
more of our
sophisticated customers,
asking about what are you
doing vis-à-vis GDPR.
So you're asking the absolute
right questions.
And I do think you're
probably gonna see more.
At Microsoft, we like to feel
that we sort of set the tone for
the industry, if you will.
I think you're
gonna see more and
more cloud providers
having a conversation and
talking about what they
are doing to comply with GDPR.
But definitely ask
those questions,
drill down in more detail.
>> [INAUDIBLE] Does
this [INAUDIBLE],
is there typically someone
internally who has this in mind?
We want our service to be
used by this company, so
we're going to help this
company convince its work
councils that-
>> People within the cloud
provider's business basically.
>> [INAUDIBLE] People, or?
>> We don't have folks who,
I would say directly would
advocate on your behalf in front
of those regulatory authorities.
But we have a bunch of lawyers,
regulatory folks who constantly
interact with these folks.
And we've been getting
our house in order,
to make sure that
we're GDPR ready.
So you wanna work with
a cloud provider who has
resources available.
Which then you can show to
these regulators to say,
hey we've selected this provider
because they really know what
they're doing there
with GDPR readiness.
>> So
I'm asking the same questions,
I'm in the same boat as you.
>> It's like why am
I putting together
a presentation on CrowdStrike,
I don't know anything about-
>> I do understand.
And I have not found that
person in any cloud providers.
That one person that is like,
yeah, here's the deck we use for
the works council
on our last client.
I mean, we don't have that.
But on the works council, I will
say it's not apples and oranges,
but there are separate issues.
And each company's
works councils, and
actually each country's work
council within that company,
do have different tolerances.
So I do from that side.
I can understand
why a Microsoft, or
it doesn't say here's our
works council presentation,
cuz it does differ.
But you're right, you do
need to ask those questions.
First of your HR, this gets
back to our first point.
Get with your HR and say,
what are your works councils
going to be looking for?
What sorts of information
do I need to gather
about this new solution?
So from the provider, and from
the business and from IT, so
we can package it all and go
to the works councils and say,
here, this is what
we plan on doing.
But it's not an easy answer.
Especially if you're
an American company and
you're dealing with a US cloud
provider, a lot of times, you're
gonna hear from them, we don't
have anything to do with GDPR.
We don't wanna deal with it.
That's not the right answer.
And they'll find that
out in about 369 days.
>> [LAUGH]
>> But it's evolving.
>> It's the answer for army,
all our systems, right?
>> [LAUGH]
>> So I'll give a plug,
microsoft.com/gdpr has
a lot of materials on it.
There's a whole industry
popping up around this as well.
They estimate it's
about a 4 to $5 billion
industry in terms of helping
companies prepare for GDPR.
So there are a lot of people
out there who are doing this.
Microsoft has a lot of partners
who help our customers
in this format as well.
So there's stuff out there, but
certainly willing to talk with
you more about it if
you have questions.
>> Yes, ma'am?
>> [INAUDIBLE].
And they've been very helpful
in going through agreements.
And put in clauses
[INAUDIBLE] for
the providers to need
to comply with GDPR.
So I would have no idea.
But if you get a [INAUDIBLE]
they should be up to speed
with it.
>> [INAUDIBLE]
>> So
yeah, and keep in mind too
that it's a partnership with
your cloud service
provider on this as well.
Obviously the cloud service
provider has a lot of things
that it needs to do, to make
sure that it complies with GDPR.
And it's a huge,
huge engineering commitment.
I mean very expensive to do.
But on the flip side,
you've also got a lot of things
that you have to do as well.
I mean,
if you have loyalty programs,
all kinds of things where you're
collecting personal information,
you've gotta ensure
that you're complying
with GDPR also in how you
collect that information.
So it's not as simple as just
dumping it in the cloud,
problem solved.
I mean, there's a lot of work
to be done on both parties' end,
to make sure that
you're successful.
>> So I'll just make one
point about Microsoft.
So I'll be happy to talk more
offline, but Microsoft stands
ready to help you navigate
through those issues as needed,
so, okay?
Any other questions?
Okay, well,
let's move to another question.
>> I think we had
one over there.
>> I'm sorry, yes ma'am.
>> You mentioned
earlier about
[INAUDIBLE].
>> Well, we're transparent
as to where our customers,
where their data is
located in our cloud.
So as an example, let's say you
provision, you are what we call
a tenant, or a data center
in North America, or the US.
We say that your data,
at rest, will remain in US or
North America.
I'm assuming we will make
similar commitments vis-a-vis
Africa and maybe the Middle East
& Africa region, if you will.
>> Yeah, I would just say that
that's correct as I understand
it, that we can keep, the way
we engineer our services,
we can keep your data
in a particular region.
There is some redundancy,
so it's something that we
can talk about with our
technical specialist to ensure
that you have data where
you think it should be.
The other thing that I
would say is important for
a CSP is to ensure that wherever
the data rests, the laws
of that particular jurisdiction
will apply to the data.
And that might sound sort
of counter intuitive.
But you don't want some foreign
government coming in and
issuing a subpoena, trying
to get access to your data,
because it's in the US, or
some other place, or whatever.
So again, look at your CSP's
track record in defending that.
I mean,
are they willing to stand up.
I can tell you, and this is
not a plug for Microsoft, but
we've sued the US
government over this.
So right now it's, I guess,
in the Appeals Court.
We won the last round but it may
go higher, depending on whether
the government decides to
appeal or not, but anyway.
>> Not just the data, but
it's also how [INAUDIBLE].
>> Absolutely, it's all
really important for sure.
And that's the other thing.
It comes back to control,
which there's a whole bunch
of questions we probably will
not have time to get to.
But that's part of control, and
who has access, and is it
logged, that kind of thing.
And the physical security
aspect of the data,
while it resides with your CSP,
is extremely important as well.
So when you have that
conversation, I think that's
an important aspect of
the conversation to have.
And how do they control
the data, what's the physical
control, and who has access,
and how is that logged in third
party access, subcontractors,
all kinds of things.
I think those are discussions
that you will need to have.
>> Critical question,
okay, well,
let's move on to
another question.
So what other trends do you
guys see in the space of cloud
computing?
>> So a big thing for
Army and DoD is SaaS.
So we're Service as a Service.
That is Software as a service.
That's a huge thing for us.
And it looks like we can move
many of our applications to
the cloud, using SaaS,
especially around
the office environment.
>> Yeah, I'd say for
me the biggest trend seen across
various industries, is just
embracing of the cloud, right?
So three or four years ago,
a lot of companies would have
never put sensitive
workloads into the cloud.
Not only are they doing that,
but they're doing it a public
cloud format, taking advantage
of the huge economies of scale.
So I think public cloud,
there was a survey by LinkedIn,
their information
security community,
which spans across seven or
eight different industries.
And this survey is
about two years old.
But 71% were either
in the cloud or
actively planning
to go in the cloud.
So I would say that it's not
only where you are today in
terms of your planning, but
where will you be in a year from
now vis-à-vis your competitors.
And if you're not in the cloud,
is that gonna put you or
your company,
at a competitive disadvantage.
So I mean those are the big
things that I see.
And it used to be number
one conversation, security,
security, security.
Now the number one conversation
is about privacy and control.
And security's still important,
don't get me wrong.
It's still a big thing,
but most people have done a lot
of research now about cloud and
they feel a lot more
comfortable about security.
And I've heard a lot
of CIOs say this.
That the fact of the matter
is that the major
cloud vendors can
protect their data,
better than they can do
it in-house themselves.
And that, again,
is because of the monitoring.
We spend over $1 billion
a year, just in security alone.
So it's now a core competency
of all of your major cloud
providers.
>> I think the other thing is
having your data at one cloud,
is you can do big data analysis.
So when all your data is
residing at one system, allows
many big data analysis that
wouldn't be available before.
So it's a huge
business analytic.
>> The other point I would
just make before going to
the question, is that we've been
seeing customers adopt what is
known as a hybrid approach.
There are some customers who
don't wanna go all in the cloud,
and so they keep some of
their data on-premises,
maybe some of the more
sensitive data.
And they move other workloads
and data to a cloud.
Yes sir, you had a question.
>> I do, thank you, and I wanna
turn back to the indemnification
issue, if I could, as we were
talking about data security.
In our situation, we're actually
taking our customer data, and
then we would be putting
it on the clouds.
So there's an expectation
from our customer,
that we will be
safeguarding that data,
to the extent that the 12
month subscription cap exists.
That's not cutting it
with our customers.
They want a more absolute
commitment from us.
How do you suggest
we bridge the gap?
Because I have seen over
the last five or eight years,
where the 12 month subscription
value, becomes the standard.
But it's wholly inadequate in
terms of the potential liability
that we could expect.
How do we bridge that gap?
>> Well, we see that come up
many times as part of our
discussions with our customers.
And I think at the end of
the day, from my viewpoint,
it's ultimately a business
risk financial issue, right?
Depending upon the economics
of the deal, the nature of
the customer, we may be
willing to elevate that cap.
But it's all really based
upon the financial aspects of
the deal.
It has come up time and
time again too.
>> I'll be honest with you.
I mean I very rarely
see a deal not happen because of
limitation of liability,
or because of indemnity.
Normally, the parties are able
to get to a point where they're
both comfortable.
And it takes a while
to get there.
I mean many times there's
security briefings,
understanding what the service
is, and how we store the data,
how it's encrypted.
So if the issue is
data being stolen,
some companies get more
comfortable when they
understand how we store
the data, how it's encrypted.
How your data's not
gonna reside on one box.
It's gonna be stored across the
data center on many different
servers.
So hypothetically, if a server
were penetrated, not only is it
encrypted, but it's only gonna
be a piece of your information.
It doesn't answer your question.
I think there's flexibility
there among cloud
providers, right?
So yeah, I've often heard,
this cloud provider will take
uncapped liability and
that sort of thing.
I would just tell you to read
the fine print on those.
Because it's not really true in
what some cloud providers say
about uncapped liability, and
what they're willing to provide.
I think at the end of the day,
there's no cloud provider that's
willing to bet their
entire company.
Because essentially,
it's not gonna be one
customer that's hit.
It's gonna be a multiple,
across hundreds,
thousands, tens of thousands
of customers potentially.
So there's gotta be some
reasonable cap on liability.
What that is, I think you'll
have to get comfortable with
your cloud service provider.
But those are one of the things
that, quite frankly,
a cloud service provider
can negotiate with you.
There's certain things that,
because of the way the service
is engineered, I can't
change even if I wanted to.
But indemnity, limitation, and
liability, my commitment to
you or your cloud services
provider's commitment to you.
Those are things that,
quite frankly, I believe can be
negotiated where you can
get to a level of comfort.
>> Well,
it's a risk analysis, right?
And you have to look
at the alternative.
So I don't know what
your situation is, but I
mean there is a lot of companies
that are starting out, and they
don't have very sophisticated
IT resources themselves.
So while you might say, look,
we wanna go into the cloud but
we want protection.
But from your customer
standpoint, and even from your
board of directors' standpoint,
what's the alternative?
You are to maintain it inside,
on premises,
what protections are you
affording there?
I mean, what would be
your exposure there?
You might not be increasing your
exposure dramatically to go into
the cloud, either from
a security standpoint, or
from a financial standpoint.
So it's not a simple math
>> [INAUDIBLE]
>> Yeah.
>> [INAUDIBLE]
>> Yes sir.
>> You talk about [INAUDIBLE].
>> What are the cloud providers
doing to ensure that their
component pieces comply with
data protection requirements?
>> Well, I'll throw
a possible answer there, and
feel free to chime in.
At Microsoft, we use a number
of subcontractors as part of our
provision of cloud services.
We use these subcontractors, cuz
quite frankly, it's a way for
us to provide competitive costs,
associated with our cloud.
But we take responsibility on
behalf of those subcontractors.
We put that into our contract,
that we're responsible on
behalf of our subcontractors.
We also notify you and tell you
on our Microsoft Trust Center
site who our subcontractors
are, so you're aware of it.
So we flow down a number
of those terms and
conditions, which we're signing
up to with our customer, through
our sub-contract agreements
with our subcontractors.
>> I'm sorry,
just the question is, are you more
concerned with ensuring that
we're keeping up with rules and
regulations with respect to our
hardware, that it's
best of breed?
Maybe I didn't understand
the question fully,
so if you can either drill down.
I'm sorry about that.
>> No problem, no problem.
I work a lot with
component systems, right?
My job is to go in and
look at them, and
make sure that they meet the
data protection requirements.
But dealing in
the digital world, right,
it's a combination of a lot of
different pieces glued together
to make the cloud.
>> Gotcha, okay.
>> What I wanna know is,
what is the focus of
the cloud service providers?
What is their due
diligence focus right now,
on ensuring that one of
those components, or
all of those components, meet
data protection requirements?
Is the focus just
on the software,
is the focus on the hardware?
Cuz we talk a lot
about security and
how impenetrable a network is.
But do we also
look at whether or
not each component of that
cloud system, the hardware and
the software, meets the data
protection requirements?
>> Yeah, so I would just say
that we're building data centers
around the world.
Some of them we own outright,
we construct.
We build some of them.
Our list but
we stand behind our SLA.
So we're looking at
the entire system.
We're ensuring that your
hardware specifically, I think
we take our useful service
out of life every two and
a half to three years.
They're shredded, broken into
pieces, new servers replaced.
So, we try to ensure that we're
using best of breed services,
hardware.
Again, there's penetration
testing, all types of patching,
things like that that go on
on a daily basis to ensure
that we're meeting our
SLA requirements and
that we stand
behind our service.
We say that we're going
to comply with all laws.
So it comes to any cloud service
provider not just Microsoft,
but you want to make sure
that they're putting these
things into their SLAs,
into their contract and
if not then it's a breach,
right?
So you want to make sure that
they have some skin in the game,
with respect to these things.
>> I'll just add a few
other points too.
It's my understanding that as
part of our contract terms we
have a robust definition of
Microsoft Online Services.
So it's really the combination
of our services,
which go into our
cloud services.
It's a combination of items
basically, if you will, and
we stand behind
all of our terms,
stand behind that definition
of Microsoft Online Services.
I also think, I believe that
it's part of the servers which
we have in our data
center environment.
I think we design the
blueprints, if you will, as to
how these servers are supposed
to be architected if you will.
And then we have our providers
package their servers
appropriately.
>> So one of the riskiest
elements that we see and
we look out for
is that human element.
So that insider attack is
the other thing that we're
very much concerned
about at DOD.
So we have very strict
requirements on security
clearances on the contractors
that work on our system,
so that's the other risk
factor is that human element.
>> Just a question,
I know we touched upon
this a little bit is how
about thoughts about
third party or
law enforcement access
to data issues?
Any perspective on that?
>> Yes,
I deal with it all the time.
My system is financial
disclosure of management and
there's a formal protocol to
request every senior leader
in DOD or actually in the
government needs to file what's
called the office of
government ethics 278 form.
And there's a formal process
where that can be requested and
so we provide that
data as requested.
We've also provided bulk data
to researchers, anonymized data,
so that they could do big data
analysis on the data that's
in our systems actually.
To match the assets to see what
DOD officials or what assets
they hold and in aggregate
>> Any thoughts about that?
>> Other than making sure that
your CSP has a process in place
with respect to
government request.
I mean, make sure that there
is transparency around that.
Make sure that, for example,
the results are published so
you know how many
requests there have been.
How many times your CSP has
actually had to turn over data.
Is your CSP,
is there a built in process?
I mean,
when I talked earlier about
the safe deposit box analogy, I
mean our position is that you're
in a better position than your
CSP to decide what complies with
a third party requested data.
So, our position is that
we will always, and
this is engineered in, we will
always redirect any request for
data to the owner of that data.
And if we're not permitted to
do that we will contest it.
And so I would encourage you
whatever CSP that you look at to
make sure they have
a process in place.
And make sure they have
a demonstrated history
of doing that.
Have they ever sued the
government with respect to this?
Or are they just saying?
You can write anything
in a contract?
But do you or are you
willing to stand behind it?
>> As a customer we
absolutely expect that.
If we're putting data and
assets into the cloud
then we are looking at it like
a safe deposit box too and
we expect the cloud
provider to protect it and
defend it against all requests
as we would ourselves.
>> And another question.
I know we touched upon parts
of this question earlier, but
with regard to limitation and
liability and indemnity but,
how much contract negotiation
changes should a cloud provider
be willing to entertain and
or accommodate,
in terms of a sometimes
we see with our customers
a proverbial battle
of the forms.
Microsoft has got a standard
cloud services contract.
Sometimes our
customers come back,
and they have a specialized
exhibit with regards to their
security protocols and
practices.
So, any thoughts on that?
>> Yeah, I have a comment
it goes to the question
over here about the GDPR and
new.
A lot of times you are not
negotiating against your cloud
service provider, you are
negotiating with them to ensure
that the contract that the two
of you put together is going to
be satisfactory to a regulator,
or to whoever looks at it later.
Or to a works council.
Sometimes there is some
works council, think
about Germany in particular
that can sometimes get so
detailed they actually
want to see contracts.
So they want to see
the protections are in there.
So you need that discussion with
your cloud service provider is
not necessarily adversarially,
it's not.
I want two years worth
of fees instead of one.
It's not that sort of thing.
It's what do we need to add
to this contract so that
the regulators from data privacy
perspective believe that we're
both protecting the individual
data that we put into it?
So sometimes it takes
a little getting used to
from a negotiation standpoint.
But if it's done right, it's
not as painful as it could be.
>> Okay, great.
Another question.
Are there any third party
resources out there which you
would encourage folks
to take a look at?
I'll just do a quick
answer to that question.
I think a great resource is
this organization known as
the Cloud Security Alliance.
They've become more of a leading
think tank in the area of cloud
services, so check out their
websites and their resources.
Another terrific organization is
the International Association of
Privacy Professionals.
IAPP and they have got some
great information about data
security privacy, especially
as it relates to the cloud.
But any other
research you wanna-
>> Yeah except for the DOD.
There is the Defense Information
Services all of our cloud
are related there in
the public domain.
I'd say for the private sector,
feel free to leverage what we
have there, it's all available
in the public domain.
>> Okay, okay.
Just maybe one last question
I'll throw out there.
So once your cloud
contract is signed,
how important is it to
consider managing and
monitoring your contract in
this ever changing environment?
>> Yeah, I think at
the end of the day, again,
it's a partnership, right?
So I think you have to do that.
I mean there's a whole industry
that's sort of sprung up around
that today.
To be honest with you,
we're struggling to keep
up with it because we're
really trying to have some
consistency around the process.
So, I can tell you what we do.
We publish a lot of things,
we republish the results
of our audit.
We republish the results of
law enforcement requests.
We try to get everything out as
much as possible on our website
so that our customers
can look at it.
Our challenge is
when you have so
many customers, how do you have
a standardized process for
them to evaluate cloud
service after the fact?
And this industry that's
sprung up around it.
You get these security
questionnaires from
existing customers, and
they're all different.
And so from a cost to sales
perspective it's extremely
difficult to reply to every
single security questionnaire.
So we try to have
a standardized response.
For some customers, quite
frankly, that's acceptable.
For some customers, it's not.
So, I'll be honest.
For us,
it's a real challenge right
now in how to do that because
our prior model much like most
of the old line companies
was to deliver software, and
you sort of maintained it.
Now we're doing that.
And so there is that continuing
partnership that you
go through the life of the
contract that you have today.
>> I would just consider, really
to encourage you guys once you
sign a cloud computing contract,
actively manage and
monitor that contract.
Especially with regard to
the service level agreement SLA
commitment.
You want to make sure that
you keep your cloud services
provider honest in that area.
So I think we're right up
against time or so, but
do any folks have
any other questions?
Okay, seeing that there's
no other questions,
we again really appreciate
your attention and for
joining our session today.
Thank you very much.
>> Thank you.
>> [APPLAUSE]