The Elephant in the Room: What’s the Buzz Around Cloud Computing?
Warren W. Stippich, Jr.
Partner and National Governance, Risk and Compliance Solution Leader, Business Advisory Services
2011 All Star Conference
October 17 – 19, 2011 / Las Vegas, NV, USA
Learning objectives – Presentation focus
Today’s presentation will focus on the following:
• Understanding primary outsourced/hosted cloud computing options
• Understanding unique risks associated with various cloud computing models
• Practical controls for securing the Company’s assets when using cloud computing
• Methods for deciding if cloud computing fulfills the organization’s business needs and risk appetite
Agenda
• Introductions
Introductions
Warren W. Stippich, Jr. – Chicago
• Partner and National Governance, Risk and Compliance Solution Leader, including Cyber Security Solution, in Grant Thornton's Business Advisory Services Practice
• Certified Internal Auditor (CIA)
• Certified Public Accountant (CPA IL)
• 20 years practicing internal audit, including 5 years as a CAE for a multi-national public company
Introductions
Matt Thompson – Raleigh, NC
• Senior Manager in Grant Thornton’s Business Advisory Services Practice
• Certified Information Systems Auditor (CISA)
• A member of the Triad (NC) IIA Board of Governors
• 15+ years’ experience working in the Cyber Security and IT Internal Audit arenas
Agenda
• Introductions
• Cloud computing overview
Cloud computing overview
Why the buzz?
Cloud computing is the future of IT
• A new and flexible model for deploying technology
• Extremely reliable and infinitely scalable
• Cost benefits and ease of ownership
• Allows you to expand or contract as business needs dictate
• What are you hoping to learn from today’s presentation?
• What is your experience with cloud computing?
• How does your company utilize cloud computing?
• What level of involvement did your Internal Audit group have with your Company’s cloud computing implementation?
• Has your company’s cloud environment been audited?
• More than 300 CAEs surveyed responded that
– 77% are at least somewhat familiar with cloud computing
– 69% use cloud computing; many expect cloud computing use to increase (45%) or stay the same (55%) in the next 12 months
• When asked to describe their view as to the security, governance, risk and controls implications in moving to a cloud environment, 43% responded "I haven’t really given it much thought."
“Looking past the current industry hype surrounding all things Cloud, Forrester believes that Cloud computing is a sustainable, long-term IT paradigm, and the successor to previous mainframe, client/server, and network computing eras.”
- Forrester Research, Inc., “The Evolution of Cloud Computing Markets”
“The cloud is about immediacy, elasticity, and utility economics”
- Mark Shuttleworth, Ubuntu & Canonical
“The cloud is water vapor”
- Larry Ellison
“Cloud computing is the next stage in the Internet's evolution, providing the means through which everything — from computing power to computing infrastructure, applications, business processes to personal collaboration — can be delivered to you as a service wherever and whenever you need.”
- Dummies.com
The term “Cloud” originated as a metaphor to depict the
public switched telephone system on network diagrams.
• Network enabled
• Abstraction of infrastructure
• Resource democratization
• Service-oriented architecture
• Elasticity/Dynamism of resources
• Utility model of consumption and allocation
Cloud computing overview
Economic value
#1 Infrastructure
• Data Center • Processor • Memory • Storage
• Virtualized & Dynamic • Redundant/Hardened
#2 Platform
• Operating System • Web Servers • Database Servers • Operational Services • Virtualized
#3 Application
• Google Apps • Salesforce • Mobile Me
Cloud computing overview
Types and models
Types of Clouds:
• Public - Shared computer resources provided by an off-site third-party provider
• Private - Dedicated computer resources provided by an off-site third party or use of cloud technologies on a private internal network
• Hybrid
Models of Cloud:
• Software as a Service (SaaS) - Software applications delivered over the Internet
• Platform as a Service (PaaS) - Full or partial operating system/development environment delivered over the Internet
Cloud computing overview
Grant Thornton technology model
• A tool for IT Internal Auditing
• SaaS relates to the application and data management layers.
• PaaS relates to the operating system layer for servers.
Cloud computing overview
• Software as a Service (SaaS)
– The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
• Platform as a Service (PaaS)
– Consumer has control over the deployed applications and possibly application hosting environment configurations.
• Infrastructure as a Service (IaaS)
– Consumer has control over operating systems, storage, deployed applications, and possibly select networking components (e.g.,
• Interoperability Across Platform Owners
– User to Application or Hardware Resource
– Application to Application
– Hardware Resource to Hardware Resource
• Cost Effective and Higher Utilization of Resources
– Dynamic Allocation As Needed
– Dynamically De-Provision when Not Needed
• Speed to Market
– Enable Faster Delivery of Applications & Upgrades
Agenda
• Introductions
• Cloud computing overview
• Risks and audit strategies
Risks and audit strategies
"A widespread failure in Amazon.com’s Web services business affected many Internet sites, highlighting the risks involved when companies rely on so-called cloud computing. The problems affected sites including Quora.com, Reddit.com, GroupMe.com and Scvngr.com, which all posted messages to their visitors about the issue. Most of the sites have been inaccessible for hours, and others were only partly operational…"
- NYTimes.com, April 21, 2011
"A data breach at one of the world's largest providers of marketing email services may have enabled unauthorized people to access the names and email addresses for customers of major financial-services, retailing and other companies."
- WSJ.com
• What are the physical components of the “Clouds”?
– Data Centers – self-hosted, third-party, both, etc.?
– Network circuits and firewalls – who’s managing, who’s watching, etc.?
– Disaster preparedness and recoverability – is there a plan, is it tested, etc.?
– Who is aware of and managing vendor SLAs and are they adequate?
• Where’s the data and how is it protected?
– In-flight, standing still/at-rest, etc.?
– Archives and back-up?
– Unintended uses?
– Data privacy and compliance?
• What is the tone at the top?
– Stakeholder knowledge of attributes and risks
– Have internal controls evolved effectively?
– Who is monitoring internal use of public cloud services?
• When outsourcing parts of their business (including cloud computing), companies are still responsible for the data, processing and/or services provided by the outsourcing company (service organization).
• As a result, many companies (and their auditors) desire or require their service organizations to obtain an independent assessment of their security, availability, processing integrity, confidentiality and privacy practices.
• SSAE No. 16, Reporting on Controls at a Service Organization, superseded SAS 70 on June 15, 2011.
• There are several reporting options for service auditors examining controls at service organizations:
– Financial reporting risks: SOC 1 (SSAE 16)
– Nonfinancial reporting risks: SOC 2 (with testing details) and SOC 3 ("Pass" with a seal display)
Risks and audit strategies
Six additional risk areas
1. Security - risks
• The cloud provider’s security policies are not as strong as the Company’s data security requirements
• Cloud systems which store Company data are not updated or patched when necessary
• Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
1. Security – audit strategy
• Determine if the cloud provider meets or exceeds the Company’s security requirements
• Determine if the cloud provider’s security posture is based on a security standard (e.g., ISO 27001, Cloud Security Alliance, PCI DSS, etc.)
• Determine if the cloud provider has a security assessment performed
2. Multi-tenancy – risks
• Company data is not appropriately segregated on shared hardware, resulting in Company data being inappropriately accessed by third parties
• The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
• The cloud service provider cannot determine the specific location of the Company’s data on its systems
• Company data resides on shared server space which might conflict with regulatory
2. Multi-tenancy – audit strategy
• Inquire of the cloud service provider’s method used to secure the Company’s data from being accessed by other customers/third parties
• Review the cloud service provider’s SLA to determine if the SLA addresses security of the Company’s data
• Review independent audit report(s) related to the Cloud provider’s security posture (i.e.,
3. Data location – risks
• The Company is not aware of all of the cloud service provider’s physical location(s)
• The Company does not know where their data is physically or virtually stored
• The Cloud service provider moves company data to another location without informing the Company
• Company data is stored in international
3. Data location – audit strategy
• Inquire of the cloud provider the specific physical and virtual location of the Company’s data
• Work with the Company’s legal group to fully understand the impact and potential risks of the Company’s data residing in a foreign country
4. Reliability – risks
• The cloud service provider has quality of service standards which conflict with business requirements
• During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
- Company employees cannot access the Company’s data when needed
- Customers are unable to use the
4. Reliability – audit strategy
• Inquire of the cloud service provider to determine the controls in place to ensure the reliability of the cloud solution
• Obtain an SLA/contract from the cloud service provider which details the specific reliability agreement for the Company. Compare this information to actual performance
5. Sustainability – risks
• In the event the cloud service provider goes out of business, the Company might not be able to retrieve the Company’s data. In addition, another third party might gain access/control of the Company’s data
• The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
• The Company’s business continuity plan does not address the cloud’s service offering being unavailable
5. Sustainability – audit strategy
• Inquire of the cloud service provider to determine if they have adequate controls in place to recover and protect the Company’s data even in the event of a disaster
• Review the Company’s business continuity plan and determine if the plan addresses interruptions with the cloud solution
• Inquire of the cloud service provider to
6. Scalability – risks
• The cloud service provider’s systems cannot scale to meet the Company’s anticipated growth, both for a short-term spike and/or to meet a long-term strategy
• If the Company decides to migrate all or part of the Company’s system and/or data back in-house (or to another provider), the cloud
6. Scalability – audit strategy
• Determine if the cloud provider’s system can scale to meet the Company’s expected short-term spikes and/or growth over the next five years
• Determine if the Company has a contingency plan in the event the cloud provider’s systems cannot scale to meet the Company’s needs
• Determine who is the “owner” of the Company’s data
Case study
• An energy solutions company is a leading provider of energy solutions with annual revenues in excess of $850 million for a payroll size of 400 employees
• Decision made by Senior Management to outsource their payroll system to a SaaS vendor cloud solution to allow for increased efficiency and cost savings
• Internal Audit identified payroll as a high-risk area since this was the Company’s first use of a cloud computing solution
Case study (cont'd)
• Company's Internal Audit department reviewed the cloud provider's Service Organization Report and did not note any exceptions
• Internal Audit also used existing user IDs to perform limited audit procedures and discovered they had access to view and edit another company's payroll information
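The multi-tenancy risk listed earlier (Company data not segregated from other customers on shared resources) and this case-study finding are the same defect seen from two angles: a record lookup keyed by the record identifier alone, with nothing tying it to the caller's tenant. The following is an added example, not code from the presentation or from any vendor; the data model, function names and sample tenants are constructed to show the unscoped lookup beside one scoped by the server-side session's tenant, for both read and edit.

```python
"""Tenant-scoped record access for a shared (multi-tenant) payroll store.
Example code added to this page; names and data are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PayrollRecord:
    tenant_id: str   # the customer (company) that owns the record
    record_id: int   # identifier exposed to the application's users
    employee: str
    salary: int


# Constructed sample data: two customers sharing one database.
STORE = {
    (rec.tenant_id, rec.record_id): rec
    for rec in [
        PayrollRecord("acme-energy", 1001, "A. Lee", 92000),
        PayrollRecord("other-co", 2001, "B. Kim", 78000),
    ]
}


def get_payroll_unscoped(record_id: int) -> Optional[PayrollRecord]:
    """Weak lookup (the case-study pattern): keyed by record_id alone, so
    any authenticated user of any tenant can read any tenant's record."""
    for (_, rid), rec in STORE.items():
        if rid == record_id:
            return rec
    return None


def get_payroll_scoped(session_tenant: str, record_id: int) -> Optional[PayrollRecord]:
    """Hardened lookup: the tenant comes from the server-side session, not
    the request, and is part of the key. A foreign record_id resolves to
    'not found', so the response does not even confirm the record exists."""
    return STORE.get((session_tenant, record_id))


def update_salary(session_tenant: str, record_id: int, new_salary: int) -> bool:
    """Writes reuse the scoped lookup, closing the 'edit' half of the
    finding; returns False (denied) rather than touching another tenant."""
    rec = get_payroll_scoped(session_tenant, record_id)
    if rec is None:
        return False
    STORE[(session_tenant, record_id)] = PayrollRecord(
        rec.tenant_id, rec.record_id, rec.employee, new_salary)
    return True
```

An auditor's "limited audit procedure" from the case study maps directly onto the scoped functions: log in as tenant A, request a tenant B record id, and expect not-found and no write.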
Agenda
• Introductions