Cloud Computing Risk and Rewards

Academic year: 2021


(1)

Cloud Computing Risk and Rewards

John Lazarine, Vice President and Chief Audit Executive
Mark Salamasick, Director of Center for Internal Auditing

(2)

John Lazarine

• 25 years of Internal Audit experience
• Industry experience: Retail, Financial Services, Oil & Gas, Telecommunications, Aerospace & Defense, Construction and Technology Services
• Companies: JCPenney, Mobil Oil, Alcatel, Raytheon, Centex and Rackspace

(3)

Rackspace

• Founded in 1998, based in San Antonio
• Service leader in Cloud Computing
• 180,000+ customers, 4,300 employees
• 8 Data Centers based in the US, UK and HK
• Key Products: Cloud Hosting, Managed Hosting and Email & Apps, all backed by Fanatical Support

(4)

Mark Salamasick

• Over 25 years internal audit and consulting experience
• Industry experience: Financial Services, Utility, Oil & Gas, Technology, and Education
• Companies: Central Michigan University, Accenture, Bank of America, and University of Texas at Dallas
• Published: Most recent book “Auditing Outsourced Functions”

(5)

University of Texas at Dallas

• Founded in 1969, based in Richardson
• Over 19,000 students and over 6,300 in the business school
• One of the fastest growing Universities in the US
• One of the largest graduate Accounting programs, with over 850 students
• Largest Graduate Internal Audit program worldwide

(6)

Session Overview

Cloud computing is changing the way we all look at outsourced technology. This session will help in understanding and evaluating the rewards that can be gained from the cloud. The reduction of technology costs and the immediate availability of technology infrastructure provide alternatives that must be considered. At the same time, not all cloud-based solutions are the same, and your organization must evaluate the risks. Cloud solutions are here to stay and will transform the way we do business. Also, come hear the latest guidance provided by COSO on addressing the opportunities, rewards and risk mitigation of doing business in the cloud.

Learning Objectives:
1. Understand the opportunities provided by cloud computing.
2. Understand the new risks from cloud computing along with risk mitigation techniques.
3. Learn the right questions to ask when doing business in the Cloud.

(7)

What is Cloud?

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling “… convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

(8)

Service Models & Uses

Software as a Service (SaaS)
  Overview: Applications over a network
  Level of Customer Control: Does not manage or control the underlying Cloud infrastructure, servers, O/S, network, storage or individual application capabilities (with the exception of user configurable settings)

Platform as a Service (PaaS)
  Overview: Developer platform with built-in services
  Level of Customer Control: Has control over the deployed applications and possibly the application hosting environment configurations

Infrastructure as a Service (IaaS)
  Overview: Rent processing, storage, network capacity and other computing resources
  Level of Customer Control: Has control over the operating systems, storage and deployed application

(9)

Deployment Models & Uses

Private Cloud
• Operated solely for an organization
• May be managed by the organization or a third party
• May exist on or off premise

Public Cloud
• Made available to the general public
• Owned by an organization selling cloud services

Hybrid Cloud
• A composition of two or more clouds (private, public and/or community) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

Community Cloud
• Shared by several organizations
• Supports a specific community that has a shared mission or interest
• May be managed by the organization or a third party

(10)

ISACA Survey

(11)

Benefits of Cloud Computing

• Cost control – Utility model
• Speed – Immediate provisioning (setting up resources)
• Focus – Allows company to focus on core competencies
• Scalability – Ability to dynamically adjust resources according to demand with little to no notice
• Performance – Utilizing server load balancing
• Operational Expertise – Patch management, version updates, data security

(12)

Elements of Cloud Computing Value

[Figure: Economic, Architectural, Strategic]

(13)

Cloud Security Today

• Provider transparency
  – Trust, reliability and viability
  – SLAs
• Data protection
• Malicious insiders, social engineering
• Cloud-specific attacks

(14)

Cloud Security Tomorrow

• Globally compatible legislation
• Cloud compatibility standards
• Real-time management
• Identity management
• Responding to security incidents
• Bandwidth
• Pricing

(15)

Controls

• Virtual firewalls
• Encryption as close to the source as possible
• Network access
• Secure SAN protocols
• Regular deletion of unused assets
• Logs and audit trails
• Compliance requirements

(16)

Public Clouds – Entertainment

• Tech and media companies are racing to create Internet video hit programs on the scale of traditional TV
  – Netflix and Kevin Spacey
  – Hulu and Kiefer Sutherland
  – Yahoo, Sony, AOL, YouTube
• Consumers are watching more video on Internet TVs and tablet computers

(17)

Right Questions to Ask

(18)

Risks

• Disruptive Force
• Residing in the same risk ecosystem as the CSP
• Lack of Transparency
• Security, Compliance and Data Jurisdiction
• Reliability, performance, and high-value cyber-attack target
• Risk of data leakage
• IT organizational changes
• Potential vendor lock-in

(19)

Cloud Computing Board Oversight Questions?

• Who in management is responsible for understanding and managing the business risks associated with cloud computing?
• What are competitors doing with cloud solutions?
• Are cloud computing initiatives aligned with the organization’s risk appetite?
• Does management have the skills required to understand the complexities associated with cloud computing?

(20)

Cloud Computing Management Questions?

• What is management’s stand on outsourcing functions?
• Does the organization anticipate rapid growth that might require using cloud solutions?
• Is the organization in a mature market that might require using cloud computing to save costs to remain competitive?
• How should the organization prepare for cloud computing?
• Who should be involved in the evaluation process, and who makes the decision?
• How can the organization manage its risks adequately while operating in a business environment with cloud computing?

(21)

Other Considerations

• Cloud solution pricing predictability
• Captive renter
• Involvement of representatives across the organization
• Clear definitions of responsibilities and required interactions between the organization and the CSP
• Evaluation of business continuity requirements

(22)

Key Tasks in the Road to the Cloud

• Assessing the Cloud Strategy
• Evaluating Cloud Providers
• Moving to the Cloud
• Monitoring the Provider

(23)

Conclusions

• Many benefits to utilizing Cloud technologies
• Management should have a strategy for adopting Cloud technologies
• Establish processes for periodically evaluating and monitoring risks
• Management should ensure costs and benefits are reviewed for the long term
• Internal Audit and Finance should partner with management to help ensure the objectives of utilizing the Cloud are met

(24)
(25)

Contact Information:

John Lazarine
Rackspace Hosting
(210) 312-3473
[email protected]

Mark Salamasick
Jindal School of Management, The University of Texas at Dallas

(26)

Informational Sources

• COSO Enterprise Risk Management for Cloud Computing
• Global Technology Guide 18 Cloud Computing from IIA International
• Cloud Security Alliance (CSA)
  – Cloud Controls Matrix
  – Consensus Assessments Initiative Questionnaire
• CloudAudit.org
• Isaca.org cloud computing
• European Network and Information Security Agency (ENISA)
  – Cloud Computing: Information Assurance Framework
• NIST 800-144
