Cloud Computing – Risk and Rewards Mark Salamasick Director of Center for Internal Auditing For Austin Chapter of the IIA April 14, 2015
Mark Salamasick Over 25 years internal audit and consulting experience Industry experience: Financial Services, Utility, Oil & Gas, Technology, and Education Companies: Central Michigan University, Accenture, Bank of America, and University of Texas at Dallas Published: Most recent book “Auditing Outsourced Functions”
University of Texas at Dallas Founded in 1969, based in Richardson Over 19,000 students and over 7,000 in the business school One of the fastest growing Universities in the US One of the largest graduate Accounting programs with over 750 students and over 900 undergraduate accounting students Largest Graduate Internal Audit program worldwide New cross discipline cybersecurity concentration
Session Overview Cloud computing is changing the way we all look at outsourced technology. This session will help in gaining an understanding and evaluating the rewards that can be gained from the cloud. The reduction of technology costs and immediate availability of technology infrastructure provide alternatives that must be considered. At the same time all cloud based solutions are not the same and your organization must evaluate the risks. Cloud solutions are here to stay and transform the way we do business. Also, come hear the latest guidance provided by COSO in addressing the opportunities, rewards and risk mitigation of doing business in the cloud. Learning Objectives: 1. 1.Understand the opportunities provided by cloud computing Understand the new risks from cloud computing along with risk mitigation techniques Learn the right questions to ask when doing business in the Cloud.
Cloud Computing… *
Dilbert on Cloud Computing
What is Cloud? The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling “…… convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” *
Service Models & Uses Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) OverviewApplications over a network Developer platform with built-in services Rent processing, storage, network capacity and other computing resources Level of Customer Control Does not manage or control the underlying Cloud infrastructure, servers, O/S, network, storage or individual application capabilities (with the exception of user configurable settings) Has control over the deployed applications and possibly the application hosting environment configurations Has control over the operating systems, storage and deployed application *
Deployment Models & Uses Deployment ModelDescription Private CloudOperated solely for an organization May be managed by the organization or a third party May exist on or off premise Public CloudMade available to the general public Owned by an organization selling cloud services Hybrid CloudA composition of two or more clouds (private, public and/or community) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). Community CloudShared by several organizations Supports a specific community that has a shared mission or interest May be managed by the organization or a third party May reside on or off premise *
Gartner Key Players in the Cloud
Examples of Good Uses of Cloud General Business applications E-business hosting Enterprise Applications Cloud native applications Test and development
ISACA Survey
Benefits of Cloud Computing Cost control – Utility model Speed - Immediate provisioning (setting up resources) Focus - Allows company to focus on core competencies Scalability – Ability to dynamically adjust resources according to demand with little to no notice Performance – Utilizing severer load balancing Operational Expertise – Patch management, version updates, data security *
Economic Architectural Strategic Elements of Cloud Computing Value *
Cloud Security—Today Provider transparency –Trust, reliability and viability –SLAs Data protection Malicious insiders—social engineering Cloud-specific attacks Account/service hijacking Physical threats
Cloud Security—Tomorrow Globally compatible legislation Cloud compatibility standards Real-time management Identity management Responding to security incidents Bandwidth Pricing
Controls Virtual firewalls Encryption—as close to the source as possible Network access Secure SAN protocols Regular deletion of unused assets Logs and audit trails Compliance requirements –SOX and (SSAE 16/SAS70)
Public Clouds—Entertainment Tech and media companies are racing to create Internet-video hit programs on the scale of traditional TV –Netflix and Kevin Spacey –Hulu and Kiefer Sutherland –Yahoo, Sony, AOL, YouTube –Consumers are watching more video on Internet TVs and tablet computers video on Internet TVs and tablet computers
State of the Cloud Worldwide
Attributes of BSA Report Card
Right Questions to Ask
Risks Disruptive Force Residing in the same risk ecosystem as the CSP Lack of Transparency Security, Compliance and Data Jurisdiction Reliability, performance, and high-value cyber- attack target Risk of data leakage IT organizational changes Potential vendor lock-in Cloud service provider viability
Cloud Computing Board Oversight Questions? Who in management is responsible for understanding and management the business risks associated with cloud computing? What are competitors doing with cloud solutions? Are cloud computing initiatives aligned with the organization’s risk appetite? Does management have the skills required to understand the complexities associated with cloud computing? How is management mitigating organizational risks resulting from reliance on the activities of a third-party cloud service provider?
Cloud Computing Management Questions? What is management’s stand on outsourcing functions? Does the organization anticipate rapid growth that might require using cloud solutions? Is the organization in a mature market that might require using cloud computing to save costs to remain competitive? How should the organization prepare for cloud computing? Who should be involved in the evaluation process, and who makes the decision? How can the organization manage its risks adequately while operating in a business environment with cloud computing? *
Other Considerations Cloud solution pricing predictability Captive renter Involvement of representatives across the organization Clear definitions of responsibilities and required interactions between the organization and the CSP Evaluation of business continuity requirements Ultimate legal responsibility and liability Relinquishment of direct control of specific technology areas
Key Tasks in the Road to the Cloud Assessing the Cloud Strategy Evaluating Cloud Providers Moving to the Cloud Monitoring the Service Providers *
Conclusions Many benefits to utilizing Cloud technologies Management should have a strategy for adopting Cloud technologies Establish processes for periodically evaluating and monitoring risks Management should ensure costs and benefits are reviewed for long term *
QUESTIONS
Contact Information: Mark Salamasick Jindal School of Management The University of Texas at Dallas (972)
Informational Sources COSO Enterprise Risk Management for Cloud Computing Global Technology Guide 18 Cloud Computing from IIA International Cloud Security Alliance (CSA) –Cloud Controls Matrix –Consensus Assessments Initiative Questionnaire CloudAudit.org Isaca.org cloud computing European Network and Information Security Agency (ENISA) –Cloud Computing: Information Assurance Framework NIST