Cloud Computing – Risk and Rewards


Cloud Computing – Risk and Rewards
John Lazarine, Vice President and Chief Audit Executive
Mark Salamasick, Director of Center for Internal Auditing
For Dallas CPA Society – Convergence 2013, May 8, 2013

John Lazarine
- 25 years of Internal Audit experience
- Industry experience: Retail, Financial Services, Oil & Gas, Telecommunications, Aerospace & Defense, Construction and Technology Services
- Companies: JCPenney, Mobil Oil, Alcatel, Raytheon, Centex and Rackspace

Rackspace
- Founded in 1998, based in San Antonio
- Service leader in Cloud Computing
- 180,000+ customers, 4,300 employees
- 8 Data Centers based in the US, UK and HK
- Key Products: Cloud Hosting, Managed Hosting and Email & Apps, all backed by Fanatical Support

Mark Salamasick
- Over 25 years internal audit and consulting experience
- Industry experience: Financial Services, Utility, Oil & Gas, Technology, and Education
- Companies: Central Michigan University, Accenture, Bank of America, and University of Texas at Dallas
- Published: Most recent book “Auditing Outsourced Functions”

University of Texas at Dallas
- Founded in 1969, based in Richardson
- Over 19,000 students and over 6,300 in the business school
- One of the fastest growing Universities in the US
- One of the largest graduate Accounting programs with over 850 students
- Largest Graduate Internal Audit program worldwide
- New cross discipline cybersecurity concentration

Session Overview
Cloud computing is changing the way we all look at outsourced technology. This session will help in understanding and evaluating the rewards that can be gained from the cloud. The reduction of technology costs and immediate availability of technology infrastructure provide alternatives that must be considered. At the same time, not all cloud-based solutions are the same, and your organization must evaluate the risks. Cloud solutions are here to stay and are transforming the way we do business. Also, come hear the latest guidance provided by COSO in addressing the opportunities, rewards and risk mitigation of doing business in the cloud.

Learning Objectives:
- Understand the opportunities provided by cloud computing.
- Understand the new risks from cloud computing along with risk mitigation techniques.
- Learn the right questions to ask when doing business in the Cloud.

Cloud Computing…

Dilbert on Cloud Computing

What is Cloud?
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling “… convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Service Models & Uses

Software as a Service (SaaS)
- Overview: Applications over a network
- Level of Customer Control: Does not manage or control the underlying Cloud infrastructure, servers, O/S, network, storage or individual application capabilities (with the exception of user configurable settings)

Platform as a Service (PaaS)
- Overview: Developer platform with built-in services
- Level of Customer Control: Has control over the deployed applications and possibly the application hosting environment configurations

Infrastructure as a Service (IaaS)
- Overview: Rent processing, storage, network capacity and other computing resources
- Level of Customer Control: Has control over the operating systems, storage and deployed application

Deployment Models & Uses

Private Cloud
- Operated solely for an organization
- May be managed by the organization or a third party
- May exist on or off premise

Public Cloud
- Made available to the general public
- Owned by an organization selling cloud services

Hybrid Cloud
- A composition of two or more clouds (private, public and/or community) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

Community Cloud
- Shared by several organizations
- Supports a specific community that has a shared mission or interest
- May reside on or off premise

ISACA Survey

Benefits of Cloud Computing
- Cost control – Utility model
- Speed – Immediate provisioning (setting up resources)
- Focus – Allows company to focus on core competencies
- Scalability – Ability to dynamically adjust resources according to demand with little to no notice
- Performance – Utilizing server load balancing
- Operational Expertise – Patch management, version updates, data security

Elements of Cloud Computing Value
- Elements: Elasticity, Utility Pricing, Virtual Resources, Automation, Self-Service, Third-Party Owners, Managed Operations
- Diagram groupings: Economic, Strategic, Architectural

Cloud Security—Today
- Provider transparency
- Data protection
- Trust, reliability and viability
- SLAs
- Data protection
- Malicious insiders—social engineering
- Cloud-specific attacks
- Account/service hijacking
- Physical threats

Cloud Security—Tomorrow
- Globally compatible legislation
- Cloud compatibility standards
- Real-time management
- Identity management
- Responding to security incidents
- Bandwidth
- Pricing

Controls
- Virtual firewalls
- Encryption—as close to the source as possible
- Network access
- Secure SAN protocols
- Regular deletion of unused assets
- Logs and audit trails
- Compliance requirements
- SOX and (SSAE 16/SAS70)

Public Clouds—Entertainment
- Tech and media companies are racing to create Internet-video hit programs on the scale of traditional TV
- Netflix and Kevin Spacey
- Hulu and Kiefer Sutherland
- Yahoo, Sony, AOL, YouTube
- Consumers are watching more video on Internet TVs and tablet computers

State of the Cloud Worldwide

Attributes of BSA Report Card

Right Questions to Ask

Risks
- Disruptive Force
- Residing in the same risk ecosystem as the CSP
- Lack of Transparency
- Security, Compliance and Data Jurisdiction
- Reliability, performance, and high-value cyber-attack target
- Risk of data leakage
- IT organizational changes
- Potential vendor lock-in
- Cloud service provider viability

Cloud Computing Board Oversight Questions?
- Who in management is responsible for understanding and managing the business risks associated with cloud computing?
- What are competitors doing with cloud solutions?
- Are cloud computing initiatives aligned with the organization’s risk appetite?
- Does management have the skills required to understand the complexities associated with cloud computing?
- How is management mitigating organizational risks resulting from reliance on the activities of a third-party cloud service provider?

Cloud Computing Management Questions?
- What is management’s stand on outsourcing functions?
- Does the organization anticipate rapid growth that might require using cloud solutions?
- Is the organization in a mature market that might require using cloud computing to save costs to remain competitive?
- How should the organization prepare for cloud computing?
- Who should be involved in the evaluation process, and who makes the decision?
- How can the organization manage its risks adequately while operating in a business environment with cloud computing?

Other Considerations
- Cloud solution pricing predictability
- Captive renter
- Involvement of representatives across the organization
- Clear definitions of responsibilities and required interactions between the organization and the CSP
- Evaluation of business continuity requirements
- Ultimate legal responsibility and liability
- Relinquishment of direct control of specific technology areas

Key Tasks in the Road to the Cloud
- Assessing the Cloud Strategy
- Evaluating Cloud Providers
- Moving to the Cloud
- Monitoring the Provider

Conclusions
- Many benefits to utilizing Cloud technologies
- Management should have a strategy for adopting Cloud technologies
- Establish processes for periodically evaluating and monitoring risks
- Management should ensure costs and benefits are reviewed for long term
- Internal Audit and Finance should partner with management to help ensure the objectives of utilizing the Cloud are met

QUESTIONS

Contact Information:
John Lazarine
Rackspace Hosting
(210) 312-3473
John.Lazarine@rackspace.com

Contact Information:
Mark Salamasick
Jindal School of Management
The University of Texas at Dallas
(972) 883-4729
Mark.Salamasick@utdallas.edu

Informational Sources
- COSO Enterprise Risk Management for Cloud Computing
- Global Technology Guide 18 Cloud Computing from IIA International
- Cloud Security Alliance (CSA)
- Cloud Controls Matrix
- Consensus Assessments Initiative Questionnaire
- CloudAudit.org
- Isaca.org cloud computing
- European Network and Information Security Agency (ENISA) Cloud Computing: Information Assurance Framework
- NIST 800-144