Cloud Computing – Risk and Rewards
John LazarineVice President and Chief Audit Executive
Mark Salamasick
Director of Center for Internal Auditing
For Dallas CPA Society – Convergence 2013May 8, 2013
John Lazarine
• 25 years of Internal Audit experience
• Industry experience: Retail, Financial Services, Oil & Gas, Telecommunications, Aerospace & Defense, Construction and Technology Services
• Companies: JCPenney, Mobil Oil, Alcatel, Raytheon, Centex and Rackspace
*
Rackspace
• Founded in 1998, based in San Antonio• Service leader in Cloud Computing• 180,000+ customers, 4,300 employees• 8 Data Centers based in the US, UK and HK• Key Products: Cloud Hosting, Managed Hosting
and Email & Apps all backed by Fanatical Support.
*
Mark Salamasick
• Over 25 years internal audit and consulting experience
• Industry experience: Financial Services, Utility, Oil & Gas, Technology, and Education
• Companies: Central Michigan University, Accenture, Bank of America, and University of Texas at Dallas
• Published: Most recent book “Auditing Outsourced Functions”
University of Texas at Dallas
• Founded in 1969, based in Richardson• Over 19,000 students and over 6,300 in the
business school• One of the fastest growing Universities in the US• One of the largest graduate Accounting programs
with over 850 students• Largest Graduate Internal Audit program
worldwide• New cross discipline cybersecurity concentration
Session OverviewCloud computing is changing the way we all look at outsourced technology. This session will help in gaining an understanding and evaluating the rewards that can be gained from the cloud. The reduction of technology costs and immediate availability of technology infrastructure provide alternatives that must be considered. At the same time all cloud based solutions are not the same and your organization must evaluate the risks. Cloud solutions are here to stay and transform the way we do business. Also, come hear the latest guidance provided by COSO in addressing the opportunities, rewards and risk mitigation of doing business in the cloud.
Learning Objectives:1. Understand the opportunities provided by cloud computing. 2. Understand the new risks from cloud computing along with risk mitigation techniques. 3. Learn the right questions to ask when doing business in the Cloud.
What is Cloud?
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling “…… convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
*
Service Models & UsesSoftware as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Overview Applications over a network
Developer platform with built-in services
Rent processing, storage, network capacity and other computing resources
Level of Customer Control
Does not manage or control the underlying Cloud infrastructure, servers, O/S, network, storage or individual application capabilities (with the exception of user configurable settings)
Has control over the deployed applications and possibly the application hosting environment configurations
Has control over the operating systems, storage and deployed application
*
Deployment Models & UsesDeployment Model Description
Private Cloud • Operated solely for an organization• May be managed by the organization or a third party• May exist on or off premise
Public Cloud • Made available to the general public• Owned by an organization selling cloud services
Hybrid Cloud • A composition of two or more clouds (private, public and/or community) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Community Cloud • Shared by several organizations• Supports a specific community that has a shared mission or
interest• May be managed by the organization or a third party• May reside on or off premise
*
Benefits of Cloud Computing Cost control – Utility model
Speed - Immediate provisioning (setting up resources)
Focus - Allows company to focus on core competencies
Scalability – Ability to dynamically adjust resources according to demand with little to no notice
Performance – Utilizing severer load balancing
Operational Expertise – Patch management, version updates, data security
*
Elasticity
Utility Pricing
Virtual Resource
s
Automation
Self-Service
Third-Party
Owners
Managed Operations
Economic
Architectural
StrategicElements of
Cloud Computing Value
*
Cloud Security—Today Provider transparency
– Trust , reliability and viability– SLAs
Data protection Malicious insiders—social engineering Cloud-specific attacks Account/service hijacking Physical threats
Cloud Security—Tomorrow Globally compatible legislation Cloud compatibility standards Real-time management Identity management Responding to security incidents Bandwidth Pricing
Controls Virtual firewalls Encryption—as close to the source as possible Network access Secure SAN protocols Regular deletion of unused assets Logs and audit trails Compliance requirements
– SOX and (SSAE 16/SAS70)
Public Clouds—Entertainment Tech and media companies are racing to create
Internet-video hit programs on the scale of traditional TV– Netflix and Kevin Spacey– Hulu and Kiefer Sutherland– Yahoo, Sony, AOL, YouTube– Consumers are watching more
video on Internet TVs and tablet computers
Risks Disruptive Force Residing in the same risk ecosystem as the CSP Lack of Transparency Security, Compliance and Data Jurisdiction Reliability, performance, and high-value cyber-
attack target Risk of data leakage IT organizational changes Potential vendor lock-in Cloud service provider viability
Cloud Computing Board Oversight Questions?
Who in management is responsible for understanding and management the business risks associated with cloud computing?
What are competitors doing with cloud solutions? Are cloud computing initiatives aligned with the
organization’s risk appetite? Does management have the skills required to understand
the complexities associated with cloud computing? How is management mitigating organizational risks
resulting from reliance on the activities of a third-party cloud service provider?
Cloud Computing Management Questions?
What is management’s stand on outsourcing functions? Does the organization anticipate rapid growth that might
require using cloud solutions? Is the organization in a mature market that might require
using cloud computing to save costs to remain competitive?
How should the organization prepare for cloud computing? Who should be involved in the evaluation process, and who
makes the decision? How can the organization manage its risks adequately
while operating in a business environment with cloud computing?
*
Other Considerations
Cloud solution pricing predictability Captive renter Involvement of representatives across the organization Clear definitions of responsibilities and required
interactions between the organization and the CSP Evaluation of business continuity requirements Ultimate legal responsibility and liability Relinquishment of direct control of specific technology
areas
Key Tasks in the Road to the Cloud
• Assessing the Cloud Strategy• Evaluating Cloud Providers• Moving to the Cloud• Monitoring the Provider
*
Conclusions Many benefits to utilizing Cloud technologies Management should have a strategy for adopting Cloud
technologies Establish processes for periodically evaluating and
monitoring risks Management should ensure costs and benefits are
reviewed for long term Internal Audit and Finance should partner with
management to help ensure the objectives of utilizing the Cloud is met
*
Contact Information:John LazarineRackspace Hosting(210) [email protected]
Contact Information:Mark SalamasickJindal School of ManagementThe University of Texas at
Dallas(972) [email protected]
Informational Sources COSO Enterprise Risk Management for Cloud Computing Global Technology Guide 18 Cloud Computing from IIA
International Cloud Security Alliance (CSA)
– Cloud Controls Matrix– Consensus Assessments Initiative Questionnaire
CloudAudit.org Isaca.org cloud computing European Network and Information Security Agency (ENISA)
– Cloud Computing: Information Assurance Framework NIST 800-144