cloud computing: implementation challenges

Post on 13-Jan-2016


Cloud Computing: Implementation Challenges

Marco Ramos, KPMG

marcoramos@kpmg.com
787-367-9057

Stay-or-go: In-House vs. The Cloud

• Power consumption
• Data Center Management
• Storage Management
• Ensuring availability
– Redundancy = $$$$$ x 2
• Virtualization
• Carbon footprint

Service Organizations vs. The Cloud

Service Organization vs. The Cloud:
• Fixed Fee / Pay-per-user
• Pay-as-you-go / Transactional Basis
• Independent Auditor’s Report: SSAE #16 (formerly known as SAS 70)

Approaches: In-house vs. SaaS vs. PaaS vs. IaaS

In-house:
• Salary
• Hardware (+ upgrade, + maintenance)
• Licenses
• Backup
• Off-site
• Development
• Configuration
• Storage
• Network

SaaS / PaaS / IaaS:
• Large scale standardization
• Cost-effective and time saving for app development
• Cost-effective
• Business can focus on core activities
• Public vs. private: collaboration solutions
• Faster set-up of development and testing environments
• Manage peak loads
• Green IT

Implementation Challenges

• Data Privacy
• Security
• CAPEX vs. OPEX (fixed costs vs. variable costs)
• Tax-related issues
• Regulatory ambiguity
• Cross-country: transfer of data across borders
• Reliability and availability
• Transition and execution risks
• Limited scope for customization
• Cultural resistance (IT!)
• SLAs
• Ownership of data
• What happens at the end of the contract? What information the Cloud provider returns, in what format, and whether it is readable
• Performance (response time)
• Hardware decommissioning

More Challenges…

• Limited IT Budget: initial set-up & upgrades
• Scalability of systems: managing peak demands means investing in additional hardware & software that is underutilized in non-peak loads
• Longer time setting up IT infrastructure
• Need for mobility

Larger benefits to industry and market segments

• Government
• Healthcare
• Education
• SME/PyMEs – competitive edge to reach the IT resources of global companies: affordable, reliable, and flexible computing solutions, enabling them to compete more effectively with larger organizations

Cross-country Cloud: Data transfer across borders

• Is the Cloud provider ensuring where data is hosted? i.e. Data Centers in Chicago, LA & NY, or India, China, and Mexico?

• Canada’s Patriot Act does not allow IT projects to use US-based hosting environments

• Germany and UK have regulations related to email

Cloud DOES NOT MEAN Dissolve IT staff!!!

The Company still needs:
• Technical support
• Network, provisioning, and user certification
• Increased bandwidth
• Training and On-boarding

Cloud Strategy

• Sponsored by the CIO
• Shift focus from configuration, implementation, and maintenance of in-house applications to implementing strategy and meeting business needs

• It is a strategic business decision rather than a purely technology decision

Green Computing: Green IT

Axel E. Robert, Company

email@email.com
787-XXX-XXXX


Cloud Computing: Security Challenges

Rory Rivera, PE, MSEE, MSM, Deep Logistics

email@email.com


Security is the Major Issue


Analyzing Cloud Security

• Some key issues:
– trust, multi-tenancy, encryption, compliance
• Clouds are massively complex systems that can be reduced to simple primitives, replicated thousands of times, plus common functional units
• Cloud security is a tractable problem
– There are both advantages and challenges

Former Intel CEO, Andy Grove: “only the paranoid survive”


General Security Challenges

• Trusting vendor’s security model

• Customer inability to respond to audit findings

• Obtaining support for investigations

• Indirect administrator accountability

• Proprietary implementations can’t be examined

• Loss of physical control


Security Relevant Cloud Components

• Cloud Provisioning Services

• Cloud Data Storage Services

• Cloud Processing Infrastructure

• Cloud Support Services

• Cloud Network and Perimeter Security

• Elastic Elements: Storage, Processing, and Virtual Networks


Cloud Network and Perimeter Security

• Advantages
– Distributed denial of service protection
– VLAN capabilities
– Perimeter security (IDS, firewall, authentication)
• Challenges
– Virtual zoning with application mobility


Security and Data Privacy Across IaaS, PaaS, SaaS

• Many existing standards
• Identity and Access Management (IAM)
– IdM federation (SAML, WS-Federation, Liberty ID-FF)
– Strong authentication standards (HOTP, OCRA, TOTP)
– Entitlement management (XACML)
• Data Encryption (at-rest, in-flight), Key Management
– PKI, PKCS, KEYPROV (CT-KIP, DSKPP), EKMI
• Records and Information Management (ISO 15489)
• E-discovery (EDRM)


Cloud Security Challenges Part 1

• Data dispersal and international privacy laws
– EU Data Protection Directive and U.S. Safe Harbor program
– Exposure of data to foreign government and data subpoenas
– Data retention issues
• Need for isolation management
• Multi-tenancy
• Logging challenges
• Data ownership issues
• Quality of service guarantees


Cloud Security Challenges Part 2

• Dependence on secure hypervisors
• Attraction to hackers (high value target)
• Security of virtual OSs in the cloud
• Possibility for massive outages
• Encryption needs for cloud computing
– Encrypting access to the cloud resource control interface
– Encrypting administrative access to OS instances
– Encrypting access to applications
– Encrypting application data at rest
• Public cloud vs internal cloud security
• Lack of public SaaS version control


Additional Issues

• Issues with moving PII and sensitive data to the cloud
– Privacy impact assessments
• Using SLAs to obtain cloud security
– Suggested requirements for cloud SLAs
– Issues with cloud forensics
• Contingency planning and disaster recovery for cloud implementations
• Handling compliance
– FISMA
– HIPAA
– SOX
– PCI
– SAS 70 Audits


Cloud Migration and Cloud Security Architectures

• Clouds typically have a single security architecture but have many customers with different demands
– Clouds should attempt to provide configurable security mechanisms
• Organizations have more control over the security architecture of private clouds, followed by community and then public
– This doesn’t say anything about actual security
• Higher sensitivity data is likely to be processed on clouds where organizations have control over the security model


Putting it Together

• Most clouds will require very strong security controls

• All models of cloud may be used for differing tradeoffs between threat exposure and efficiency

• There is no one “cloud”. There are many models and architectures.

• How does one choose?

Cloud Computing: Audit Challenges

John R. Robles, John R. Robles and Associates

www.johnrrobles.com
jrobles@coqui.net
787-647-3961

Cloud Computing: Audit Challenges

• Must
– Audit,
– Review, and
– Report on the Internal Controls System surrounding the implementation and operations of Cloud Technology
• You must have an ICS, so let’s determine if it is effective and efficient (effective & efficient internal controls)

Cloud Computing: Audit Challenges

So you want to go to the Cloud or are already there? Then:
• How did you identify the assets selected for cloud deployment?
• Did you evaluate risks related to those assets?
• For each asset, did you analyze risks to the organization if:
– Assets became widely public and widely distributed?
– Employees of our cloud provider accessed the assets?
– Cloud processes or functions were manipulated by an outsider?
– Cloud processes or functions failed to provide expected results?
– Information/data were unexpectedly changed?
– Assets were unavailable for a period of time?

Cloud Computing: Audit Challenges

• How did you map assets to potential cloud deployment models?
– Public
– Private, internal/on-premises
– Private, external (including dedicated or shared infrastructure)
– Community; taking into account the hosting location, potential service provider, and identification of other community members
– Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside
• Did you evaluate relevant potential cloud service models and providers?
• Did you document the potential data flow?

Internal Control Framework

• Review internal control framework
– Control Environment (set up by BOD & management)
– Organization's risk appetite
– Risk Assessments
– Control Activities
– Information and Communications Management Systems
– Operations Monitoring

Cloud Computing – Maturity Model

Maturity Model for Internal Control (columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls)

Maturity Level 0 - Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1 - Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2 - Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3 - Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4 - Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders.

Maturity Level 5 - Optimized
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective.

Cloud Computing: Now What?

• During the year, PRCCUG will:
– Have periodic meetings to discuss these challenges
– Discuss solutions
– Present solutions from 1st Level vendors
– Provide networking among professionals interested in Cloud Computing

Cloud Computing: Now What?

• Join us and the Puerto Rico Cloud Computing and Green Computing User Group.

Questions and Answers!!
