cloud computing jason lannen_4-28-10
Jason D. Lannen, CISA
Wednesday, April 28, 2010
ISACA Atlanta
Cloud Computing
TURNKEY IT SOLUTIONS, LLC WWW.TURNKEYIT.NET
Wednesday April 28, 2010
Agenda
• What is Cloud Computing
• Evolution & Drivers
• Recent Case Studies
• Components
• Risks
• Risk Mitigation
• An Audit Perspective
• Q&A
What is Cloud Computing
Definitions
• “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST & Cloud Security Alliance)
• “Performing computing tasks via a network connection while remaining isolated from the complex computing hardware and networking infrastructures that supports it” (ISACA Journal, Volume 6 2009, Sailesh Gadia)
• “Taking advantage of services, storage space, and resources provided somewhere else – on another computer, through an Internet connection.” (Tim O’Reilly, Web 2.0)
• “Computing over the internet using a web-browser”
Characteristics of Cloud Computing
• On Demand
• Across Networks
• Rapid Elasticity
• Flexible Pricing Models
• Resource Pooling
Cloud Computing Examples
• Everyday User
– E-mail
– Pictures
– Video
– Personal Calendar
– Online Banking / EFT
– Social Media
Where is this information stored?
Cloud Computing Diagram
Source: Cloud Computing: An Auditor’s Perspective, ISACA Journal Volume 6, 2009
U.S. CIO – Vivek Kundra
Posted by Vivek Kundra on September 15, 2009 at 12:09 PM EDT on the White House Blog (http://www.whitehouse.gov/blog/streaming-at-100-in-the-cloud/):
• “Today, I am excited to announce that we have launched Apps.gov to help continue the President’s initiative to lower the cost of government operations while driving innovation within government…Apps.gov is an online storefront for federal agencies to quickly browse and purchase cloud-based IT services, for productivity, collaboration, and efficiency.”
• “Cloud computing is the next generation of IT in which data and applications will be housed centrally and accessible anywhere and anytime by a various devices (this is opposed to the current model where applications and most data is housed on individual devices). By consolidating available services, Apps.gov is a one-stop source for cloud services – an innovation that not only can change how IT operates, but also save taxpayer dollars in the process.”
Evolution to Cloud Computing
Late 1960s
• Idea of centralized computing
• Implementation of mainframes
1980s
• Client Server architecture was invented
1990s
• Internet gained widespread popularity and acceptance
• Virtualization of desktops and servers
• Grid Computing
• Utility Computing
1999
• Salesforce.com (SaaS)
2002
• Amazon Web Service (IaaS)
2004
• Web 2.0 Conference
2006
• Amazon launched its Elastic Compute cloud (EC2/S3)
2009
• Google, Microsoft offering browser-based enterprise applications
Drivers to Cloud Computing
• People
• Technology
• Marketplace
Technology:
• Encryption
• Virtualization (Multi-tenancy)
– Centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.)
– Peak-load capacity increases (users need not engineer for highest possible load-levels)
– Utilization and efficiency improvements for systems that are often only 10–20% utilized.
• Affordable high-speed bandwidth
Source: VMWare website
Marketplace:
• Changes in World Markets
• Global Competition
• Increased cost of computing & resources
• Current economic conditions
– Operational Costs
– Shareholder Pressures
People:
• We have embraced technology
• Trust internet
• Need IT to survive in our lives
IT Computing Demands
• IT computing, processing and storing demands are ever-increasing.
• Without the ‘Cloud’ and the emergence of technology to support computing, there would be exponential increases in:
– Number of servers
– Number of support staff to manage them
– Energy Consumption / Greenhouse Gas Emission
– Costs of using IT for business and consumers
Cloud Computing Case Studies
• Blue Coat - December 2009:
– 20-25% stated they had a cloud computing application
– 25-30% stated their organization has started to implement private cloud computing.
– Companies with fewer than 99 employees were more likely to use public cloud computing services than implement a private cloud computing solution.
– Companies with greater than 10,000 employees are more likely to have implemented private cloud computing than they are to be using public cloud computing services.
• Blue Coat (Continued):
– 33% of respondents indicated their organization would either make an initial or additional use of public and/or private cloud computing in the next year.
– 25% of respondents indicated that their organization sees value in cloud computing but the risks outweigh the benefits.
– Less than 8% indicated that their organization did not see any significant value in cloud computing.
2010 ISACA Survey Risk / Reward Barometer (Published 4/7/10):
• Only 10 percent of respondents’ organizations plan to use cloud computing for mission-critical IT services
• 26 percent do not plan to use it for any IT services.
• Close to half of US IT professionals say that the risks of cloud computing outweigh the benefits
Benefits of Cloud Computing
Focus is the end-user:
• Users don’t need to have knowledge to manage and support it
• Users don’t own the infrastructure
• Users don’t need storage space
• Data is always backed up and is always available, anywhere you need it
• Capacity and processing can change as demand changes
• Less up front capital is required to develop and deploy (Time & $)
• Lower total cost of ownership (TCO) and higher return on investment (ROI)
• Cost transparency
Key is understanding and managing Cloud Computing risks!
Components of Cloud Computing
Deployment Models
Source: ISACA eSymposium, “Service Management – a linchpin to effective cloud computing” by Bruce E. Ott, IBM Cloud Marketing
Delivery Models
• Software as a service (SaaS): Google Apps, Gmail, Salesforce.com
• Platform as a service (PaaS): Google AppEngine, Force.com
• Infrastructure as a service (IaaS): Amazon EC2, Data Centers
Infrastructure as a Service
• Data centers
– Ping (aka Remote Access)
– Pipe (aka Bandwidth)
– Power
• Data Centers provide:
– Managed Services
– Co-location
– Point to Point Connections
Risks of Cloud Computing
Implementation Risk
[Chart: Risk (Lower to Higher) plotted against Company Size and IT Complexity (Small to Large)]
Security Risk
• Authentication
• Data Loss & Privacy
• Data Ownership
• Access Control
• Administration
Operational Risk
• System Interfaces
• System Integration
• System Availability
• Business Continuity
• Backup & Recovery
Regulatory Risk
• Sarbanes Oxley
• SAS 70
• PCI
• HIPAA
• ISO
• GLBA
Risk Mitigation
• Governance
• Policies & Procedures
• Implementation of Controls
Layers, with their inputs and outputs:
• Governance
– Inputs: Determine governance framework; Business needs user requirements; Involve all relevant business units (i.e. finance, marketing, legal, sales, etc.); Develop IT strategy
– Outputs: Cloud vendor; Cloud application; Cloud platform; Cloud infrastructure
• Policies & Procedures
– Inputs: Work with management and staff to document; Setup periodic review of policies & training seminars
– Outputs: Implementation of policies & user awareness
• Implementation of Controls
– Inputs: Via Internal Audit, Legal, consultants, etc.
– Outputs: Sustainable control environment to mitigate Cloud risks
Audit Key Considerations
Auditing - Take a TurnKey approach…
• Understand your client
– How do they make money?
– What is their current financial state?
– What are their business goals (short and long term)?
– How does IT fit in with their business strategy?
• Understand their IT systems
– What are the significant applications & underlying infrastructure? Where are they located?
– How is IT access administration currently managed?
– How is data managed?
– Are there plans to move processes to the Cloud? If so, who is the project champion(s) and what processes and data?
• Understand their control environment
– Business Process Controls
– IT General Controls
– Prior Year Deficiencies
– Areas of Risk
• Understand changes in roles at your client resulting from Cloud Computing
– CIO
– CISO
– Tactical management & staff
Cloud Control Considerations
• How did the client choose the Cloud vendor?
• What controls will be managed by the Cloud vendor?
• What controls will continue to be managed by the client?
• What risk mitigation strategy has the client put in place in the event the Cloud provider does not come through on its promises?
Q&A
Contact Information
Jason Lannen, CISA
Phone: 770.402.9102
Email: [email protected]
Website: http://www.turnkeyit.net
Resources Identified
– Gerard, Scott, “Maximize your Web 2.0 efforts with Cloud Computing,” IBM Cloud Computing, April 2 2009
– Clyde, Rob., “5 Questions with Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 2 2010, pp. 1-4
– Gadia, Sailesh, “Cloud Computing: An Auditors Perspective,” ISACA JOURNAL, published 2009; Vol. 6 2009, pp. 1-5
– Hardy, Gary, “Cloud Computing: Improving the Business Management and Governance of Services,” ISACA e-Symposium
– Raval, Vasant, “Risk Landscape of Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 1 2010, pp. 1-5
– Otte, Bruce E., “Service Management – a Linchpin to Effective Cloud Computing,” ISACA e-Symposium
– Wikipedia, “Cloud Computing,” http://en.wikipedia.org/wiki/Cloud_computing [retrieved April 27, 2010].
– Mulholland, Andy, “Why are Clouds so Hard to Understand?”, Cap Gemini [online], Feb. 1, 2010, http://www.capgemini.com/cgi-bin/blog/mt-tb.cgi/1233 [retrieved 13 April 2010].
– Antonick, Jasmine, “A Brief History of… Cloud Computing”, Under the Radar [online], March 30, 2010, http://www.undertheradarblog.com/blog/a-brief-history-of-cloud-computing/ [retrieved 13 April 2010].
– Mohamed, Arif, “A History of Cloud Computing”, ComputerWeekly.com [online], March 27, 2009, http://utilitycomputing.com/links/AHistoryOfCloudComputing20090327.asp [retrieved 13 April 2010].
– Claburn, Thomas, “FTC Examining Cloud Computing”, Information Week [online], Jan. 5, 2010, http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=22 [retrieved 7 January 2010].
– Metzler, Dr. Jim, "Cloud Computing: A Reality check & Guide to Risk Mitigation", Webtorials [online], December 2009, www.bluecoat.com/doc/direct/12771 [retrieved 20 April 2009].
– Almond, Carl, "A Practical Guide to Cloud Computing Security: What you need to know now about your business and cloud security", Avanade [online], Aug. 27, 2009, http://www.avanade.com/_uploaded/pdf/practicalguidetocloudcomputingsecurity681482.pdf [retrieved 20 April 2009].
– Stokes, Jon, “The Cloud: A Short Introduction,” ars technica [online], Nov. 8, 2009, http://arstechnica.com/business/news/2009/11/the-cloud-a-short-introduction.ars/2 [retrieved 13 April 2010].
– McCroy, Dave, “Is Cloud Computing Really New? (The History Behind the Cloud)”, The Collective [online], Jan. 20, 2010, http://community.hyper9.com/blogs/streettalk/archive/2010/01/20/is-cloud-computing-really-new-the-history-behind-the-cloud.aspx [retrieved 13 April 2010].
– Chiu, Willy, “From Cloud Computing to the New Enterprise Data Center”, IBM [online], May 28, 2008, www.ibm.com/developerworks/websphere/zones/hipods/ [retrieved 7 January 2010].
– Karpinski, Rich, “Study: IT shops have cash in hand for cloud computing”, Telephony Online [online], Aug. 5, 2009, http://telephonyonline.com/business_services/news/it-study-cloud-computing-0825/ [retrieved 3 Sept 2009].