cloud computing jason lannen_4-28-10

Jason D. Lannen, CISA, Wednesday, April 28, 2010, ISACA Atlanta, Cloud Computing, TURNKEY IT SOLUTIONS, LLC, WWW.TURNKEYIT.NET


Page 1: Cloud computing jason lannen_4-28-10

Jason D. Lannen, CISA

Wednesday, April 28, 2010

ISACA Atlanta

Cloud Computing

TURNKEY IT SOLUTIONS, LLC WWW.TURNKEYIT.NET

Wednesday April 28, 2010

Page 2: Cloud computing jason lannen_4-28-10

Agenda

• What is Cloud Computing
• Evolution & Drivers
• Recent Case Studies
• Components
• Risks
• Risk Mitigation
• An Audit Perspective
• Q&A

Page 3: Cloud computing jason lannen_4-28-10


What is Cloud Computing

Page 4: Cloud computing jason lannen_4-28-10

Definitions

• “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST & Cloud Security Alliance)

• “Performing computing tasks via a network connection while remaining isolated from the complex computing hardware and networking infrastructures that supports it” (ISACA Journal, Volume 6 2009, Sailesh Gadia)


Page 5: Cloud computing jason lannen_4-28-10

Definitions

• “Taking advantage of services, storage space, and resources provided somewhere else – on another computer, through an Internet connection.” (Tim O’Reilly, Web 2.0)

• “Computing over the internet using a web-browser”


Page 6: Cloud computing jason lannen_4-28-10

Characteristics of Cloud Computing

• On Demand
• Across Networks
• Rapid Elasticity
• Flexible Pricing Models
• Resource Pooling

Page 7: Cloud computing jason lannen_4-28-10

Cloud Computing Examples

• Everyday User
– E-mail
– Pictures
– Video
– Personal Calendar
– Online Banking / EFT
– Social Media

Where is this information stored?

Page 8: Cloud computing jason lannen_4-28-10

Cloud Computing Diagram

Source: Cloud Computing: An Auditor’s Perspective, ISACA Journal Volume 6, 2009

Page 9: Cloud computing jason lannen_4-28-10

U.S. CIO – Vivek Kundra

Posted by Vivek Kundra on September 15, 2009 at 12:09 PM EDT on the White House Blog (http://www.whitehouse.gov/blog/streaming-at-100-in-the-cloud/):

• “Today, I am excited to announce that we have launched Apps.gov to help continue the President’s initiative to lower the cost of government operations while driving innovation within government…Apps.gov is an online storefront for federal agencies to quickly browse and purchase cloud-based IT services, for productivity, collaboration, and efficiency.”

• “Cloud computing is the next generation of IT in which data and applications will be housed centrally and accessible anywhere and anytime by a various devices (this is opposed to the current model where applications and most data is housed on individual devices). By consolidating available services, Apps.gov is a one-stop source for cloud services – an innovation that not only can change how IT operates, but also save taxpayer dollars in the process.”


Page 10: Cloud computing jason lannen_4-28-10

Evolution to Cloud Computing


Page 11: Cloud computing jason lannen_4-28-10

Evolution to Cloud Computing

Late 1960s
• Idea of centralized computing
• Implementation of mainframes

1980s
• Client Server architecture was invented

1990s
• Internet gained widespread popularity and acceptance
• Virtualization of desktops and servers
• Grid Computing
• Utility Computing

Page 12: Cloud computing jason lannen_4-28-10

Evolution to Cloud Computing

1999
• Salesforce.com (SaaS)

2002
• Amazon Web Service (IaaS)

2004
• Web 2.0 Conference

2006
• Amazon launched its Elastic Compute cloud (EC2/S3)

2009
• Google, Microsoft offering browser-based enterprise applications

Page 13: Cloud computing jason lannen_4-28-10


Drivers to Cloud Computing

Page 14: Cloud computing jason lannen_4-28-10

Drivers to Cloud Computing

People

Technology

Marketplace


Cloud Computing


Page 15: Cloud computing jason lannen_4-28-10

Drivers to Cloud Computing

Technology:
• Encryption
• Virtualization (Multi-tenancy)
– Centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.)
– Peak-load capacity increases (users need not engineer for highest possible load-levels)
– Utilization and efficiency improvements for systems that are often only 10–20% utilized.
• Affordable high-speed bandwidth

Source: VMWare website

Page 16: Cloud computing jason lannen_4-28-10

Drivers to Cloud Computing

Marketplace:
• Changes in World Markets
• Global Competition
• Increased cost of computing & resources
• Current economic conditions
– Operational Costs
– Shareholder Pressures

Page 17: Cloud computing jason lannen_4-28-10

Drivers to Cloud Computing

People:
• We have embraced technology
• Trust internet
• Need IT to survive in our lives

Page 18: Cloud computing jason lannen_4-28-10

IT Computing Demands

• IT computing, processing and storing demands are ever-increasing.

• Without the ‘Cloud’ and the emergence of technology to support computing, there would be exponential increases in:
– Number of servers
– Number of support staff to manage them
– Energy Consumption / Greenhouse Gas Emission
– Costs of using IT for business and consumers

Page 19: Cloud computing jason lannen_4-28-10

Dilbert says…


Page 20: Cloud computing jason lannen_4-28-10


Cloud Computing Case Studies

Page 21: Cloud computing jason lannen_4-28-10

Cloud Computing Case Studies

• Blue Coat - December 2009:
– 20-25% stated they had a cloud computing application
– 25-30% stated their organization has started to implement private cloud computing.
– Companies with fewer than 99 employees were more likely to use public cloud computing services than implement a private cloud computing solution.
– Companies with greater than 10,000 employees are more likely to have implemented private cloud computing than they are to be using public cloud computing services.

Page 22: Cloud computing jason lannen_4-28-10

Cloud Computing Case Studies

• Blue Coat (Continued):
– 33% of respondents indicated their organization would either make an initial or additional use of public and or private cloud computing in the next year.
– 25% of respondents indicated that their organization sees value in cloud computing but the risks outweigh the benefits.
– Less than 8% indicated that their organization did not see any significant value in cloud computing.

Page 23: Cloud computing jason lannen_4-28-10

Cloud Computing Case Studies

2010 ISACA Survey Risk / Reward Barometer (Published 4/7/10):

• Only 10 percent of respondents’ organizations plan to use cloud computing for mission-critical IT services

• 26 percent do not plan to use it for any IT services.

• Close to half of US IT professionals say that the risks of cloud computing outweigh the benefits


Page 24: Cloud computing jason lannen_4-28-10

Benefits of Cloud Computing

Focus is the end-user:
• Users don’t need to have knowledge to manage and support it
• Users don’t own the infrastructure
• Users don’t need storage space
• Data is always backed up and is always available, anywhere you need it
• Capacity and processing can change as demand changes
• Less up front capital is required to develop and deploy (Time & $)
• Lower total cost of ownership (TCO) and higher return on investment (ROI)
• Cost transparency

Key is understanding and managing Cloud Computing risks!

Page 25: Cloud computing jason lannen_4-28-10

Components of Cloud Computing


Page 26: Cloud computing jason lannen_4-28-10

Deployment Models

Source: ISACA eSymposium, “Service Management – a linchpin to effective cloud computing” by Bruce E. Ott, IBM Cloud Marketing


Page 27: Cloud computing jason lannen_4-28-10

Delivery Models

• Software as a service (SaaS): Google Apps, Gmail, Salesforce.com
• Platform as a service (PaaS): Google AppEngine, Force.com
• Infrastructure as a service (IaaS): Amazon EC2, Data Centers

Page 28: Cloud computing jason lannen_4-28-10

Infrastructure as a Service


Page 29: Cloud computing jason lannen_4-28-10

Infrastructure as a Service


Page 30: Cloud computing jason lannen_4-28-10

Infrastructure as a Service


Page 31: Cloud computing jason lannen_4-28-10

Infrastructure as a Service

• Data centers
– Ping (aka Remote Access)
– Pipe (aka Bandwidth)
– Power

• Data Centers provide:
– Managed Services
– Co-location
– Point to Point Connections

Page 32: Cloud computing jason lannen_4-28-10

Risks of Cloud Computing


Page 33: Cloud computing jason lannen_4-28-10

Implementation Risk

[Chart: Risk (Lower to Higher) versus Company Size and IT Complexity (Small to Large)]

Page 34: Cloud computing jason lannen_4-28-10

Security Risk

Authentication

Data Loss & Privacy

Data Ownership

Access Control

Administration

Page 35: Cloud computing jason lannen_4-28-10

Operational Risk

• System Interfaces
• System Integration
• System Availability
• Business Continuity
• Backup & Recovery

Page 36: Cloud computing jason lannen_4-28-10

Operational Risk


Page 37: Cloud computing jason lannen_4-28-10

Operational Risk


Page 38: Cloud computing jason lannen_4-28-10

Regulatory Risk

• Sarbanes Oxley
• SAS 70
• PCI
• HIPAA
• ISO
• GLBA

Page 39: Cloud computing jason lannen_4-28-10

Risk Mitigation


Page 40: Cloud computing jason lannen_4-28-10

Risk Mitigation

Governance

Policies & Procedures

Implementation of Controls


Page 41: Cloud computing jason lannen_4-28-10

Risk Mitigation

Layers, with their Inputs and Outputs:

• Governance
– Inputs: Determine governance framework; Business needs user requirements; Involve all relevant business units (i.e. finance, marketing, legal, sales, etc).; Develop IT strategy
– Outputs: Cloud vendor; Cloud application; Cloud platform; Cloud infrastructure

• Policies & Procedures
– Inputs: Work with management and staff to document; Setup periodic review of policies & training seminars
– Outputs: Implementation of policies & user awareness

• Implementation of Controls
– Inputs: Via Internal Audit, Legal, consultants, etc
– Outputs: Sustainable control environment to mitigate Cloud risks

Page 42: Cloud computing jason lannen_4-28-10


Audit Key Considerations

Page 43: Cloud computing jason lannen_4-28-10

Auditing - Take a TurnKey approach…


Page 44: Cloud computing jason lannen_4-28-10

Audit Key Considerations

• Understand your client
– How do they make money?
– What is their current financial state?
– What are their business goals (short and long term)?
– How does IT fit in with their business strategy?

• Understand their IT systems
– What are the significant applications & underlying infrastructure? Where are they located?
– How is IT access administration currently managed?
– How is data managed?
– Are there plans to move processes to the Cloud? If so, who is the project champion(s) and what processes and data?

Page 45: Cloud computing jason lannen_4-28-10

Audit Key Considerations

• Understand their control environment
– Business Process Controls
– IT General Controls
– Prior Year Deficiencies
– Areas of Risk

• Understand changes in roles at your client resulting from Cloud Computing
– CIO
– CISO
– Tactical management & staff

Page 46: Cloud computing jason lannen_4-28-10

Audit Key Considerations

Cloud Control Considerations
• How did the client choose the Cloud vendor?
• What controls will be managed by the Cloud vendor?
• What controls will continue to be managed by the client?
• What risk mitigation strategy has the client put in place in the event the Cloud provider does not come through on its promises?

Page 47: Cloud computing jason lannen_4-28-10

Q&A


Page 48: Cloud computing jason lannen_4-28-10

Contact Information

Jason Lannen, CISA

Phone: 770.402.9102

Email: [email protected]

Website: http://www.turnkeyit.net

Page 49: Cloud computing jason lannen_4-28-10

Resources Identified

– Gerard, Scott, “Maximize your Web 2.0 efforts with Cloud Computing,” IBM Cloud Computing, April 2 2009

– Clyde, Rob., “5 Questions with Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 2 2010, pp. 1-4

– Gadia, Sailesh, “Cloud Computing: An Auditors Perspective,” ISACA JOURNAL, published 2009; Vol. 6 2009, pp. 1-5

– Hardy, Gary, “Cloud Computing: Improving the Business Management and Governance of Services,” ISACA e-Symposium

– Raval, Vasant, “Risk Landscape of Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 1 2010, pp. 1-5

– Otte, Bruce E., “Service Management – a Linchpin to Effective Cloud Computing,” ISACA e-Symposium

– Wikipedia, “Cloud Computing,” http://en.wikipedia.org/wiki/Cloud_computing [retrieved April 27, 2010].


Page 50: Cloud computing jason lannen_4-28-10

Resources Identified

– Mulholland, Andy, “Why are Clouds so Hard to Understand?”, Cap Gemini [online], Feb. 1, 2010, http://www.capgemini.com/cgi-bin/blog/mt-tb.cgi/1233 [retrieved 13 April 2010].

– Antonick, Jasmine, “A Brief History of… Cloud Computing”, Under the Radar [online], March 30, 2010, http://www.undertheradarblog.com/blog/a-brief-history-of-cloud-computing/ [retrieved 13 April 2010].

– Mohamed, Arif, “A History of Cloud Computing”, ComputerWeekly.com [online], March 27, 2009, http://utilitycomputing.com/links/AHistoryOfCloudComputing20090327.asp [retrieved 13 April 2010].

– Claburn, Thomas, “FTC Examining Cloud Computing”, Information Week [online], Jan. 5, 2010, http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=22 [retrieved 7 January 2010].

Page 51: Cloud computing jason lannen_4-28-10

Resources Identified

– Metzler, Dr. Jim, “Cloud Computing: A Reality check & Guide to Risk Mitigation”, Webtorials [online], December 2009, www.bluecoat.com/doc/direct/12771 [retrieved 20 April 2009].

– Almond, Carl, “A Practical Guide to Cloud Computing Security: What you need to know now about your business and cloud security”, Avanade [online], Aug. 27, 2009, http://www.avanade.com/_uploaded/pdf/practicalguidetocloudcomputingsecurity681482.pdf [retrieved 20 April 2009].

– Stokes, Jon, “The Cloud: A Short Introduction,” ars technica [online], Nov. 8, 2009, http://arstechnica.com/business/news/2009/11/the-cloud-a-short-introduction.ars/2 [retrieved 13 April 2010].

– McCroy, Dave, “Is Cloud Computing Really New? (The History Behind the Cloud)”, The Collective [online], Jan. 20, 2010, http://community.hyper9.com/blogs/streettalk/archive/2010/01/20/is-cloud-computing-really-new-the-history-behind-the-cloud.aspx [retrieved 13 April 2010].

– Chiu, Willy, “From Cloud Computing to the New Enterprise Data Center”, IBM [online], May 28, 2008, www.ibm.com/developerworks/websphere/zones/hipods/ [retrieved 7 January 2010].

– Karpinski, Rich, “Study: IT shops have cash in hand for cloud computing”, Telephony Online [online], Aug. 5, 2009, http://telephonyonline.com/business_services/news/it-study-cloud-computing-0825/ [retrieved 3 Sept 2009].