Cloud Computing Risk Assessments

Post on 14-Jan-2016


Page 1: Cloud Computing Risk Assessments

www.isaca.org

Cloud Computing Risk Assessments

Donald Gallien

March 31, 2011

Page 2: Cloud Computing Risk Assessments

Overview

• Cloud Computing Refresher

• Assessing Cloud Computing Universe Completeness

• Using a Cloud Computing Risk Ranking Model

• Risk Ranking Case Study

Page 3: Cloud Computing Risk Assessments

Quiz

• What do the following have in common?
  – Paisley GRC
  – Salesforce.com
  – Amazon EC2
  – Google Apps
  – Microsoft Business Productivity Online Suite (BPOS)
  – Rackspace
  – WebEx

Page 4: Cloud Computing Risk Assessments

Cloud Computing Refresher

Page 5: Cloud Computing Risk Assessments

Cloud Computing Basics

• Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)

• Based on virtualization and abstraction of the underlying infrastructure

• IT Audit Risk is largely driven by:
  – Deployment Model
  – Service Model
  – Nature of Applications & Data in Cloud

Page 6: Cloud Computing Risk Assessments

Deployment Models

Model      Definition                                                                                  Example
Public     Available to the general public or a large industry group                                   Google Apps (Free)
Community  Shared by several organizations and supports a specific community that has shared concerns  Google Apps for Government
Private    Operated solely for an organization                                                         Microsoft BPOS for a Business

Source: NIST

Page 7: Cloud Computing Risk Assessments

Service Models

Model                               Definition                                                                            Example
Infrastructure as a Service (IaaS)  Fundamental computing resources to deploy software, including OS and applications      Rackspace Cloud
Platform as a Service (PaaS)        Applications based on programming languages and tools supported by the cloud provider  Force.com
Software as a Service (SaaS)        Cloud provider applications running on a cloud infrastructure                         Salesforce.com (CRM)

Source: NIST

Page 8: Cloud Computing Risk Assessments

Another Way to Look at Service Models

[Figure: service model examples, WebEx, BPOS, Amazon EC2]

Page 9: Cloud Computing Risk Assessments

Deployment Model Risk Profile

[Chart: likelihood of data security, privacy, and control breach by deployment model (Public, Community, Private)]

Page 10: Cloud Computing Risk Assessments

Service Model Risk Profile

[Chart: impact of loss of control and security breach by service model (IaaS, PaaS, SaaS)]

Page 11: Cloud Computing Risk Assessments

Cloud Refresher Summary

• Public clouds are inexpensive, but provide less security and service

• Private clouds are expensive, but align better with technology and security standards

• IaaS models are very broad in scope, but organizations maintain more control

• SaaS models are narrow in scope, but organizations relinquish almost all control

What is the impact of cloud computing on the IT audit function?

Page 12: Cloud Computing Risk Assessments

But one thing never changes

• All IT Audit and Governance groups must:
  1. Identify a Universe
  2. Risk Rank the Universe
  3. Provide Appropriate Coverage based on Risk

Page 13: Cloud Computing Risk Assessments

Assessing Cloud Computing Universe Completeness

Page 14: Cloud Computing Risk Assessments

The Cloud Universe Challenge

Page 15: Cloud Computing Risk Assessments

Finding the Clouds

Page 16: Cloud Computing Risk Assessments

Technology Governance

• Oversight
• Technology Approvals
• Partner Approvals

How does your organization promote controlled cloud computing?

Page 17: Cloud Computing Risk Assessments

Firewalls and Encryption Certificates

• Firewall & VPN Rule Changes
• Firewall Logs
• Encryption Certificate Requests

Cloud computing environments are unlikely to stand alone.

Page 18: Cloud Computing Risk Assessments

Invoices / T&E Reporting

• Vendor Master
• Invoice Lists
• T&E Reporting

How much does it cost to deploy a cloud-based e-mail service at Google?

Page 19: Cloud Computing Risk Assessments

Process Walkthroughs

• Business Process
• Data Flow
• Technology Overview

Has anyone discovered cloud-based computing in a walkthrough meeting?

Page 20: Cloud Computing Risk Assessments

Summary – Universe Completeness

• Cloud computing can be difficult to identify

• Traditional technology governance, security, and procurement controls can be used to identify cloud computing

• Users and business analysts could be your best source of cloud computing information

What else can you do to identify cloud computing?
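The slides on firewall logs and on invoices / vendor master data describe two of the "traditional controls" that can surface cloud usage the audit universe does not yet list. The following is an added example (not the presenter's material) of how an auditor might run both sources through one script to build a candidate cloud universe. The providers on the watch list are the ones the slides name; the domains, the vendor-name keywords, the log format and the sample log lines and invoice rows are all constructed for this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Providers named in the slides. The domains and vendor keywords are this
# example's assumptions about how each shows up in logs and invoices; a real
# watch list would be maintained by the organization.
PROVIDER_DOMAINS = {
    "salesforce.com": "Salesforce.com (SaaS)",
    "force.com": "Force.com (PaaS)",
    "amazonaws.com": "Amazon EC2 (IaaS)",
    "webex.com": "WebEx (SaaS)",
    "rackspace.com": "Rackspace Cloud (IaaS)",
}
VENDOR_KEYWORDS = {
    "salesforce": "Salesforce.com (SaaS)",
    "amazon web services": "Amazon EC2 (IaaS)",
    "webex": "WebEx (SaaS)",
    "rackspace": "Rackspace Cloud (IaaS)",
}

# Constructed firewall log lines in a made-up key=value format (no real product).
FIREWALL_LOG = """\
2011-03-31T09:12:04 ALLOW src=10.20.5.17 dst=login.salesforce.com dport=443
2011-03-31T09:12:09 ALLOW src=10.20.5.17 dst=intranet.example.local dport=80
2011-03-31T09:15:41 ALLOW src=10.20.7.3 dst=ec2-203-0-113-9.compute-1.amazonaws.com dport=22
2011-03-31T09:20:00 DENY src=10.20.9.8 dst=198.51.100.4 dport=445
2011-03-31T10:01:15 ALLOW src=10.20.5.22 dst=acme.webex.com dport=443
2011-03-31T10:02:01 ALLOW src=10.20.5.17 dst=na1.salesforce.com dport=443
2011-03-31T10:05:30 ALLOW src=10.20.5.40 dst=notsalesforce.com.example.org dport=443
"""

# Constructed vendor master / invoice extract: (vendor name, invoice description).
VENDOR_INVOICES = [
    ("Salesforce.com Inc", "CRM subscription, 25 seats"),
    ("Office Supplies Ltd", "Toner and paper"),
    ("Rackspace US Inc", "Cloud Servers monthly usage"),
    ("Cisco WebEx LLC", "Meeting Center annual plan"),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def match_domain(host: str) -> Optional[str]:
    """Return the provider whose domain equals `host` or is a parent of it.

    Matching on a label boundary avoids false positives such as
    'notsalesforce.com.example.org', which merely contains a listed domain.
    """
    host = host.lower().rstrip(".")
    for domain, provider in PROVIDER_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return provider
    return None


def find_cloud_in_firewall_log(log: str) -> Dict[str, Set[str]]:
    """Provider -> internal source addresses seen in ALLOWed traffic to it."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["action"] != "ALLOW":
            continue  # skip unparsable lines and blocked traffic
        provider = match_domain(m["dst"])
        if provider:
            hits[provider].add(m["src"])
    return dict(hits)


def find_cloud_in_vendor_master(records) -> Dict[str, List[str]]:
    """Provider -> vendor names containing a watch-list keyword (case-insensitive)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for vendor, _description in records:
        for keyword, provider in VENDOR_KEYWORDS.items():
            if keyword in vendor.lower():
                hits[provider].append(vendor)
    return dict(hits)


def build_candidate_universe(log: str, records) -> Dict[str, Dict[str, list]]:
    """Merge both sources into provider -> {source: evidence} for follow-up."""
    universe: Dict[str, Dict[str, list]] = {}
    for provider, srcs in find_cloud_in_firewall_log(log).items():
        universe.setdefault(provider, {})["firewall"] = sorted(srcs)
    for provider, vendors in find_cloud_in_vendor_master(records).items():
        universe.setdefault(provider, {})["invoices"] = vendors
    return universe


if __name__ == "__main__":
    for provider, evidence in build_candidate_universe(FIREWALL_LOG, VENDOR_INVOICES).items():
        print(provider, evidence)
```

With the constructed inputs, Salesforce and WebEx appear in both sources, Amazon EC2 only in the firewall log and Rackspace only in the invoices; a provider seen in one source but not the other is exactly the kind of gap that warrants a walkthrough question.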

Page 21: Cloud Computing Risk Assessments

Using a Cloud Computing Risk Ranking Model

Page 22: Cloud Computing Risk Assessments

A few thoughts before we start

• Risk models include elements of judgment and must fit the organization

• Some model assumptions may be completely wrong for your organization
  – We should have a lot of debate on this topic

• Risk ranking scores must drive governance requirements and audit activities

Page 23: Cloud Computing Risk Assessments

Cloud Risk Ranking Example

Attribute              High (5)          Med (3)          Low (1)
Deployment Model       Public            Community        Private
Service Model          IaaS              PaaS             SaaS
Data Security Level    Secret            Restricted       Unclassified
Physical Hosting Site  Undefined         Int'l Location   Domestic Location
SOX Critical           Yes                                No
Dependent Apps         Greater than 10   4 to 10          0 to 3
Recovery Time          4 Hours           7 Days           31 Days
Region Supported       Europe or Global  US               All other

Page 24: Cloud Computing Risk Assessments

Potential Governance & Audit Requirements

Cloud Risk Category  Score  Governance Requirements  Audit Requirements / Frequency
High                 >25    SAS 70 Type II           Full Scope / Annual
Medium               11-24  SAS 70 Type I            Limited Scope / Bi-Annual
Low                  <10    None                     Risk Assess Only
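The attribute table on the previous slide and the category thresholds above together define a complete scoring model, so it is worth seeing it carried through end to end. The following is an added example (not the presenter's tool): it scores a service on the eight attributes, sums to a total, and looks up the governance and audit requirements. The 5/3/1 scores, the band thresholds and the requirement text come from the slides; the dictionary keys, the value spellings, the way an RTO between two anchors is scored and the sample inventory records are this example's own assumptions and are marked as such in the code.

```python
from typing import Dict, Optional, Tuple

# Slide 23 attribute scores: High = 5, Med = 3, Low = 1. Keys and value
# spellings are this example's own (constructed), not from the slides.
ATTRIBUTE_SCORES: Dict[str, Dict[str, int]] = {
    "deployment_model": {"Public": 5, "Community": 3, "Private": 1},
    "service_model": {"IaaS": 5, "PaaS": 3, "SaaS": 1},
    "data_security_level": {"Secret": 5, "Restricted": 3, "Unclassified": 1},
    "physical_hosting_site": {"Undefined": 5, "International": 3, "Domestic": 1},
    "sox_critical": {"Yes": 5, "No": 1},  # the slide lists only Yes and No
    "region_supported": {"Europe or Global": 5, "US": 3, "All other": 1},
}

# Slide 24: (governance requirement, audit requirement / frequency) per category.
REQUIREMENTS: Dict[str, Tuple[str, str]] = {
    "High": ("SAS 70 Type II", "Full Scope / Annual"),
    "Medium": ("SAS 70 Type I", "Limited Scope / Bi-Annual"),
    "Low": ("None", "Risk Assess Only"),
}


def score_dependent_apps(count: int) -> int:
    """Slide 23 bands: greater than 10 -> 5, 4 to 10 -> 3, 0 to 3 -> 1."""
    if count < 0:
        raise ValueError("dependent application count cannot be negative")
    if count > 10:
        return 5
    return 3 if count >= 4 else 1


def score_recovery_time(rto_hours: float) -> int:
    """Slide 23 anchors: 4 hours -> 5, 7 days -> 3, 31 days -> 1.

    Assumption (not on the slide): an RTO takes the score of the first anchor
    it fits within, so a 2-hour RTO is High and a 3-day RTO is Medium.
    """
    if rto_hours <= 0:
        raise ValueError("RTO must be a positive number of hours")
    if rto_hours <= 4:
        return 5
    return 3 if rto_hours <= 7 * 24 else 1


def categorize(total: int) -> Optional[str]:
    """Slide 24 thresholds taken literally: High >25, Medium 11-24, Low <10.

    Eight attributes scoring 1, 3 or 5 always sum to an even number, so 25
    never occurs, but 10 does (seven Low scores plus one Medium). A total the
    slide assigns to no band returns None so the gap is visible to the
    assessor rather than being silently rounded into a band.
    """
    if total > 25:
        return "High"
    if 11 <= total <= 24:
        return "Medium"
    if total < 10:
        return "Low"
    return None


def rank(assessment: dict) -> dict:
    """Score one service and look up its governance and audit requirements.

    An unknown attribute value raises instead of defaulting to Low, so a typo
    in an inventory record cannot quietly lower a score.
    """
    breakdown = {}
    for attr, table in ATTRIBUTE_SCORES.items():
        value = assessment[attr]
        if value not in table:
            raise ValueError(f"{attr}: unknown value {value!r}, expected one of {sorted(table)}")
        breakdown[attr] = table[value]
    breakdown["dependent_apps"] = score_dependent_apps(assessment["dependent_apps"])
    breakdown["recovery_time"] = score_recovery_time(assessment["rto_hours"])
    total = sum(breakdown.values())
    category = categorize(total)
    governance, audit = REQUIREMENTS.get(category, ("unassigned", "unassigned"))
    return {"breakdown": breakdown, "total": total, "category": category,
            "governance": governance, "audit": audit}


# Constructed inventory records for illustration (not taken from the slides).
SAMPLE_SERVICES = {
    "hosted CRM": dict(deployment_model="Public", service_model="SaaS",
                       data_security_level="Restricted", physical_hosting_site="Domestic",
                       sox_critical="Yes", region_supported="US", dependent_apps=6, rto_hours=7 * 24),
    "public IaaS, secret data": dict(deployment_model="Public", service_model="IaaS",
                       data_security_level="Secret", physical_hosting_site="Undefined",
                       sox_critical="Yes", region_supported="Europe or Global", dependent_apps=12, rto_hours=4),
    "private SaaS, low impact": dict(deployment_model="Private", service_model="SaaS",
                       data_security_level="Unclassified", physical_hosting_site="Domestic",
                       sox_critical="No", region_supported="All other", dependent_apps=2, rto_hours=31 * 24),
}

if __name__ == "__main__":
    for name, record in SAMPLE_SERVICES.items():
        r = rank(record)
        print(f"{name:26} total={r['total']:2d} {r['category']}: {r['governance']}; {r['audit']}")
```

The three constructed records land at 24 (Medium), 40 (High) and 8 (Low). Returning None for a total of 10 rather than forcing it into a band is deliberate: the slide's bands leave that value unassigned, and an organization adopting the model should decide where it belongs before scores drive audit frequency.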

Page 25: Cloud Computing Risk Assessments

Deployment Model Considerations

[Chart: Deployment Model scale, High to Low: Public, Community, Private]

Page 26: Cloud Computing Risk Assessments

Service Model Considerations

[Chart: Service Model scale, High to Low: IaaS, PaaS, SaaS]

Page 27: Cloud Computing Risk Assessments

Data Security Considerations

[Chart: Security Level scale, High to Low: Secret, Restricted, Unclassified]

Page 28: Cloud Computing Risk Assessments

Physical Hosting Site Considerations

[Chart: Hosting Site scale, High to Low: Undefined, International Location, Domestic Location]

Page 29: Cloud Computing Risk Assessments

SOX Criticality Considerations

[Chart: SOX Critical scale, High to Low: Yes, No]

Page 30: Cloud Computing Risk Assessments

Dependent Applications

[Chart: Number of Apps scale, High to Low: Greater than 10, 4 to 9, Less than 3]

Page 31: Cloud Computing Risk Assessments

Recovery Time Objectives (RTO) Considerations

[Chart: RTO scale, High to Low: 4 Hours, 7 Days, 31 Days]

Page 32: Cloud Computing Risk Assessments

Regions Supported Considerations

[Chart: Region scale, High to Low: Europe or Global, United States, All Other]

Page 33: Cloud Computing Risk Assessments

Summary – Cloud Risk Ranking Models

• Cloud risk ranking attributes and scoring must vary based on environment and need

• Risk attributes and scoring require alignment with organizational standards

What other risk attributes might you use, and how would you rank them on a high, medium, low basis?

Page 34: Cloud Computing Risk Assessments

Risk Ranking Case Study

Page 35: Cloud Computing Risk Assessments

Conclusions

• Business and technology leaders are embracing cloud computing; it is here to stay and growing

• Cloud computing standards and risk-ranked cloud universes are foundational requirements for governance

• We must adjust our approach to remain relevant

Page 36: Cloud Computing Risk Assessments

Questions

Contact Information: [email protected]