cloud services measurement, audit – and standards
Cloud Services Measurement, Audit – and Standards
Martin Kuppinger
Founder and Principal Analyst, KuppingerCole
Abstract
• Cloud computing provides an opportunity for organizations to optimize the procurement of IT services from both internal and external suppliers. However, many organizations are sleepwalking into the Cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource responsibility. This session will look at the issues that may be forgotten or ignored when adopting cloud computing. These include:
  – Ensuring legal and regulatory compliance
  – Assuring data security
  – Ensuring business continuity
  – Avoiding lock-in
Agenda
• The Seven Deadly Sins
• The Ten Cloud Commandments
• Summary
SEVEN DEADLY SINS
Seven Capital Vices
• Used by the Christian church to teach the origin of sin.
  – Wrath
  – Greed
  – Sloth
  – Pride
  – Lust
  – Envy
  – Gluttony
Cloud Computing Seven Deadly Sins
• Sloth
  – Not knowing you are using the Cloud
  – Not assuring legal and regulatory compliance
  – Not knowing what data is in the cloud
  – Not managing identity and access to the cloud
  – Not managing business continuity and the cloud
  – Becoming locked in to one provider
  – Not managing your Cloud provider
TEN COMMANDMENTS OF CLOUD COMPUTING
Summary
• To avoid the Seven Deadly Sins of Cloud, follow the ten commandments:
  1. Know that you are using the Cloud
  2. Use Good Governance for the Cloud and other IT Services
  3. Choose the right kind of Cloud
  4. Assure Compliance
  5. Assure Information Security
  6. Manage Identity and Access
  7. Assure privilege management
  8. Include the Cloud in your Business Continuity Plan
  9. Avoid Lock-in
  10. Manage the Cloud Service Provider
#2 Use Good Governance for the Cloud as well as other IT Services
Cloud Governance
#10 Manage the Cloud Service Provider
Legal Risk - Contract
• In general, outsourcing contracts are negotiated SLAs
• Cloud Provider Contracts are
  – Largely “take it or leave it”
  – May have less onerous obligations on provider
  – Almost total exclusion of liability
Probability: Very High
Impact: High
Source: Legal Considerations Cloud computing contracts, Kristof de Vulder, DLA Piper LLP, http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/DLA_Cloudcomputing%20legal%20considerations.pdf
Cloud Service Delivery Management
• Check the implementation of agreements, monitor compliance and manage changes to ensure that the services delivered meet all requirements agreed with the third party.
ISO 27001 Control 10.2
• Customer Responsibility: Ensure service levels and security controls in the Cloud service agreement are implemented, operated, and maintained.
• Provider Responsibility: Provide data on service levels and controls and certification through external audits.
What’s out there?
• Cloud Security Alliance “Cloud Controls Matrix”
  – Approach to enhance Internal Controls Frameworks to Cloud Services
• ISO 27001
  – Independent of deployment model, works for Cloud Services as well
• Data Protection Requirement Analysis (“Schutzbedarfsanalyse” – BSI approach)
  – Focus on information assets which have to be protected
  – Can be enhanced for cloud
• Carnegie Mellon SMI
  – Cloud Service Measurement Initiative Consortium
  – Set of KPIs for measuring cloud services
• NIST
  – Just published a definition of “Cloud”
• Who else?
  – …
Cloud Security Alliance: CCM
ISO 27001
What you need
• Selection
  – Quick, prepared, comprehensive, focused, risk-aware
  – Short list of questions
• Internal Controls
  – Less time-sensitive, probes, prepared, limited, risk-aware
  – Comprehensive control frameworks
Process Model and Prerequisites
[Figure: governance stages]
• Traditional (System Governance)
• Advanced (Information Governance)
• Cloud basics (Information and Service Governance)
• Cloud ready (Full Governance)
Figure labels: Systems, Systems, Services, Services
QUESTIONS?