Cloud Computing demystified!
ISACA-IIA Joint Meeting Dec 9, 2014
By: Juman Doleh-Alomary, Office of Internal Audit
People are driving a convergence of information, social interaction, mobility, and cloud.
Estimated to be
29% of 2014 IT spending
89% of all IT spending growth
77% of Market is moving to cloud or non-traditional storage by 2016
IDC #237886, Volume: 1, Tab: Markets. Storage Systems: Forecast Update
What is the Big Deal?
Cloud Computing is the ability to gain access and use of a shared pool of
computing resources.
(e.g. network, servers, storage, applications, and services)
What is Cloud Computing?
Cloud Computing has two dimensions
1. Type of cloud
2. Services provided by the cloud
Cloud Computing Dimensions
Internal/Private cloud – its infrastructure is operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally.
Type: Private Cloud
Individual Company LAN with virtualization
Tailored to the company’s needs.
Accessed only by company employees and vendors.
Hosted internally or externally exclusively for the organization.
Reliable and more controlled.
Private Cloud
Public cloud – its infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Type: Public Cloud
Publicly Shared Services
Open to all users
Easy to set-up
Inexpensive, cost is covered by provider
Pay as you go - if there is cost
Location independent
Public Cloud
Community cloud – its infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Type: Community Cloud
Healthcare community cloud
Subset of a public cloud
Tailored to provide security and regulatory requirements in line with HIPAA (Health Insurance Portability and Accountability Act)
Users share common need for the cloud
Community Cloud
Hybrid cloud – its infrastructure is a composition of two or more distinct cloud types (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability and use.
Type: Hybrid Cloud
Software as a Service (SaaS)
Is a case where you use the complete software application that’s running on someone else’s servers. The best example of this is Google Docs, which you can use for creating and storing text documents, presentations, spreadsheets and so on…
User installs zero software
Application accessed through the web
Maintenance & upgrades are completed by the vendor
What is SaaS?
Platform as a Service (PaaS)
User creates applications using web-based tools so they run on systems software and hardware provided by another company. As an example, consider a situation where you develop your own e-commerce website but have the whole thing, including the shopping cart, checkout, and payment mechanism running on a merchant’s server.
The underlying computer and storage resources scale automatically to match application demand
User may install a thin client to access the service
Maintenance & upgrades are completed by the vendor
What is PaaS?
Infrastructure as a Service (IaaS)
Is basically when you buy raw computing hardware to use over the net, usually servers, or online storage. You buy what you need and pay-as-you-go. The best and the most basic example of this type of cloud computing is buying web hosting for your website. You pay a monthly fee to a hosting company for the storage on their servers and to have them serve up files for your website from those servers.
User may install needed software
User accesses the service through the internet or carrier clouds (dedicated virtual private networks).
Maintenance & upgrades are completed by the vendor
What is IaaS?
[Figure: Cloud View. Labels: Internet, Company user machine, PaaS, SaaS, IaaS]
**All logos are copyrighted by their respective companies
On-demand self-service
Accessible from anywhere – Mobile, computer, tablet
Collaboration capabilities
Scalability: Cloud Bursting (organization only pays for extra compute resources)
Backup and disaster recovery
Don’t need to retain SMEs
Resource pooling
Benefits
Each cloud service offers tradeoffs between extensibility (openness) and security responsibility
SaaS: least extensibility and greatest amount of security responsibility taken on by the Cloud provider
IaaS: greatest extensibility and least amount of security responsibility taken on by the Cloud provider
PaaS: somewhere in the middle, with extensibility and security features that are leveraged by the customer
Tradeoffs: Openness vs Security
Step 1. Why do I need the cloud?
Identify the business need for the cloud
Interview the business stakeholders
Identify the specific need
Ensure it is aligned with the organization objective
Assessing for the Cloud
Step 2. Who will use it and where?
Identify the users for the cloud service
Understand the user base for the service globally
Categorize them based on their job function
Capture the projected total number of users
Assessing for the Cloud
Step 3. When does the company need it?
Identify the timeline that the services need to be deployed
Obtain the IT strategy plan to identify possible deployment time
Understand your resource availability to work on the Cloud deployment
Assessing for the Cloud
Step 4. What type of service is needed from the cloud?
Identify which service is needed (IaaS, PaaS, SaaS)
Research companies that offer the service needed with requirements gathered
Compare each provider’s pros and cons
Ensure the technology interfaces with the company’s systems
Assessing for the Cloud
Questions Checklist:
How long has the provider been in business?
What is the BBB rating and reviews?
Are there any lawsuits?
Where is the company incorporated? For compliance
Assessing the Cloud
Questions Checklist:
What critical data is stored or processed in the cloud?
Where will the data be hosted?
Who owns the data? Or uploaded transactional material?
Assessing the Cloud
Questions Checklist:
What is the security profile of the cloud? Security risks and controls in place for compliance
Access
Encryption
Durability
Availability
How to obtain security assurance from the cloud service provider? SOC 1, 2, 3 or SSAE 16, or ISO 27001
Assessing the Cloud
Cloud Computing is here to stay – Driven by you!
Dimensions of the cloud
Type: Private, Public, Community, & Hybrid
Service: IaaS, PaaS, SaaS
Benefits & Trade Offs
On Demand
Accessibility from anywhere
Scalable
Security & Control
Assessing the Cloud is a must!
Summary
QUESTIONS?
Juman Doleh-Alomary, Office of Internal Audit, [email protected], 313-577-6406