iia2013 ppt slides deck
TRANSCRIPT
ConfidentGovernance.com - Award winning Cloud migration experts. Patent pending “Governance as a Service®” innovators
Auditing in the Subscription Economy– CAE Overview
Implementing the next generation best practices in Governance and Risk
Mr. Bhavesh Bhagat, Founder - EnCrisp – ConfidentGovernance.com
Founding Chair - CSADC
“Clouds come floating into my life, no longer to carry rain or storm, but to add color to my sunset sky.”
– Rabindranath Tagore, Nobel Laureate in Literature (150-year anniversary)
Agenda
• Understand the Subscription Economy
• Cloud Computing concepts
• Risks and challenges
• “Democratizing Governance” use case
• Role of the CAE and Internal Audit
Ten-Year Computing Cycles: 10X more users with each cycle
2000s Mobile Cloud Computing
1990s Desktop Cloud Computing
1980s Client/server Computing
1970s Mini Computing
1960s Mainframe Computing
[Chart: Social Networking Surpasses Email. Global Users (MM), Social Networking Users vs. Email Users, 11/06 to 11/10, with an inflection point where social networking overtakes email.]
Facebook has reached its half-billion member mark, with an online population larger than the combined population of the U.S., Mexico, and France.
Broad Change in Internet Usage
Top Internet Users
22% of Internet time is social.
Next Generation Devices Changing How We Access the Internet
[Chart: Annual unit shipments (MM), 2007 through 2014E.]
Cloud Computing: NIST Definition
• National Institute of Standards and Technology (NIST) Special Publication 800-145
– Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
– Rapidly provisioned and released with minimal management effort or service provider interaction
– Composed of 5 essential characteristics, 3 service models, and 4 deployment models
– Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
Cloud Computing
Five Essential Characteristics:
• On-demand self-service: Get it when you need it
• Measured service: Pay for what you use
• Rapid elasticity: Increase and decrease capacity quickly
• Broad network access: Access it from any Internet connection
• Resource pooling: Share fixed costs, which lowers individual costs
Cloud Computing: Three Service Models
• Software as a Service (SaaS)
– Capability made available to the tenant (or consumer) to use the provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces
– Examples: Salesforce.com, Drop Box, Box.net, Google Docs, WebEx
• Platform as a Service (PaaS)
– Capability made available to the tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by the provider
– Examples: Force.com, Microsoft Azure, Amazon Web Services
• Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
– Capability made available to the tenant to provision processing, storage, networks or other fundamental computing resources to host and run the tenant’s apps
– Examples: Rackspace, Terremark (Verizon), Savvis, AT&T
Cloud Computing: Four Deployment Models
(1) PRIVATE – Accessibility: Single Organization; Management: Organization or Third Party; Host: On or Off Premise
(2) COMMUNITY – Accessibility: Shared with Common Interests / Requirements; Management: Organization or Third Party; Host: On or Off Premise
(3) PUBLIC – Accessibility: General Public / Large Industry Group; Management: Cloud Provider; Host: On or Off Premise
(4) HYBRID
Cloud Computing: Why cloud – Business Impact and Use Case Considerations
Columns: Data | Infrastructure | Access Method
• Virtualized Technology: Local Data | On or Off premises | Off premises; On or Off Premises
• Virtualized Processes and Data: Local Data plus BIG DATA (social media domain) | Shared local and Cloud | On or Off Premises
• Virtualized Organizations: On or Off Premise | On or Off Premise | BYOD
• Virtualized Business Models
Cloud Computing: CAEs need to think from the CFO's perspective
• Faster Time to Results
• Better Working Capital cycle
• Reduced CAPEX
• Reduced CGS
• Reduced SG&A
• Environmental Sustainability as byproduct
Virtualized Business Models
CAE’s guide to Cloud Use Cases (Source: CIO.com Annual CIO survey 2010-2011)
Plans to Use Cloud Services, three columns: (a) Currently using, Actively Researching, or Planning to use in one to three years; (b) Planning to use in three to five years; (c) No plans to use
• Application platforms and development software: 68% / 2% / 30%
• Collaboration tools: 79% / 4% / 17%
• Enterprise application software: 63% / 3% / 34%
• Personal productivity software: 53% / 4% / 43%
• Utilities / management software: 66% / 2% / 32%
• Networks: 52% / 2% / 45%
• Storage: 63% / 7% / 30%
• Servers: 59% / 2% / 39%
CAE decision enablers: Evaluating the Cloud Model
CAE Cloud Vendor Considerations
• Do they understand our business and needs?
• Can they provide the support we are used to?
• How does it fit with our existing architecture?
• Who else has adopted within our industry – relevant references?
• How do the new entrants in the enterprise IT market (Amazon, Google, etc.) view the enterprise market?
• What are the new Risk Domains?
• What are the Regulatory, Compliance and Risk mitigation guidelines?
How Does our Enterprise Benefit From the Cloud Opportunity?
• How do we reduce the complexity of our business processes and IT footprint by taking non-core computing to the cloud, transferring non-core applications to the cloud, or outsourcing to the cloud?
• Can we improve the efficiency of our development organization through speedy access to computing resources?
• Can we make IT more responsive/nimble by using cloud computing architectures?
• Can we assist in reducing CAPEX spend in line with CFO needs?
• Can we get higher availability and recovery at a lower price?
New Opportunities - New Challenges: New Risk Mitigating Strategies
• Security – New ways of thinking about security need to evolve for new issues; cloud computing presents new security challenges:
– Trusting the vendor's security model
– Customer inability to respond to audit findings
– Obtaining support for investigations
– Indirect administrator accountability
– Proprietary implementations cannot be examined
– Loss of physical control
– Attraction to hackers (high-value target)
• Privacy – Issues moving PII and sensitive data into the cloud
• Fear of mass outages – Fueled by high-profile outages of many popular cloud services (e.g., Gmail, Google Apps, Apple's MobileMe, Amazon's S3)
New Opportunities - New Challenges: New Risk Mitigating Strategies (continued)
• Cultural and organizational barriers – The organization must acquire new core capabilities; cloud skepticism
• Difficulty tracking and delivering against defined SLAs – Especially significant in the federal government, where a data breach could constitute a violation of the law
• International sovereignty / cooperation – Cloud computing could involve the movement of data between countries with differing laws regarding technology and property. Determining jurisdiction and facilitating cross-border cooperation on these matters may prove challenging.
What is Different about Cloud?
GRC-XML: What is it?
• Standard language for risk and control definition/exchange
• One language for many areas:
– Security risk
– IT risk
– Financial risk
– Operational risk, etc.
• Visibility across silos
• Eliminate redundancy and duplication
• Facilitate effective continuous monitoring and audit of controls
• Extensible: companies can add their own
– Activities
– Risks
– Control Objectives
– Control Activities, etc.
GRC-XML: Illustrated Business Integration
[Diagram, with GRC-XML as the exchange format between the layers:]
• GRC Applications & Systems – Enterprise GRC, Operational GRC, IT GRC, Cloud GRC, etc.
• Controls Testing & Monitoring – Automated Control Tests (Transactions, Configurations, User access); Manual Control Tests (Surveys, Sampling)
• Risk & Controls Repository – Risk models, Controls documentation, Organization / Process, Test Procedures, Test Results
Cloud Governance
Practical approach with CSA and other third party tools
Holistic Approach Around Controls . . .
[Diagram of the frameworks feeding Your Cloud Controls Matrix:]
• Security Framework (ISO-27002)
• IT Audit Framework (COBIT)
• Legislative Framework (PCI, SOX, etc.)
• S-P-I Framework
• Your Cloud Controls Matrix
• Trusted Cloud Initiative
Suggested Approach to Use the CSA Cloud Audit Guideline
[Diagram; elements shown:]
• Assess the opportunity – Capability mapping, Strategy alignment, Use Cases (OSA)
• Security Framework and Patterns – Security Patterns, Guidelines, Vendor Certification; Control Mapping, Operational Checklists
• Architecture domains – BOSS, ITOS, Presentation, SRM, Application, Information, Infrastructure
• Roadmap and Reuse – Reference Architecture, CSA Controls Matrix, CSA Questionnaire
• Trusted Cloud Initiative
How it Works (A Simplified View) . . .
[Diagram: a Third Party Assurance Centre sits between the Third party requesting access, the Cloud provider and the Internal hosting provider, each carrying a Maturity rating, against the business's Risk Appetite.]
1. Business sets the level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.
2. Level of risk management maturity is communicated to business partners (and possible partners).
3. Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove the need for duplicate verification (note: may remove the audit requirement altogether).
Evaluate Key Control Domains
Domains:
• Governance – Subcontractor due diligence, Risk Management
• Human Resources
• Physical Security – Site security, Environmental Protection
• IT Services – Networks, Change Management, Service Management, Development, etc.
• Incident Management
• Business Continuity
Maturity: each domain is rated on a scale of 1 to 5
Sources: ISO 27001, NIST SP800-53, PCI, CSA Controls Matrix, COBIT, ENISA Cloud doc., ITIL, BS25999
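As an added illustration (not from the deck or its authors), this Python snippet carries steps 1 to 4 of the assurance flow above through the six control domains on this slide: the business sets a per-domain risk appetite on the 1-5 maturity scale, a provider's claimed maturity counts only where evidence sits in the shared repository, and providers are benchmarked by their gaps. Domain names are taken from the slide; the vendor names, maturity levels, appetite values and the rule that an unevidenced claim counts as level 1 are constructed assumptions.

```python
"""Constructed example: compare cloud providers' control-domain maturity
(1-5 scale, as on the slide) against the business's risk appetite."""
from dataclasses import dataclass, field

# Control domains as listed on the "Evaluate Key Control Domains" slide.
DOMAINS = ["Governance", "Human Resources", "Physical Security",
           "IT Services", "Incident Management", "Business Continuity"]


@dataclass
class Assessment:
    vendor: str
    maturity: dict                                # domain -> claimed level 1..5
    evidenced: set = field(default_factory=set)   # domains with evidence uploaded


def effective_maturity(a: Assessment, domain: str) -> int:
    """Assumption (not from the deck): a claim with no evidence in the
    central repository is treated as level 1, the lowest maturity."""
    level = a.maturity.get(domain, 1)
    if not 1 <= level <= 5:
        raise ValueError(f"{a.vendor}/{domain}: maturity {level} outside 1..5")
    return level if domain in a.evidenced else 1


def gaps(a: Assessment, appetite: dict) -> dict:
    """Domains where effective maturity is below the level the business requires.
    Returns {domain: (have, required)}."""
    return {d: (effective_maturity(a, d), appetite[d]) for d in DOMAINS
            if effective_maturity(a, d) < appetite[d]}


def benchmark(assessments, appetite) -> list:
    """Rank vendors: fewest gaps first, then smallest total shortfall."""
    def key(a):
        g = gaps(a, appetite)
        return (len(g), sum(req - have for have, req in g.values()), a.vendor)
    return [a.vendor for a in sorted(assessments, key=key)]


# Constructed risk appetite: less tolerance in governance and continuity.
APPETITE = {"Governance": 4, "Human Resources": 2, "Physical Security": 3,
            "IT Services": 3, "Incident Management": 3, "Business Continuity": 4}

# Constructed vendor assessments; "HostIt" claims level 5 governance
# but has uploaded no evidence for it.
VENDORS = [
    Assessment("CloudCo", {d: 4 for d in DOMAINS}, set(DOMAINS)),
    Assessment("HostIt", {**{d: 3 for d in DOMAINS}, "Governance": 5},
               set(DOMAINS) - {"Governance"}),
]

if __name__ == "__main__":
    for a in VENDORS:
        print(a.vendor, gaps(a, APPETITE))
    print("ranking:", benchmark(VENDORS, APPETITE))
```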
Mapping Example: Cloud Controls Matrix to FedRAMP
Cloud Audit Automation: Leveraging CSA CAIQ Example
CSA Cloud Audit modules: bit.ly/ClearGRC
CAMM & CAIQ Data Governance Risk
RISK: Inadequate Cloud Data Governance
Results: Benchmarking vendors based on CSA standards
Aggregate CSA Analytic Dashboards
CAE Leadership in Internal Auditor assured
Cloud Governance and Emerging Technologies adoption
3 Things CAEs will need to understand
Cloud Computing
Big DATA
Mobility
Cloud Governance Internal Audit Leadership: Business Advisor
• Advise on benefits, risks, and mitigation techniques
• Create awareness
• Participate in cloud conversion activities
• Study and measure opportunities for increased efficiency and cost savings
Cloud Governance Internal Audit Leadership: Auditor
• Interact with the cloud provider to understand the operation of key controls and the monitoring program
• Participate in SLA and contract development
• Review service organization reports and determine assurance needs
• Audit end-user control responsibilities (browser and device security, APIs, admin access)
• Monitor changes and update the risk assessment
Cloud Governance Internal Audit Leadership: User
• Collaboration – Email, Documents
• Application Development – Audit Document Repositories, Tools
• Mobility – Improve connections, monitoring
• Back-office – Transparent use for data storage
About EnCrisp
EnCrisp is an INC 500 award-winning global leader in providing “business driven” solutions enhancing trust, governance, and transparency since 2004.
EnCrisp is a “Governance and Compliance Niche” specialist; its efforts result in strategic increases in trust, efficiency and compliance, and less risk, without the complexities and overburdened capital costs, for leaders in IT, finance, business, quality, security and audit.
AWARDS – INC 500 2009; NVTC Hot Ticket Tech 2007, 2009, 2011 – Hottest Bootstrap Category
Three Take-aways
• Define your AUDIT challenges
– Technological, and do not ignore Process
• Set realistic MANAGEMENT expectations
– Start using the technology first, then AUDIT
– Expertise is not instantaneous
• Keep your eye on the BUSINESS goal
– Mentorship programs
– Work with SMEs and third party experts
RESOURCES
• NIST - http://www.nist.gov/itl/csd/cloud-020111.cfm
• CSA - Cloudsecurityalliance.org
• GRCXchange Executive LinkedIn Group
• CIO.com
• http://Trust.Salesforce.com
• http://www.google.com/apps/intl/en-GB/trust/data_protection.html
• http://aws.amazon.com/security/
Mr. Bhavesh Bhagat – 703.728.2493
EnCrisp President
Founding Chair - CSA Washington DC federal center
Chairman - GRCXchange Global Policy Thinktank
Thank You!
Hopefully you have found new appreciation for CLOUDY days!