October 22, 2011 Cloud Computing – Panel Discussion


Upload: hailie-mager

Post on 31-Mar-2015


TRANSCRIPT

Slide 1: Cloud Computing Panel Discussion, October 22, 2011

Slide 2: Introductions
  • Barnaby Jeans, Sr. Systems Engineer, VMware Canada
  • Richard Livesley, BMO
  • Malik Datardina, UWCISA
  • Chris Andersen, Partner, Grant Thornton
  • Skip White, Professor of Accounting & MIS, University of Delaware

Slide 3: What is the Cloud?
  Barnaby Jeans, Sr. Systems Engineer, VMware Canada (@bjeans)
  Previously: Sr. Technology Advisor & Evangelist, Microsoft; Sr. Sales Engineer, Red Hat; Sr. Sales Consultant, Oracle

Slide 4: 50 Years Ago
  "Computing may someday be organized as a public utility." John McCarthy, MIT, 1961

Slide 5: What is Cloud Computing?
  Providing IT resources as a Service (National Institute of Standards and Technology, definition v15)

Slide 6: Service Models
  • Host
  • Build
  • Consume

Slide 7: Deployment Models
  "Virtualization is a modernization catalyst and unlocks cloud computing." Gartner
  • Private Cloud
  • Public Cloud
  • Hybrid Cloud

Slide 8: Why the Cloud Matters
  • The Cloud Era (Virtualization, Cloud, SaaS) enables standardized IT metrics, e.g.: cost to provision per VM, cost per GB of storage, time to provision, cost to provision an email box
  • "If you can't measure it, you can't manage it." Andy Grove
  • To be compared and shopped for: Public Cloud Providers are establishing a rate card for IT (Virtual Machine)
  • Will lead to better informed consumption & production of IT

Slide 9: Parting thought
  Corporate IT vs Public Cloud Providers: Where are Lines of Business getting the IT resources for their next project?

Slide 10: Data in the Clouds: A Risk Management Approach
  Richard Livesley and Malik Datardina

Slide 11: Disclaimer
  The opinions presented by Richard and Malik do not necessarily reflect those of their respective employers.

Slide 12: Cloud Computing
  Agenda:
  • Why cloud?
  • Defining the Cloud: Technology vs Risk based approach
  • Risk of Rogue Clouds
  • Cloud Control: A Risk Management Approach

Slide 13: Why Cloud?
  • Agility: Faster introduction of desired functionality
  • Potential for Cost Reduction: Moving expenses from OpEx to CapEx; reduced maintenance, especially SaaS
  • More efficient use of computing resources:
    - Public cloud: Start-ups don't need a data center, large companies can send extra workloads to the cloud (e.g. Animoto, FlightCaster, NY Times)
    - Private clouds: Easier to maximize pooled resources, e.g. Revlon: 1:7 to 1:34 servers, $70M in cost savings (unaudited)

Slide 14: Challenge of Cloud Compliance
  • Not all clouds are equal. Risk profile of concern: high-risk self-provisioning public clouds (Amazon EC2 versus Amazon VPC)
  • Don't invest time and effort on tech definitions; focus on risk & leverage existing processes
  • Key Risks:
    - Geographic dislocation: Where's my data? Potential for data to be sent to India, China, etc. if the public cloud provider's data centers exist in those countries
    - Multi-tenancy & self-provisioning: Who is my neighbour? Hackers used Amazon Web Services to hack into Sony PSN; security researchers were able to extract info about co-tenants; potential for malicious co-tenants to hack into your instance

Slide 15: Risk of Rogue Clouds
  • Rogue Clouds: clouds that enter the business environment without going through all the appropriate control processes
  • Direct to business marketing: businesses, instead of IT, are marketed SaaS. Similar phenomenon to Business Managed Applications. Easier for business to get up & running with SaaS than to work with central IT
  • Consumerization: Bring-your-own-cloud. Google Docs users want the same functionality at work as at home, e.g. collaborating on a confidential contract

Slide 16: Cloud Control: Risk Mgmt Approach
  • Risk Identification: Inventorying use: register current use, identify what's acceptable and what is not. Working with users is critical
  • Risk Measurement & Assessment: Risk needs to be assessed for each information asset, i.e. the specific cloud environment. The need for additional controls needs to be based on the data

Slide 17: Cloud Control: Risk Mgmt Approach
  • Risk Mitigation and Control: Leverage existing vendor management processes to identify high-risk cloud environments
  • Emerging best practice: Encrypt data and hold the keys. Providers are being acquired, e.g. Navajo Systems was bought by Salesforce.com
  • Current practice: Use vendor-based encryption, but this is not feasible for all fields in SaaS
  • Training and awareness: Users should understand the risks of public cloud

Slide 18: Cloud Control: Risk Mgmt Approach
  • Monitoring and reporting: Traditional controls won't catch everything (similar to BMAs)
  • DLP Tools: Identify traffic moving to unauthorized clouds
  • Cloud vendors: Annual Risk Assessment, and update the registry accordingly

Slide 19: Closing Thoughts
  • Cloud computing is still in motion
  • Need to monitor developments within public cloud computing: the book on risks is still being written
  • Need to monitor threats and attacks on public clouds to determine what risks need to be identified
  • Need to monitor developments within encryption, e.g. homomorphic encryption

Slide 20: Cloud Panel: Assurance Provider Perspective
  Chris Anderson, CA(NZ), CISA, CMC, CISSP, PCI QSA
  2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

Slide 21: Assurance on Outsourcing to the Cloud
  • The usual assurance challenges, but more of them! Service providers have their own service providers
  • Service Organisation Controls reports are mostly ICFR (ISAE 3402 / SSAE 16 / CSAE 3416), not fully addressing operational and regulatory risks
  • Carving out sub-service providers causes the customer to have to assemble its own assurance after sleuthing who does what, iteratively
  • It's not your swimming pool any more!

Slide 22: SOC 1 is a start, SOC 2 and SOC 3 better!
  Report types compared: CSAE 3416 | 5025 | TSP Seal
  What is covered by the report
    CSAE 3416: Controls related to financial reporting
    5025 and TSP Seal: Controls over security, availability, processing integrity, confidentiality, or privacy
  Intended audience
    CSAE 3416: Auditors and management of user organizations ("auditor to auditor communication")
    5025: Auditors, stakeholders (e.g. management, business partners, customers), and regulators
    TSP Seal: Publicly available reports that can be freely distributed or posted on a website as a seal
  Report format
    CSAE 3416 and 5025: Long form, which includes a detailed description of testing
    TSP Seal: Short form, which does not include a detailed description of testing

Slide 23: Plus net new assurance considerations, mostly caused by dynamic characteristics
  • Physical location can change. The fishbowl (our traditional data centre):
    - Was first outsourced but stayed out or moved en masse
    - Then became a cage at a hosting centre
    - Now is a virtual cage, with little visibility by the customer
  • Itinerant nature of some use cases combined with multi-tenancy: access to other customers' data
  • Collateral nature of security risk increases: your neighbour could be a problem/threat
  • Metered service raises questions: completeness of billing (CSP objective); verification of service delivery and accuracy of billing (customer objective)

Slide 24: Assurance Provider opportunity
  • Work with CSPs to design and implement SOC 2/3 assurance reports based on the ENISA Cloud Computing Information Assurance Framework or equivalent (Cloud Audit, Shared Assessments Program, Common Assurance Maturity Model)
  • Develop a dynamic assurance product/service relevant and proportional to the nature and extent of use of CSP products/services
  • These probably require that audit firms strengthen their technical IT audit capability!

Slide 25: Shared Assessments Program
  November 10, 2009, Santa Fe, NM. The Shared Assessments Program announced today the launch of Version 5.0 of its tools for evaluating service provider controls for information security, privacy and business continuity. The free tools, whose previous versions are in use around the globe including in the US, Canada, the EU, Australia, India and Brazil, comprise a rigorous toolkit for service provider audits that can be used in popular cloud computing and software-as-a-service (SaaS) environments. The Shared Assessments Technical Development Committee has added 22 new procedures to its assessment tool (the AUP) with an eye to computing services offered in the cloud, that is, on-demand IT services that rely on Internet-based virtualization technologies. Questions relevant to cloud and SaaS environments have been inserted into several sections of the Shared Assessments questionnaire, known as the SIG, as well.
  • 'Delta Controls' list
  • Looks like a comprehensive approach to efficient and effective assurance ('audit once, assure many times') and to preventing cherry picking of control objectives and procedures
  The Shared Assessments Program (www.sharedassessments.org) was originally developed by Bank of America Corporation, The Bank of New York Mellon, Citi, JPMorgan Chase & Company, U.S. Bank, and Wells Fargo & Company in collaboration with leading service providers and the Big 4 accounting firms. These founding organizations saw the need for a standardized and objective vendor management assessment methodology that would help outsourcers meet regulatory and risk management requirements while significantly reducing costs for all stakeholders.

Slide 26: Cloud Computing: Research Results
  Clinton E. White, Jr, Professor of Accounting & MIS, Lerner College of Business, University of Delaware

Slide 27: Cloud Computing Research
  4 categories of research:
  • Practitioner-oriented (surveys & whitepapers)
  • Practitioner-oriented (standards & professional guidance)
  • Academic computer science
  • Academic MIS

Slide 28: Cloud Computing Research
  Practitioner-oriented surveys & WPs: CIO magazine (www.cio.com) surveys of IT leaders
  • 2008: Big promise, big security questions (1)
  • 2009: Adoption prospects are hazy (2)
  • 2011: CIOs are putting the cloud first (3)
  • 2011: Cloud is now (4)

Slide 29: Cloud Computing Research
  Practitioner-oriented standards & guidance:
  • CSA (Cloud Security Alliance) (5)
  • ENISA (Euro Network & Info Sec Alliance) (6)
  • OWASP (Open World Appl Security Proj) (7)
  • ISO (ISO Dist Appl Platforms & Services) (8)
  • OWF (Open Web Foundation) (9)
  • EuroCloud (10)
  • CICA (11)
  • AICPA (12)

Slide 30: Cloud Computing Research
  Academic computer science: Cloud Computing Issues, Research and Implementations (13). Open research issues:
  • Economy of scale & economics of image & service construction
  • Temporal & spatial feedback that large scale workflows present
  • Cloud provenance (ascertaining the source of goods)
  • Data management
  • Process control flows, execution, & performance
  • Dynamics of data flows, file location, & application input & output
  • The structure, form, & evolution of workflows
  • System information, O/S information, compilers, versions, & load libraries
  • Security issues & complexities
  • ROI & total cost of ownership

Slide 31: Cloud Computing Research
  Academic MIS: Cloud Computing: The Business Perspective (14). Open research issues:
  • Economics: cloud service strategy; cloud computing provider economic value & the entire value chain
  • Strategy: impact on corporate culture; impact on business partnerships
  • IS policy: policy consistency across multiple providers & applications; software management for both providers & users; audit policy, security stds, risk assmt, forensics, & evidence gathering
  • Technology adoption & implementation: design of optimal rules for adoption, moving apps, & private vs pub
  • Government policy & regulation: identification of pertinent issues to be addressed

Slide 32: References
  1) McLaughlin, Laurianne, "Cloud Computing Survey: IT Leaders See Big Promise, Have Big Security Questions", CIO.com, Oct 21, 2008
  2) Johnson, Carolyn, "Cloud Computing Survey: Adoption Prospects Are Hazy", CIO.com, July 31, 2009
  3) Brousell, Lauren, "Survey: CIOs Are Putting the Cloud First", CIO.com, June 14, 2011
  4) KPMG, "Cloud is Now; Technology Spending to Leap Next Year", SmartPros.com, Oct 6, 2011

Slide 33: References
  5) CSA: https://cloudsecurityalliance.org/
  6) ENISA: http://www.enisa.europa.eu/
  7) OWASP: https://www.owasp.org/index.php/Main_Page
  8) ISO: http://www.iso.org/iso/iso_technical_committee.html?commid=601355
  9) OWF: http://www.openwebfoundation.org/
  10) EuroCloud: http://www.eurocloud.org/
  11) CICA: http://www.cica.ca/
  12) AICPA: http://www.aicpa.org/Pages/Default.aspx

Slide 34: References
  13) Vouk, Mladen A., "Cloud Computing Issues, Research and Implementations", Journal of Computing and Information Technology (CIT) 16, 2008, 4
  14) Marston, Sean, Zhi Li, Subhajyoti Bandyopadhyay, Juheng Zhang, Anand Ghalsasi, "Cloud Computing: The Business Perspective", Decision Support Systems, 51 (2011)

Slide 35: Questions?
  • Barnaby Jeans, Sr. Systems Engineer, VMware Canada
  • Richard Livesley, BMO
  • Malik Datardina, UWCISA
  • Chris Andersen, Partner, Grant Thornton
  • Skip White, Professor of Accounting & MIS, University of Delaware

Slide 36: Appendix

Slide 37: The NIST Definition of Cloud Computing
  Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
  http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf
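The inventory-and-monitoring steps of the Cloud Control approach (Slides 16 to 18) put into working form: a registry of known cloud services with the decision from the risk assessment, then proxy-log monitoring that flags uploads to clouds the registry has not approved. This is an added example, not code from the panel or from any speaker's organization; the registry entries, the proxy log format and the log lines are constructed for it.

```python
from collections import defaultdict
from dataclasses import dataclass

# Cloud-use registry from the risk-identification step (constructed
# sample): hostname suffix -> decision recorded at the annual assessment.
REGISTRY = {
    "approved-crm.example": "approved",
    "docs.google.com": "restricted",   # allowed, but not for confidential data
    "pastebin.com": "prohibited",
}

# Constructed forward-proxy log: timestamp user method host bytes_uploaded
SAMPLE_LOG = [
    "2011-10-22T09:00:01 alice POST api.approved-crm.example 52000",
    "2011-10-22T09:03:12 bob   PUT  docs.google.com 910000",
    "2011-10-22T09:05:40 bob   GET  docs.google.com 0",
    "2011-10-22T09:07:05 carol POST upload.newsaas.example 4300000",
    "2011-10-22T09:09:30 dave  POST pastebin.com 2100",
]

@dataclass
class Finding:
    user: str
    host: str
    decision: str    # "prohibited", "restricted" or "unregistered"
    bytes_out: int   # total uploaded: the DLP-relevant quantity

def lookup(host: str) -> str:
    """Registry decision for a host by domain suffix; unknown hosts are rogue-cloud candidates."""
    for suffix, decision in REGISTRY.items():
        if host == suffix or host.endswith("." + suffix):
            return decision
    return "unregistered"

def scan(log_lines):
    """One Finding per (user, host) that uploaded data to a non-approved cloud host."""
    totals = defaultdict(int)
    for line in log_lines:
        _ts, user, method, host, bytes_out = line.split()
        if method not in ("POST", "PUT") or int(bytes_out) == 0:
            continue                     # downloads are not a data-leaving-the-firm event
        decision = lookup(host)
        if decision != "approved":
            totals[(user, host, decision)] += int(bytes_out)
    return [Finding(u, h, d, b) for (u, h, d), b in sorted(totals.items())]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):   # feed these into the registry review
        print(f"{f.decision:12} {f.user:6} {f.host:28} {f.bytes_out:>9} bytes")
```

Unregistered hosts are the input to the next registry update; restricted and prohibited hits go to training and awareness follow-up.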