Orchestrating the New Paradigm Cloud Assurance

Transcription

1 Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner

2 Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems to be unable to support the business: Cost savings Increasing expenditure Faster time-to-market Rigidity Innovation Outdated infrastructure Traditional IT seems to fail to keep pace within innovations and the way consumers use IT

3 Understanding the Cloud Environment Cloud Environment = Internet-based data access & exchange + Internet-based access to low cost computing & applications Cloud Environment Characteristics: On-Demand Self-Service Internet Accessibility Pooled Resources Elastic Capacity Usage- Based Billing Software as a Service Business operations over a network Cloud Service Models Platform as a Service Deploy customercreated applications to a cloud Infrastructure as a Service SaaS PaaS IaaS Rent storage, processing, network and other computing resources Private Public Cloud Deployment Models Operated for a single organization Available to the general public or large industry group, owned by an organization selling cloud services Google Docs, Salesforce.com MS Azure, Amazon Web Services Mozy, Rackspace Community Shared by several organizations, supporting a specific community

4 Business Benefits of Cloud Increased Agility Rapidly respond to changing market conditions or needs Greater Flexibility More options in combining people, process, and technology to deliver economic value Faster Results Faster time-to-value in achieving results that support more iterative solution design and delivery strategies Reduced Cost Lower total cost to deploy new solutions or to achieve new capability levels

5 KPMG Survey May 2010 Conducted in the Netherlands 120 CIOs/CISOs participated

6 Cloud into perspective: cloud computing is both marginal and significant Marginality of the cloud Europe < 5 percent of total IT spending US: 60 percent of total IT spending Significance of the cloud Growth of commercial cloud services 20 to 30 percent per year ( ) Move towards centralization and commoditization of IT

7 Cloud Computing is here to stay!

8 The hybrid environment as new paradigm On premise IT, serviced by local, own organization Organization Other Cloud Customers Outsourced IT, serviced by limited number of outsourcing partners Users Services Users Internet or LAN Internet IT in the Cloud, services by growing numbers of cloud service providers Organizations Internal IT Service provider Service provider Service provider Hardware, software + data Hardware, software + data Hardware, software + data Hardware, software + data Internal Data Center Private Managed hosting Private-External Third-Party Vendor (Multi-Tenant) Public Combined Public + Private Cloud Hybrid

9 IT Service Integrator Model: ability to Orchestrate Successful adoption of a Cloud delivery model depends on an organization s ability to establish a robust Enterprise IT Service Integration model. The Business Service Ownership: Single Point of Contact with the Cloud Service Providers (CSP) & IT Demand Capture Services Standards Service Level Monitoring Service Owner Vendor Manager IT Risk Manager IT Finance Manager IT Risk Management Risk identification and analysis across different CSPs Risk library Vendor/CSP Audits Vendor Management: Vendor certification Contract Negotiations Rackspace Google Amazon Web Services Internal IT Organization (retained IT Services) IT Finance Management Business case Service Costing and Chargeback SLA penalty-bonus calculation

10 Risk and security is seen as major concern for cloud adoption

11 Key Privacy, Regulatory and Compliance Challenges Some key regulatory and compliance challenges that can be characterized as particular to the Cloud-computing context are: Localization of Information: Data may be stored in the cloud without proper customer segregation allowing possible accidental or malicious disclosure to third parties. Individual Rights: Data may physically reside in a legal jurisdiction where the rights of data subject conflict or may not be protected at all. Data Movement: The cloud s loosely defined, uncertain or moving geography means that consumers are faced with increased legal complexity, legal contradictions and uncertainty. Confidentiality: The cloud facilitates the ability to use/share data across organizations and therefore increases the potential for secondary uses of data that require additional consent or authorization. Breach and Disclosure: The timely discovery, assessment, and reporting of the breaches from within the cloud are more challenging.. Cloud Audit: It is difficult to audit the data in the cloud, because isolating the scope in a cloud environment is challenging. Data Retention: Enterprise s data retention or data archiving requirements may not be met when using cloud due to lack of standardization. 10

12 Considerations Dependency of the cloud External data storage and processing Sharing of IT resources (multi tenancy) Dependency on the public internet Complexity of the hybrid environment Multiple concepts regarding: Data management Contracts Technology Financial Security Assurance Complexity to ensure compliance Lack of industry standards and certifications for cloud providers (ISAE3400 / ISAE3000) Vendor Business Risks Operational Emerging government schemes like FEDRAMP Regulatory Compliance Technology

13 Dimensions of Risk Operating in a cloud environment presents risks in six key dimensions Financial Underestimated start-up costs Exit costs Contract complexity Run-away variable costs Financial Security Security Data segregation, isolation, encryption Information security Identity and access management Intellectual property protection Vendor Operational Vendor lock-in Service provider reliance Performance failure Vendor governance Vendor Business Risks Operational Business Resiliency/Disaster Recovery Service reliability and uptime SLA Compliance Regulatory Compliance Complexity to ensure compliance Regulatory Compliance Technology Technology Lack of industry standards and certifications for cloud providers Records management / records retention Regulatory change control, reliant on vendor timeliness Data privacy Cross-vendor compatibility Proprietary lock-in Customization limitations Inadequate change control capabilities Technical security risks

14 Characteristics of Cloud Computing and impact on assurance Different models Different risks Different controls

15 Assurance frameworks Complexity to ensure compliance Due to cloud additional standards are coming up to address new risk Lack of clarity in industry standards and certifications for cloud providers (ISAE3400 / ISAE3000) Emerging government schemes like FEDRAMP

16 Context: Relevant changes in IT The shift from an IT auditor s point of view Scope of audit Data IT assets/resources Data IT assets/resources Data IT assets/resources IT management IT management IT management Trust Provider s proprietary technology and processes Provider s proprietary technology and processes Provider s proprietary technology and processes Traditional IT Outsourcing Cloud computing

17 Context Assurance: complexity of trust in hybrid cloud environments Customer organisation IT Management Data Internet IT service provider IT service provider IT Management Data Assurance & Quality statement European Union Internet Assuranc e & Quality statement IT service provider IT Management Data Assuranc e & Quality statement Internet United States e Assuranc & Quality statement India IT service provider IT Management Data IT service provider IT Management Data

18 Relevant changes in Assurance New standards due to replacement of SAS70 with ISAE3402 Service Org. Control 1 (SOC 1) Service Org. Control 2 (SOC 2) Service Org. Control 3 (SOC 3) SSAE16 / ISAE3402 Service Auditor Guidance AT 101 / COS & ISAE 3000 AT 101 / COS & ISAE 3000 Restricted Use Report (Type I or II report) Generally a Restricted Use Report (Type I or II report) General Use Report (public seal) Purpose: Reports on controls for FSA Purpose: Reports on controls related to compliance or operations Purpose: Reports on controls related to compliance or operations Trust Services Principles & Criteria Bron: AICPA 2010 ( )

19 Cloud Service Provider s Control Requirements Information Security Management System Areas of Added Emphasis for CSPs Security Policy Organization of Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development, and Maintenance Information Security Incident Management Business Continuity Management Compliance Data Protection/Segregation Privacy Encryption Standards Logging Authentication to the Cloud Configuration Management Monitoring/Compliance Function The SOC2 and SOC3 assurance framework can be used to demonstrate the effectiveness of the CSP s controls in these areas. 18

20 Relevant changes in Assurance SOC2/3 Criteria Topics Align Well with Cloud Availability Confidentiality Processing Integrity Privacy Availability policy Backup and restoration Disaster recovery Business continuity management Confidentiality policy Confidentiality of inputs Confidentiality of data processing Confidentiality of outputs Information disclosures (including third parties) Confidentiality of Information in systems development System processing integrity policies Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs Information tracing from source to disposition Management Notice Choice and consent Collection Use and retention Access Disclosure to third parties Quality Monitoring and enforcement Security IT security policy Security awareness and communication Risk assessment Logical access Physical access Environmental controls Security monitoring User authentication Incident management Asset classification and management Systems development and maintenance Personnel security Configuration management Change management Monitoring and compliance

21 However.. Is this the only applicable standard? ISO Information Security Management System certification ISO IT Service Management certification Federal Information Security Management Act (FISMA) Federal Risk and Authorization Program (FedRAMP ) Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) Financial Industry Shared Assessments Program (FISAP) Cloud Security Alliance (CSA) Framework ENISA Cloud Assurance Framework PCI Data Security Standard (from an advisory perspective) Localized standards and requirements COBIT 4.1 vs Cloud assurance.. And more to come..

22 To conclude IT is changing fast To meet the changing requirements from the business To meet the changing requirements from the end-user (consumerization of IT) Cloud Computing / Consumerization are seen as key enablers to fulfill these changing requirements However, this will create on mid-term another complexity the hybrid IT environment Key question: how to control the risks of this hybrid IT environment? As assurance frameworks are not keeping up the pace of these new developments

23 KPMG Key Contact Details John Hermans Partner KPMG Advisory N.V. Tel: [email protected] 22

24 2012 KPMG Advisory N.V., registered with the trade register in the Netherlands under number , is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and cutting through complexity are registered trademarks of KPMG International Cooperative. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).