1 The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton LLP Matt Thompson Senior Manager, Business Advisory Services Grant Thornton LLP
2 Learning objectives Presentation focus Today s presentation will focus on the following: Understanding primary outsourced/hosted cloud computing options Understanding unique risks associated with various cloud computing models Practical controls for securing the Company s assets when using cloud computing Methods for deciding if cloud computing fulfills the organization s business needs and risk appetite Methods for auditing the Company s use of cloud computing technologies
3 Agenda Introductions Cloud computing overview Risks and audit strategies Q&A
4 Introductions Warren W. Stippich, Jr. Chicago Partner and National Governance, Risk and Compliance Solution Leader, including Cyber Security Solution, in Grant Thornton's Business Advisory Services Practice Certified Internal Auditor (CIA) Certified Public Accountant (CPA IL) 20 years practicing internal audit, including 5 years as a CAE for a multi-national public company Global engagement partner for multi-national engagements
5 Introductions Matt Thompson Raleigh, NC Senior Manager in Grant Thornton s Business Advisory Services Practice Certified Information Systems Auditor (CISA) A member of the Triad (NC) IIA Board of Governors 15+ years experience working in the Cyber Security and IT Internal Audit arenas A leader of Grant Thornton's Southeast Cyber Security and IT Internal Audit Practices A leader of Grant Thornton's National Cyber Security Solution Group
6 Agenda Introductions Cloud computing overview Risks and audit strategies Q&A
7 Cloud computing overview Why the buzz? Cloud computing is the future of IT A new and flexible model for deploying technology Extremely reliable and infinitely scalable Cost benefits and ease of ownership Allows you to expand or contract as business needs dictate Pay for only what you need at any given time
8 Cloud computing overview Group discussion What are you hoping to learn from today s presentation? What is your experience with cloud computing? How does your company utilize cloud computing? What level of involvement did your Internal Audit group have with your Company s cloud computing implementation? Has your company s cloud environment been audited?
9 Cloud computing overview Grant Thornton's CAE Survey More than 300 CAEs surveyed responded that 77% are at least somewhat familiar with cloud computing 69% use cloud computing; many expect cloud computing use to increase (45%) or stay the same (55%) in the next 12 months When asked to describe their view as to the security, governance, risk and controls implications in moving to a cloud environment, 43% responded "I haven t really given it much thought." 64% of respondents do not include cloud computing in their audit plan
10 Cloud computing overview Future of cloud computing Looking past the current industry hype surrounding all things Cloud, Forrester believes that Cloud computing is a sustainable, long-term IT paradigm, and the successor to previous mainframe, client/server, and network computing eras. - Forrester Research, Inc. The Evolution of Cloud Computing Markets
11 Cloud computing overview A full spectrum of definitions - simple The cloud is about immediacy, elasticity, and utility economics Mark Shuttleworth, Ubuntu & Canonical The cloud is water vapor Larry Ellison, Oracle
12 Cloud computing overview A full spectrum of definitions more meaty Cloud computing is the next stage in the Internet's evolution, providing the means through which everything from computing power to computing infrastructure, applications, business processes to personal collaboration can be delivered to you as a service wherever and whenever you need. Dummies.com
13 Cloud computing overview History The term Cloud originated as a metaphor to depict the public switched telephone system on network diagrams.
14 Cloud computing overview Principal characteristics Network enabled Abstraction of infrastructure Resource democratization Services oriented architecture Elasticity/Dynamism of resources Utility model of consumption and allocation
15 Cloud computing overview Economic value The financial benefits of cloud computing and cloud-based services
16 Cloud computing overview Three basic flavors of service (cont'd) #1 Infrastructure Data Center Processor Memory Storage Virtualized & Dynamic Redundant/Hardened
17 Cloud computing overview Three basic flavors of service (cont'd) #2 Platform Operating System Web Servers Database Servers Operational Services Virtualized Infrastructure
18 Cloud computing overview Three basic flavors of service (cont'd) #3 Application Google Apps Salesforce Mobile Me Platform Utility
19 Cloud computing overview Types and models Types of Clouds Public - Shared computer resources provided by an off-site third-party provider Private - Dedicated computer resources provided by an off-site third party or use of cloud technologies on a private internal network Hybrid - Consisting of multiple public and private clouds Models of Cloud: Software as a Service (SaaS) - Software applications delivered over the Internet Platform as a Service (PaaS) - Full or partial operating system/development environment delivered over the Internet Infrastructure as a Service (IaaS) - Computer infrastructure delivered over the Internet
20 Cloud computing overview Grant Thornton technology model Grant Thornton Technology Model A tool for IT Internal Auditing SaaS relates to the application and data management layers. PaaS relates to the operating system layer for servers. IaaS relates to the physical and sometimes network layers.
21 Cloud computing overview Global Public Cloud Market Size
22 Cloud computing overview Forrester's full taxonomy of cloud market
23 Cloud computing overview Service model attributes Software as a Service (SaaS) The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Platform as a Service (PaaS) Consumer has control over the deployed applications and possibly application hosting environment configurations. Infrastructure as a Service (IaaS) Consumer has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
24 Cloud computing overview SaaS example vendors
25 Cloud computing overview Potential benefits Interoperability Across Platform Owners User to Application or Hardware Resource Application to Application Hardware Resource to Hardware Resource Cost Effective and Higher Utilization of Resources Dynamic Allocation As Needed Dynamically De-Provision when Not Needed Speed to Market Enable Faster Delivery of Applications & Upgrades Enable Pay by the Drink, Self-Service Models
26 Cloud computing overview New clouds are rolling in daily. Are you ready?
27 Agenda Introductions Cloud computing overview Risks and audit strategies Q&A
28 Risks and audit strategies System failure at Amazon.com "A widespread failure in Amazon.com s Web services business affected many Internet sites, highlighting the risks involved when companies rely on so-called cloud computing. The problems affected sites including Quora.com, Reddit.com, GroupMe.com and Scvngr.com, which all posted messages to their visitors about the issue. Most of the sites have been inaccessible for hours, and others were only partly operational " - NYTimes.com April 21, 2011
29 Risks and audit strategies Security Breach at Epsilon "A data breach at one of the world's largest providers of marketing services may have enabled unauthorized people to access the names and addresses for customers of major financial-services, retailing and other companies." - WSJ.com April 4, 2011
30 Risks and audit strategies Potential risks What are the physical components of the Clouds? Data Centers self-hosted, third-party, both, etc.? Network circuits and firewalls who s managing, who s watching, etc.? Disaster preparedness and recoverability is there a plan, is it tested, etc.? Who is aware of and managing vendor SLAs and are they adequate? Where s the data and how is it protected? In-flight, standing still/at-rest, etc.? Archives and back-up? Unintended uses? Data privacy and compliance? What is the tone at the top? Stakeholder knowledge of attributes and risks Have internal controls evolved effectively? Who is monitoring internal use of public cloud services?
31 Risks and audit strategies Service organization considerations When outsourcing parts of their business (including cloud computing), companies are still responsible for the data, processing and/or services provided by the outsourcing company (service organization). As a result, many companies (and their auditors) desire or require their service organizations to obtain an independent assessment of their security, availability, processing integrity, confidentiality and privacy practices.
32 Risks and audit strategies Service organization considerations SSAE No. 16, Reporting on Controls at a Service Organization, superseded SAS 70 on June 15, There are several reporting options for service auditors examining controls at service organizations. Financial Reporting Risks Nonfinancial Reporting Risks SOC 1 SOC 2 SOC 3 SSAE 16 With testing details "Pass" with a seal display
33 Risks and audit strategies Six additional risk areas Security Multi-tenancy Data location Reliability Sustainability Scalability
34 Risks and audit strategies 1. Security - risks The cloud provider s security policies are not as strong as the Company s data security requirements Cloud systems which store Company data are not updated or patched when necessary Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place The physical location of company data is not properly secured
35 Risks and audit strategies 1. Security audit strategy Determine if the cloud provider meets or exceeds the Company s security requirements Determine if the cloud provider s security posture is based on a security standard (i.e., ISO27001, Cloud Security Alliance, PCI DSS, etc.) Determine if the cloud provider has a security assessment performed Determine if the cloud provider s Service Organization Report (i.e., SSAE 16, SOC Reports) addresses specific security controls
36 Risks and audit strategies 2. Multi-tenancy risks Company data is not appropriately segregated on shared hardware resulting in Company data being inappropriately accessed by third parties The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both in rest and transit The cloud service provider cannot determine the specific location of the Company s data on its systems Company data resides on shared server space which might conflict with regulatory compliance requirements for the Company
37 Risks and audit strategies 2. Multi-tenancy audit strategy Inquire of the cloud service provider s method used to secure the Company s data from being accessed by other customers/third parties Review the cloud service provider s SLA to determine if the SLA addresses security of the Company s data Review independent audit report(s) related to the Cloud provider s security posture (i.e., security settings, data encryption methods, etc.) and/or exercise the Company s right-to-audit clause Gain access to cloud system(s) and perform limited auditing procedures from the Company s location
38 Risks and audit strategies 3. Data location risks The Company is not aware of all of the cloud service provider s physical location(s) The Company does not know where their data is physically or virtually stored The Cloud service provider moves company data to another location without informing the Company Company data is stored in international locations and falls under foreign business or national laws/regulations
39 Risks and audit strategies 3. Data location audit strategy Inquire of the cloud provider the specific physical and virtual location of the Company s data Work with the Company s legal group to fully understand the impact and potential risks of the Company s data residing in a foreign country Ensure regulatory compliance is maintained if data resides in multiple locations
40 Risks and audit strategies 4. Reliability risks The cloud service provider has quality of service standards which conflict with business requirements During peak system activity times, the cloud service provider experiences system performance issues that result in the following: - Company employees cannot access the Company s data when needed - Customers are unable to use the Company s systems (such as placing an order on the Company s web site) because of performance problems with the cloud provider
41 Risks and audit strategies 4. Reliability audit strategy Inquire of the cloud service provider to determine the controls in place to ensure the reliability of the cloud solution Obtain an SLA/contract from the cloud service provider which details the specific reliability agreement for the Company. Compare this information to actual performance Determine the times that the cloud provider performs system upgrades and/or patches to ensure data availability during peak business hours is not affected Review the Company s business continuity plan and determine if the plan addresses interruptions with the cloud systems used by the Company
42 Risks and audit strategies 5. Sustainability risks In the event the cloud service provider goes out of business, the Company might not be able to retrieve the Company s data. In addition, another third party might gain access/control of the Company s data The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster The Company s business continuity plan does not address the cloud s service offering being unavailable Company data is compromised as a result of a disaster
43 Risks and audit strategies 5. Sustainability audit strategy Inquire of the cloud service provider to determine if they have adequate controls in place to recover and protect the Company s data even in the event of a disaster Review the Company s business continuity plan and determine if the plan addresses interruptions with the cloud solution Inquire of the cloud service provider to determine how the Company would gain access to its data in the event the cloud service provider goes out of business
44 Risks and audit strategies 6. Scalability risks The cloud service provider s systems cannot scale to meet the Company s anticipated growth, both for a short-term spike and/or to meet a long-term strategy If the Company decides to migrate all or part of the Company s system and/or data back inhouse (or to another provider), the cloud service provider cannot (or will not) provide the data
45 Risks and audit strategies 6. Scalability audit strategy Determine if the cloud provider s system can scale to meet the Company s expected short-term spikes and/or growth over the next five years Determine if the Company has a contingency plan in the event the cloud provider s systems cannot scale to meet the Company s needs Determine who is the owner of the Company s data Determine if the cloud provider would allow the Company to move data back in house and/or to another provider. Determine the specific procedures and associated costs needed to perform this task
46 Risks and audit strategies Case study An energy solutions company is a leading provider of energy solutions with annual revenues in excess of $850 million for a payroll size of 400 employees Decision made by Senior Management to outsource their payroll system to a SaaS vendor cloud solution to allow for increased efficiency and cost savings Internal Audit identified payroll as a high-risk area since this was the Company s first use of a cloud computing solution Key Payroll data is transmitted on a bi-weekly basis to facilitate payment by the SaaS cloud provider
47 Risks and audit strategies Case study (cont'd) Company's Internal Audit department reviewed the cloud provider's Service Organization Report and did not note any exceptions Internal Audit also used existing user-ids to perform limited audit procedures and discovered they had access to view and edit another company's payroll information The Company discussed the findings with the cloud provider and determined the error occurred after a recent system upgrade
48 Agenda Introductions Cloud computing overview Risks and audit strategies Q&A
49 Q & A
50 Contact info Warren W. Stippich, Jr. Partner, Business Advisory Services T: E: Matt Thompson Senior Manager, Business Advisory Services T: E: