Asset Management in the Cloud How to identify and manage Cloud based assets and services. September 19, 2014

Asset Management in the Cloud How to identify and manage Cloud based assets and services September 19, 2014

Contents Overview 4 Standard asset management process 6 Asset identification 9 Asset management and planning 15 Wrap-up/questions 22 2

Overview Presentation objectives Provide a high level understanding of asset management Understand how assets are identified and managed in the cloud Identify ways that you can bring asset management to the cloud services being utilized in your organization 3

Overview What is an asset? ISO 55000 Coordinated activity of an organization to realize value from assets IT asset management (ISO 19770) For Example, Software Licensing What are assets in a cloud environment? For Example, Virtual Hard Drive (VHD), Servers, Network Devices, Data, Box Storage ISO 19770-4 (Possible future standard) Why use asset management? 4

Standard asset management process 5

Standard asset management process Foundation of asset management process Defining what assets are being managed Identifying the assets currently within the environment Implementing systems for tracking assets in place Developing policies and procedures around asset handling and management Asset Lifecycle 6

Standard asset management process Goal of asset management in the cloud Identifying the assets currently within the environment Determining who owns these assets Standardizing asset management to maintain compliance in dynamic environment Associated risk Risk of not knowing what assets are being used and how they are utilized can cost organizations in large expenses, possible outages, or environments not aligned with security policies 7

Additional considerations: What are some risks that your company has faced or that you have seen related to Asset Management? Who in your organization can help assist in the IT Asset Management process? 8

Asset identification 9

Asset identification Techniques that can be used to identify cloud based assets Network Monitoring Purchase Card/Expense Monitoring Third-party Tools Audit Evaluations/Interviews 10

Asset identification Network monitoring Some key drivers: IT Department/Networking Group What to look for: Network traffic known cloud service providers Large data uploads/downloads that align with new system acquisitions/creation Recurring network traffic that is not being managed by known batch processing systems or access specific restrictions (Server Build-out) 11

Asset identification P-Card / Expense monitoring Key drivers: Finance Department/Accounts Payable What to look for: Reoccurring expenses to known cloud service providers Expenses related to cloud management tools or new IT software For Example, Telnet software, SQL Server cloud licenses ABC Web Services Conferencing 12

Asset identification Third-party tools Key drivers: IT Department/Management How to leverage: Working with the IT department to identify the applicable tools and approaches for using a third party for identifying assets Tools: Asset Tracking Tools Cloud Service Provider vs. External Provider Asset Management Tools 13

Asset identification Audit evaluations / Interviews Key drivers: Internal Audit/External Auditors How to leverage: Have Internal Audit perform a directed assessment of the use of cloud services Provide Internal/External auditors questions to ask directed at the identification of cloud assets Simple vs Complex Questions 14

Asset identification Audience discussion Additional considerations: Outside of the four methods presented: Network Monitoring, Purchase Card/ Expense Monitoring, Third-party Tools, and Audit Evaluations/Interviews, what other methods could be used to identify assets? Who should be performing or managing an Asset Identification Project? 15

Asset management & planning 16

Asset management & planning - Identifying and tracking assets Many Cloud Service Providers offer built-in tools for tracking assets deployed in their respective environments: AWS Management Console Microsoft Azure Management Portal Third-Party Tools (Bolt-ons) can also be used This presentation should not be construed as an endorsement on the part of Deloitte for AWS Management Console, Microsoft Azure Management Portal, or other Third- Party Tools 17

Asset management & planning - Identifying and tracking assets AWS Management Console: 18

Asset management & planning - Identifying and tracking assets AWS Billing Console: 19

Asset management & planning - Identifying and tracking assets Microsoft Azure Portal: 20

Asset management & planning Policies and taxonomy Policy development Current policies should be modified New policies and procedures developed Tagging/Naming convention Driven from standardized procedures in policy documents Used to easily identify and track assets Tagging in AWS: 21

Asset management & planning Server deployment Server deployments Driven from policy Establish a deployment approach Flatten & Repave Have specified zones for deployment Record how long assets will be deployed for 22

Asset management & planning Disaster recovery / Capacity planning Disaster recovery Simple approach - Standard Business Continuity/Disaster Recovery processes Failover Testing Complex approach - Data Storage and Recovery What needs to be backed up? For how long? Replication & Redundancy 23

Asset management & planning Disaster recovery / Capacity planning Capacity planning Understanding what assets are available Determine budget for cloud services Track that capacity is meeting demand Track that usage does not exceed budget 24

Closing remarks / Questions 25

Closing remarks Asset management in the cloud: Can be complex Take time to understand your environment Utilize information and services provided by the cloud service providers 26

Contact Information Aaron Brown Partner Deloitte & Touche LLP aaronbrown@deloitte.com Tel 1-206-716-7457 Todd Mack Manager Deloitte & Touche LLP tmack@deloitte.com Tel 1-206-716-6528 David Fantham Consultant Deloitte & Touche LLP dfantham@deloitte.com Tel 1-206-716-7077

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. Product names mentioned in this presentation are the trademarks or registered trademarks of their respective owners and are mentioned for identification purposes only. Deloitte is not endorsing any specific company, product or service by means of this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Member of Deloitte Touche Tohmatsu Limited 28