The Elephant in the Room: What's the Buzz Around Cloud Computing?

Warren W. Stippich, Jr.
Partner and National Governance, Risk and Compliance Solution Leader, Business Advisory Services, Grant Thornton LLP

Matt Thompson
Senior Manager, Business Advisory Services, Grant Thornton LLP

Learning objectives: Presentation focus
Today's presentation will focus on the following:
- Understanding primary outsourced/hosted cloud computing options
- Understanding unique risks associated with various cloud computing models
- Practical controls for securing the Company's assets when using cloud computing
- Methods for deciding if cloud computing fulfills the organization's business needs and risk appetite
- Methods for auditing the Company's use of cloud computing technologies
Agenda
- Introductions
- Cloud computing overview
- Risks and audit strategies
- Q&A
Introductions: Warren W. Stippich, Jr. (Chicago)
- Partner and National Governance, Risk and Compliance Solution Leader, including Cyber Security Solution, in Grant Thornton's Business Advisory Services Practice
- Certified Internal Auditor (CIA)
- Certified Public Accountant (CPA, IL)
- 20 years practicing internal audit, including 5 years as a CAE for a multi-national public company
- Global engagement partner for multi-national engagements

Introductions: Matt Thompson (Raleigh, NC)
- Senior Manager in Grant Thornton's Business Advisory Services Practice
- Certified Information Systems Auditor (CISA)
- A member of the Triad (NC) IIA Board of Governors
- 15+ years of experience working in the Cyber Security and IT Internal Audit arenas
- A leader of Grant Thornton's Southeast Cyber Security and IT Internal Audit Practices
- A leader of Grant Thornton's National Cyber Security Solution Group
Cloud computing overview: Why the buzz?
- Cloud computing is the future of IT
- A new and flexible model for deploying technology
- Extremely reliable and infinitely scalable
- Cost benefits and ease of ownership
- Allows you to expand or contract as business needs dictate
- Pay for only what you need at any given time

Cloud computing overview: Group discussion
- What are you hoping to learn from today's presentation?
- What is your experience with cloud computing?
- How does your company utilize cloud computing?
- What level of involvement did your Internal Audit group have with your Company's cloud computing implementation?
- Has your company's cloud environment been audited?
Cloud computing overview: Grant Thornton's CAE Survey
- More than 300 CAEs were surveyed; 77% responded that they are at least somewhat familiar with cloud computing
- 69% use cloud computing; many expect cloud computing use to increase (45%) or stay the same (55%) in the next 12 months
- When asked to describe their view of the security, governance, risk and controls implications of moving to a cloud environment, 43% responded "I haven't really given it much thought."
- 64% of respondents do not include cloud computing in their audit plan
Cloud computing overview: Future of cloud computing
"Looking past the current industry hype surrounding all things Cloud, Forrester believes that Cloud computing is a sustainable, long-term IT paradigm, and the successor to previous mainframe, client/server, and network computing eras." - Forrester Research, Inc., The Evolution of Cloud Computing Markets

Cloud computing overview: A full spectrum of definitions - simple
"The cloud is about immediacy, elasticity, and utility economics" - Mark Shuttleworth, Ubuntu & Canonical
"The cloud is water vapor" - Larry Ellison, Oracle

Cloud computing overview: A full spectrum of definitions - more meaty
"Cloud computing is the next stage in the Internet's evolution, providing the means through which everything from computing power to computing infrastructure, applications, business processes to personal collaboration can be delivered to you as a service wherever and whenever you need." - Dummies.com

Cloud computing overview: History
The term "Cloud" originated as a metaphor to depict the public switched telephone system on network diagrams.
Cloud computing overview: Principal characteristics
- Network enabled
- Abstraction of infrastructure
- Resource democratization
- Service-oriented architecture
- Elasticity/dynamism of resources
- Utility model of consumption and allocation
Cloud computing overview: Economic value
The financial benefits of cloud computing and cloud-based services

Cloud computing overview: Three basic flavors of service (cont'd)
#1 Infrastructure
- Data Center
- Processor
- Memory
- Storage
- Virtualized & Dynamic
- Redundant/Hardened

Cloud computing overview: Three basic flavors of service (cont'd)
#2 Platform
- Operating System
- Web Servers
- Database Servers
- Operational Services
- Virtualized Infrastructure

Cloud computing overview: Three basic flavors of service (cont'd)
#3 Application
- Google Apps
- Salesforce
- Mobile Me
- Platform Utility
Cloud computing overview: Types and models
Types of Clouds:
- Public - Shared computer resources provided by an off-site third-party provider
- Private - Dedicated computer resources provided by an off-site third party, or use of cloud technologies on a private internal network
- Hybrid - Consisting of multiple public and private clouds
Models of Cloud:
- Software as a Service (SaaS) - Software applications delivered over the Internet
- Platform as a Service (PaaS) - Full or partial operating system/development environment delivered over the Internet
- Infrastructure as a Service (IaaS) - Computer infrastructure delivered over the Internet

Cloud computing overview: Grant Thornton technology model
The Grant Thornton Technology Model is a tool for IT Internal Auditing:
- SaaS relates to the application and data management layers.
- PaaS relates to the operating system layer for servers.
- IaaS relates to the physical and sometimes network layers.
Cloud computing overview: Global Public Cloud Market Size

Cloud computing overview: Forrester's full taxonomy of the cloud market
Cloud computing overview: Service model attributes
- Software as a Service (SaaS): The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS): The consumer has control over the deployed applications and possibly application hosting environment configurations.
- Infrastructure as a Service (IaaS): The consumer has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).

Cloud computing overview: SaaS example vendors

Cloud computing overview: Potential benefits
- Interoperability Across Platform Owners
  - User to Application or Hardware Resource
  - Application to Application
  - Hardware Resource to Hardware Resource
- Cost Effective and Higher Utilization of Resources
  - Dynamic Allocation As Needed
  - Dynamically De-Provision when Not Needed
- Speed to Market
  - Enable Faster Delivery of Applications & Upgrades
  - Enable Pay by the Drink, Self-Service Models

Cloud computing overview: New clouds are rolling in daily. Are you ready?
Risks and audit strategies: System failure at Amazon.com
"A widespread failure in Amazon.com's Web services business affected many Internet sites, highlighting the risks involved when companies rely on so-called cloud computing. The problems affected sites including Quora.com, Reddit.com, GroupMe.com and Scvngr.com, which all posted messages to their visitors about the issue. Most of the sites have been inaccessible for hours, and others were only partly operational ..." - NYTimes.com, April 21, 2011

Risks and audit strategies: Security breach at Epsilon
"A data breach at one of the world's largest providers of marketing email services may have enabled unauthorized people to access the names and email addresses for customers of major financial-services, retailing and other companies." - WSJ.com, April 4, 2011
Risks and audit strategies: Potential risks
- What are the physical components of the Clouds?
  - Data Centers - self-hosted, third-party, both, etc.?
  - Network circuits and firewalls - who's managing, who's watching, etc.?
  - Disaster preparedness and recoverability - is there a plan, is it tested, etc.?
  - Who is aware of and managing vendor SLAs, and are they adequate?
- Where's the data and how is it protected?
  - In-flight, standing still/at-rest, etc.?
  - Archives and back-up?
  - Unintended uses?
  - Data privacy and compliance?
- What is the tone at the top?
  - Stakeholder knowledge of attributes and risks
  - Have internal controls evolved effectively?
  - Who is monitoring internal use of public cloud services?
Risks and audit strategies: Service organization considerations
When outsourcing parts of their business (including cloud computing), companies are still responsible for the data, processing and/or services provided by the outsourcing company (service organization). As a result, many companies (and their auditors) desire or require their service organizations to obtain an independent assessment of their security, availability, processing integrity, confidentiality and privacy practices.

Risks and audit strategies: Service organization considerations
SSAE No. 16, Reporting on Controls at a Service Organization, superseded SAS 70 on June 15, 2011. There are several reporting options for service auditors examining controls at service organizations:
- Financial reporting risks: SOC 1 (SSAE 16)
- Nonfinancial reporting risks: SOC 2 (with testing details) and SOC 3 ("Pass" with a seal display)

Risks and audit strategies: Six additional risk areas
1. Security
2. Multi-tenancy
3. Data location
4. Reliability
5. Sustainability
6. Scalability
Risks and audit strategies: 1. Security - risks
- The cloud provider's security policies are not as strong as the Company's data security requirements
- Cloud systems which store Company data are not updated or patched when necessary
- Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
- The physical location of Company data is not properly secured

Risks and audit strategies: 1. Security - audit strategy
- Determine if the cloud provider meets or exceeds the Company's security requirements
- Determine if the cloud provider's security posture is based on a security standard (e.g., ISO 27001, Cloud Security Alliance, PCI DSS)
- Determine if the cloud provider has a security assessment performed
- Determine if the cloud provider's Service Organization Report (e.g., SSAE 16, SOC Reports) addresses specific security controls
Risks and audit strategies: 2. Multi-tenancy - risks
- Company data is not appropriately segregated on shared hardware, resulting in Company data being inappropriately accessed by third parties
- The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
- The cloud service provider cannot determine the specific location of the Company's data on its systems
- Company data resides on shared server space, which might conflict with regulatory compliance requirements for the Company

Risks and audit strategies: 2. Multi-tenancy - audit strategy
- Inquire of the cloud service provider the method used to secure the Company's data from being accessed by other customers/third parties
- Review the cloud service provider's SLA to determine if the SLA addresses security of the Company's data
- Review independent audit report(s) related to the cloud provider's security posture (e.g., security settings, data encryption methods) and/or exercise the Company's right-to-audit clause
- Gain access to the cloud system(s) and perform limited auditing procedures from the Company's location
Risks and audit strategies: 3. Data location - risks
- The Company is not aware of all of the cloud service provider's physical location(s)
- The Company does not know where its data is physically or virtually stored
- The cloud service provider moves Company data to another location without informing the Company
- Company data is stored in international locations and falls under foreign business or national laws/regulations

Risks and audit strategies: 3. Data location - audit strategy
- Inquire of the cloud provider the specific physical and virtual location of the Company's data
- Work with the Company's legal group to fully understand the impact and potential risks of the Company's data residing in a foreign country
- Ensure regulatory compliance is maintained if data resides in multiple locations

Risks and audit strategies: 4. Reliability - risks
- The cloud service provider has quality of service standards which conflict with business requirements
- During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
  - Company employees cannot access the Company's data when needed
  - Customers are unable to use the Company's systems (such as placing an order on the Company's web site) because of performance problems with the cloud provider

Risks and audit strategies: 4. Reliability - audit strategy
- Inquire of the cloud service provider to determine the controls in place to ensure the reliability of the cloud solution
- Obtain an SLA/contract from the cloud service provider which details the specific reliability agreement for the Company. Compare this information to actual performance
- Determine the times that the cloud provider performs system upgrades and/or patches to ensure data availability during peak business hours is not affected
- Review the Company's business continuity plan and determine if the plan addresses interruptions with the cloud systems used by the Company

Risks and audit strategies: 5. Sustainability - risks
- In the event the cloud service provider goes out of business, the Company might not be able to retrieve the Company's data. In addition, another third party might gain access to/control of the Company's data
- The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
- The Company's business continuity plan does not address the cloud's service offering being unavailable
- Company data is compromised as a result of a disaster

Risks and audit strategies: 5. Sustainability - audit strategy
- Inquire of the cloud service provider to determine if they have adequate controls in place to recover and protect the Company's data, even in the event of a disaster
- Review the Company's business continuity plan and determine if the plan addresses interruptions with the cloud solution
- Inquire of the cloud service provider to determine how the Company would gain access to its data in the event the cloud service provider goes out of business
Risks and audit strategies: 6. Scalability - risks
- The cloud service provider's systems cannot scale to meet the Company's anticipated growth, both for a short-term spike and/or to meet a long-term strategy
- If the Company decides to migrate all or part of the Company's system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

Risks and audit strategies: 6. Scalability - audit strategy
- Determine if the cloud provider's system can scale to meet the Company's expected short-term spikes and/or growth over the next five years
- Determine if the Company has a contingency plan in the event the cloud provider's systems cannot scale to meet the Company's needs
- Determine who is the owner of the Company's data
- Determine if the cloud provider would allow the Company to move data back in-house and/or to another provider. Determine the specific procedures and associated costs needed to perform this task
Risks and audit strategies: Case study
- An energy solutions company is a leading provider of energy solutions with annual revenues in excess of $850 million for a payroll size of 400 employees
- Decision made by Senior Management to outsource their payroll system to a SaaS vendor cloud solution to allow for increased efficiency and cost savings
- Internal Audit identified payroll as a high-risk area since this was the Company's first use of a cloud computing solution
- Key payroll data is transmitted on a bi-weekly basis to facilitate payment by the SaaS cloud provider

Risks and audit strategies: Case study (cont'd)
- The Company's Internal Audit department reviewed the cloud provider's Service Organization Report and did not note any exceptions
- Internal Audit also used existing user-ids to perform limited audit procedures and discovered they had access to view and edit another company's payroll information
- The Company discussed the findings with the cloud provider and determined the error occurred after a recent system upgrade
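The multi-tenancy slides ask the auditor to "gain access to the cloud system(s) and perform limited auditing procedures", and the case study shows what such a procedure can turn up: a user id from one customer able to view and edit another customer's payroll. The following is an added example, not code from the presentation or from Grant Thornton or the provider in the case study. It models a shared payroll store in two designs: the defective one, where rows are looked up by employee id alone and the caller's tenant is never checked, and the hardened one, where the tenant bound to the authenticated session is part of every key. The probe function is the kind of limited cross-tenant test an internal auditor would run with their own credentials against sandbox data; it reproduces the case-study finding against the first design and comes back clean against the second. Tenant names, employee ids and pay figures are constructed sample data.

```python
"""Tenant-isolation probe for a shared (multi-tenant) payroll SaaS store.

Added example; not code from the presentation or from Grant Thornton.
Tenant names, employee ids and pay figures are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str  # bound at authentication time, never read from the request


@dataclass(frozen=True)
class PayrollRecord:
    tenant_id: str
    employee_id: str
    gross_pay: float


# Constructed sample data: two hypothetical customers sharing one provider database.
SAMPLE_RECORDS = [
    PayrollRecord("acme", "E1001", 4200.00),
    PayrollRecord("acme", "E1002", 3900.00),
    PayrollRecord("globex", "E2001", 5100.00),
]


class UnscopedPayrollStore:
    """Defective pattern, as in the case study: rows are keyed on employee_id alone,
    so the caller's tenant is never consulted and any valid id is reachable."""

    def __init__(self, records: List[PayrollRecord]) -> None:
        self._rows: Dict[str, PayrollRecord] = {r.employee_id: r for r in records}

    def get(self, session: Session, employee_id: str) -> Optional[PayrollRecord]:
        return self._rows.get(employee_id)  # session is ignored: this is the defect

    def update_gross_pay(self, session: Session, employee_id: str, amount: float) -> bool:
        row = self._rows.get(employee_id)
        if row is None:
            return False
        self._rows[employee_id] = replace(row, gross_pay=amount)
        return True


class TenantScopedPayrollStore:
    """Hardened pattern: the tenant from the authenticated session is part of every
    key, so a foreign row is simply "not found" (no existence leak, no edit path)."""

    def __init__(self, records: List[PayrollRecord]) -> None:
        self._rows: Dict[Tuple[str, str], PayrollRecord] = {
            (r.tenant_id, r.employee_id): r for r in records
        }

    def get(self, session: Session, employee_id: str) -> Optional[PayrollRecord]:
        return self._rows.get((session.tenant_id, employee_id))

    def update_gross_pay(self, session: Session, employee_id: str, amount: float) -> bool:
        key = (session.tenant_id, employee_id)
        row = self._rows.get(key)
        if row is None:
            return False
        self._rows[key] = replace(row, gross_pay=amount)
        return True


def probe_cross_tenant_access(store, session: Session, foreign: PayrollRecord) -> List[str]:
    """Limited audit procedure run from the customer's side with its own user id:
    try to read, then edit, a record known to belong to another tenant.
    Returns findings; an empty list means the store held the tenant boundary.
    Run only against test/sandbox data: the write probe changes a value."""
    if session.tenant_id == foreign.tenant_id:
        raise ValueError("probe target must belong to a different tenant")
    findings: List[str] = []
    seen = store.get(session, foreign.employee_id)
    if seen is not None:
        findings.append(
            f"READ: {session.tenant_id}/{session.user} can view {foreign.tenant_id} "
            f"record {foreign.employee_id} (gross_pay={seen.gross_pay:.2f})"
        )
    # Write probe: nudge the value, then restore it if the edit went through.
    if store.update_gross_pay(session, foreign.employee_id, foreign.gross_pay + 0.01):
        store.update_gross_pay(session, foreign.employee_id, foreign.gross_pay)
        findings.append(
            f"WRITE: {session.tenant_id}/{session.user} can edit {foreign.tenant_id} "
            f"record {foreign.employee_id}"
        )
    return findings


def run_audit() -> Dict[str, List[str]]:
    """Probe both store designs with an 'acme' user against a 'globex' record."""
    auditor = Session("ia-tester", "acme")
    target = SAMPLE_RECORDS[2]  # belongs to globex
    return {
        "unscoped": probe_cross_tenant_access(UnscopedPayrollStore(SAMPLE_RECORDS), auditor, target),
        "scoped": probe_cross_tenant_access(TenantScopedPayrollStore(SAMPLE_RECORDS), auditor, target),
    }


if __name__ == "__main__":
    for design, findings in run_audit().items():
        print(design, "->", findings or ["no cross-tenant access"])
```

The design point the hardened store makes is that tenant scoping belongs in the data-access layer, where it cannot be forgotten by a new endpoint added during an upgrade, rather than being re-implemented by each caller. The probe is also the check worth re-running after every provider release, since a clean Service Organization Report describes controls at a point in time and, as the case study shows, does not guarantee the behaviour of the next version.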
Q&A

Contact info
Warren W. Stippich, Jr., Partner, Business Advisory Services
T: 312.602.8499
E: Warren.Stippich@us.gt.com

Matt Thompson, Senior Manager, Business Advisory Services
T: 919.881.5882
E: Matthew.Thompson@us.gt.com