Cloud Computing – Panel Discussion October 22, 2011
Introductions
• Barnaby Jeans, Sr. Systems Engineer, VMware Canada
• Richard Livesley, BMO
• Malik Datardina, UWCISA
• Chris Andersen, Partner, Grant Thornton
• Skip White, Professor of Accounting & MIS, University of Delaware
Barnaby Jeans, Sr. Systems Engineer, VMware Canada (@bjeans)
Previously: Sr. Technology Advisor & Evangelist – Microsoft; Sr. Sales Engineer – Red Hat; Sr. Sales Consultant – Oracle

What is the Cloud?
50 Years Ago…
“Computing may someday be organized as a public utility.” – John McCarthy, MIT, 1961
What is Cloud Computing?
Providing IT resources as a service (per the NIST definition of cloud computing, v15)
Service Models
• Software as a Service (SaaS) – consume
• Platform as a Service (PaaS) – build
• Infrastructure as a Service (IaaS) – host
Deployment Models
• Public Cloud
• Hybrid Cloud
• Private Cloud
“Virtualization is a modernization catalyst and unlocks cloud computing.” – Gartner
Why the “Cloud” Matters…
• The Cloud Era (virtualization, cloud, SaaS) enables standardized IT metrics, e.g.:
  • Cost to provision per VM
  • Cost per GB of storage
  • Time to provision
  • Cost to provision an email box, …
• “If you can’t measure it, you can’t manage it” – Andy Grove
• The virtual machine becomes a unit that can be compared and shopped for
• Public cloud providers are establishing a “rate card” for IT
• This will lead to better-informed consumption & production of IT
Parting thought… Where are Lines of Business getting the IT resources for their next project?
Data in the Clouds: A Risk Management Approach
Richard Livesley and Malik Datardina
Disclaimer
• The opinions presented by Richard and Malik do not necessarily reflect those of their respective employers
Cloud Computing
Agenda:
• Why cloud?
• Defining the cloud: technology-based vs risk-based approach
• Risk of rogue clouds
• Cloud control: a risk management approach
Why Cloud?
• Agility: faster introduction of desired functionality
• Potential for cost reduction:
  • Moving expenses from CapEx to OpEx
  • Reduced maintenance, especially with SaaS
• More efficient use of computing resources:
  • Public cloud: start-ups don’t need a data center; large companies can send extra workloads to the cloud (e.g. Animoto, FlightCaster, NY Times)
  • Private clouds: easier to maximize pooled resources (e.g. Revlon: server consolidation from 1:7 to 1:34, $70M in cost savings, unaudited)
Challenge of Cloud Compliance
• Not all clouds are equal:
  • Risk profile of concern: high-risk, self-provisioning public clouds (Amazon EC2 versus Amazon VPC)
  • Don’t invest time and effort in technical definitions; focus on risk and leverage existing processes
• Key risks:
  • Geographic dislocation: where’s my data?
    • Data may end up in India, China, etc. if the public cloud provider’s data centers exist in those countries
  • Multi-tenancy & self-provisioning: who is my neighbour?
    • Hackers used Amazon Web Services to hack into Sony PSN
    • Security researchers were able to extract information about co-tenants
    • Potential for malicious co-tenants to hack into your instance
Risk of Rogue Clouds
• Rogue clouds: clouds that enter the business environment without going through all the appropriate control processes
• Direct-to-business marketing
  • SaaS is marketed to the business rather than to IT
  • Similar phenomenon to Business Managed Applications (BMAs)
  • Easier for the business to get up & running with SaaS than to work with central IT
• Consumerization: bring-your-own-cloud
  • Google Docs users want the same functionality at work as at home, e.g. collaborating on a confidential contract
Cloud Control: Risk Mgmt Approach
• Risk identification
  • Inventorying use: register current use, identify what’s acceptable and what is not
  • Working with users is critical
• Risk measurement & assessment
  • Risk needs to be assessed for each information asset, i.e. the specific cloud environment
  • The need for additional controls must be based on the data
Cloud Control: Risk Mgmt Approach
• Risk mitigation and control
  • Leverage existing vendor management processes to identify high-risk cloud environments
  • Emerging best practice: encrypt data and hold the keys
    • Providers are being acquired, e.g. Navajo Systems was bought by Salesforce.com
    • Current practice: use vendor-based encryption, but this is not feasible for all fields in SaaS
  • Training and awareness: users should understand the risks of public cloud
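The “encrypt data and hold the keys” practice above, together with the caveat that it is not feasible for every SaaS field, as an added example that is not part of the panel’s material: a customer-side Go program that encrypts a confidential field with AES-256-GCM under a key the provider never sees, binds the ciphertext to its record ID, and stores a keyed blind index for the one query the provider can still answer (exact equality). The tenant, record layout, passphrase-derived keys and sample contracts are all constructed for the illustration; real keys would come from a customer-controlled HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Tenant holds the keys the customer keeps on its own side; the SaaS only ever
// receives what Protect returns, never these keys.
type Tenant struct {
	encKey   []byte // 32-byte AES-256-GCM key
	indexKey []byte // separate HMAC key for blind indexes
}

// NewTenant derives both keys from a passphrase. Constructed for this example
// only; a real deployment pulls keys from a customer-controlled HSM or KMS.
func NewTenant(passphrase string) *Tenant {
	enc, idx := sha256.Sum256([]byte("enc:"+passphrase)), sha256.Sum256([]byte("idx:"+passphrase))
	return &Tenant{encKey: enc[:], indexKey: idx[:]}
}

// StoredRecord is what lands in the provider's database. ContractRef stays in
// the clear because the SaaS must sort and search on it; the counterparty is
// confidential, so only ciphertext plus a blind index are stored for it.
type StoredRecord struct {
	ID          string
	ContractRef string
	PartyCT     string // hex(nonce || ciphertext || GCM tag)
	PartyIdx    string // keyed hash: equality lookups only, no prefix/range/sort
}

func (t *Tenant) aead() cipher.AEAD { // key is 32 bytes by construction, so no error path
	block, _ := aes.NewCipher(t.encKey)
	g, _ := cipher.NewGCM(block)
	return g
}

// BlindIndex is an HMAC of the normalised value: equal inputs give equal
// indexes, so the provider can answer "party == X" without learning X, but it
// cannot run prefix, range, fuzzy or sorted queries on this column.
func (t *Tenant) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, t.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil)[:16])
}

// Protect runs on the customer side before the record is sent to the SaaS. The
// record ID is bound to the ciphertext as associated data, so the provider
// cannot move a ciphertext onto another record unnoticed.
func (t *Tenant) Protect(id, contractRef, party string) (StoredRecord, error) {
	g := t.aead()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := g.Seal(nonce, nonce, []byte(party), []byte(id)) // nonce || ciphertext || tag
	return StoredRecord{ID: id, ContractRef: contractRef,
		PartyCT: hex.EncodeToString(ct), PartyIdx: t.BlindIndex(party)}, nil
}

// Reveal runs on the customer side after the record is fetched back. Any error
// means a wrong key, a ciphertext moved to another record, or tampering.
func (t *Tenant) Reveal(r StoredRecord) (string, error) {
	g := t.aead()
	data, err := hex.DecodeString(r.PartyCT)
	if err != nil || len(data) < g.NonceSize()+g.Overhead() {
		return "", fmt.Errorf("record %s: malformed ciphertext", r.ID)
	}
	pt, err := g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], []byte(r.ID))
	if err != nil {
		return "", fmt.Errorf("record %s: %w", r.ID, err)
	}
	return string(pt), nil
}

// FindByParty is the only query the provider can serve on the protected column.
func FindByParty(store []StoredRecord, idx string) []StoredRecord {
	var hits []StoredRecord
	for _, r := range store {
		if r.PartyIdx == idx {
			hits = append(hits, r)
		}
	}
	return hits
}

func main() {
	tenant := NewTenant("example-only-passphrase")
	a, _ := tenant.Protect("c-1001", "MSA-2011-07", "Acme Holdings")
	b, _ := tenant.Protect("c-1002", "NDA-2011-09", " acme holdings")
	c, _ := tenant.Protect("c-1003", "SOW-2011-02", "Globex Corp")
	fmt.Printf("provider sees: %+v\n", a) // no counterparty name in the clear
	hits := FindByParty([]StoredRecord{a, b, c}, tenant.BlindIndex("ACME HOLDINGS"))
	fmt.Println("records matching Acme:", len(hits))
	c.PartyCT = a.PartyCT // provider moves c-1001's ciphertext onto c-1003
	_, err := tenant.Reveal(c)
	fmt.Println("moved ciphertext rejected:", err != nil)
}
```

Running it shows the provider’s copy of the record with the counterparty reduced to hex and a 16-byte index, two spellings of the same party resolving to one index, and a ciphertext moved between records being rejected. The slide’s caveat is visible in the types: the SaaS can sort and filter on ContractRef because it stays in the clear, but it can do nothing with PartyCT except store it and nothing with PartyIdx except exact match, so any field the application must search by prefix, range or fuzzy match cannot be protected this way without losing that function.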
Cloud Control: Risk Mgmt Approach
• Monitoring and reporting
  • Traditional controls won’t catch everything: similar to BMAs (business-managed applications)
  • DLP tools: identify traffic moving to unauthorized clouds
  • Cloud vendors: annual risk assessment, and update the registry accordingly
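The DLP monitoring step above, as an added example that is not the panel’s or any vendor’s code: a Go scanner that checks outbound uploads in a web-proxy log against the cloud-use registry built in the risk-identification step, reporting uploads to prohibited clouds at any size and large uploads to clouds nobody has registered yet. The registry entries, internal domain suffix, size threshold and log lines are all constructed for the illustration, and the log layout (timestamp, user, method, host, path, bytes sent) is an assumption rather than any product’s format.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// cloudRegistry is the inventory from the risk-identification step: each known
// cloud service and whether its use was accepted. Constructed for this example.
var cloudRegistry = map[string]string{
	"crm.example-saas.com": "approved",
	"docs.google.com":      "prohibited",
	"drive.google.com":     "prohibited",
	"dropbox.com":          "prohibited",
}

// internalSuffixes are the organisation's own domains (constructed); uploads
// there are not data leaving the company.
var internalSuffixes = []string{".internal.example.com"}

// Unregistered hosts are only reported when the upload is large enough to look
// like a document rather than a web form; prohibited hosts are reported at any size.
const uploadThreshold = 1 << 20 // 1 MiB

// Finding is one suspected transfer of data to a cloud the registry did not
// approve. "unregistered" findings also feed the next registry update.
type Finding struct {
	Time, User, Host, Status string
	Bytes                    int
}

// sampleProxyLog holds constructed lines: timestamp user method host path bytes_sent
const sampleProxyLog = `2011-10-20T09:12:03Z jdoe POST crm.example-saas.com /api/contacts 5120
2011-10-20T09:15:44Z jdoe POST drive.google.com /upload/drive/v2/files 2097152
2011-10-20T09:16:10Z asmith GET docs.google.com /document/d/abc 812
2011-10-20T09:20:31Z asmith PUT files.newstartup-storage.io /buckets/finance/q3.xlsx 1572864
2011-10-20T09:22:05Z bkhan POST mail.internal.example.com /owa/attach 40960
2011-10-20T09:25:18Z bkhan POST www.dropbox.com /upload 4096`

func isInternal(host string) bool {
	for _, s := range internalSuffixes {
		if strings.HasSuffix(host, s) {
			return true
		}
	}
	return false
}

// classify looks the host up exactly, then by its last two labels (enough for
// the sample; a public-suffix list is needed for co.uk-style domains).
func classify(host string) string {
	if s, ok := cloudRegistry[host]; ok {
		return s
	}
	if l := strings.Split(host, "."); len(l) > 2 {
		if s, ok := cloudRegistry[strings.Join(l[len(l)-2:], ".")]; ok {
			return s
		}
	}
	return "unregistered"
}

// ScanProxyLog reports outbound uploads (POST/PUT) to prohibited clouds at any
// size and to unregistered external hosts above uploadThreshold.
func ScanProxyLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 6 {
			continue // malformed line; a real tool would count these
		}
		sent, err := strconv.Atoi(f[5])
		if err != nil || (f[2] != "POST" && f[2] != "PUT") || isInternal(f[3]) {
			continue
		}
		status := classify(f[3])
		if status == "approved" || (status == "unregistered" && sent < uploadThreshold) {
			continue
		}
		findings = append(findings, Finding{Time: f[0], User: f[1], Host: f[3], Status: status, Bytes: sent})
	}
	return findings
}

func main() {
	for _, f := range ScanProxyLog(sampleProxyLog) {
		fmt.Printf("%s %-7s %-28s %-12s %d bytes\n", f.Time, f.User, f.Host, f.Status, f.Bytes)
	}
}
```

On the sample log it reports the 2 MiB upload to drive.google.com and the small upload to www.dropbox.com (both prohibited, matched by exact host and by base domain respectively) and the 1.5 MiB upload to an unregistered storage host; the read from docs.google.com, the upload to the approved CRM and the internal mail attachment are not reported. Over real traffic the unregistered findings are the interesting output for the registry owner: each is a cloud in use that the inventory does not yet know about.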
Closing Thoughts
• Cloud computing is still in motion
• Need to monitor developments within public cloud computing:
  • The “book” on risks is still being written
  • Need to monitor threats and attacks on public clouds to determine which risks need to be identified
  • Need to monitor developments in encryption, e.g. homomorphic encryption
Cloud Panel: Assurance Provider Perspective
Chris Anderson, CA(NZ), CISA, CMC, CISSP, PCI QSA
© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.
Assurance on Outsourcing to the Cloud
• The usual assurance challenges, but more of them!
  • Service providers have their own service providers
  • Service Organisation Controls reports are mostly ICFR (ISAE 3402 / SSAE 16 / CSAE 3416) and do not fully address operational and regulatory risks
  • Carving out sub-service providers forces the customer to assemble its own assurance after iteratively sleuthing who does what
It’s not your swimming pool any more!
SOC 1 is a start, SOC 2 and SOC 3 better!
Plus net new assurance considerations, mostly caused by dynamic characteristics
• Physical
  • Location can change
  • The fishbowl (our traditional data centre)
    • Was first outsourced but stayed put, or moved en masse
    • Then became a cage at a hosting centre
    • Now is a virtual cage, with little visibility for the customer
• Itinerant nature of some use cases, combined with multi-tenancy
  • Access to other customers’ data
  • Collateral nature of security risk increases: your neighbour could be a problem / threat
• Metered service raises questions
  • Completeness of billing (CSP objective)
  • Verification of service delivery and accuracy of billing (customer objective)
Assurance Provider Opportunity
• Work with CSPs to design and implement SOC 2 / SOC 3 assurance reports based on
  • ENISA Cloud Computing Information Assurance Framework or equivalent
  • CloudAudit
  • Shared Assessments Program
  • Common Assurance Maturity Model
• Develop a dynamic assurance product / service relevant and proportional to the nature and extent of use of CSP products / services
• These probably require that audit firms strengthen their technical IT audit capability!
Shared Assessments Program
• November 10, 2009 – Santa Fe, NM – The Shared Assessments Program announced today the launch of Version 5.0 of its tools for evaluating service provider controls for information security, privacy and business continuity. The free tools, whose previous versions are in use around the globe including in the US, Canada, the EU, Australia, India and Brazil, comprise a rigorous toolkit for service provider audits that can be used in popular cloud computing and software-as-a-service (SaaS) environments.
• The Shared Assessments Technical Development Committee has added 22 new procedures to its assessment tool (the “AUP”) with an eye to computing services offered “in the cloud,” that is, on-demand IT services that rely on Internet-based virtualization technologies. Questions relevant to cloud and SaaS environments have been inserted into several sections of the Shared Assessments questionnaire, known as the “SIG,” as well.
• ‘Delta Controls’ list: looks like a comprehensive approach to
  • Efficient and effective assurance (‘audit once, assure many times’)
  • Preventing cherry-picking of control objectives and procedures
The Shared Assessments Program (www.sharedassessments.org) was originally developed by Bank of America Corporation, The Bank of New York Mellon, Citi, JPMorgan Chase & Company, U.S. Bank, and Wells Fargo & Company in collaboration with leading service providers and the Big 4 accounting firms. These founding organizations saw the need for a standardized and objective vendor management assessment methodology that would help outsourcers meet regulatory and risk management requirements while significantly reducing costs for all stakeholders.
Cloud Computing: Research Results
Clinton E. White, Jr., Professor of Accounting & MIS, Lerner College of Business, University of Delaware
Cloud Computing Research
• 4 categories of research:
  • Practitioner-oriented (surveys & whitepapers)
  • Practitioner-oriented (standards & professional guidance)
  • Academic computer science
  • Academic MIS
Cloud Computing Research
• Practitioner-oriented surveys & whitepapers:
  • CIO magazine (www.cio.com), surveys of IT leaders:
    • 2008: Big promise … big security questions (1)
    • 2009: Adoption prospects are hazy (2)
    • 2011: CIOs are putting the cloud first (3)
    • 2011: Cloud is now (4)
Cloud Computing Research
• Practitioner-oriented standards & guidance:
  • CSA (Cloud Security Alliance) (5)
  • ENISA (European Network & Information Security Agency) (6)
  • OWASP (Open Web Application Security Project) (7)
  • ISO (ISO/IEC Distributed Application Platforms & Services) (8)
  • OWF (Open Web Foundation) (9)
  • EuroCloud (10)
  • CICA (11)
  • AICPA (12)
Cloud Computing Research
• Academic computer science:
  • Cloud Computing – Issues, Research and Implementations (13)
  • Open research issues:
    • Economy of scale & economics of image & service construction
    • Temporal & spatial feedback that large-scale workflows present
    • Cloud provenance (ascertaining the source of goods)
    • Data management
    • Process control flows, execution, & performance
    • Dynamics of data flows, file location, & application input & output
    • The structure, form, & evolution of workflows
    • System information, O/S information, compilers, versions, & load libraries
    • Security issues & complexities
    • ROI & total cost of ownership
Cloud Computing Research
• Academic MIS:
  • Cloud Computing – The Business Perspective (14)
  • Open research issues:
    • Economics:
      • Cloud service strategy
      • Cloud computing provider economic value & the entire value chain
    • Strategy:
      • Impact on corporate culture
      • Impact on business partnerships
    • IS policy:
      • Policy consistency across multiple providers & applications
      • Software management for both providers & users
      • Audit policy, security standards, risk assessment, forensics, & evidence gathering
    • Technology adoption & implementation:
      • Design of optimal rules for adoption, moving apps, & private vs public
    • Government policy & regulation:
      • Identification of pertinent issues to be addressed
References
1) McLaughlin, Laurianne, “Cloud Computing Survey: IT Leaders See Big Promise, Have Big Security Questions,” CIO.com, Oct 21, 2008
2) Johnson, Carolyn, “Cloud Computing Survey: Adoption Prospects Are Hazy,” CIO.com, July 31, 2009
3) Brousell, Lauren, “Survey: CIOs Are Putting the Cloud First,” CIO.com, June 14, 2011
4) KPMG, “‘Cloud is Now’; Technology Spending to Leap Next Year,” SmartPros.com, Oct 6, 2011
5) CSA (https://cloudsecurityalliance.org/)
6) ENISA (http://www.enisa.europa.eu/)
7) OWASP (https://www.owasp.org/index.php/Main_Page)
8) ISO (http://www.iso.org/iso/iso_technical_committee.html?commid=601355)
9) OWF (http://www.openwebfoundation.org/)
10) EuroCloud (http://www.eurocloud.org/)
11) CICA (http://www.cica.ca/)
12) AICPA (http://www.aicpa.org/Pages/Default.aspx)
13) Vouk, Mladen A., “Cloud Computing – Issues, Research and Implementations,” Journal of Computing and Information Technology (CIT) 16(4), 2008
14) Marston, Sean, Zhi Li, Subhajyoti Bandyopadhyay, Juheng Zhang, Anand Ghalsasi, “Cloud Computing – The Business Perspective,” Decision Support Systems 51 (2011)
Questions?
• Barnaby Jeans, Sr. Systems Engineer, VMware Canada
• Richard Livesley, BMO
• Malik Datardina, UWCISA
• Chris Andersen, Partner, Grant Thornton
• Skip White, Professor of Accounting & MIS, University of Delaware
The NIST Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf