Cloud computing jason lannen_4-28-10

Cloud Computing

Jason D. Lannen, CISA
Wednesday, April 28, 2010
ISACA Atlanta

TUR N K EY I T S OLUTI ON S , LLC Wednesday April 28, 2010
W W W .TUR N K EYI T.N ET

Agenda
• What is Cloud Computing
• Evolution & Drivers
• Recent Case Studies
• Components
• Risks
• Risk Mitigation
• An Audit Perspective
• Q&A
TUR N K EY I T S OLUTI ON S , LLC Wednesday April 28, 2010 2

What is Cloud Computing


Definitions
• “A model for enabling convenient, on-demand
network access to a shared pool of configurable
computing resources (e.g. networks, servers,
storage, applications and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction”
(NIST & Cloud Security Alliance)

• “Performing computing tasks via a network
connection while remaining isolated from the
complex computing hardware and networking
infrastructures that supports it” (ISACA Journal,
Volume 6 2009, Sailesh Gadia)

Definitions
• “Taking advantage of services, storage space,
and resources provided somewhere else – on
another computer, through an Internet
connection.” (Tim O’Reilly, Web 2.0)

• “Computing over the internet using a web-
browser”


Characteristics of Cloud Computing

On Demand Resource
Pooling

Across
Networks

Rapid Elasticity Flexible Pricing
Models


Cloud Computing Examples
• Everyday User
– E-mail
– Pictures
– Video
– Personal Calendar
– Online Banking / EFT
– Social Media

Where is this information stored?


Cloud Computing Diagram

Source: Cloud Computing: An Auditor’s Perspective, ISACA Journal Volume 6, 2009

U.S. CIO – Vivek Kundra
Posted by Vivek Kundra on September 15, 2009 at 12:09 PM EDT on the
White House Blog (http://www.whitehouse.gov/blog/streaming-at-100-in-
the-cloud/):

• “Today, I am excited to announce that we have launched Apps.gov to help
continue the President’s initiative to lower the cost of government
operations while driving innovation within government…Apps.gov is an
online storefront for federal agencies to quickly browse and purchase
cloud-based IT services, for productivity, collaboration, and efficiency.”

• “Cloud computing is the next generation of IT in which data and
applications will be housed centrally and accessible anywhere and
anytime by a various devices (this is opposed to the current model where
applications and most data is housed on individual devices). By
consolidating available services, Apps.gov is a one-stop source for cloud
services – an innovation that not only can change how IT operates, but
also save taxpayer dollars in the process.”


Evolution to Cloud Computing



1990s
• Internet gained
widespread
1980s popularity and
• Client Server acceptance
architecture was
invented • Virtualization of
desktops and
Late 1960s servers
• Idea centralized
computing • Grid Computing

• Implementation • Utility
of mainframes Computing


1999 2002 2004
• Salesforce.com • Amazon Web • Web 2.0
(SaaS) Service (IaaS) Conference

2006 2009
• Amazon • Google,
launched its Microsoft
Elastic Compute offering
cloud (EC2/S3) browser-based
enterprise
applications


Drivers to Cloud Computing



Marketplace
Technology

People

Cloud
Computing


Technology:
• Encryption
• Virtualization (Multi-tenancy)
– Centralization of infrastructure
in locations with lower costs
(such as real estate, electricity,
etc.)
– Peak-load capacity increases
(users need not engineer for
highest possible load-levels)
– Utilization and efficiency
improvements for systems that
are often only 10–20% utilized.

• Affordable high-speed
bandwidth
Source: VMWare website


Marketplace:
• Changes in World
Markets

• Global Competition

• Increased cost of
computing & resources

• Current economic
conditions
– Operational Costs
– Shareholder Pressures


People:
• We have embraced
technology

• Trust internet

• Need IT to survive in
our lives


IT Computing Demands
• IT computing, processing and storing demands
are ever-increasing.

• Without the ‘Cloud’ and the emergence of
technology to support computing, there would
be exponential increases in:
– Number of servers
– Number of support staff to manage them
– Energy Consumption / Greenhouse Gas Emission
– Costs of using IT for business and consumers

Dilbert says…


Cloud Computing Case Studies


• Blue Coat - December 2009:
• 20-25% stated they had a cloud computing application
• 25-30% stated their organization has started to
implement private cloud computing.
• Companies with fewer than 99 employees were more
likely to use public cloud computing services than
implement a private cloud computing solution.
• Companies with greater than 10,000 employees are
more likely to have implemented private cloud
computing than they are to be using public cloud
computing services.


• Blue Coat (Continued):
• 33% of respondents indicated their organization would
either make an initial or additional use of public and or
private cloud computing in the next year.
• 25% of respondents indicated that their organization
sees value in cloud computing but the risks outweigh
the benefits.
• Less than 8% indicated that their organization did not
see any significant value in cloud computing.


2010 ISACA Survey Risk / Reward Barometer
(Published 4/7/10):
• Only 10 percent of respondents’ organizations plan to use
cloud computing for mission-critical IT services

• 26 percent do not plan to use it for any IT services.

• Close to half of US IT professionals say that the risks of cloud
computing outweigh the benefits


Benefits of Cloud Computing
Focus is the end-user:
 Users don’t need to have knowledge to manage and support it
 Users don’t own the infrastructure
 Users don’t need storage space
 Data is always backed up and is always available, anywhere you
need it
 Capacity and processing can change as demand changes
 Less up front capital is required to develop and deploy (Time & $)
 Lower total cost of ownership (TCO) and higher return on
investment (ROI)
 Cost transparency

Key is understanding and managing Cloud Computing risks!


Components of Cloud Computing


Deployment Models

Source: ISACA eSymposium, “Service Management – a linchpin to effective cloud computing” by Bruce E. Ott, IBM Cloud Marketing


Delivery Models
Google Apps,

Gmail
Software as a
service (SaaS) Salesforce.com

Google
Platform as a service AppEngine

(PaaS) Force.com

Amazon EC2
Infrastructure as a service (IaaS)
Data Centers


Infrastructure as a Service


• Data centers
– Ping (aka Remote Access)
– Pipe (aka Bandwidth)
– Power

• Data Centers provide:
– Managed Services
– Co-location
– Point to Point Connections

Risks of Cloud Computing


Implementation Risk

Higher
Risk

Lower

Small Company Size and IT Complexity Large


Security Risk
Authentication

Data Loss &
Administration
Privacy

Data
Access Control
Ownership


Operational Risk
System
Interfaces

Backup & System
Recovery Integration

Business System
Continuity Availability

Operational Risk


Regulatory Risk
Sarbanes
Oxley

GLBA SAS 70

ISO PCI

HIPPA

Risk Mitigation


Risk Mitigation

Governance

Policies &
Procedures
Implementation of
Controls

Risk Mitigation
Layers Inputs Outputs
Governance Determine governance Cloud vendor
framework Cloud application
Business needs user Cloud platform
requirements Cloud infrastructure
Involve all relevant business
units (i.e. finance, marketing,
legal, sales, etc).
Develop IT strategy

Policies & Procedures Work with management and Implementation of policies &
staff to document user awareness
Setup periodic review of
policies & training seminars
Implementation of Controls Via Internal Audit, Legal, Sustainable control
consultants, etc environment to mitigate Cloud
risks

Audit Key Considerations


Auditing - Take a TurnKey approach…


• Understand your client
– How do they make money?
– What is their current financial state?
– What are their business goals (short and long term)?
– How does IT fit in with their business strategy?

• Understand their IT systems
– What are the significant applications & underlying
infrastructure? Where are they located?
– How is IT access administration currently managed?
– How is data managed?
– Are there plans to move processes to the Cloud? If so, who is
the project champion(s) and what processes and data?


• Understand their control environment
– Business Process Controls
– IT General Controls
– Prior Year Deficiencies
– Areas of Risk

• Understand changes in roles at your client
resulting from Cloud Computing
– CIO
– CISO
– Tactical management & staff

Cloud Control Considerations
• How did the client choose the Cloud vendor?
• What controls will be managed by the Cloud
vendor?
• What controls will continue to be managed by
the client?
• What risk mitigation strategy has the client
put in place in the event the Cloud provider
does not come through on its promises?

Q&A


Contact Information

Jason Lannen, CISA
Phone: 770.402.9102
Email: Jason.Lannen@turnkeyit.net
Website: http://www.turnkeyit.net


Resources Identified
– Gerard, Scott, “Maximize your Web 2.0 efforts with Cloud Computing,”
IBM Cloud Computing, April 2 2009
– Clyde, Rob., “5 Questions with Cloud Computing,” ISACA JOURNAL,
published 2010; Vol. 2 2010, pp. 1-4
– Gadia, Sailesh, “Cloud Computing: An Auditors Perspective,” ISACA
JOURNAL, published 2009; Vol. 6 2009, pp. 1-5
– Hardy, Gary, “Cloud Computing: Improving the Business Management and
Governance of Services,” ISACA e-Symposium
– Raval, Vasant, “Risk Landscape of Cloud Computing,” ISACA JOURNAL,
published 2010; Vol. 1 2010, pp. 1-5
– Otte, Bruce E., “Service Management – a Linchpin to Effective Cloud
Computing,” ISACA e-Symposium
– Wikipedia, “Cloud Computing,”
http://en.wikipedia.org/wiki/Cloud_computing [retrieved April 27, 2010].



– Mulholland, Andy , “Why are Clouds so Hard to Understand?”, Cap
Gemini [online], Feb. 1, 2010, http://www.capgemini.com/cgi-
bin/blog/mt-tb.cgi/1233 [retrieved 13 April 2010].
– Antonick, Jasmine , “A Brief History of… Cloud Computing”, Under the
Radar [online], March 30, 2010,
http://www.undertheradarblog.com/blog/a-brief-history-of-cloud-
computing/ [retrieved 13 April 2010].
– Mohamed, Arif , “A History of Cloud Computing”, ComputerWeekly.com
[online], March 27, 2009,
http://utilitycomputing.com/links/AHistoryOfCloudComputing20090327.
asp [retrieved 13 April 2010].
– Claburn, Thomas , “FTC Examining Cloud Computing”, Information Week
[online], Jan. 5, 2010,
http://www.informationweek.com/news/government/policy/showArticle
.jhtml?articleID=22 [retrieved 7 January 2010].


– Metzler, Dr. Jim, "Cloud Computing: A Reality check & Guide to Risk Mitigation",
Webtorials [online], December 2009, www.bluecoat.com/doc/direct/12771 [retrieved
20 April 2009].
– Almond, Carl, "A Practical Guide to Cloud Computing Security: What you need to know
now about your business and cloud security",
Avanade [online], Aug. 27, 2009,
http://www.avanade.com/_uploaded/pdf/practicalguidetocloudcomputingsecurity6814
82.pdf [retrieved 20 April 2009].
– Stokes, Jon, “The Cloud: A Short Introduction,” ars technica [online], Nov. 8, 2009,
http://arstechnica.com/business/news/2009/11/the-cloud-a-short-introduction.ars/2
[retrieved 13 April 2010].
– McCroy, Dave, “Is Cloud Computing Really New? (The History Behind the Cloud)”, The
Collective [online], Jan. 20, 2010,
http://community.hyper9.com/blogs/streettalk/archive/2010/01/20/is-cloud-
computing-really-new-the-history-behind-the-cloud.aspx [retrieved 13 April 2010].
– Chiu, Willy, “From Cloud Computing to the New Enterprise Data Center”, IBM [online],
May 28, 2008, www.ibm.com/developerworks/websphere/zones/hipods/ [retrieved 7
January 2010].
– Karpinski, Rich, “Study: IT shops have cash in hand for cloud computing”, Telephony
Online [online], Aug. 5, 2009, http://telephonyonline.com/business_services/news/it-
study-cloud-computing-0825/ [retrieved 3 Sept 2009].


Cloud computing jason lannen_4-28-10

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cloud computing jason lannen_4-28-10

Similar to Cloud computing jason lannen_4-28-10 (20)

More from Ngy Ea

More from Ngy Ea (20)

Cloud computing jason lannen_4-28-10