The document discusses cloud computing and provides an overview of the topic. It defines cloud computing, discusses its evolution and drivers, provides examples of cloud computing models and components, reviews case studies, and outlines both the risks and approaches to mitigate risks of cloud computing. The presentation covers key aspects of cloud computing including definitions, characteristics, examples, deployment models, delivery models, benefits, risks at various levels (implementation, security, operational, regulatory), and
1. Cloud Computing
Jason D. Lannen, CISA
Wednesday, April 28, 2010
ISACA Atlanta
TURNKEY IT SOLUTIONS, LLC Wednesday April 28, 2010
WWW.TURNKEYIT.NET
2. Agenda
• What is Cloud Computing
• Evolution & Drivers
• Recent Case Studies
• Components
• Risks
• Risk Mitigation
• An Audit Perspective
• Q&A
3. What is Cloud Computing
4. Definitions
• “A model for enabling convenient, on-demand
network access to a shared pool of configurable
computing resources (e.g. networks, servers,
storage, applications and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction”
(NIST & Cloud Security Alliance)
• “Performing computing tasks via a network
connection while remaining isolated from the
complex computing hardware and networking
infrastructures that supports it” (ISACA Journal,
Volume 6 2009, Sailesh Gadia)
5. Definitions
• “Taking advantage of services, storage space,
and resources provided somewhere else – on
another computer, through an Internet
connection.” (Tim O’Reilly, Web 2.0)
• “Computing over the internet using a web-browser”
6. Characteristics of Cloud Computing
• On Demand
• Resource Pooling Across Networks
• Rapid Elasticity
• Flexible Pricing Models
7. Cloud Computing Examples
• Everyday User
– E-mail
– Pictures
– Video
– Personal Calendar
– Online Banking / EFT
– Social Media
Where is this information stored?
8. Cloud Computing Diagram
Source: Cloud Computing: An Auditor’s Perspective, ISACA Journal Volume 6, 2009
9. U.S. CIO – Vivek Kundra
Posted by Vivek Kundra on September 15, 2009 at 12:09 PM EDT on the White House Blog (http://www.whitehouse.gov/blog/streaming-at-100-in-the-cloud/):
• “Today, I am excited to announce that we have launched Apps.gov to help
continue the President’s initiative to lower the cost of government
operations while driving innovation within government…Apps.gov is an
online storefront for federal agencies to quickly browse and purchase
cloud-based IT services, for productivity, collaboration, and efficiency.”
• “Cloud computing is the next generation of IT in which data and
applications will be housed centrally and accessible anywhere and
anytime by a various devices (this is opposed to the current model where
applications and most data is housed on individual devices). By
consolidating available services, Apps.gov is a one-stop source for cloud
services – an innovation that not only can change how IT operates, but
also save taxpayer dollars in the process.”
10. Evolution to Cloud Computing
11. Evolution to Cloud Computing
Late 1960s
• Idea centralized computing
• Implementation of mainframes
1980s
• Client Server architecture was invented
1990s
• Internet gained widespread popularity and acceptance
• Virtualization of desktops and servers
• Grid Computing
• Utility Computing
12. Evolution to Cloud Computing
1999
• Salesforce.com (SaaS)
2002
• Amazon Web Service (IaaS)
2004
• Web 2.0 Conference
2006
• Amazon launched its Elastic Compute cloud (EC2/S3)
2009
• Google, Microsoft offering browser-based enterprise applications
13. Drivers to Cloud Computing
14. Drivers to Cloud Computing
Marketplace
Technology
People
Cloud
Computing
15. Drivers to Cloud Computing
Technology:
• Encryption
• Virtualization (Multi-tenancy)
– Centralization of infrastructure
in locations with lower costs
(such as real estate, electricity,
etc.)
– Peak-load capacity increases
(users need not engineer for
highest possible load-levels)
– Utilization and efficiency
improvements for systems that
are often only 10–20% utilized.
• Affordable high-speed
bandwidth
Source: VMWare website
16. Drivers to Cloud Computing
Marketplace:
• Changes in World
Markets
• Global Competition
• Increased cost of
computing & resources
• Current economic
conditions
– Operational Costs
– Shareholder Pressures
17. Drivers to Cloud Computing
People:
• We have embraced
technology
• Trust internet
• Need IT to survive in
our lives
18. IT Computing Demands
• IT computing, processing and storing demands
are ever-increasing.
• Without the ‘Cloud’ and the emergence of
technology to support computing, there would
be exponential increases in:
– Number of servers
– Number of support staff to manage them
– Energy Consumption / Greenhouse Gas Emission
– Costs of using IT for business and consumers
19. Dilbert says…
20. Cloud Computing Case Studies
21. Cloud Computing Case Studies
• Blue Coat - December 2009:
• 20-25% stated they had a cloud computing application
• 25-30% stated their organization has started to
implement private cloud computing.
• Companies with fewer than 99 employees were more
likely to use public cloud computing services than
implement a private cloud computing solution.
• Companies with greater than 10,000 employees are
more likely to have implemented private cloud
computing than they are to be using public cloud
computing services.
22. Cloud Computing Case Studies
• Blue Coat (Continued):
• 33% of respondents indicated their organization would
either make an initial or additional use of public and or
private cloud computing in the next year.
• 25% of respondents indicated that their organization
sees value in cloud computing but the risks outweigh
the benefits.
• Less than 8% indicated that their organization did not
see any significant value in cloud computing.
23. Cloud Computing Case Studies
2010 ISACA Survey Risk / Reward Barometer
(Published 4/7/10):
• Only 10 percent of respondents’ organizations plan to use
cloud computing for mission-critical IT services
• 26 percent do not plan to use it for any IT services.
• Close to half of US IT professionals say that the risks of cloud
computing outweigh the benefits
24. Benefits of Cloud Computing
Focus is the end-user:
Users don’t need to have knowledge to manage and support it
Users don’t own the infrastructure
Users don’t need storage space
Data is always backed up and is always available, anywhere you
need it
Capacity and processing can change as demand changes
Less up front capital is required to develop and deploy (Time & $)
Lower total cost of ownership (TCO) and higher return on
investment (ROI)
Cost transparency
Key is understanding and managing Cloud Computing risks!
25. Components of Cloud Computing
26. Deployment Models
Source: ISACA eSymposium, “Service Management – a linchpin to effective cloud computing” by Bruce E. Ott, IBM Cloud Marketing
27. Delivery Models
• Software as a service (SaaS)
– Google Apps, Gmail
– Salesforce.com
• Platform as a service (PaaS)
– Google AppEngine
– Force.com
• Infrastructure as a service (IaaS)
– Amazon EC2
– Data Centers
28. Infrastructure as a Service
29. Infrastructure as a Service
30. Infrastructure as a Service
31. Infrastructure as a Service
• Data centers
– Ping (aka Remote Access)
– Pipe (aka Bandwidth)
– Power
• Data Centers provide:
– Managed Services
– Co-location
– Point to Point Connections
32. Risks of Cloud Computing
33. Implementation Risk
[Chart: Risk (Lower to Higher) versus Company Size and IT Complexity (Small to Large)]
34. Security Risk
• Authentication
• Administration
• Data Loss & Privacy
• Access Control
• Data Ownership
35. Operational Risk
• System Interfaces
• Backup & Recovery
• System Integration
• Business Continuity
• System Availability
36. Operational Risk
37. Operational Risk
38. Regulatory Risk
• Sarbanes Oxley
• GLBA
• SAS 70
• ISO
• PCI
• HIPAA
39. Risk Mitigation
40. Risk Mitigation
• Governance
• Policies & Procedures
• Implementation of Controls
41. Risk Mitigation
Layers, with their Inputs and Outputs:
• Governance
– Inputs: Determine governance framework; Business needs user requirements; Involve all relevant business units (i.e. finance, marketing, legal, sales, etc).; Develop IT strategy
– Outputs: Cloud vendor; Cloud application; Cloud platform; Cloud infrastructure
• Policies & Procedures
– Inputs: Work with management and staff to document; Setup periodic review of policies & training seminars
– Outputs: Implementation of policies & user awareness
• Implementation of Controls
– Inputs: Via Internal Audit, Legal, consultants, etc
– Outputs: Sustainable control environment to mitigate Cloud risks
43. Auditing - Take a TurnKey approach…
44. Audit Key Considerations
• Understand your client
– How do they make money?
– What is their current financial state?
– What are their business goals (short and long term)?
– How does IT fit in with their business strategy?
• Understand their IT systems
– What are the significant applications & underlying
infrastructure? Where are they located?
– How is IT access administration currently managed?
– How is data managed?
– Are there plans to move processes to the Cloud? If so, who is
the project champion(s) and what processes and data?
45. Audit Key Considerations
• Understand their control environment
– Business Process Controls
– IT General Controls
– Prior Year Deficiencies
– Areas of Risk
• Understand changes in roles at your client
resulting from Cloud Computing
– CIO
– CISO
– Tactical management & staff
46. Audit Key Considerations
Cloud Control Considerations
• How did the client choose the Cloud vendor?
• What controls will be managed by the Cloud
vendor?
• What controls will continue to be managed by
the client?
• What risk mitigation strategy has the client
put in place in the event the Cloud provider
does not come through on its promises?
47. Q&A
48. Contact Information
Jason Lannen, CISA
Phone: 770.402.9102
Email: Jason.Lannen@turnkeyit.net
Website: http://www.turnkeyit.net
49. Resources Identified
– Gerard, Scott, “Maximize your Web 2.0 efforts with Cloud Computing,” IBM Cloud Computing, April 2 2009
– Clyde, Rob., “5 Questions with Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 2 2010, pp. 1-4
– Gadia, Sailesh, “Cloud Computing: An Auditors Perspective,” ISACA JOURNAL, published 2009; Vol. 6 2009, pp. 1-5
– Hardy, Gary, “Cloud Computing: Improving the Business Management and Governance of Services,” ISACA e-Symposium
– Raval, Vasant, “Risk Landscape of Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 1 2010, pp. 1-5
– Otte, Bruce E., “Service Management – a Linchpin to Effective Cloud Computing,” ISACA e-Symposium
– Wikipedia, “Cloud Computing,” http://en.wikipedia.org/wiki/Cloud_computing [retrieved April 27, 2010].
50. Resources Identified
– Mulholland, Andy, “Why are Clouds so Hard to Understand?”, Cap Gemini [online], Feb. 1, 2010, http://www.capgemini.com/cgi-bin/blog/mt-tb.cgi/1233 [retrieved 13 April 2010].
– Antonick, Jasmine, “A Brief History of… Cloud Computing”, Under the Radar [online], March 30, 2010, http://www.undertheradarblog.com/blog/a-brief-history-of-cloud-computing/ [retrieved 13 April 2010].
– Mohamed, Arif, “A History of Cloud Computing”, ComputerWeekly.com [online], March 27, 2009, http://utilitycomputing.com/links/AHistoryOfCloudComputing20090327.asp [retrieved 13 April 2010].
– Claburn, Thomas, “FTC Examining Cloud Computing”, Information Week [online], Jan. 5, 2010, http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=22 [retrieved 7 January 2010].
51. Resources Identified
– Metzler, Dr. Jim, "Cloud Computing: A Reality check & Guide to Risk Mitigation", Webtorials [online], December 2009, www.bluecoat.com/doc/direct/12771 [retrieved 20 April 2009].
– Almond, Carl, "A Practical Guide to Cloud Computing Security: What you need to know now about your business and cloud security", Avanade [online], Aug. 27, 2009, http://www.avanade.com/_uploaded/pdf/practicalguidetocloudcomputingsecurity681482.pdf [retrieved 20 April 2009].
– Stokes, Jon, “The Cloud: A Short Introduction,” ars technica [online], Nov. 8, 2009, http://arstechnica.com/business/news/2009/11/the-cloud-a-short-introduction.ars/2 [retrieved 13 April 2010].
– McCroy, Dave, “Is Cloud Computing Really New? (The History Behind the Cloud)”, The Collective [online], Jan. 20, 2010, http://community.hyper9.com/blogs/streettalk/archive/2010/01/20/is-cloud-computing-really-new-the-history-behind-the-cloud.aspx [retrieved 13 April 2010].
– Chiu, Willy, “From Cloud Computing to the New Enterprise Data Center”, IBM [online], May 28, 2008, www.ibm.com/developerworks/websphere/zones/hipods/ [retrieved 7 January 2010].
– Karpinski, Rich, “Study: IT shops have cash in hand for cloud computing”, Telephony Online [online], Aug. 5, 2009, http://telephonyonline.com/business_services/news/it-study-cloud-computing-0825/ [retrieved 3 Sept 2009].