Cloud computing: The role of Internal Audit
Securities Industry and Financial Markets Association

Agenda
• Introductions
• What is Cloud computing
• Key attributes
• Key drivers
• Cloud security risks, threats, vulnerabilities
• Cloud maturity model
• Role of Internal Audit
• Q&A

Cloud computing
Cloud computing represents a major shift in information technology architecture, sourcing, and services delivery.

Cloud computing has emerged based on the convergence of Internet technologies, virtualization, and IT standardization. Network-based applications and data services, decoupled from enterprise data centers, have evolved into a growing "cloud" of software services and methods of computing.

Industry analysts have defined capabilities and services offered by cloud computing to include three major qualities:
• Abstracted hardware resources
• Consumed as variable expense
• Increased elastic capacity and capability

[Figure: "X-as-a-Service" categories: Software, Integration, Platform, Information, Process, Storage, Security, Infrastructure, Testing, Management/Governance, Database; labelled "$15B–2012"]

Cloud computing architectures
Cloud computing technology is deployed in three general types, based on the level of internal or external ownership and technical architectures.

Vendor cloud (External)
Cloud computing services from vendors that can be accessed across the Internet or a private network, using systems in one or more data centers, shared among multiple customers, with varying degrees of data privacy control. Sometimes called "public" cloud computing.

Private cloud (Internal)
Computing architectures modeled after vendor clouds, yet built, managed, and used internally by an enterprise; uses a shared services model with variable usage of a common pool of virtualized computing resources. Data is controlled within the enterprise.
Hybrid cloud (Mixed)
A mix of vendor cloud services, internal cloud computing architectures, and classic IT infrastructure, forming a hybrid model that uses the best-of-breed technologies to meet specific needs.

Cloud computing architecture advantages and constraints
The optimal cloud computing architecture depends on specific business needs, which can be met by different services capabilities, technology, and vendors.

Vendor cloud (external)
• Quick startup time; limited to no capital investment required
• Allows outsourcing of noncore functions to a service provider; yet enterprises may not be ready to turn over control of technical architecture
• Leverage scalable vendor infrastructure
• Use a standardized software stack
• Lower initial fees, variable costs, billed by usage; however, beware of vendor lock-in

Private cloud (internal)
• Quick startup and flexibility of resource allocation; requires capital investment
• On-premise data and systems; allows direct support of governance and compliance, security, data privacy, etc.; limited opportunities for reduction of staffing
• Good choice when possible to leverage existing staff and investments; allows control of service levels and operational reporting
• Cost savings through leveraging virtualization and grid technology to increase resource utilization and lower internal costs

Hybrid cloud (mixed)
• Quick startup, but integration of vendor and private cloud adds complexity
• Allows for better control of data and reduction of noncore focus that meets your requirements
• Allows selection of scalable vendor infrastructure when needed; can allow internal control when required
• Allows fine-grained sourcing of technology and cost profiles; integration may constrain savings potential

Cloud computing services – X as a Service
Different types of cloud computing services are grouped into specific categories: Infrastructure, Platform and Software services.

Infrastructure as a Service (IaaS)
Definition
• Delivers computer infrastructure, typically a platform virtualization environment, as a service. Service is typically billed on a utility computing basis and the amount of resources consumed.
Customization
• Customization where the technology being deployed requires minimal configuration
Operational Notes
• Easier to migrate applications
• User of the cloud maintains a large portion of the technical staff (Developer, System Administrator, and DBA)

Platform as a Service (PaaS)
Definition
• Delivers a computing platform as a service. It facilitates deployment of applications while limiting or reducing the cost and complexity of buying and managing the underlying hardware and software layers.
Customization
• Moderate customization – build applications within the constraints of the platform
Operational Notes
• Applications may need to be rewritten to meet the specifications of the vendor
• User of the cloud maintains a development staff

Software as a Service (SaaS)
Definition
• Delivers software as a service over the Internet, avoiding the need to install and run the application on the customer's own computers and simplifying maintenance and support.
Customization
• Limited customization – existing applications will not be able to migrate
Operational Notes
• Applications may need to be rewritten to meet the specifications of the vendor
• User utilizes the vendor's IT staff and has limited to no technical staff

Sample services within the 3 categories of cloud computing
There is an evolving "ecosystem" of services providers.

Infrastructure-as-a-Service:
• Amazon Web Services – Provides on-demand cloud computing services using a variable cost model
• Amazon Virtual Private Cloud – Provides a fully private cloud services model using the Amazon cloud infrastructure
• Mozy.com – Provides backup services over the Internet

Platform-as-a-Service:
• Google Applications Engine – Allows Web applications to be deployed on Google's architecture
• Microsoft Windows Azure – Cloud Computing architecture that is offered to host .NET applications

Software-as-a-Service:
• Customer Relationship Management
  – salesforce.com
  – myERP.com
  – Oracle OnDemand
  – RightNow
• Business Intelligence
  – SAS Suite of On-Demand Applications
  – Vitria M3O
• Human Resources
  – Oracle Peoplesoft
  – NetSuite ePayroll
  – Workday
• Productivity and Collaboration
  – Gmail, Google Apps
  – Zoho.com

Key attributes of Cloud computing
Offsite – IT resources are accessed from an offsite data center that is not owned by you, thus reducing cost of ownership, licenses, etc.
Virtual – Software stacks of databases, web servers, operating systems, storage, and networking are assembled virtually and accessed via the web.
On-demand – Use as needed; resources can be turned on or off quickly and as needed, including storage capacity, databases, web servers and operating systems.
Pay-per-use – Pay for what you need, not for unneeded capacity.
Simple – Resources can be configured quickly and easily, e.g. leading Cloud Computing platforms have open APIs.
Massive scale – Access to extremely large infrastructure that would be challenging to build as a single entity.
Storage capacity – The use of Cloud Computing for storage capacity can be ideal, especially for spikes in usage. Because the use of the cloud entails low or no upfront capital cost and low ongoing operational costs, the ability to take advantage of pools of resources on demand in real time can yield business advantage.
Elasticity and resizability – Ability to be highly flexible, nearly instantaneously, to changes in load. With Cloud Computing, an infrastructure supporting an application, business, or business process can be easily resized and rightsized, depending upon conditions.
Collaboration – Shared environment; IT resources can be consolidated and many users share a common network, allowing costs to be managed.

Cloud computing – key drivers
Globalization & Data Access
• Computing delivered as a borderless utility
• Accessibility from anywhere via Internet
• Sharing made easier between disparate offices, remote workers and suppliers
Cost Pressures
• Pay for what you use
• Repair & maintenance savings
• Software and license purchase savings
• Physical space savings
Green IT
• Cloud computing virtualization technology can migrate to where computing power is cheapest or energy is the greenest
• Reduces companies' consumption of energy and the need for multiple data centers
Global Talent Shortage
• Less in-house IT staff required
• Highly automated; easy/fast to deploy
• Increase in outsourcing to find talent in other countries
Availability
• 24x7 availability of applications & services from anywhere
• Resilience achieved through ultra-redundant architecture
• Scalable services and applications

Cloud computing – incentives to adopt
Cloud computing is being driven by many urgent IT priorities:

Reduce amounts of IT capital equipment spending
• Lower implementation costs compared to on-premise solutions
• Less hardware to purchase and support; fewer assets on the balance sheet
• Fewer IT resources required in-house
• Costs are treated as operating expenses, not capital expenses

Gain flexibility and speed in implementations
• Allows greater flexibility and shorter time to implementation
• Shift IT from supporting the infrastructure to innovating
• Software maintenance and upgrades may be handled by cloud providers
• Greater ability to flexibly respond to the business as needs change

Leverage IT technology evolution
• Rapidly changing technology standards and practices are driving enterprises to consider cloud computing as a viable alternative

Top cloud considerations & risks
Considerations around moving IT components into the cloud:
• What corporate security policies are in place?
• What type of configuration management is used to protect against accidental changes that could negatively affect security?
• How is data backed up?
• How will availability objectives, recovery time objectives, and recovery point objectives be met?
• How will disaster recovery testing occur, and will clients have access to truthful results?
• Who will have access to the data?
• Where will the data be housed?
• Will you have accessibility to the data for audits, etc.?

Concerns by stakeholder:
• Consumer users – Privacy, data usage
• Enterprise users – Encryption, data integrity
• Service providers – Cross-border issues, regulations

Security tops cloud concerns
How concerned are you with the following issues as they relate to cloud computing? (score on a 0–5 scale)
• Security – 4.3
• Control – 3.8
• Performance – 3.8
• Support – 3.7
• Vendor lock-in – 3.7
• Speed to activate new services/expand capacity – 3.3
• Configurability – 3.3
Data: InformationWeek Analytics Cloud Computing Survey of 453 business technology professionals

A recent survey was conducted of 244 IT executives/CIOs about their companies' use of, and views about, IT Cloud Services. The biggest cloud challenge reported was security.

Risks and controls
[Figure: layered cloud stack with numbered control areas. Layers from top to bottom: end users (laptops, cell phones, etc.); data storage; Software as a Service applications; Platform as a Service programming environment and applications; Infrastructure as a Service virtual computers (operating system plus applications); virtualization; supporting infrastructure (physical hardware, network devices). Governance (business processes, IT operational processes, information security) spans all layers.]
Control areas:
1. SaaS controls
2. PaaS controls
3. IaaS controls
4. Virtualization controls
5. Data management and storage controls
6. ACLs
7. Communication channels
8. Supporting infrastructure

Risks, Threats, Vulnerabilities (1/6)
Security category: Availability
Service Availability and Recoverability
• Cloud provider may not be able to match in-house IT service availability, recovery time objectives (RTO), and recovery point objectives (RPO)
• Cloud providers may drastically change business model or discontinue cloud services
Complexity
• Complexity introduced by the cloud computing environment results in more pieces that can go wrong, and more complex recovery procedures
Single Points of Failure
• Even if the cloud environment is architecturally designed for high availability, single points of failure may exist in the access path to the cloud
Data Replication
• Due to technical architecture complexity and potential restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult
Testing Constraints
• Due to concerns about confidentiality and impact to other customers, cloud providers may place heavy constraints on disaster recovery testing activities
Over-Subscription Risk
• In the event of a disaster, other customers may receive higher priority in recovery activities
• As cloud providers shift from investment mode (to capture market share) to cost-cutting mode (to reach profitability), capacity may become constrained

Risks, Threats, Vulnerabilities (2/6)
Security category: Access
Multi-Tenancy
• Data is possibly exposed to 3rd parties due to lack of access controls on the cloud, allowing unauthenticated parties access to confidential data
Data Access
• Cloud stores data without proper customer segregation, allowing possible disclosure to 3rd parties
Secure Data Deletion
• Company data that was deleted may still be retained on servers or storage located on the cloud without the company knowing

Risks, Threats, Vulnerabilities (3/6)
Security category: Authentication
External Authentication
• Ownership and maintenance of credential repositories is the responsibility of an external party. Security leading practices cannot be guaranteed.
Federated Authentication
• Organizations implement single sign-on applications used by multiple business partners, but the SSO also grants access to sensitive internal information due to authentication mashups.
Key Management
• Any activity related to key generation, exchange, storage, safeguarding, use, vetting, and replacement that results in disclosure will provide access to infrastructure and data.
Cloud to Cloud Authentication
• One cloud provider will rely on a second cloud provider to authenticate a user's identity based on the first cloud passing a SAML assertion to the second cloud at the request of a user. Based strictly on the assertion, the second cloud provider will grant the user access to cloud resources. SAML assertions are susceptible to the following attacks: DoS, Man-in-the-Middle, Replay, and Session Hijacking.

Risks, Threats, Vulnerabilities (4/6)
Security category: Regulatory
Audit Rights
• Organizational rights to perform audits, and review performance against contracts or SLA.
Compliance
• Migration to the cloud includes a more complex regulatory environment for some corporations.
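The Cloud to Cloud Authentication item above describes the second cloud granting access "based strictly on the assertion". The validator below, added here as an example and not part of the original presentation, shows the checks a relying cloud should run on a SAML 2.0 assertion before it grants access: validity window, audience restriction, and replay detection by assertion ID. The assertion text, its ID and the cloud URLs are constructed placeholders, and signature verification against the issuing cloud's certificate is assumed to have been done before these checks.

```python
"""Relying-party checks for a SAML 2.0 assertion received from another cloud:
validity window, audience restriction, and replay detection by assertion ID."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC; map the trailing 'Z' for fromisoformat
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class AssertionValidator:
    """Checks the Conditions element and remembers assertion IDs until they expire.
    Signature verification against the issuing cloud's certificate is assumed done by the caller."""

    def __init__(self, expected_audience, clock_skew=timedelta(seconds=60)):
        self.expected_audience = expected_audience
        self.clock_skew = clock_skew
        self.seen = {}  # assertion ID -> NotOnOrAfter, so stale entries can be pruned

    def _prune(self, now):
        for k in [k for k, v in self.seen.items() if v + self.clock_skew <= now]:
            del self.seen[k]  # closed windows fail the expiry check anyway

    def validate(self, assertion_xml, now):
        """Return (accepted, reason); every rejection names the failed check."""
        root = ET.fromstring(assertion_xml)
        assertion_id = root.get("ID")
        if root.tag != "{%s}Assertion" % SAML_NS["saml"] or not assertion_id:
            return False, "malformed"
        cond = root.find("saml:Conditions", SAML_NS)
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            return False, "missing-validity-window"
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if now + self.clock_skew < not_before:
            return False, "not-yet-valid"
        if now - self.clock_skew >= not_on_or_after:
            return False, "expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if self.expected_audience not in audiences:
            return False, "audience-mismatch"
        self._prune(now)
        if assertion_id in self.seen:
            return False, "replay"  # same assertion presented a second time
        self.seen[assertion_id] = not_on_or_after
        return True, "ok"

# Constructed sample assertion: placeholder audience and ID, and no signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-0001" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2010-06-01T12:00:00Z" NotOnOrAfter="2010-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.cloud-b.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def demo():
    """Same assertion twice in its window, then late, to the wrong audience, and early."""
    cloud_b = AssertionValidator("https://sp.cloud-b.example")
    other_sp = AssertionValidator("https://sp.other.example")
    t0 = datetime(2010, 6, 1, 12, 1, tzinfo=timezone.utc)
    return [cloud_b.validate(SAMPLE_ASSERTION, t0)[1],
            cloud_b.validate(SAMPLE_ASSERTION, t0)[1],
            cloud_b.validate(SAMPLE_ASSERTION, t0 + timedelta(minutes=10))[1],
            other_sp.validate(SAMPLE_ASSERTION, t0)[1],
            cloud_b.validate(SAMPLE_ASSERTION, t0 - timedelta(minutes=15))[1]]
```

The replay cache is per process here; a relying party running several nodes needs a shared store for seen assertion IDs, bounded by NotOnOrAfter just as the in-memory dictionary is.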
Security category: Integrity
Shared Environments
• Data in the cloud is in a shared environment alongside data from other customers.
Data Monitoring
• Changes made to data without knowledge of the data owners, or accidental overwrites due to collisions with data storage techniques of the cloud provider.
Data Encryption
• Data at rest is not encrypted and is accessed by 3rd parties unknowingly due to faulty access controls.

Risks, Threats, Vulnerabilities (5/6)
Security category: Privacy
Legal Uncertainties
• Multiple jurisdictions increase regulatory complexity
• Conflicting legal provisions create significant uncertainty in assessing compliance and risk
• The Privacy and Data Protection legal landscape continues to evolve at a rapid pace
• Data sharing agreements may be required before moving data to the cloud
  – Business associate agreements (HIPAA)
  – Data controllers and third parties (EU DPD)
Individual Rights/Confidentiality
• Strict terms of service are particularly important in the cloud to preserve individual privacy/confidentiality and to meet regulatory requirements to which the user is subject
• The cloud facilitates the ability to use/share data across organizations and therefore increases secondary uses of data that may require additional consent/authorization
• Data is easily accessible by a larger group of users and must be strictly controlled (protect data at rest)
Breach/Disclosure
• Centralized data stores are especially prone to security breaches
• Timely discovery and reporting of the breach by the cloud provider may be challenging

Risks, Threats, Vulnerabilities (6/6)
Security category: Operational Security
Vulnerability Management
• One vulnerability has the potential to expose a large number of corporations' critical assets.
Asset Management
• Assets in the cloud are not properly managed and could leak critical company information or cause data exposures.
Incident Response
• Ownership, responsibilities, and actions during incident response are not defined.

Cloud computing maturity model
Charting a migration path to a cloud computing service requires clear understanding of the maturity and viability of current cloud categories, as shown:
[Figure: Cloud computing maturity/viability, plotting functional viability (Low to High) against adoption maturity (Immature to Mature). Categories plotted: Software-as-a-Service for niche applications; Physical Infrastructure-as-a-Service; Application Components-as-a-Service; Software-as-a-Service for large-scale ERPs (e.g. SAP); Software Platform-as-a-Service; Virtual Infrastructure-as-a-Service.]
Concerns about data security, data access, network latency, service levels, vendor lock-in, and service availability have inhibited the more rapid adoption of cloud computing.

Targeted approach to adopting cloud computing
Enterprises should take on targeted pilot projects for specific services, and adopt a measured approach for adoption of cloud computing services.
• Ease in – Start experimenting with non-critical applications and services, such as test, development, or overflow capacity
• Work with colleagues – Leverage lessons from cloud computing use cases from business colleagues; learn from their efforts
• Specify services – Let the cloud vendors know your specific requirements, and request customization and specific service characteristics
• Learn from vendors – Learn from what the cloud vendors are doing to improve utilization and reusability of your internal infrastructure
• Build hybrid test clouds – If you have datacenter resources, develop test clouds within your IT department to determine optimum hybrid models

Role of Internal Audit (1/3)
Internal Audit can play a role of strategic advisor and assist the business to understand and manage the risks associated with cloud computing.

Requirements
  Role of IA: ►Understanding the business case ►Align requirements to the corporate policies and requirements
  Risks involved: ►Incomplete requirements ►Poorly designed business case ►Requirements are not aligned with corporate policies and requirements
Vendors
  Role of IA: ►Vendor evaluation and selection ►Update business case
  Risks involved: ►Incomplete selection criteria
Implementation
  Role of IA: ►Prioritization of migration ►Vendor contract
  Risks involved: ►Controls not considered ►Insecure design
Test
  Role of IA: ►Select area to pilot ►Migrate areas to test cloud
  Risks involved: ►Non-existent/ineffective controls ►Inadequate testing
Migration
  Role of IA: ►Build infrastructure ►Migrate data and processes
  Risks involved: ►Inadvertent exposure of data ►Business processes don't work as expected
Validate and Monitor
  Role of IA: ►Decommission legacy systems ►SAS70, ISO
  Risks involved: ►Loss of financial records ►Loss due to inadequate monitoring

Role of Internal Audit (2/3)
Sample support activities
Identify control requirements
• Scope – identify controls to be implemented
• Value – IA can help the business understand and manage the risks and therefore support their business case
Vendor selection support
• Scope – support the evaluation of vendors and ensure a balanced assessment
• Value – manages the significant risk that the selected vendor will not be around tomorrow or that internal technology won't integrate; provides evidence of reliability
Vendor management review
• Scope – evaluate controls for managing vendor relationships (SLAs/OLAs), invoice review, escalation, etc.
• Value – ensures that appropriate processes are in place to manage the significant new vendor relationship and maximize the value the company gets from it

Role of Internal Audit (3/3)
Sample support activities
Data migration assessment
• Scope – assess planned data migration scope and method as well as future-state data interface design
• Value – helps the business and finance gain comfort around the plans for cut-over from old to new systems and for the completeness and accuracy of data transferred
PMO / Project management assessment
• Scope – review project management / PMO capabilities
• Value – ensures processes are in place that can support managing this complex and high-risk project to the greatest benefit in the shortest time
Controls review / assessment / test
• Scope – perform review of controls to be put in place, test controls and provide advice on improvement
• Value – ensures IT and business have taken appropriate steps to mitigate implementation and business process risk that will arise as part of the implementation

Q&A

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Copyright © 2010 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited