Cloud Computing – Risk and Rewards Mark Salamasick Director of Center for Internal Auditing For Austin Chapter of the IIA April 14, 2015

Dec 21, 2015

Transcript
Page 1:

Cloud Computing – Risk and Rewards

Mark Salamasick, Director of Center for Internal Auditing

For Austin Chapter of the IIA, April 14, 2015

Page 2:

Mark Salamasick

• Over 25 years internal audit and consulting experience

• Industry experience: Financial Services, Utility, Oil & Gas, Technology, and Education

• Companies: Central Michigan University, Accenture, Bank of America, and University of Texas at Dallas

• Published: Most recent book “Auditing Outsourced Functions”

Page 3:

University of Texas at Dallas

• Founded in 1969, based in Richardson
• Over 19,000 students and over 7,000 in the business school
• One of the fastest growing Universities in the US
• One of the largest graduate Accounting programs, with over 750 students and over 900 undergraduate accounting students
• Largest Graduate Internal Audit program worldwide
• New cross discipline cybersecurity concentration

Page 4:

Session Overview

Cloud computing is changing the way we all look at outsourced technology. This session will help in gaining an understanding of, and evaluating, the rewards that can be gained from the cloud. The reduction of technology costs and immediate availability of technology infrastructure provide alternatives that must be considered. At the same time, not all cloud-based solutions are the same, and your organization must evaluate the risks. Cloud solutions are here to stay and will transform the way we do business. Also, come hear the latest guidance provided by COSO in addressing the opportunities, rewards and risk mitigation of doing business in the cloud.

Learning Objectives:
1. Understand the opportunities provided by cloud computing.
2. Understand the new risks from cloud computing along with risk mitigation techniques.
3. Learn the right questions to ask when doing business in the Cloud.

Page 5:

Cloud Computing…

Page 6:

Dilbert on Cloud Computing

Page 7:

What is Cloud?

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling “…convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Page 8:

Service Models & Uses

Software as a Service (SaaS)
– Overview: Applications over a network
– Level of Customer Control: Does not manage or control the underlying Cloud infrastructure, servers, O/S, network, storage or individual application capabilities (with the exception of user configurable settings)

Platform as a Service (PaaS)
– Overview: Developer platform with built-in services
– Level of Customer Control: Has control over the deployed applications and possibly the application hosting environment configurations

Infrastructure as a Service (IaaS)
– Overview: Rent processing, storage, network capacity and other computing resources
– Level of Customer Control: Has control over the operating systems, storage and deployed applications

Page 9:

Deployment Models & Uses

Private Cloud
• Operated solely for an organization
• May be managed by the organization or a third party
• May exist on or off premise

Public Cloud
• Made available to the general public
• Owned by an organization selling cloud services

Hybrid Cloud
• A composition of two or more clouds (private, public and/or community) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

Community Cloud
• Shared by several organizations
• Supports a specific community that has a shared mission or interest
• May be managed by the organization or a third party
• May reside on or off premise

Page 10:

Gartner Key Players in the Cloud

Page 11:

Examples of Good Uses of Cloud

• General Business applications
• E-business hosting
• Enterprise Applications
• Cloud native applications
• Test and development

Page 12:

ISACA Survey

Page 13:

Page 14:

Benefits of Cloud Computing

• Cost control – Utility model
• Speed – Immediate provisioning (setting up resources)
• Focus – Allows the company to focus on core competencies
• Scalability – Ability to dynamically adjust resources according to demand with little to no notice
• Performance – Utilizing server load balancing
• Operational Expertise – Patch management, version updates, data security

Page 15:

Elements of Cloud Computing Value (diagram grouping the elements into Economic, Architectural and Strategic dimensions; elements shown: Elasticity, Utility Pricing, Virtual Resources, Automation, Self-Service, Third-Party Owners, Managed Operations)

Page 16:

Cloud Security—Today

• Provider transparency
 – Trust, reliability and viability
 – SLAs
• Data protection
• Malicious insiders—social engineering
• Cloud-specific attacks
• Account/service hijacking
• Physical threats

Page 17:

Cloud Security—Tomorrow

• Globally compatible legislation
• Cloud compatibility standards
• Real-time management
• Identity management
• Responding to security incidents
• Bandwidth
• Pricing

Page 18:

Controls

• Virtual firewalls
• Encryption—as close to the source as possible
• Network access
• Secure SAN protocols
• Regular deletion of unused assets
• Logs and audit trails
• Compliance requirements
 – SOX and SSAE 16/SAS 70

Page 19:

Public Clouds—Entertainment

• Tech and media companies are racing to create Internet-video hit programs on the scale of traditional TV
 – Netflix and Kevin Spacey
 – Hulu and Kiefer Sutherland
 – Yahoo, Sony, AOL, YouTube
• Consumers are watching more video on Internet TVs and tablet computers

Page 20:

Page 21:

State of the Cloud Worldwide

Page 22:

Attributes of BSA Report Card

Page 23:

Right Questions to Ask

Page 24:

Risks

• Disruptive Force
• Residing in the same risk ecosystem as the CSP
• Lack of Transparency
• Security, Compliance and Data Jurisdiction
• Reliability, performance, and high-value cyber-attack target
• Risk of data leakage
• IT organizational changes
• Potential vendor lock-in
• Cloud service provider viability

Page 25:

Cloud Computing Board Oversight Questions

• Who in management is responsible for understanding and managing the business risks associated with cloud computing?
• What are competitors doing with cloud solutions?
• Are cloud computing initiatives aligned with the organization’s risk appetite?
• Does management have the skills required to understand the complexities associated with cloud computing?
• How is management mitigating organizational risks resulting from reliance on the activities of a third-party cloud service provider?

Page 26:

Cloud Computing Management Questions

• What is management’s stand on outsourcing functions?
• Does the organization anticipate rapid growth that might require using cloud solutions?
• Is the organization in a mature market that might require using cloud computing to save costs to remain competitive?
• How should the organization prepare for cloud computing?
• Who should be involved in the evaluation process, and who makes the decision?
• How can the organization manage its risks adequately while operating in a business environment with cloud computing?

Page 27:

Other Considerations

• Cloud solution pricing predictability
• Captive renter
• Involvement of representatives across the organization
• Clear definitions of responsibilities and required interactions between the organization and the CSP
• Evaluation of business continuity requirements
• Ultimate legal responsibility and liability
• Relinquishment of direct control of specific technology areas

Page 28:

Key Tasks in the Road to the Cloud

• Assessing the Cloud Strategy
• Evaluating Cloud Providers
• Moving to the Cloud
• Monitoring the Service Providers

Page 29:

Conclusions

• Many benefits to utilizing Cloud technologies
• Management should have a strategy for adopting Cloud technologies
• Establish processes for periodically evaluating and monitoring risks
• Management should ensure costs and benefits are reviewed for the long term

Page 30:

QUESTIONS

Page 31:

Contact Information:
Mark Salamasick
Jindal School of Management
The University of Texas at Dallas
(972) [email protected]

Page 32:

Informational Sources

• COSO Enterprise Risk Management for Cloud Computing
• Global Technology Guide 18 Cloud Computing from IIA International
• Cloud Security Alliance (CSA)
 – Cloud Controls Matrix
 – Consensus Assessments Initiative Questionnaire
• CloudAudit.org
• Isaca.org cloud computing
• European Network and Information Security Agency (ENISA)
 – Cloud Computing: Information Assurance Framework
• NIST 800-144