
Cloud Computing Risk Assessments. Donald Gallien, March 31, 2011. www.isaca.org


Slide 1: Cloud Computing Risk Assessments (title slide; Donald Gallien, March 31, 2011, www.isaca.org)

Slide 2: Overview
- Cloud Computing Refresher
- Assessing Cloud Computing Universe Completeness
- Using a Cloud Computing Risk Ranking Model
- Risk Ranking Case Study

Slide 3: Quiz
What do the following have in common?
- Paisley GRC
- Salesforce.com
- Amazon EC2
- Google Apps
- Microsoft Business Productivity Online Suite (BPOS)
- Rackspace
- WebEx

Slide 4: Cloud Computing Refresher (section divider)

Slide 5: Cloud Computing Basics
- Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)
- Based on virtualization and abstraction of the underlying infrastructure
- IT audit risk is largely driven by:
  - Deployment Model
  - Service Model
  - Nature of Applications & Data in the Cloud

Slide 6: Deployment Models (Source: NIST)
- Public: Available to the general public or a large industry group. Example: Google Apps (Free)
- Community: Shared by several organizations and supports a specific community that has shared concerns. Example: Google Apps for Government
- Private: Operated solely for an organization. Example: Microsoft BPOS for a Business

Slide 7: Service Models (Source: NIST)
- Infrastructure as a Service (IaaS): Fundamental computing resources to deploy software, including OS and applications. Example: Rackspace Cloud
- Platform as a Service (PaaS): Applications based on programming languages and tools supported by the cloud provider. Example: Force.com
- Software as a Service (SaaS): Cloud provider applications running on a cloud infrastructure. Example: Salesforce.com (CRM)

Slide 8: Another Way to Look at Service Models
Stack diagram with a "Provider Control" axis and an example for each layer: SaaS (WebEx), PaaS (BPOS), IaaS (Amazon EC2). Provider control is greatest at the SaaS layer and least at the IaaS layer.

Slide 9: Deployment Model Risk Profile
Likelihood of data security, privacy, and control breach, from higher to lower: Public, Community, Private.

Slide 10: Service Model Risk Profile
Impact of loss of control and security breach, from higher to lower: IaaS, PaaS, SaaS.

Slide 11: Cloud Refresher Summary
- Public clouds are inexpensive, but provide less security and service
- Private clouds are expensive, but align better with technology and security standards
- IaaS models are very broad in scope, but organizations maintain more control
- SaaS models are narrow in scope, but organizations relinquish almost all control
What is the impact of cloud computing on the IT audit function?

Slide 12: But one thing never changes
All IT Audit and Governance groups must:
1. Identify a Universe
2. Risk Rank the Universe
3. Provide Appropriate Coverage based on Risk

Slide 13: Assessing Cloud Computing Universe Completeness (section divider)

Slide 14: The Cloud Universe Challenge
Cloud computing is dynamic, flexible, transient, abstract, and rapidly deployed.

Slide 15: Finding the Clouds
Control points that can reveal cloud computing:
- Technology Governance
- Firewalls & Encryption Certificates
- Invoices / Time & Expense Reporting
- Process Walkthroughs

Slide 16: Technology Governance
- Oversight
- Technology Approvals
- Partner Approvals
How does your organization promote controlled cloud computing?

Slide 17: Firewalls and Encryption Certificates
- Firewall & VPN Rule Changes
- Firewall Logs
- Encryption Certificate Requests
Cloud computing environments are unlikely to stand alone.

Slide 18: Invoices / T&E Reporting
- Vendor Master
- Invoice Lists
- T&E Reporting
How much does it cost to deploy a cloud-based e-mail service at Google?

Slide 19: Process Walkthroughs
- Business Process
- Data Flow
- Technology Overview
Has anyone discovered cloud-based computing in a walkthrough meeting?
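The discovery sources on slides 17 and 18 can be cross-checked mechanically. This is an added Python example, not material from the presentation: the firewall log lines, vendor master rows and provider hostname patterns are constructed for illustration, and the providers are the ones named on the quiz slide.

```python
"""Cross-check firewall logs and the vendor master for cloud providers (added example)."""
import re
from collections import defaultdict

# Providers from the quiz slide; the hostname patterns are an assumption.
PROVIDERS = {
    "Amazon EC2": r"amazonaws\.com$",
    "Salesforce.com": r"salesforce\.com$|force\.com$",
    "Google Apps": r"google\.com$|googleapis\.com$",
    "Rackspace": r"rackspace(cloud)?\.com$",
    "WebEx": r"webex\.com$",
    "Microsoft BPOS": r"microsoftonline\.com$",
}

# Constructed outbound firewall log lines: timestamp action source destination:port
FIREWALL_LOG = """\
2011-03-01T09:12:03 ALLOW 10.1.4.22 ec2-54-0-0-1.compute-1.amazonaws.com:443
2011-03-01T09:14:11 ALLOW 10.1.7.9 na1.salesforce.com:443
2011-03-01T09:15:40 ALLOW 10.1.4.22 intranet.example.local:80
2011-03-02T13:02:55 ALLOW 10.1.9.3 acme.webex.com:443
"""

# Constructed vendor master rows: vendor name, GL account, annual spend (USD)
VENDOR_MASTER = [
    ("Amazon Web Services LLC", "6410", 18200.00),
    ("Rackspace US Inc", "6410", 9600.00),
    ("Office Depot", "6200", 3100.00),
]

def match_provider(text: str):
    """Return the provider a hostname or vendor name points at, else None.
    The bare-name fallback catches vendor rows; treat hits as candidates."""
    t = text.lower()
    for name, pattern in PROVIDERS.items():
        if re.search(pattern, t) or name.split()[0].lower() in t:
            return name
    return None

def build_universe(log: str, vendors) -> dict:
    """Merge both sources into {provider: {"hosts": set, "vendors": set}}."""
    universe = defaultdict(lambda: {"hosts": set(), "vendors": set()})
    for line in log.splitlines():
        host = line.split()[-1].rsplit(":", 1)[0]   # strip the :port suffix
        if (p := match_provider(host)):
            universe[p]["hosts"].add(host)
    for vendor, _gl, _spend in vendors:
        if (p := match_provider(vendor)):
            universe[p]["vendors"].add(vendor)
    return dict(universe)
```

A provider that appears in only one source (here Rackspace is billed but never seen at the firewall, Salesforce and WebEx are seen but not billed) is exactly the follow-up question for the walkthrough meeting.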

Slide 20: Summary, Universe Completeness
- Cloud computing can be difficult to identify
- Traditional technology governance, security, and procurement controls can be used to identify cloud computing
- Users and business analysts could be your best source of cloud computing information
What else can you do to identify cloud computing?

Slide 21: Using a Cloud Computing Risk Ranking Model (section divider)

Slide 22: A few thoughts before we start
- Risk models include elements of judgment and must fit the organization
- Some model assumptions may be completely wrong for your organization
  - We should have a lot of debate on this topic
- Risk ranking scores must drive governance requirements and audit activities

Slide 23: Cloud Risk Ranking Example

Slide 24: Potential Governance & Audit Requirements

Slide 25: Deployment Model Considerations
Rating bands: High = Public; Medium = Community; Low = Private
- High (Public): Security and privacy are not a priority; service level agreements may not exist
- Low (Private): Private environments provide adequate security and privacy; service level agreements should exist

Slide 26: Service Model Considerations
Rating bands: High = IaaS; Medium = PaaS; Low = SaaS
- High (IaaS): Issues may impact all hosted applications and data; no control over foundational general controls
- Medium (PaaS): Impact limited to the outsourced platform
- Low (SaaS): Impact limited to applications and data

Slide 27: Data Security Considerations
Rating bands by security level: High = Secret; Medium = Restricted; Low = Unclassified
- High (Secret): Difficult to enforce security standards when outsourcing; difficult to demonstrate compliance with regulations like GLBA
- Low (Unclassified): Security and privacy are not a concern (good candidate for cloud computing)

Slide 28: Physical Hosting Site Considerations
Rating bands by hosting site: High = Undefined; Medium = International Location; Low = Domestic Location
- High (Undefined): May result in cross border data protection regulatory issues; difficult to demonstrate compliance with regulations like GLBA
- Low (Domestic Location): Minimizes concerns about cross border data protection regulations

Slide 29: SOX Criticality Considerations
Rating bands (SOX critical?): High = Yes; Low = No (no Medium band)
- High (Yes): SAS 70 reports may not cover SOX critical application controls; business units may not have visibility or access to test SOX controls
- Low (No): Non SOX critical applications may be good candidates for cloud computing

Slide 30: Dependent Applications
Rating bands by number of apps: High = Greater than 10; Medium = 4 to 9; Low = Less than 3
- High (> 10): Implies complexity and greater organizational significance
- Low (< 3): Implies simplicity and less organizational significance

Slide 31: Recovery Time Objectives (RTO) Considerations
Rating bands by RTO: High = 4 Hours; Medium = 7 Days; Low = 31 Days
- High (4 hours): Implies increased business importance; cloud provider may lack geographic diversity; single points of failure may exist in the network
- Low (31 days): Implies lower business importance; good candidate for cloud computing

Slide 32: Regions Supported Considerations
Rating bands by region: High = Europe or Global; Medium = United States; Low = All Other
- High (Europe / Global): Strictest cross border data protection regulations, which can be at odds with abstract cloud computing
- Low (All Other): "Other" countries may have less restrictive cross border data protection regulations
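The eight attributes on slides 25 through 32 map directly onto a scoring function. This is an added Python example, not the presenter's model: the High/Medium/Low bands follow the slides, while the 3/2/1 weights, the overall-band cut-offs, the RTO band edges between the three anchor values, and the treatment of exactly 3 or 10 dependent applications (which the slide leaves uncovered) are assumptions made here.

```python
"""Cloud risk ranking per slides 25-32 (added example, not from the deck)."""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "High", "Medium", "Low"
POINTS = {HIGH: 3, MEDIUM: 2, LOW: 1}  # assumed weights; the deck gives none

@dataclass
class CloudService:
    name: str
    deployment: str      # Public | Community | Private
    service_model: str   # IaaS | PaaS | SaaS
    data_class: str      # Secret | Restricted | Unclassified
    hosting: str         # Undefined | International | Domestic
    sox_critical: bool
    dependent_apps: int
    rto_hours: float
    region: str          # Europe | Global | United States | anything else

def band(value, high, medium):
    """High if the high test passes, Medium if the medium test passes, else Low."""
    return HIGH if high(value) else MEDIUM if medium(value) else LOW

def rank_attributes(s: CloudService) -> dict:
    """Map each attribute to High/Medium/Low using the bands on the slides."""
    return {
        "deployment": band(s.deployment, lambda v: v == "Public", lambda v: v == "Community"),
        "service_model": band(s.service_model, lambda v: v == "IaaS", lambda v: v == "PaaS"),
        "data_class": band(s.data_class, lambda v: v == "Secret", lambda v: v == "Restricted"),
        "hosting": band(s.hosting, lambda v: v == "Undefined", lambda v: v == "International"),
        "sox_critical": HIGH if s.sox_critical else LOW,  # slide 29 has no Medium
        # Slide 30: >10 High, 4 to 9 Medium, <3 Low. Exactly 3 and 10 are not on
        # the slide; this example (assumption) folds each into the lower band.
        "dependent_apps": band(s.dependent_apps, lambda v: v > 10, lambda v: v >= 4),
        # Slide 31 gives anchors (4 hours, 7 days, 31 days); the edges between
        # them are an assumption of this example.
        "rto": band(s.rto_hours, lambda v: v <= 4, lambda v: v <= 7 * 24),
        "region": band(s.region, lambda v: v in ("Europe", "Global"),
                       lambda v: v == "United States"),
    }

def score(s: CloudService) -> tuple:
    """Sum the weighted attribute ratings and derive an overall band."""
    total = sum(POINTS[v] for v in rank_attributes(s).values())
    # Eight attributes give 8..24 points; the cut-offs are assumptions.
    return total, band(total, lambda t: t >= 19, lambda t: t >= 13)
```

Per slide 22, the bands and weights are the part an organization should debate and replace with its own standards; the structure (attribute, band, weight, overall score) is what stays constant.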

Slide 33: Summary, Cloud Risk Ranking Models
- Cloud risk ranking attributes and scoring must vary based on environment and need
- Risk attributes and scoring require alignment with organizational standards
What other risk attributes might you use, and how would you rank them on a high, medium, low basis?

Slide 34: Risk Ranking Case Study (section divider)

Slide 35: Conclusions
- Business and technology leaders are embracing cloud computing; it is here to stay and growing
- Cloud computing standards and risk ranked cloud universes are foundational requirements for governance
- We must adjust our approach to remain relevant

Slide 36: Questions
Contact Information: donald.w.gallien@aexp.com
