Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series
IIA2013 PPT SLIDES DECK
1. Auditing in the Subscription Economy
– CAE Overview
Implementing the next generation best practices in
Governance and Risk
Mr. Bhavesh Bhagat
Founder - EnCrisp – ConfidentGovernance.com
Founding Chair - CSADC
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
2. “Clouds come floating into my life, no longer to
carry rain or storm,
but to add color to my sunset sky.”
– Rabindranath Tagore, Nobel Laureate in Literature (150th anniversary)
3. Agenda
• Understand the Subscription Economy
• Cloud Computing concepts
• Risks and challenges
• “Democratizing Governance” use case
• Role of CAE and Internal Audit
4. Ten-Year Computing Cycles
10X more users with each cycle
[Figure: computing cycles by decade]
• 1960s - Mainframe Computing
• 1970s - Mini Computing
• 1980s - Client/Server Computing
• 1990s - Desktop Computing
• 2000s - Mobile Computing
• Cloud Computing
5. Social Networking Surpasses Email
[Chart: global users (MM) of social networking vs. email, 11/06 to 11/10, with the inflection point where social networking users surpass email users]
Facebook has reached its half-billion member mark, with an online population larger than the combined population of the U.S., Mexico, and France.
6. Broad Change in Internet Usage
[Chart: Top Internet Users]
22% of Internet time is social.
7. Next Generation Devices Changing How We Access the Internet
[Chart: annual unit shipments (MM), 2007 through 2014E, y-axis 0 to 2000]
8. Cloud Computing
NIST Definition
• National Institute of Standards and Technology (NIST) Special
Publication 800-145
– Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
– Rapidly provisioned and released with minimal management effort or service provider interaction
– Composed of 5 essential characteristics, 3 service models, and 4 deployment models
– Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
9. Cloud Computing
Five Essential Characteristics:
• On-demand self-service: Get it when you need it
• Measured service: Pay for what you use
• Rapid elasticity: Increase and decrease capacity quickly
• Broad network access: Access it from any Internet connection
• Resource pooling: Share fixed costs, which lowers individual costs
10. Cloud Computing
Three Service Models
• Software as a Service (SaaS)
– Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces
– Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
• Platform as a Service (PaaS)
– Capability made available to tenant to deploy tenant owned (created or acquired) applications using programming languages and tools supported by provider
– Examples: Force.com, Microsoft Azure, Amazon Web Services
• Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
– Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s apps
– Examples: Rackspace, Terremark (Verizon), Savvis, AT&T
11. Cloud Computing
Four Deployment Models
(1) PRIVATE - Accessibility: single organization; Management: organization or third party; Host: on or off premise
(2) COMMUNITY - Accessibility: shared with common interests / requirements; Management: organization or third party; Host: on or off premise
(3) PUBLIC - Accessibility: general public / large industry group; Management: cloud provider; Host: on or off premise
(4) HYBRID - composition of two or more of the above (see the NIST definition in the editor's notes)
12. Cloud Computing
Why cloud – Business Impact and Use Case Considerations
(columns: Data / Infrastructure / Access Method)
Virtualized Technology - Data: local data (on or off premises); Infrastructure: off premises; Access: on or off premises
Virtualized Processes and Data - Data: local data plus BIG DATA (social media domain); Infrastructure: shared local and cloud; Access: on or off premises
Virtualized Organizations - Data: on or off premise; Infrastructure: on or off premise; Access: BYOD
Virtualized Business Models
13. Cloud Computing
CAEs need to think from the CFO's perspective
Virtualized Business Models
• Faster Time to Results
• Better Working Capital cycle
• Reduced CAPEX
• Reduced CGS
• Reduced SG&A
• Environmental Sustainability as byproduct
14. CAE’s guide to Cloud Use Cases
Source: CIO.com Annual CIO Survey 2010-2011
Plans to use cloud services (currently using, researching, or planning to use in one to three years / actively planning to use in three to five years / no plans to use):
Application platforms and development software: 68% / 2% / 30%
Collaboration tools: 79% / 4% / 17%
Enterprise application software: 63% / 3% / 34%
Personal productivity software: 53% / 4% / 43%
Utilities / management software: 66% / 2% / 32%
Networks: 52% / 2% / 45%
Storage: 63% / 7% / 30%
Servers: 59% / 2% / 39%
15. CAE decision enablers
Evaluating the Cloud Model
CAE Cloud Vendor Considerations
• Do they understand our business and needs?
• Can they provide support that we are used to?
• How does it fit with my existing architecture?
• Who else has adopted within my industry - relevant references?
• How do the new entrants in the enterprise IT market (Amazon, Google, etc) view the enterprise market?
• What are the new Risk Domains?
• What are the Regulatory, Compliance and Risk mitigation guidelines?
How Does our Enterprise Benefit From Cloud Opportunity?
• How do we reduce complexity of my business process and IT footprint by taking non-core computing to the cloud, transferring non-core applications to the cloud or outsourcing to the cloud?
• Can we improve the efficiency of my development organization through speedy access to computing resources?
• Can we make IT more responsive/nimble by using cloud computing architectures?
• Can we assist in reduced CAPEX spend in line with CFO needs?
• Can we get higher availability and recovery at lower price?
16. New Opportunities - New Challenges
New Risk Mitigating Strategies
• Security - new ways of thinking about security need to evolve for new issues; cloud computing presents new security challenges:
– Trusting vendor's security model
– Customer inability to respond to audit findings
– Obtaining support for investigations
– Indirect administrator accountability
– Proprietary implementations cannot be examined
– Loss of physical control
– Attraction to hackers (high value target)
• Privacy - issues moving PII and sensitive data into the cloud
• Fear of mass outages - fueled by high-profile outages of many popular cloud services (e.g., Gmail, Google Apps, Apple's MobileMe, Amazon's S3)
17. New Opportunities - New Challenges
New Risk Mitigating Strategies
• Cultural and organizational barriers - organization must acquire new core capabilities; cloud skepticism
• Difficulty tracking and delivering against defined SLAs - especially significant in the federal government, where a data breach could constitute a violation of the law
• International sovereignty / cooperation - cloud computing could involve the movement of data between countries with differing laws regarding technology and property. Determining jurisdiction and facilitating cross-border cooperation on these matters may prove challenging.
18. What is Different about Cloud?
19. GRC-XML: What is it?
• Standard language for Risks and Controls definition/exchange
• One language for many areas:
– Security risk
– IT risk
– Financial risk
– Operational risk, etc.
• Visibility across silos
• Eliminate redundancy and duplication
• Facilitate effective continuous monitoring and audit of controls
• Extensible: Companies can add their own
– Activities
– Risks
– Control Objectives
– Control Activities, etc.
20. GRC-XML: Illustrated Business Integration
Risk & Controls Repository --GRC-XML--> Controls Testing & Monitoring --GRC-XML--> GRC Applications & Systems
• Risk & Controls Repository: risk models, controls documentation, organization / process, test procedures, test results, sampling
• Controls Testing & Monitoring: automated control tests (transactions, configurations, user access); manual control tests (surveys)
• GRC Applications & Systems: Enterprise GRC, Operational GRC, IT GRC, Cloud GRC, etc.
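The two GRC-XML slides above describe one exchange format carrying risks, control objectives, control activities and test results between a repository, a testing layer and GRC applications, so that gaps and duplication become visible across silos. The following is an added example, not code from the presentation or from the GRC-XML standard: it parses a constructed document in a GRC-XML-like shape (the element and attribute names, ids and sample entries are assumptions made for illustration, not the published schema) and performs three checks an auditor would want from such an exchange: risks with no control objective, the same control activity documented twice under different domains, and the roll-up of the latest test outcomes to each objective.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample document in a GRC-XML-like shape. The element and attribute
# names here are assumptions for illustration, not the published GRC-XML schema.
SAMPLE_GRC_XML = """<grc>
  <risks>
    <risk id="R1" domain="Security">Unauthorised access to tenant data</risk>
    <risk id="R2" domain="IT">Unmanaged change to production systems</risk>
    <risk id="R3" domain="Operational">Loss of cloud provider availability</risk>
  </risks>
  <controlObjectives>
    <controlObjective id="CO1" risk="R1">Privileged access is restricted and reviewed</controlObjective>
    <controlObjective id="CO2" risk="R2">Changes are approved before deployment</controlObjective>
  </controlObjectives>
  <controlActivities>
    <controlActivity id="CA1" objective="CO1" domain="Security" test="automated">Quarterly admin access review</controlActivity>
    <controlActivity id="CA2" objective="CO1" domain="IT" test="automated">Quarterly admin access review</controlActivity>
    <controlActivity id="CA3" objective="CO2" domain="IT" test="manual">Change ticket approval check</controlActivity>
  </controlActivities>
  <testResults>
    <testResult activity="CA1" date="2013-03-01" outcome="pass"/>
    <testResult activity="CA3" date="2013-02-10" outcome="pass"/>
    <testResult activity="CA3" date="2013-03-05" outcome="fail"/>
  </testResults>
</grc>"""


def load_model(xml_text):
    """Parse the exchange document into plain dicts keyed by id."""
    root = ET.fromstring(xml_text)
    model = {
        "risks": {r.get("id"): {"domain": r.get("domain"), "text": r.text.strip()}
                  for r in root.iter("risk")},
        "objectives": {o.get("id"): {"risk": o.get("risk"), "text": o.text.strip()}
                       for o in root.iter("controlObjective")},
        "activities": {a.get("id"): {"objective": a.get("objective"), "domain": a.get("domain"),
                                     "test": a.get("test"), "text": a.text.strip()}
                       for a in root.iter("controlActivity")},
        "results": defaultdict(list),   # activity id -> [(date, outcome), ...]
    }
    for t in root.iter("testResult"):
        model["results"][t.get("activity")].append((t.get("date"), t.get("outcome")))
    return model


def uncovered_risks(model):
    """Risks that no control objective addresses: a visibility gap across silos."""
    covered = {o["risk"] for o in model["objectives"].values()}
    return sorted(r for r in model["risks"] if r not in covered)


def duplicate_activities(model):
    """Groups of activities with identical wording filed under different domains,
    i.e. the same test being run and documented twice."""
    by_text = defaultdict(list)
    for aid, act in model["activities"].items():
        by_text[act["text"].casefold()].append(aid)
    return [sorted(ids) for ids in by_text.values()
            if len({model["activities"][i]["domain"] for i in ids}) > 1]


def objective_status(model):
    """Roll the latest test outcome of each activity up to its control objective.
    Any failing activity fails the objective; an untested activity leaves it
    'not evidenced'; otherwise it is 'effective'."""
    status = {}
    for oid in model["objectives"]:
        latest = []
        for aid, act in model["activities"].items():
            if act["objective"] != oid:
                continue
            runs = model["results"].get(aid)
            latest.append(max(runs)[1] if runs else None)  # ISO dates sort as text
        if any(o == "fail" for o in latest):
            status[oid] = "failed"
        elif any(o is None for o in latest):
            status[oid] = "not evidenced"
        else:
            status[oid] = "effective"
    return status


if __name__ == "__main__":
    model = load_model(SAMPLE_GRC_XML)
    print("uncovered risks:", uncovered_risks(model))
    print("duplicate activities:", duplicate_activities(model))
    print("objective status:", objective_status(model))
```

On the constructed sample the checks report R3 as a risk with no objective, CA1/CA2 as one review documented under two domains, CO1 as not evidenced (CA2 has never been tested) and CO2 as failed by its most recent test. The point of the single exchange format is that all three findings come from one document rather than from reconciling separate security, IT and operational spreadsheets.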
21. Cloud Governance: Practical approach with CSA and other third party tools
22. Holistic Approach Around Controls . . .
[Figure: Your Cloud Controls Matrix, Trusted Cloud Initiative]
23. Suggested Approach to Use the CSA Cloud Audit Guideline
• Assess the opportunity: capability mapping, strategy alignment, use cases (OSA) reuse
• Roadmap: security patterns, control mapping, guidelines, operational checklists, vendor certification
• Reference architecture layers: BOSS, ITOS, Presentation, Application, Information, Infrastructure, SRM
• Supporting CSA artefacts: CSA Controls Matrix, CSA Questionnaire, Security Framework, Reference Architecture and Patterns, Trusted Cloud Initiative
24. How it Works (A Simplified View) . . .
[Figure: a Third Party Assurance Centre holding Risk Appetite and Maturity, with a third party requesting access, a cloud provider and an internal hosting provider each reporting their maturity]
1. Business sets level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.
2. Level of risk management maturity is communicated to business partners (and possible partners).
3. Evidence of compliance may be uploaded to central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove need for duplicate verification (note: may remove audit requirement altogether).
25. Evaluate Key Control Domains
Sources: ISO 27001, NIST SP800-53, PCI, CSA Controls Matrix, COBIT, ENISA Cloud doc., ITIL, BS25999
Domains (each rated on a maturity scale of 1 to 5):
• Governance - subcontractor due diligence, risk management
• Human Resources
• Physical Security - site security, environmental protection
• IT Services - networks, change management, service management, development, etc.
• Incident Management
• Business Continuity
26. Mapping Example
[Figure: mapping of the Cloud Matrix to FedRAMP]
27. Cloud Audit Automation
Leveraging CSA CAIQ Example
[Screenshot: CSA Cloud Audit modules, bit.ly/ClearGRC]
28. CAMM & CAIQ Data Governance Risk
RISK: Inadequate Cloud Data Governance
Results: Benchmarking vendors based on CSA standards
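Slides 24, 25 and 28 describe one procedure: the business sets a tolerated risk level per data class, each provider is rated on a 1-to-5 maturity scale per control domain from standardized assessment answers, and the resulting scorecards are compared across vendors. The following is an added example, not code from the presentation, from CSA or from the Archer product: it takes constructed CAIQ-style yes/no/n-a answers for two made-up vendors, derives a maturity score per domain (the scoring rule, the question ids, the vendor names and the appetite thresholds are all assumptions made here, not CAMM or CAIQ scoring), flags the domains where a vendor sits below the appetite for the data being moved, and ranks the vendors.

```python
# Control domains from slide 25, each rated on a 1-5 maturity scale.
DOMAINS = ["Governance", "Human Resources", "Physical Security",
           "IT Services", "Incident Management", "Business Continuity"]

# Constructed CAIQ-style answers per vendor: (question id, answer). Question ids
# and vendor names are made up for this example; "n/a" answers are excluded
# from scoring rather than counted against the vendor.
VENDOR_ANSWERS = {
    "vendor-a.example": {
        "Governance": [("GV-01", "yes"), ("GV-02", "yes"), ("GV-03", "yes"), ("GV-04", "yes")],
        "Human Resources": [("HR-01", "yes"), ("HR-02", "no")],
        "Physical Security": [("PS-01", "yes"), ("PS-02", "yes"), ("PS-03", "no")],
        "IT Services": [("IT-01", "yes"), ("IT-02", "yes"), ("IT-03", "yes"), ("IT-04", "no")],
        "Incident Management": [("IM-01", "yes"), ("IM-02", "yes")],
        "Business Continuity": [("BC-01", "yes"), ("BC-02", "no"), ("BC-03", "no")],
    },
    "vendor-b.example": {
        "Governance": [("GV-01", "yes"), ("GV-02", "yes"), ("GV-03", "yes"), ("GV-04", "no")],
        "Human Resources": [("HR-01", "yes"), ("HR-02", "yes")],
        "Physical Security": [("PS-01", "yes"), ("PS-02", "yes"), ("PS-03", "yes")],
        "IT Services": [("IT-01", "yes"), ("IT-02", "yes"), ("IT-03", "yes"), ("IT-04", "yes")],
        "Incident Management": [("IM-01", "yes"), ("IM-02", "n/a")],
        "Business Continuity": [("BC-01", "yes"), ("BC-02", "yes"), ("BC-03", "yes")],
    },
}

# Step 1 of slide 24: the business sets the maturity it is willing to accept per
# domain, with the thresholds depending on the classification of the data being
# moved to the vendor. Values are constructed for the example.
RISK_APPETITE = {
    "public": {"Governance": 2, "Human Resources": 1, "Physical Security": 2,
               "IT Services": 2, "Incident Management": 2, "Business Continuity": 2},
    "confidential": {"Governance": 4, "Human Resources": 2, "Physical Security": 3,
                     "IT Services": 4, "Incident Management": 3, "Business Continuity": 4},
}


def domain_maturity(answers):
    """Map the share of 'yes' answers among applicable questions onto 1..5.
    No applicable answers means no evidence, which scores the minimum."""
    applicable = [a for _, a in answers if a in ("yes", "no")]
    if not applicable:
        return 1
    ratio = sum(1 for a in applicable if a == "yes") / len(applicable)
    return 1 + round(ratio * 4)


def score_vendor(answers_by_domain):
    """Maturity per control domain; a domain the vendor did not answer scores 1."""
    return {d: domain_maturity(answers_by_domain.get(d, [])) for d in DOMAINS}


def gaps(scores, appetite):
    """Domains where the vendor sits below the tolerated maturity: (actual, required)."""
    return {d: (scores[d], appetite[d]) for d in DOMAINS if scores[d] < appetite[d]}


def rank_vendors(vendors, appetite):
    """Benchmark all vendors: fewest appetite gaps first, then highest total maturity."""
    rows = []
    for name, answers in vendors.items():
        scores = score_vendor(answers)
        rows.append((name, scores, gaps(scores, appetite)))
    rows.sort(key=lambda row: (len(row[2]), -sum(row[1].values())))
    return rows


if __name__ == "__main__":
    for name, scores, short in rank_vendors(VENDOR_ANSWERS, RISK_APPETITE["confidential"]):
        verdict = "meets appetite" if not short else "gaps: " + ", ".join(
            "%s %d<%d" % (d, actual, required) for d, (actual, required) in short.items())
        print(name, scores, verdict)
```

With the "confidential" appetite, vendor-b.example meets every threshold while vendor-a.example scores 2 against a required 4 in Business Continuity, so B ranks first; with the "public" appetite both vendors clear every threshold and the ranking falls back to total maturity. The scoring rule is deliberately simple; what matters for the audit use case is that the same questionnaire, scored the same way, produces comparable scorecards across providers and against an internal hosting option.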
29. Aggregate CSA Analytic Dashboards
30. CAE Leadership in Internal Auditor-assured Cloud Governance and Emerging Technologies adoption
31. 3 Things CAEs will need to understand
• Cloud Computing
• Big DATA
• Mobility
32. Cloud Governance Internal Audit Leadership
Business Advisor
•Advise on benefits, risks, and mitigation techniques
•Create awareness
•Participate in cloud conversion activities
•Study and measure opportunities for increased efficiency and cost-savings
33. Cloud Governance Internal Audit Leadership
Auditor
•Interact with cloud provider to understand operation of key controls and monitoring program
•Participate in SLA and contract development
•Review service organization reports and determine assurance needs
•Audit end-user control responsibilities (browser and device security, APIs, admin access)
•Monitor changes and update risk assessment
34. Cloud Governance Internal Audit Leadership
User
•Collaboration - Email, Documents
•Application Development - Audit Document Repositories, Tools
•Mobility - Improve connections, monitoring
•Back-office - Transparent use for data storage
35. About EnCrisp
EnCrisp is an INC 500 award winning global leader in providing “business driven” solutions enhancing trust, governance, and transparency since 2004.
EnCrisp is a “Governance and Compliance Niche” specialist, and its efforts result in strategic increases in trust, efficiency and compliance and lower risk, without the complexities and overburdened capital costs, for leaders in IT, finance, business, quality, security and audit.
AWARDS – INC 500 2009; NVTC Hot Ticket Tech 2007, 2009, 2011 – Hottest Bootstrap category
36. Three Take-aways
• Define your AUDIT challenges
– Technological, but do not ignore process
• Set realistic MANAGEMENT expectations
– Start using the technology first, then AUDIT
– Expertise is not instantaneous
• Keep your eye on the BUSINESS goal
– Mentorship programs
– Work with SMEs and third party experts
37. RESOURCES
• NIST - http://www.nist.gov/itl/csd/cloud-020111.cfm
• CSA - Cloudsecurityalliance.org
• GRCXchange Executive LinkedIN Group
• CIO.com
• http://Trust.Salesforce.com
• http://www.google.com/apps/intl/en-GB/trust/data_protection.html
• http://aws.amazon.com/security/
38. Thank You!
Hopefully you have found new
appreciation for CLOUDY days!
Mr. Bhavesh Bhagat
703.728.2493
bb@EnCrisp.com
EnCrisp President
Founding Chair - CSA Washington DC federal center
Chairman - GRCXchange Global Policy Thinktank
Editor's Notes
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations, typically through a pay-per-use business model.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
This is a screenshot of some of the CSA assessment questions integrated in Archer’s questionnaire workflow. The CSA Consensus Assessment Initiative Questionnaire (CAIQ) has been developed specifically to provide organizations and auditors with a standard framework of metrics for the assessment of cloud service providers, and has been built into the Archer platform as standard content, as you can see here.
This shows a scorecard for a fictitious cloud service provider called “newcloud.com”, created by using the Archer questionnaire workflow together with the CSA Assessment Questionnaire included in Archer. The questionnaire may be used to evaluate external vendors as part of a vendor management program, or even to evaluate internal cloud infrastructure against those standards and offerings. So you could compile a number of these scorecards across several service providers and compare results to assess which vendor best fits your requirements.