Exposing the systemic risks in enterprise cloud computing
This is a copy of the presentation delivered to the Australian Not-for-Profit CIO Forum in Sydney in October

Exposing the systemic risks in Enterprise Cloud Computing
Australian Not-for-Profit CIO Forum, 10th October 2012
ROB LIVINGSTONE
- Principal, Rob Livingstone Advisory Pty Ltd, and
- Fellow, University of Technology, Sydney, Australia
navigatingthrougthecloud.com
© All rights reserved. Rob Livingstone Advisory Pty Ltd. Unauthorized redistribution prohibited without prior approval. ‘Navigating through the Cloud’ is a Trademark of Rob Livingstone Advisory Pty Ltd.
Agenda: What I will be covering
1. Exploring the real definition of Cloud
2. Scope of this presentation
3. Systemic vs. Technical risks
4. Hybrid Cloud is the reality
5. Adding in mobility
6. BYOD, or Bring your own Disaster?
7. Hybrid Cloud + Mobility + BYOD → Systemic Risk?
8. Standards? Which standards?
9. Orchestrating the transition
1. Exploring the real definition of Cloud
The most sensible definition of Cloud:
“Forget your technical definition of the Cloud, ask your mom what the Cloud is…. And what your mother will tell you about the Cloud is that it means it’s not on my computer.”
Dave Asprey – Global VP, Cloud Security, Trend Micro
‘Navigating through the Cloud’ Podcast, Episode of 23rd May 2012
2. Scope of this presentation
Inherent Risk Relationship with Cloud Service Delivery and Deployment Models (figure; source: http://www.coso.org)
Overlay on slide: How does this map to YOUR specific Cloud initiatives, both now and in the future?
2. Scope of this presentation
• Mission critical, non-commodity, enterprise systems
• Multi-year investment in a cloud solution
• Shifting existing enterprise capability to Cloud (or integrating)
• Mid to large enterprise
• High security, privacy and confidentiality needs
• High governance loads and compliance environments
• Low risk appetite / high failure penalty environments
3. Systemic vs. Technical Risk
Systemic Risks
• Taking a systemic view of risk will give you a better perspective of the actual risk, rather than what you think the risk might be.
• Systemic risks are those with the greatest potential impact, as they affect the entire system (i.e. organisation, government, country, world…).
  – Case in point: how is it that the finance industry, which is one of the more regulated and invests heavily in risk identification, mitigation and transference, could be the cause of the current global financial problems?
• Systemic risk for the enterprise is the silent killer and is often the hardest to identify, as only a few have a complete, transparent and objective overview of the overall enterprise in sufficient detail.
• Mitigation through approaches such as Enterprise Risk Management (ERM), with origins in fraud, organisational governance, insurance, etc.
3. Systemic vs. Technical Risk
Technical (or functional) Risk
• Identifying, categorising and ranking technical and functional risks is core to conventional IT risk assessment approaches:
  o Risk of a specific event = (Impact × Probability of that event occurring) + Risk Adjustment
• Underpins conventional risk certification frameworks, e.g. ISO 2700X
• Certification does not necessarily equal security or effectiveness of your risk management model
• Focusing on the diverse range of technical risks often does not account for the interaction between risks.
• Systemic risks are often more significant than the sum of the individual technical risks
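As an added illustration (not from the presentation) of why adding up per-event scores from the formula above can understate systemic risk: the risk register, the probabilities, the organisation-wide impact and the shared identity-provider dependency are all constructed for this example.

```python
"""Constructed example: scoring risks one at a time (Impact x Probability
+ adjustment) and adding the scores hides what happens when the risks are
linked by a shared dependency.  All figures are illustrative."""
from math import prod

# Constructed risk register for a hybrid-cloud estate:
# (name, impact on a 1-10 scale, annual probability, risk adjustment)
RISKS = [
    ("public-cloud tenant breach",        8.0, 0.05, 0.5),
    ("private-cloud outage",              6.0, 0.10, 0.0),
    ("lost BYOD device with cached data", 5.0, 0.20, 0.0),
]

def event_risk(impact, probability, adjustment=0.0):
    """The slide's formula: Risk = (Impact x Probability) + Risk Adjustment."""
    return impact * probability + adjustment

def summed_technical_risk(risks):
    """Conventional view: score each risk on its own and add the scores."""
    return sum(event_risk(i, p, a) for _, i, p, a in risks)

def p_all_independent(probabilities):
    """Chance that every risk materialises in the same year if they are unrelated."""
    return prod(probabilities)

def p_all_with_common_cause(probabilities, common_cause_prob):
    """Same question when one shared dependency (assumed here: the identity
    provider that the hybrid cloud, mobile and BYOD estates all trust) can
    trigger all of them at once with probability common_cause_prob."""
    return common_cause_prob + (1 - common_cause_prob) * prod(probabilities)

def systemic_exposure(risks, common_cause_prob, joint_impact):
    """Expected loss from the 'everything fails together' scenario, which the
    per-risk scores never represent.  joint_impact is the (constructed)
    organisation-wide impact of the combined event."""
    probs = [p for _, _, p, _ in risks]
    independent = p_all_independent(probs) * joint_impact
    systemic = p_all_with_common_cause(probs, common_cause_prob) * joint_impact
    return independent, systemic

if __name__ == "__main__":
    print("sum of per-event technical risk scores:", summed_technical_risk(RISKS))
    indep, sysm = systemic_exposure(RISKS, common_cause_prob=0.02, joint_impact=30.0)
    print(f"joint-failure exposure, risks treated as independent: {indep:.3f}")
    print(f"joint-failure exposure with a shared dependency:      {sysm:.3f}")
```

With these constructed figures the shared dependency makes the joint failure roughly twenty times more likely than the independent model predicts, while the summed per-event scores do not change at all.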
4. Hybrid Cloud is the reality
Hybrid will be the dominant form in the enterprise
“Within five years, it will be primarily deployed by enterprises working in a hybrid mode.” – Gartner
Gartner, "Predicts 2012: Cloud Computing Is Becoming a Reality” (Published: 8 December 2011, ID: G00226103)
4. Hybrid Cloud is the reality
…. And with the Hybrid Cloud comes complexity….
Overlay on slide: Managing this ecosystem is not simple
4. Hybrid Cloud is the reality……
…. As is the potential for complexity….!
• Orchestrating versioning, change control and rollback
• Life expectancy alignments
• Business Continuity
• Identity Management
• Due diligence
• Forensics
• BYOD
• Mobility
• Legislative / Jurisdictional
• Contractual complexity
….. To name but a few
Overlay on slide (rotated text, partly illegible): “… layers of abstraction … systemic risk?”
4. Hybrid Cloud is the reality……
"Cloud consumers should budget for additional integration costs which can range from 10% to 30% — and sometimes as high as 50% — of the total cost of cloud IT projects."
Gartner, "Predicts 2012: Cloud Services Brokerage Will Bring New Benefits and Planning Challenges" (Published: 22 November 2011, G00227370)
4. Hybrid Cloud is the reality……
Review, define and assign key roles in your Cloud environment.
– Define your Cloud Computing Reference Architecture (CCRA) by reviewing applicability against published models (e.g. NIST, IBM, etc.)
– Ensure you do not miss important roles (e.g. the IBM CCRA does not include Cloud Broker or Cloud Auditor, yet both are included in the NIST CCRA)
4. Hybrid Cloud is the reality……
The emergence of the ‘Cloud Broker’
4. Hybrid Cloud is the reality……
IT Department in the Cloud?
Overlay on slide: Why is there a need for a “Cloud Services Broker” if it’s simple, easy and cheap to use? … Because integrated, hybrid enterprise Cloud is not trivial, simple or cheap!
4. Hybrid Cloud is the reality
Hybrid cloud can contribute to….
• Increased vulnerability due to its fragmented architecture and larger attack surface …
• However, if it is properly architected, risks are largely eliminated by implementing measures such as…
  o Deploying effective policy-based key management processes
  o Properly segmenting your public and private clouds
  o Encrypting each part of the hybrid Cloud with separate keys
  o … amongst other measures
5. Adding in Mobility
Mobile Devices
• Are powerful cloud access devices
• Extend the perimeter of your cloud
• Disperse the perimeter of your cloud
Have the potential to increase the vulnerability
• The compromise of one of these mobile devices could be significant and compromise your entire cloud.
• Use policy-based key management regimes for your data.
6. BYOD or Bring Your Own Disaster?
BYOD stands for Bring Your Own Device.
• Reflects the increasing demands of users and organisations on their own IT departments to be increasingly agile and responsive to their needs when it comes to iPads, tablets and other mobile devices.
• Read the NIST Draft Guidelines: http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
6. BYOD or Bring Your Own Disaster?
BYOD requires management:
• Deploy Mobile Device Management systems (remote wipe, policy enforcement)
• Introduce a non-porous Virtual Desktop environment: no data can flow between the Cloud system and the mobile device itself
• Containerisation:
  – Segregates corporate from personal data and applications
  – Enforces encryption and prevents data leakage between containers
  – Is application/device specific, and can therefore be a challenge to expand across the entire mobile environment for all applications.
7. Hybrid Cloud + Mobility + BYOD → Systemic Risk?
Is the Systemic risk increased by the combination of:
– Hybrid Cloud
– Mobility
– BYOD?
Overlay on slide: I would suggest that the answer is ‘Yes’
8. Standards? Which standards?
Plethora of forums, industry groups and associations:
– Cloud Security Alliance
– Cloud Standards Customer Council
– Distributed Management Task Force (DMTF)
– Cloud Management Working Group (CMWG)
– The European Telecommunications Standards Institute (ETSI)
– National Institute of Standards and Technology (NIST)
– Open Grid Forum (OGF)
– Object Management Group (OMG)
– Open Cloud Consortium (OCC)
– Organization for the Advancement of Structured Information Standards (OASIS)
– Storage Networking Industry Association (SNIA)
– The Open Group
– Association for Retail Technology Standards (ARTS)
– TM Forum’s Cloud Services Initiative
Source: cloud-standards.org
8. Standards? Which standards?
• Compliance standards were originally designed for on-premise IT systems and infrastructure that were relatively static
• Auditing institutions are averse to cutting-edge technologies
• Is your organisation (or parts thereof) standards/compliance driven?
  – Compliance to standards vs. unimpeded innovation based on the principle of caveat emptor?
• Regulators are not providing much specific and concrete guidance on Cloud
9. Orchestrating the Transition
#1: Adopt an integrated approach to enterprise Cloud
• Standardised, traditional methodologies within specific disciplines such as IT security, project management, audit and information security, in and of themselves, can be self-limiting.
• Each discipline and/or technology is only really effective when applied in active coordination with the other key moving parts of the organisation.
Harmonization of functionally specific methodologies and technologies unleashes value and eliminates waste. Cloud solutions may or may not help!
9. Orchestrating the Transition
#2: Manage the conflicting messages
• 24% of CEOs surveyed in the 2012 PwC CEO Survey expect ‘major change’.
• The eighth annual KPMG 2012 Audit Institute Report identified “IT Risk and Emerging Technologies” as the second-highest concern for audit committees, which is unprecedented in the history of the report.
• Cloud evangelists see cloud as imperative; others do not.
• Rigorously test generic, enterprise Cloud policy statements in the context of your business unit, agency or department. Map and quantify the gaps.
→ Develop an effective mechanism for interpreting these messages in the context of your organisation
9. Orchestrating the Transition
#3: Actively identify, embrace and manage shadow IT
“Shadow IT can create risks of data loss, corruption or misuse, and risks of inefficient and disconnected processes and information” – Gartner*
→ Embrace shadow IT, and define what is and what is not eligible to be considered enterprise IT
→ Develop, socialise and police appropriate policies on the selection of Cloud-based services, no matter how innocuous, for your key information assets.
*Gartner, "CIO New Year's Resolutions, 2012" (ID: G00227785)
9. Orchestrating the Transition
#4: Identify systemic risks across the organisation
• Systemic risks can jeopardise all or major parts of the organisation
→ Ensure your executives and key decision makers are aware of long-term, systemic risks
→ Understand the systemic risks inherent in long lead-time IT projects where Cloud plays a critical part
→ Consider implementing Enterprise Risk Management (ERM)
9. Orchestrating the Transition
#5: Don’t gloss over complexity
• Senior LOB managers with agency and/or functional responsibility over specific vertical silos of the organisation may underestimate the overall complexity of their own organisations as a whole.
• From a functional perspective, specific methodologies and technologies exist to support specific activities; however, integration can be the Achilles heel for single-instance Cloud applications.
• Cost your medium/long-term Cloud strategy with rigour.
→ Don’t believe that simple IT solutions can paper over underlying business complexity. Test assumptions if critical.
Thank You!
ROB LIVINGSTONE
- Fellow, University of Technology, Sydney
- Principal, Rob Livingstone Advisory Pty Ltd
W1: www.rob-livingstone.com
W2: www.navigatingthroughthecloud.com
E: rob@rob-livingstone.com
P: +61 2 8005 1972
M: +61 419 632 673
F: +61 2 9879 5004
@rladvisory
© All rights reserved. Rob Livingstone Advisory Pty Ltd ABN 41 146 643 165. Unauthorized redistribution prohibited without prior approval. ‘Navigating through the Cloud’ is a Trademark of Rob Livingstone Advisory Pty Ltd.