Submitted for ACC 626, University of Waterloo.
Cloud computing availability concerns, implications and recommendations for corporate governance, cloud vendors, and assurance professionals.
2. Agenda
1. Introduction
2. Business in the Cloud Environment
3. Availability: Risks and Implications
4. Recommendations for Risk Mitigation
5. Conclusion
3. 1. Introduction
• No longer a trend, but a “landrush”
• Cloud revenue to reach $14.0B this year
• Many benefits, but also risks
• CEOs, CFOs, CIOs have roles
– Budget
– Strategy planning
4. 2. Business in the Cloud
• NIST categorizes cloud services into 3
categories:
– Software as a Service (e.g. Salesforce)
– Platform as a Service (e.g. Sun Microsystems)
– Infrastructure as a Service (e.g. Microsoft SQL
Azure)
5. 2. Business in the Cloud
• Many benefits:
– Lower capital expenditures
– Focus resources on core activities
– Attractive pricing model
– Scalable with demand
9. 4. Recommendations
• Corporate governance:
– Business case reviews
– Risk Assessment
– Evaluate vendors/contracts (service-level
agreements)
– Test it out!
– Monitoring
– Continue disaster recovery
10. 4. Recommendations
• Cloud vendors:
– System architecture
• Data redundancy
• Virtualization
• Load balancing
– Transparency
– Award programs/certifications
11. 4. Recommendations
• Assurance professionals:
– Assist in standardization of cloud vendors
– Trust services
– No existing accreditation
– Existing control frameworks offer some
guidance:
• ISACA ITAF
• COSO
• COBIT
12. 4. Recommendations
• Assurance professionals:
– Cloud-specific framework needed for clear
guidance in:
• Trans-border information flow
• Certification
– Cloud Security Alliance attempting to bridge
gap
– Implications for financial audits
13. Conclusion
• Cloud computing comes with many
benefits but also risks
• Unavailable service can be costly
• Risk mitigation done by management and
vendors
• “Current issue”: lack of audit and control
frameworks
Editor's Notes
Welcome to the slidecast titled Cloud Availability: Implications and Recommendations for Corporate Governance, Vendors, and Assurance Professionals. My name is Henry Hsu, and this presentation is prepared as part of my research paper submission for the ACC 626 course at the University of Waterloo.
As an overview of my presentation, I will start with background information on the cloud business environment, highlighting the benefits and risks and illustrating the implications of security failures, with an emphasis on availability concerns. Then, mitigation of availability risks will be discussed at three levels: how the corporate governance and management of the company receiving cloud services can mitigate risks internally, how cloud vendors can prevent security breaches and promote best practices, and how assurance professionals may be able to assist in providing trust services between vendors and customers in light of the current lack of frameworks and guidance.
Doing business in the cloud is no longer a trend but could be described as a “land rush”: Gartner Inc. has predicted that cloud computing revenue will reach $14.0 billion by the end of 2013. This is not surprising considering the many benefits the cloud service model offers to businesses, but the very model that conveys convenience through the Internet also carries many unique risks. These risks need to be considered by corporate executives as they budget and plan for outsourcing functions to cloud vendors.
IT experts, such as those at the National Institute of Standards and Technology, generally classify cloud services into three categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). SaaS providers such as Salesforce.com offer a thin-client interface to specialized software, usually serving multiple clients from the same instance (“multi-tenancy”) and accessible on demand; PaaS, such as that offered by Sun Microsystems, provides a computing platform on which database management and security functions can be carried out; IaaS, such as Microsoft SQL Azure, offers components such as processors, memory, network firewalls and storage capacity.
The value proposition that cloud vendors offer business customers is resources that are dynamically scalable on demand. This comes with lower initial capital investment, which is significant because IT represents on average 50% of capital budgets; it allows businesses to focus their resources on core activities; it potentially offers cost savings, since the user pays only for what it needs and not for excess capacity; and the services can be easily scaled up or down as needed.
Moving to a cloud infrastructure doesn’t mean that the threats of outages, downtime and ultimately lost revenue familiar from a traditional data centre have gone away. Downtime of only a few hours, as I will demonstrate, can lead to losses in the thousands of dollars. This underlines the importance for firms of carefully evaluating the reliability of the vendor’s availability. Several notable outages have already occurred. Although infrequent, when they do happen the consequences are significant.
Amazon is one such vendor where there has been abundant negative publicity, with highly publicized outages in each of the last three years. The causes include both human error and severe weather. The outage in 2013 of only 49 minutes represented approximately a $5.0M loss in revenue for Amazon. The Amazon Web Services outage in 2012 affected major sites such as Netflix and Instagram. The Amazon examples demonstrate that even an otherwise solid infrastructure built by a reputable company can be brought down by a single unpredictable act of nature, or a single act of human error within a highly automated environment.
Availability risks also include malware, given that the service is received through the Internet. Considering the risks and implications of service outages, there clearly needs to be work done to ensure that enterprises subscribing to cloud services are getting what they have asked for. In the context of a cloud service arrangement, I have identified three levels at which the risk of unavailable service can be mitigated: internally, by the management and corporate governance of the user company; externally, at the cloud vendors; and also through the use of assurance professionals.
Management should conduct a thorough business case review of a cloud service proposal. As with any investment decision, the opportunity cost of planning and deploying cloud services in relation to other existing investment opportunities needs to be evaluated. The entity itself needs to be assessed for readiness to use a cloud service, including a review of existing business processes and the competencies of the relevant individuals. The user entity should also carefully conduct a risk assessment to identify the data and applications that the business cannot afford to have rendered unavailable for even short periods of time.

Assessing the reputation of the vendor is an area where the certifications discussed later may be helpful. Additionally, management should carefully review and insist on a service level agreement (SLA) to gain protection and set mutual expectations. Setting the appropriate terms will be crucial in obtaining the protection it seeks.

Testing out the cloud environment before committing is also advisable. An ISACA white paper suggests that testing can be done at three layers of communication: the Wide Area Network (WAN) that connects the customer to a “data communication service” such as an Internet service provider; the Local Area Network (LAN), which is the connection between the data communication service and the data centre; and finally the performance of the specific data centre itself. The SLA should also address monitoring requirements, determine which party will be responsible for monitoring, and include right-to-audit clauses.

Again, considering the risks and implications of unavailable service, relying solely on the vendor’s backup controls may not be wise. A recommendation would be to consider the vendor’s facilities as just another layer of redundancy and to keep the entity’s own disaster recovery arrangements in force.
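The monitoring and testing recommendations above raise a practical question: what number does the customer actually compare against the SLA, and measured from where? As an added example (not part of the original slidecast, and not any vendor's tooling), the following Python script computes achieved availability from a customer-side probe log, separately for the WAN, LAN and data centre layers of the ISACA split and for the end-to-end path the customer actually experiences, reports outage windows and total downtime, and flags an SLA breach. The probe log, the five-minute probe cadence and the 99.9% target are constructed assumptions.

```python
# Added example (not from the original slidecast): measure achieved availability
# per layer and end to end from a customer-side probe log, then test it against
# an SLA target. The log, cadence and target below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample probe log, one line per probe round: a timestamp followed by
# layer=status fields for the WAN, LAN and data centre (dc) layers.
SAMPLE_LOG = """\
2013-04-01T00:00:00 wan=ok   lan=ok dc=ok
2013-04-01T00:05:00 wan=ok   lan=ok dc=fail
2013-04-01T00:10:00 wan=ok   lan=ok dc=fail
2013-04-01T00:15:00 wan=fail lan=ok dc=ok
2013-04-01T00:20:00 wan=ok   lan=ok dc=ok
2013-04-01T00:25:00 wan=ok   lan=ok dc=ok
"""
PROBE_INTERVAL = timedelta(minutes=5)   # assumed probe cadence
SLA_TARGET = 0.999                      # assumed contractual target (99.9%)


@dataclass
class Probe:
    when: datetime
    layer: str
    ok: bool


def parse_probes(text):
    """Parse the log format above; blank lines and '#' comments are skipped."""
    probes = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, *fields = line.split()
        when = datetime.fromisoformat(ts)
        for field in fields:
            layer, status = field.split("=")
            probes.append(Probe(when, layer, status == "ok"))
    return probes


def outage_windows(samples, interval=PROBE_INTERVAL):
    """Coalesce consecutive failed samples [(when, ok), ...] into (start, end)
    windows. An outage still open at the last sample is closed one interval later."""
    windows, start = [], None
    for when, ok in samples:
        if not ok and start is None:
            start = when
        elif ok and start is not None:
            windows.append((start, when))
            start = None
    if start is not None:
        windows.append((start, samples[-1][0] + interval))
    return windows


def end_to_end_samples(probes):
    """The customer sees the service as up only when every layer is up."""
    by_time = {}
    for p in probes:
        by_time[p.when] = by_time.get(p.when, True) and p.ok
    return sorted(by_time.items())


def availability(samples):
    """Fraction of samples that were up; 0.0 for an empty sample set."""
    return sum(ok for _, ok in samples) / len(samples) if samples else 0.0


def allowed_downtime(target, period):
    """Downtime budget implied by an availability target over a period."""
    return period * (1 - target)


def sla_report(text, target=SLA_TARGET):
    """Per-layer and end-to-end availability, downtime, outage windows and
    whether the target was missed."""
    probes = parse_probes(text)
    views = {layer: sorted((p.when, p.ok) for p in probes if p.layer == layer)
             for layer in sorted({p.layer for p in probes})}
    views["end-to-end"] = end_to_end_samples(probes)
    report = {}
    for name, samples in views.items():
        windows = outage_windows(samples)
        report[name] = {
            "availability": availability(samples),
            "downtime": sum((end - start for start, end in windows), timedelta()),
            "outages": windows,
            "breached": availability(samples) < target,
        }
    return report


if __name__ == "__main__":
    for name, r in sla_report(SAMPLE_LOG).items():
        print(f"{name:>10}: {r['availability']:.2%} up, down {r['downtime']}, "
              f"breached={r['breached']}")
    print("30-day budget at 99.9%:", allowed_downtime(SLA_TARGET, timedelta(days=30)))
```

Two things the constructed log makes visible. The end-to-end figure (50% in this short window) is lower than any single layer's, because the data centre and WAN failures did not overlap; a vendor that measures only at its own boundary will report the data centre number and nothing else, so the SLA must say at which point availability is measured and who runs the probes. And a 99.9% target over a 30-day month allows only about 43 minutes of downtime, which is the yardstick against which the 49-minute Amazon outage cited earlier should be read. A right-to-audit clause is what lets the customer reconcile its own measurements with the vendor's.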
Given the inherent risk of failure in hardware components, the challenge of maintaining a large cloud infrastructure and delivering service as promised lies in recovering from failure with no effect noticeable to the client. Being able to offer superb uptime could be a way for a vendor to differentiate itself from competitors. To address users’ unavailability concerns, vendors should build key elements into the infrastructure: data redundancy to allow uninterrupted service, virtualization to allow quick recovery, and load balancing to accommodate times of high usage.

Having the proper infrastructure is not enough; the vendor also needs to work with its customers in a transparent manner in order to give them comfort that it will deliver the services as promised. The previous section recommended that managers take an active role in monitoring and in obtaining audit reports from cloud vendors, which is only possible if the vendor’s operations are open and transparent.

Lastly, there are award programs that demonstrate the industry’s commitment to providing reliable service. Participating in them, and matching the services offered to the standards of award winners, will be a way for vendors to gain the trust of customers. Although there is currently little guidance for assurance professionals on providing attestations over cloud availability, there is speculation that audit reports similar in concept to SAS 70 may follow in the near future.
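To make the vendor-side measures concrete, here is an added example (not code from the original slidecast or from any vendor) that models two of them in miniature: a load balancer whose health checks route requests around a failed replica so that the client sees no error, and the arithmetic for how redundant replicas raise availability. The replica names, the 99% per-replica figure and the 99.5% shared-dependency figure are assumptions. The formula's independence assumption is the point to dwell on, because the weather and human-error outages described earlier are exactly the correlated failures it does not cover.

```python
# Added example (not from the original slidecast or any vendor's code): the
# vendor-side measures named on the slide in miniature, with replica names and
# availability figures as assumptions.
import itertools


class Backend:
    """A replica that serves requests until it is taken down (simulated failure)."""

    def __init__(self, name):
        self.name = name      # hypothetical replica name
        self.up = True        # real state, toggled to simulate failure or recovery
        self.served = 0

    def handle(self, request):
        if not self.up:
            raise ConnectionError(f"{self.name} is down")
        self.served += 1
        return f"{self.name} served {request}"


class LoadBalancer:
    """Round-robin across replicas, skipping those believed down and demoting a
    replica that fails mid-request, so one replica's outage is invisible to the
    client as long as another replica remains."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._ring = itertools.cycle(self.backends)
        self.down = set()     # replica names the balancer currently believes are down

    def health_check(self):
        """Periodic probe: refresh beliefs and return recovered replicas to rotation.
        Returns the number of replicas in rotation."""
        self.down = {b.name for b in self.backends if not b.up}
        return len(self.backends) - len(self.down)

    def route(self, request):
        """Try each replica at most once; a failure is demoted immediately rather
        than waiting for the next health check, and the request is retried."""
        for _ in range(len(self.backends)):
            backend = next(self._ring)
            if backend.name in self.down:
                continue
            try:
                return backend.handle(request)
            except ConnectionError:
                self.down.add(backend.name)
        raise RuntimeError("total outage: no replica in rotation")


def serve_all(lb, requests):
    """Return (successes, failures) for a batch of requests."""
    ok = failed = 0
    for req in requests:
        try:
            lb.route(req)
            ok += 1
        except RuntimeError:
            failed += 1
    return ok, failed


def redundant_availability(component, n):
    """Availability of n independent replicas when at least one must be up:
    1 - (1 - a)^n. Independence is the key assumption."""
    return 1 - (1 - component) ** n


def correlated_availability(component, n, shared_dependency):
    """The same pool behind one shared dependency (power, region, control plane,
    an operator's change): the shared cause caps what redundancy can buy, which is
    the pattern in the weather and human-error outages described above."""
    return shared_dependency * redundant_availability(component, n)


if __name__ == "__main__":
    pool = [Backend("web-a"), Backend("web-b"), Backend("web-c")]
    lb = LoadBalancer(pool)
    pool[1].up = False                               # one replica fails silently
    print(serve_all(lb, range(6)))                   # (6, 0): client saw no error
    print(redundant_availability(0.99, 3))           # three 99% replicas
    print(correlated_availability(0.99, 3, 0.995))   # ... behind a 99.5% dependency
```

Three replicas at 99% each give 99.9999% if their failures are independent, but put them behind a single dependency that is itself only 99.5% available and the pool cannot do better than about 99.5%. That is the question a customer's risk assessment should put to a vendor's redundancy claims: not how many copies exist, but what single cause (a region, a control plane, an operator) can take all of them down at once.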
Assurance professionals have a major opportunity to improve the confidence the business community has in cloud vendors. They can provide services for both cloud vendors and their customers over subject matters including verifying contractual claims, processing integrity, controls over the security of information, and compliance with the relevant regulations. Currently there is a lack of such standards; if one can be developed, systems auditors will be able to provide uniform assessments.

Although there are existing frameworks, they offer limited guidance and are not specific to the challenges of the cloud environment. For example, ISACA’s ITAF includes a section that addresses outsourcing to third parties, cross-referencing COBIT sections, but it is not specific to a cloud vendor. Additionally, COSO released an exposure draft in December 2011 acknowledging evolving technology, but it doesn’t mention control policies, procedures or processes for risk management that relate to cloud computing.
Clearly, there is much work to be done in coming up with a useful framework. An ISACA white paper has called for a suitable cloud computing control framework to address issues in trans-border information flow, given that Internet traffic crosses multiple geographical jurisdictions, and to develop certification programs that help customers make an informed choice. One entity that has been established to bridge this gap between existing frameworks and the cloud model is the Cloud Security Alliance, but there is plenty of work still to do in this area.

Aside from trust services, financial statement audits will also change as businesses use cloud vendor modules that relate to financial reporting. The current audit standards are not yet up to date with the emerging cloud technology. Existing guidance requires auditors to understand business processes and internal controls, but is not specific enough to guide IT auditors in understanding the impact of cloud services on the financial statements. Since understanding the entity’s control environment is a requirement for any audit, the profession clearly has a duty to acknowledge the emerging technology’s impact on the financial reporting process.
To conclude, cloud computing as an alternative computing model has proven to be attractive because of the cost savings and flexibility it confers. However, the risks and implications of outsourcing processes and entrusting data to a third party need to be evaluated. This slidecast discussed the benefits of cloud computing in relation to the risks (with an emphasis on service outages) that those charged with corporate governance need to evaluate while considering outsourcing. Methods of improving the availability of cloud services by mitigating risks were discussed, for both cloud vendors and their customers. The role of assurance professionals was discussed, as they can provide trust services where cloud security is concerned, noting that there is substantial development to be done by IT control framework setters as well as assurance standards setters. Future work by the standard setters is called for to develop frameworks that specifically address the dynamics of the cloud environment, acknowledging the cloud computing model’s impact on the business environment in both operations and financial reporting. Thank you for listening.