Cloud computing jason lannen_4-28-10

Presentation Transcript

  • Cloud Computing. Jason D. Lannen, CISA. Wednesday, April 28, 2010. ISACA Atlanta. TURNKEY IT SOLUTIONS, LLC, WWW.TURNKEYIT.NET
  • Agenda
      • What is Cloud Computing
      • Evolution & Drivers
      • Recent Case Studies
      • Components
      • Risks
      • Risk Mitigation
      • An Audit Perspective
      • Q&A
  • What is Cloud Computing
  • Definitions
      • “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST & Cloud Security Alliance)
      • “Performing computing tasks via a network connection while remaining isolated from the complex computing hardware and networking infrastructures that supports it” (ISACA Journal, Volume 6 2009, Sailesh Gadia)
  • Definitions
      • “Taking advantage of services, storage space, and resources provided somewhere else – on another computer, through an Internet connection.” (Tim O’Reilly, Web 2.0)
      • “Computing over the internet using a web-browser”
  • Characteristics of Cloud Computing
      On Demand Resource Pooling Across Networks Rapid Elasticity Flexible Pricing Models
  • Cloud Computing Examples
      • Everyday User
          – E-mail
          – Pictures
          – Video
          – Personal Calendar
          – Online Banking / EFT
          – Social Media
      Where is this information stored?
  • Cloud Computing Diagram
      Source: Cloud Computing: An Auditor’s Perspective, ISACA Journal Volume 6, 2009
  • U.S. CIO – Vivek Kundra
      Posted by Vivek Kundra on September 15, 2009 at 12:09 PM EDT on the White House Blog (http://www.whitehouse.gov/blog/streaming-at-100-in-the-cloud/):
      • “Today, I am excited to announce that we have launched Apps.gov to help continue the President’s initiative to lower the cost of government operations while driving innovation within government…Apps.gov is an online storefront for federal agencies to quickly browse and purchase cloud-based IT services, for productivity, collaboration, and efficiency.”
      • “Cloud computing is the next generation of IT in which data and applications will be housed centrally and accessible anywhere and anytime by a various devices (this is opposed to the current model where applications and most data is housed on individual devices). By consolidating available services, Apps.gov is a one-stop source for cloud services – an innovation that not only can change how IT operates, but also save taxpayer dollars in the process.”
  • Evolution to Cloud Computing
  • Evolution to Cloud Computing
      • Late 1960s
          – Idea of centralized computing
          – Implementation of mainframes
      • 1980s
          – Client Server architecture was invented
      • 1990s
          – Internet gained widespread popularity and acceptance
          – Virtualization of desktops and servers
          – Grid Computing
          – Utility Computing
  • Evolution to Cloud Computing
      • 1999: Salesforce.com (SaaS)
      • 2002: Amazon Web Service (IaaS)
      • 2004: Web 2.0 Conference
      • 2006: Amazon launched its Elastic Compute cloud (EC2/S3)
      • 2009: Google, Microsoft offering browser-based enterprise applications
  • Drivers to Cloud Computing
  • Drivers to Cloud Computing
      Marketplace Technology People Cloud Computing
  • Drivers to Cloud Computing
      Technology:
      • Encryption
      • Virtualization (Multi-tenancy)
          – Centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.)
          – Peak-load capacity increases (users need not engineer for highest possible load-levels)
          – Utilization and efficiency improvements for systems that are often only 10–20% utilized.
      • Affordable high-speed bandwidth
      Source: VMWare website
  • Drivers to Cloud Computing
      Marketplace:
      • Changes in World Markets
      • Global Competition
      • Increased cost of computing & resources
      • Current economic conditions
          – Operational Costs
          – Shareholder Pressures
  • Drivers to Cloud Computing
      People:
      • We have embraced technology
      • Trust internet
      • Need IT to survive in our lives
  • IT Computing Demands
      • IT computing, processing and storing demands are ever-increasing.
      • Without the ‘Cloud’ and the emergence of technology to support computing, there would be exponential increases in:
          – Number of servers
          – Number of support staff to manage them
          – Energy Consumption / Greenhouse Gas Emission
          – Costs of using IT for business and consumers
  • Dilbert says…
  • Cloud Computing Case Studies
  • Cloud Computing Case Studies
      • Blue Coat - December 2009:
          • 20-25% stated they had a cloud computing application
          • 25-30% stated their organization has started to implement private cloud computing.
          • Companies with fewer than 99 employees were more likely to use public cloud computing services than implement a private cloud computing solution.
          • Companies with greater than 10,000 employees are more likely to have implemented private cloud computing than they are to be using public cloud computing services.
  • Cloud Computing Case Studies
      • Blue Coat (Continued):
          • 33% of respondents indicated their organization would either make an initial or additional use of public and or private cloud computing in the next year.
          • 25% of respondents indicated that their organization sees value in cloud computing but the risks outweigh the benefits.
          • Less than 8% indicated that their organization did not see any significant value in cloud computing.
  • Cloud Computing Case Studies
      2010 ISACA Survey Risk / Reward Barometer (Published 4/7/10):
      • Only 10 percent of respondents’ organizations plan to use cloud computing for mission-critical IT services
      • 26 percent do not plan to use it for any IT services.
      • Close to half of US IT professionals say that the risks of cloud computing outweigh the benefits
  • Benefits of Cloud Computing
      Focus is the end-user:
      • Users don’t need to have knowledge to manage and support it
      • Users don’t own the infrastructure
      • Users don’t need storage space
      • Data is always backed up and is always available, anywhere you need it
      • Capacity and processing can change as demand changes
      • Less up front capital is required to develop and deploy (Time & $)
      • Lower total cost of ownership (TCO) and higher return on investment (ROI)
      • Cost transparency
      Key is understanding and managing Cloud Computing risks!
  • Components of Cloud Computing
  • Deployment Models
      Source: ISACA eSymposium, “Service Management – a linchpin to effective cloud computing” by Bruce E. Ott, IBM Cloud Marketing
  • Delivery Models
      • Software as a service (SaaS): Google Apps, Gmail, Salesforce.com
      • Platform as a service (PaaS): Google AppEngine, Force.com
      • Infrastructure as a service (IaaS): Amazon EC2, Data Centers
  • Infrastructure as a Service
      • Data centers
          – Ping (aka Remote Access)
          – Pipe (aka Bandwidth)
          – Power
      • Data Centers provide:
          – Managed Services
          – Co-location
          – Point to Point Connections
  • Risks of Cloud Computing
  • Implementation Risk
      [Chart: Risk (Lower to Higher) against Company Size and IT Complexity (Small to Large)]
  • Security Risk
      Authentication Data Loss & Administration Privacy Data Access Control Ownership
  • Operational Risk
      System Interfaces Backup & System Recovery Integration Business System Continuity Availability
  • Regulatory Risk
      Sarbanes Oxley, GLBA, SAS 70, ISO, PCI, HIPAA
  • Risk Mitigation
  • Risk Mitigation
      • Governance
      • Policies & Procedures
      • Implementation of Controls
  • Risk Mitigation Layers Inputs Outputs Governance Determine governance Cloud vendor framework Cloud application Business needs user Cloud platform requirements Cloud infrastructure Involve all relevant business units (i.e. finance, marketing, legal, sales, etc). Develop IT strategy Policies & Procedures Work with management and Implementation of policies & staff to document user awareness Setup periodic review of policies & training seminars Implementation of Controls Via Internal Audit, Legal, Sustainable control consultants, etc environment to mitigate Cloud risks
  • Audit Key Considerations
  • Auditing - Take a TurnKey approach…
  • Audit Key Considerations
      • Understand your client
          – How do they make money?
          – What is their current financial state?
          – What are their business goals (short and long term)?
          – How does IT fit in with their business strategy?
      • Understand their IT systems
          – What are the significant applications & underlying infrastructure? Where are they located?
          – How is IT access administration currently managed?
          – How is data managed?
          – Are there plans to move processes to the Cloud? If so, who is the project champion(s) and what processes and data?
  • Audit Key Considerations
      • Understand their control environment
          – Business Process Controls
          – IT General Controls
          – Prior Year Deficiencies
          – Areas of Risk
      • Understand changes in roles at your client resulting from Cloud Computing
          – CIO
          – CISO
          – Tactical management & staff
  • Audit Key Considerations
      Cloud Control Considerations
      • How did the client choose the Cloud vendor?
      • What controls will be managed by the Cloud vendor?
      • What controls will continue to be managed by the client?
      • What risk mitigation strategy has the client put in place in the event the Cloud provider does not come through on its promises?
  • Q&A
  • Contact Information
      Jason Lannen, CISA
      Phone: 770.402.9102
      Email: Jason.Lannen@turnkeyit.net
      Website: http://www.turnkeyit.net
  • Resources Identified
      – Gerard, Scott, “Maximize your Web 2.0 efforts with Cloud Computing,” IBM Cloud Computing, April 2 2009
      – Clyde, Rob., “5 Questions with Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 2 2010, pp. 1-4
      – Gadia, Sailesh, “Cloud Computing: An Auditors Perspective,” ISACA JOURNAL, published 2009; Vol. 6 2009, pp. 1-5
      – Hardy, Gary, “Cloud Computing: Improving the Business Management and Governance of Services,” ISACA e-Symposium
      – Raval, Vasant, “Risk Landscape of Cloud Computing,” ISACA JOURNAL, published 2010; Vol. 1 2010, pp. 1-5
      – Otte, Bruce E., “Service Management – a Linchpin to Effective Cloud Computing,” ISACA e-Symposium
      – Wikipedia, “Cloud Computing,” http://en.wikipedia.org/wiki/Cloud_computing [retrieved April 27, 2010].
      – Mulholland, Andy, “Why are Clouds so Hard to Understand?”, Cap Gemini [online], Feb. 1, 2010, http://www.capgemini.com/cgi-bin/blog/mt-tb.cgi/1233 [retrieved 13 April 2010].
      – Antonick, Jasmine, “A Brief History of… Cloud Computing”, Under the Radar [online], March 30, 2010, http://www.undertheradarblog.com/blog/a-brief-history-of-cloud-computing/ [retrieved 13 April 2010].
      – Mohamed, Arif, “A History of Cloud Computing”, ComputerWeekly.com [online], March 27, 2009, http://utilitycomputing.com/links/AHistoryOfCloudComputing20090327.asp [retrieved 13 April 2010].
      – Claburn, Thomas, “FTC Examining Cloud Computing”, Information Week [online], Jan. 5, 2010, http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=22 [retrieved 7 January 2010].
      – Metzler, Dr. Jim, “Cloud Computing: A Reality check & Guide to Risk Mitigation”, Webtorials [online], December 2009, www.bluecoat.com/doc/direct/12771 [retrieved 20 April 2009].
      – Almond, Carl, “A Practical Guide to Cloud Computing Security: What you need to know now about your business and cloud security”, Avanade [online], Aug. 27, 2009, http://www.avanade.com/_uploaded/pdf/practicalguidetocloudcomputingsecurity681482.pdf [retrieved 20 April 2009].
      – Stokes, Jon, “The Cloud: A Short Introduction,” ars technica [online], Nov. 8, 2009, http://arstechnica.com/business/news/2009/11/the-cloud-a-short-introduction.ars/2 [retrieved 13 April 2010].
      – McCroy, Dave, “Is Cloud Computing Really New? (The History Behind the Cloud)”, The Collective [online], Jan. 20, 2010, http://community.hyper9.com/blogs/streettalk/archive/2010/01/20/is-cloud-computing-really-new-the-history-behind-the-cloud.aspx [retrieved 13 April 2010].
      – Chiu, Willy, “From Cloud Computing to the New Enterprise Data Center”, IBM [online], May 28, 2008, www.ibm.com/developerworks/websphere/zones/hipods/ [retrieved 7 January 2010].
      – Karpinski, Rich, “Study: IT shops have cash in hand for cloud computing”, Telephony Online [online], Aug. 5, 2009, http://telephonyonline.com/business_services/news/it-study-cloud-computing-0825/ [retrieved 3 Sept 2009].