
Cloud Compliance Auditing - Closer 2011

Published in: Technology

  1. Cloud Compliance Auditing
     Jonathan Sinclair
     SAP Research Belfast
     May 7th, 2011
  2. Agenda
     - Fundamentals of Cloud, Compliance and Auditing
     - Use Case: Customer Relationship Management
     - Cloud Compliance Challenges
     - Compliance Auditing
     - Conclusions
  3. Fundamentals: Cloud, Compliance and Auditing
     “An undefined problem has an infinite number of solutions” (Robert A. Humphrey)
  4. Fundamentals: Definitions
     - Compliance: Compliance is defined as being in accordance with relevant governmental or industrial laws, regulations and standards through governance processes.
     - Cloud Computing: Clouds are a large pool of easily usable and accessible virtualized resources that can be dynamically reconfigured to adjust to a variable load.
     - Business Web: A business model and technical framework that represents a marketplace allowing providers and consumers to negotiate the usage of products.
     - Auditing: The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
  5. Fundamentals: Auditing Legislation & Regulation
     [Diagram. Entities: Government, Regulator, Legislation, Regulation, Governance, Compliance, Auditor, Compliance Check, Compliance Report, IT Department, Businesses, Customer Data. Relationship labels: "creates", "have to comply with", "store and are responsible for", "use IT to improve operations".]
  6. Fundamentals: Service Level Agreements and Event Processing
     Service Level Agreements
     SLAs are important in facilitating the definition of compliance requirements:
     - Legal Responsibilities
     - Quality of Service
     - Remedial Actions / Penalties
     Event Processing
     SLAs are no support to the consumer without enforcement or traceability:
     - Logs (Physical, Virtual, Logical)
     - Event Transport and Storage for services
     - Event Processing Rules derived from SLAs
  7. Use Case: Customer Relationship Management
     “Most human beings have an almost infinite capacity for taking things for granted” (Aldous Huxley)
  8. Use Case: Customer Relationship Management (CRM): Problem Identification
     Traditional Approach
     Due to increasing enforcement and financial penalties, legislation requirements are seen as equally important as functional requirements.
     - Application Heterogeneity: Various applications perform differing tasks and integrate with CRM systems.
     - Storage Redundancy: Data redundancy occurs when customer data is collected, stored and processed by different systems within the same organisation.
     - Resource Utilization: Periodic processing causes elastic utilization.
     - Power Consumption: Cost of power and consumption can vary with hardware and location.
  9. Cloud Compliance Challenges
     “The greatest challenge to any thinker is stating the problem in a way that will allow a solution.” (Bertrand Russell)
  10. Cloud Compliance Challenges: Geo-Locality
      The locality of data is of key importance to adhere to legislation, but what are the implications?
      - Cross-jurisdictional conflicts: Difficulty in simultaneously complying with multiple laws.
      - Performance and Availability: Geographic placement may hinder performance.
      - Disaster Recovery and Backup: Legal restrictions may reduce the possibilities of providing an adequate disaster recovery solution.
  11. Cloud Compliance Challenges: Data Accessibility
      - Company Multi-tenancy: Different companies virtually co-located on same physical infrastructure
      - Systems Multi-tenancy: Same company co-locates different virtualized systems on same physical infrastructure
      Questions raised:
      - Who can access data?
      - What data can be accessed?
      - How should data be accessed?
  12. Cloud Compliance Challenges: Data Retention
      Retaining data in the Cloud
      - How long can data be stored?
      - How should data be archived?
      - How much is budgeted to retain data?
      Retaining data from the Cloud
      - How can data be retrieved?
      - Is data integrity maintained?
      - Is data removed from the cloud?
  13. Compliance Auditing
      “A complex system that works is invariably found to have evolved from a simple system that works” (John Gaule)
  14. Compliance Auditing
  15. Compliance Auditing: Logical Architecture
      - Architecture comprised of 5 distinct layers
      - Event source, processing and storage layers are distributed, helping tackle geographic placement.
      - Components of the architecture can be deployed on premise for data confidentiality
  16. Compliance Auditing: Implemented Architecture
  17. Conclusions
      “A conclusion is the place where you got tired of thinking” (Harold Fricklestein)
  18. Conclusions
      - Ensure the security of consumer’s data
      - Maintain compliance with data security / privacy laws
      - Assure that service providers, integrators or composers cannot
        - access data within a consumer’s service
        - transfer data from a consumer’s service
  19. Thank You!
      Contact information:
      Twitter: jonnygsinclair
      LinkedIn: jonathangsinclair
      Blogger: cloudauditing.blogspot.com
      Slideshare: jonathansinclair86
      Jonathan Sinclair, Research Associate
      SAP Research Belfast
      SAP [UK] Ltd
      The Concourse, Queen's Road
      Queen's Island, Titanic Quarter
      Belfast BT3 9DT
      T +44 (0)28 9078 5749
      E jonathan.sinclair@sap.com
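
Added example, not part of the original slides: a sketch of "event processing rules derived from SLAs" applied to audit events, with one rule for each challenge the deck names (geo-locality, data accessibility, data retention). The SLA terms, event fields, role names and region names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed SLA terms (assumed values, not from the slides).
SLA = {
    "allowed_regions": {"eu-west", "eu-central"},  # geo-locality
    "allowed_roles": {"crm-app", "crm-admin"},     # data accessibility
    "max_retention": timedelta(days=365),          # data retention
}
REQUIRED = ("id", "region", "actor_role", "record_created", "time")

def check_geo(ev, sla):
    if ev["region"] not in sla["allowed_regions"]:
        return "geo-locality: data handled in " + ev["region"]

def check_access(ev, sla):
    if ev["actor_role"] not in sla["allowed_roles"]:
        return "access: role " + ev["actor_role"] + " not permitted"

def check_retention(ev, sla):
    age = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(ev["record_created"])
    if age > sla["max_retention"]:
        return "retention: record held %d days" % age.days

RULES = (check_geo, check_access, check_retention)

def audit(events, sla):
    """Return (event id, finding) pairs; an empty list means no violations."""
    report = []
    for ev in events:
        missing = [k for k in REQUIRED if k not in ev]
        if missing:  # an event without evidence cannot be audited, so report it
            report.append((ev.get("id"), "incomplete event: missing " + ", ".join(missing)))
            continue
        report.extend((ev["id"], f) for f in (r(ev, sla) for r in RULES) if f)
    return report

# Constructed audit events, as an event-source layer might emit them.
EVENTS = [
    {"id": 1, "region": "eu-west", "actor_role": "crm-app",
     "record_created": "2011-01-10T09:00:00", "time": "2011-01-10T09:00:00"},
    {"id": 2, "region": "us-east", "actor_role": "crm-app",
     "record_created": "2011-01-10T09:00:00", "time": "2011-02-01T12:00:00"},
    {"id": 3, "region": "eu-west", "actor_role": "provider-ops",
     "record_created": "2011-01-10T09:00:00", "time": "2011-02-02T08:30:00"},
    {"id": 4, "region": "eu-central", "actor_role": "crm-admin",
     "record_created": "2009-03-01T00:00:00", "time": "2011-03-01T00:00:00"},
    {"id": 5, "region": "eu-west", "actor_role": "crm-app"},
]

if __name__ == "__main__":
    for event_id, finding in audit(EVENTS, SLA):
        print(event_id, finding)
```

Events that lack the fields a rule needs are reported as findings rather than skipped, since an SLA term that cannot be traced in the logs cannot be shown to hold.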
