The document provides an overview of cloud computing, outlining its definitions, historical context, and key concepts such as IaaS, PaaS, and SaaS. It highlights significant security concerns surrounding cloud adoption, including data integrity, system integration, and compliance issues, while also calling attention to responsibilities for ISACA members in addressing these challenges. Additionally, it emphasizes the need for robust audit and security practices in cloud services to ensure accountability and transparency.

1. Cloud Security and Audit Issues1Rapp Consulting peet.rapp@yahoo.com

2. Agenda Cloud Computing 101Reality CheckSecurity IssuesISACA Member ResponsibilitiesWhat’s Missing2Rapp Consulting peet.rapp@yahoo.com

3. Cloud Computing 101 Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. - NIST Definition of Cloud Computing3Rapp Consulting peet.rapp@yahoo.com

4. Cloud Computing 101 History - DefinitionsDistributedCentralizedDe-CentralizedRe-CentralizedApplicationsSystem PlatformHardware19702010Per Novell Cloud Presentation 09/094Rapp Consulting peet.rapp@yahoo.com

5. Cloud Computing 101 History - Definitions5Rapp Consulting peet.rapp@yahoo.com

6. Basic Concepts – Cloud Enabling Technologies / FunctionsSOA - XML – APIHypervisorDynamic Partitioning API - Application Programming InterfaceServer OptimizationOS / Application / Data Server MigrationClient CPU/Memory Utilization Monitoring 6Rapp Consulting peet.rapp@yahoo.com

7. Basic Concepts – Enabling Technologies Dynamic Partitioning – the variable allocation of cpu processing and memory to multiple OS’s, applications, and data within one serverRapp Consulting peet.rapp@yahoo.com

8. Basic Concepts – Cloud Enabling Technologies / FunctionsSOA – XML -APIHypervisorDynamic Partitioning Load Balancing / Server OptimizationOS / Application / Data Server MigrationClient CPU/Memory Utilization Monitoring 8Rapp Consulting peet.rapp@yahoo.com

9. Cloud Computing 101 History - Definitions9Rapp Consulting peet.rapp@yahoo.com

10. Cloud Computing 101ASPs vs SaaSASPs are traditional, single-tenant applications, hosted by a third party.SaaS applications are multi-tenant, user facing, web-based applications hosted by a vendor 10Rapp Consulting peet.rapp@yahoo.com

11. Cloud Computing 101 History - Definitions11Rapp Consulting peet.rapp@yahoo.com

12. Cloud Computing 101PaaSA Development Environment (Platform) as a Service. Developer Tool Kits provided. “Pay as you develop/test” business modelRapid Propagation of Software Applications – Low Cost of Entry 12Rapp Consulting peet.rapp@yahoo.com

13. Cloud Computing 101IaaSThe “Bare Metal” Infrastructure as a Service Clients provide all OS, security andapplication softwareUsed for quick-implementation, as-needed data processing / data storage13Rapp Consulting peet.rapp@yahoo.com

14. Cloud Computing 101 - Service Delivery ModelsSaaSSoftware as a ServicePaaSPlatform as a ServiceIaaSInfrastructure as a Service14Rapp Consulting peet.rapp@yahoo.com

15. Cloud Deployment ModelsPublic cloudSold to the public, mega-scale infrastructuresPrivate cloud Enterprise-owned or leased to a Single ClientCommunity cloudShared infrastructure for a Specific CommunityHybrid cloudComposition of two or more Cloud Models15Rapp Consulting peet.rapp@yahoo.com

16. Cloud Computing 101 16Rapp Consulting peet.rapp@yahoo.com

17. Cloud Computing 101 17Rapp Consulting peet.rapp@yahoo.com

18. Reality CheckThe Cloud Is and Will HappenCurrent Major Players – IaaS, PaaSAmazon Web Services, ATT, IBM Rackspace, Terramark, SavvisCurrent Major Players - SaaSFaceBook, Salesforce.com, Google (Gmail), Netsuite18Rapp Consulting peet.rapp@yahoo.com

19. Reality Check19Rapp Consulting peet.rapp@yahoo.com

20. Reality Check20Rapp Consulting peet.rapp@yahoo.com

21. Reality Check Spending Forecasts21Rapp Consulting peet.rapp@yahoo.com

22. Claimed Cloud Computing Business AdvantagesOptimizes Server UtilizationCost SavingsDynamic ScalabilityTime Savings for New ProgramsRight-sizes your enterpriseOutsources ITTransitions CAPEX to OPEX22Rapp Consulting peet.rapp@yahoo.com

23. Excellent Cloud ExamplesNASDAQ / NYTSalesForce.comSigniantThinLaunch Software Intuit QuickBaseWebroot23Rapp Consulting peet.rapp@yahoo.com

24. A Disruptive TechnologyThe Cloud Reshuffles the IT deckShrink Wrapped Application s and Enterprise-Sized will migrate to Online Apps, Possibly Open-Sourced OS will tend towards web-partial systemsDesktops and Notebooks Lose Hard DrivesBusinesses’ IT Staffing Requirements Will Drop 24Rapp Consulting peet.rapp@yahoo.com

25. Claimed Cloud Computing Business Advantages25Rapp Consulting peet.rapp@yahoo.com

26. Current Press StatusThe Majority of Press Coverage supports Service Providers attempting to gain mindshare.Most IT Analysis is very positive about (hyping) the merits of the cloud.Very little is written of Cloud Security or its Audit- ability 26Rapp Consulting peet.rapp@yahoo.com

27. The Gartner Hype Curve27Rapp Consulting peet.rapp@yahoo.com

28. The Gartner Hype Curve28Rapp Consulting peet.rapp@yahoo.com

29. Company/Product Life Cycle: Key to Understanding OpportunitiesPhase IIRapid Market Growth Through Internal Expansion and AcquisitionPhase IVSustained Niche or“Last One Standing”Phase IIIMaturation &ConsolidationPhase IBusiness Start-up & Product RolloutBOutputACDTimeStart-up Capital > Labor/Facilities/Capital > Minimize Cost > Sustained MarketCritical Decisions Made in Phase IIIA: Attempt to go back to Phase II (new market expansion/product improvements)B: Consolidate with competition to grow share in a shrinking marketC: Go/stay private with niche operation and proceed to Phase IVD: Continue to enhance productivity to sustain margins (production improvements/cost takeouts)Moran, Stahl & Boyer29Rapp Consulting peet.rapp@yahoo.com

30. Current Press StatusThe Majority of Press Coverage supports Service Providers attempting to gain mindshare.Most IT Analysis is very positive about (hyping) the merits of the cloud.Very little is written of Cloud Security or its Audit- ability 30Rapp Consulting peet.rapp@yahoo.com

31. Reality CheckGreatest concerns surrounding cloud adoption at your company (per CIO)Security 45%31Rapp Consulting peet.rapp@yahoo.com

32. Security Issues “Cyber Crime in 2008 measured more to be a larger societal loss than illegal drugs.“The main objective of most attackers is to makemoney. The underground prices for stolen bank login accounts range from $10–$1000 (depending on theavailable amount of funds), $0.40–$20 for credit cardnumbers, $1–$8 for online auction site accounts and $4–$30 for email passwords.” Symantec Global Internet Security Threat Report – April 200932Rapp Consulting peet.rapp@yahoo.com

33. Security Issues “Cybersecurity risks pose some of the most serious economic and national security challengesof the 21st Century. The digital infrastructure’sarchitecture was driven more by considerations ofinteroperability and efficiency than of security.”White House Cyberspace Security Review May 200933Rapp Consulting peet.rapp@yahoo.com

34. Security Issues 34Rapp Consulting peet.rapp@yahoo.com

35. Reality CheckGreatest concerns surrounding cloud adoption at your company (per CIO)Security 45%Integration with existing systems 26%Loss of control over data 26%Availability concerns 25%Performance issues 24%IT governance issues 19%Regulatory/compliance concerns 19%35Rapp Consulting peet.rapp@yahoo.com

36. Cloud Security & Control Groups ENISACloud Security Alliance – CSAISACADMTFNISTJericho ForumApps.govOWASPRapp Consulting peet.rapp@yahoo.com36

37. Cloud Security Alliance MembersRapp Consulting peet.rapp@yahoo.com37

38. Cloud Security Alliance MembersRapp Consulting peet.rapp@yahoo.com38

39. Cloud Security Alliance39Rapp Consulting peet.rapp@yahoo.com

40. ISACA40Rapp Consulting peet.rapp@yahoo.com

41. ENISA41Rapp Consulting peet.rapp@yahoo.com

42. DMTF42Rapp Consulting peet.rapp@yahoo.com

43. DMTF43Rapp Consulting peet.rapp@yahoo.com

44. Security Issues Data LocationSaaS Clients’ data co-mingledForensics Possible?Penetration Detection & Multi-Client UAPublic Cloud-Server Owner – Due Diligence?Data Erasure?44Rapp Consulting peet.rapp@yahoo.com

45. Current RegulationsPCI ComplianceStates’ PII requirementsSarbanes OxleyHIPAA45Rapp Consulting peet.rapp@yahoo.com

46. Current Regulations & Standards46Rapp Consulting peet.rapp@yahoo.com

47. ISACA Member Responsibilities – OpportunitiesGreatest concerns surrounding cloud adoption at your company (per CIO)Security 45%Integration with existing systems 26%Loss of control over data 26%Availability concerns 25%Performance issues 24%IT governance issues 19%Regulatory/compliance concerns 19%47Rapp Consulting peet.rapp@yahoo.com

48. ISACA Member Responsibilities – Opportunities48Rapp Consulting peet.rapp@yahoo.com

49. ISACA Member Responsibilities – OpportunitiesEnsure Organization’s Key Players Aware of Cloud Security IssuesAudit Data / Applications targeted for Cloud ComputingInput / Review Cloud Provider’s SLA AgreementStrengthen internal IAM ProgramRapp Consulting49Rapp Consulting peet.rapp@yahoo.com

50. ISACA Member Responsibilities – OpportunitiesEnsure Organization’s Key Players Aware of Cloud Security IssueTarget respected type “A”championsBusiness Application OwnersCorporate AttorneysCxOsHR50Rapp Consulting peet.rapp@yahoo.com

51. ISACA Member Responsibilities – OpportunitiesAudit Data/Applications targeted for Cloud ComputingData MappingWhat is the application data’s internal security level? Who are the Data Owners?What Type of Cloud (public, private, etc) is targeted? 51Rapp Consulting peet.rapp@yahoo.com

52. ISACA Member Responsibilities – OpportunitiesInput / Review Cloud Provider’s SLAOpen Sourced API’s, etcXACML-based IAM programSecurity Transparency Ownership of DataAudit at WillDR/BC policy and practiceReturn of application and data policy52Rapp Consulting peet.rapp@yahoo.com

53. ISACA Member Responsibilities – OpportunitiesEnsure Organization’s Key Players Aware of Cloud Security IssuesAudit Data / Applications targeted for Cloud ComputingInput / Review Cloud Provider’s SLA AgreementStrengthen internal IAM Program53Rapp Consulting peet.rapp@yahoo.com

54. ISACA Member Responsibilities – OpportunitiesStrengthen IAM Program54Rapp Consulting peet.rapp@yahoo.com

55. ISACA Member Responsibilities – OpportunitiesStrengthen Identity – Access Management ProgramXACML Based IAM programFederated User Access – integrated across both cloud and internal enterpriseAligned with compliance requirementsSSO – (Single Sign On) IAM Security Monitoring – ReportingOppty to implement risk-based provisioningRapp ConsultingRapp Consulting peet.rapp@yahoo.com

56. ISACA Member Responsibilities – OpportunitiesKEY TAKE-AWAY #1Cloud Computing should provide organizations sufficient- enough costs-savings to afford investments in required best – practice IS security measures.56Rapp Consulting peet.rapp@yahoo.com

57. ISACA Member Responsibilities – OpportunitiesKEY TAKE-AWAY #2Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career. 57Rapp Consulting peet.rapp@yahoo.com

58. ISACA Member Responsibilities – OpportunitiesKey Take Away #3Develop an Overarching Business ImpactAnalysis Moving an Application / Data to the cloud58Rapp Consulting peet.rapp@yahoo.com

59. ISACA Member Responsibilities – OpportunitiesCloud computing can be evaluated much in the same way as a new operating system. And yet, it's somethng more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelismhttp://www.ddj.com/web-development/220300736?pgno=459Rapp Consulting peet.rapp@yahoo.com

60. Claimed Cloud Computing Business Advantages60Rapp Consulting peet.rapp@yahoo.com

61. ISACA Member Responsibilities – OpportunitiesThis fundamental difference between probabilistic riskand risk introduced by an intelligent adversary (or adaptive threats) leads to the conclusion that more understanding of the cyber security issues and impactsthat are possible on the electric grid is needed. Indeed,there really is no statistical norm for the behavior of cyber attackers and information systems and components failure, and their potential impacts to grid reliability. NERC - 2009 Long-Term Reliability Assessment61Rapp Consulting peet.rapp@yahoo.com

62. ISACA Member Responsibilities – OpportunitiesWhat are the pure goals of auditing?62Rapp Consulting peet.rapp@yahoo.com

63. ISACA Member Responsibilities – OpportunitiesWhat are the pure goals of auditing?Transparency and Accountability63Rapp Consulting peet.rapp@yahoo.com

64. ISACA Member Responsibilities – OpportunitiesCRM Cloud AppSuppliersInternal EnterpriseERP Cloud AppDistributionResellers64Rapp Consulting peet.rapp@yahoo.com

65. ISACA Member Responsibilities – OpportunitiesStock OptCRM Cloud AppHRSuppliersInternal EnterpriseERP Cloud AppCust ServiceDistributionResellersAdvrtz65Rapp Consulting peet.rapp@yahoo.com

66. ISACA Member Responsibilities – Opportunities66Rapp Consulting peet.rapp@yahoo.com

67. ISACA Member Responsibilities – OpportunitiesThere needs to be rock-solid security, and annual (or when changes occure) audit-to-certification standards developed for Cloud Service Providers (CSPs)67Rapp Consulting peet.rapp@yahoo.com

68. What’s NeededThe current US military “jeep” 68Rapp Consulting peet.rapp@yahoo.com

69. What’s NeededThe HUMVEE’s Replacement:The M-ATV69Rapp Consulting peet.rapp@yahoo.com

70. ISACA Member Responsibilities – OpportunitiesSummary –Audit CSP’s Security and DR/BC Policies

71. Is CSP promoting best security practices?

72. Upgrade Current Internal IAM program

73. Insist on “SAS70” type audit from partners and outsource providers of their cloud enterprises70Rapp Consulting peet.rapp@yahoo.com

74. What’s Still NeededCommercial Cloud Applications Security Standards.Training & Certification requirements for Individual Cloud Developers Cloud Service ProvidersCloud Security Tool Providers71Rapp Consulting peet.rapp@yahoo.com

75. What’s Still NeededBest Practice Standards for Internal Audits of Enterprises Employing Cloud Applications.Combination of the ENISA cloud risk assessment with the financial Shared Assessment programImplement an annual Know Your Client (KYC) type audit/certification for all clients and cloud services providers.72Rapp Consulting peet.rapp@yahoo.com