Cloud Computing Risk Assessments - PowerPoint PPT Presentation

Donald Gallien, March 31, 2011. Learn more at: http://www.isaca.org

Transcript and Presenter's Notes

1
Cloud Computing Risk Assessments
  • Donald Gallien
  • March 31, 2011

2
Overview
  • Cloud Computing Refresher
  • Assessing Cloud Computing Universe Completeness
  • Using a Cloud Computing Risk Ranking Model
  • Risk Ranking Case Study

3
Quiz
  • What do the following have in common?
  • Paisley GRC
  • Salesforce.com
  • Amazon EC2
  • Google Apps
  • Microsoft Business Productivity Online Suite
    (BPOS)
  • Rackspace
  • WebEx

4
Cloud Computing Refresher

5
Cloud Computing Basics
  • Internet-based computing, whereby shared
    resources, software and information are provided
    to computers and other devices on demand, like
    the electricity grid (Source: Wikipedia)
  • Based on virtualization and abstraction of the
    underlying infrastructure
  • IT audit risk is largely driven by
    • Deployment Model
    • Service Model
    • Nature of the Applications and Data in the Cloud

6
Deployment Models
Model      Definition                                                                          Example
Public     Available to the general public or a large industry group                           Google Apps (Free)
Community  Shared by several organizations; supports a specific community with shared concerns Google Apps for Government
Private    Operated solely for an organization                                                 Microsoft BPOS for a Business
Source: NIST
7
Service Models
Model                                Definition                                                                                 Example
Infrastructure as a Service (IaaS)   Fundamental computing resources on which to deploy software, including OS and applications Rackspace Cloud
Platform as a Service (PaaS)         Applications built with programming languages and tools supported by the cloud provider   Force.com
Software as a Service (SaaS)         Cloud provider applications running on a cloud infrastructure                              Salesforce.com (CRM)
Source: NIST
8
Another Way to Look at Service Models
[Figure: the example services placed along a provider-control axis, from the most provider control (WebEx, SaaS) through BPOS to the least (Amazon EC2, IaaS)]
9
Deployment Model Risk Profile
[Figure: Public, Community and Private deployment models plotted against the likelihood of a data security, privacy, or control breach; Public highest, Private lowest]
10
Service Model Risk Profile
[Figure: IaaS, PaaS and SaaS service models plotted against the impact of a loss of control or security breach; IaaS highest, SaaS lowest]
11
Cloud Refresher Summary
  • Public clouds are inexpensive, but provide less
    security and service
  • Private clouds are expensive, but align better
    with technology and security standards
  • IaaS models are very broad in scope, but
    organizations maintain more control
  • SaaS models are narrow in scope, but
    organizations relinquish almost all control

What is the impact of cloud computing on the IT
audit function?
12
But one thing never changes
  • All IT Audit and Governance groups must
    • Identify a universe
    • Risk rank the universe
    • Provide appropriate coverage based on risk

13
Assessing Cloud Computing Universe Completeness

14
The Cloud Universe Challenge
15
Finding the Clouds
16
Technology Governance
  • Oversight
  • Technology Approvals
  • Partner Approvals

How does your organization promote controlled
cloud computing?
17
Firewalls and Encryption Certificates
  • Firewall and VPN rule changes
  • Firewall logs
  • Encryption certificate requests

Cloud computing environments are unlikely to
stand alone: they need connectivity, rules and
certificates from the existing environment.
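Slide 17's point that cloud usage leaves traces in ordinary egress logs can be turned into a discovery sweep. The following is an added example, not part of the presentation or any ISACA tool: it parses a constructed firewall export in a generic key=value format, matches destination hosts against an assumed list of provider domains seeded with the services the deck names, and summarizes allowed and denied connections per provider and internal source. The log lines and the domain list are both constructed for the example.

```python
"""Find cloud services in egress firewall logs (added example, not the deck's tool)."""
import re
from collections import defaultdict

# Assumed inventory of provider domains -> label. In practice seed this from the
# vendor master and the technology / partner approval lists the deck mentions.
KNOWN_CLOUD_DOMAINS = {
    "salesforce.com": "Salesforce.com (SaaS)",
    "force.com": "Force.com (PaaS)",
    "amazonaws.com": "Amazon EC2 (IaaS)",
    "google.com": "Google Apps (SaaS)",
    "webex.com": "WebEx (SaaS)",
    "rackspacecloud.com": "Rackspace Cloud (IaaS)",
    "microsoftonline.com": "Microsoft BPOS (SaaS)",
}

# Constructed sample export: one egress event per line, generic key=value format.
SAMPLE_LOG = """\
2011-03-30T09:12:04Z action=allow src=10.20.5.17 dst=login.salesforce.com dport=443 bytes=48211
2011-03-30T09:13:11Z action=allow src=10.20.5.17 dst=na1.salesforce.com dport=443 bytes=913004
2011-03-30T09:15:42Z action=allow src=10.20.7.9 dst=ec2-50-16-1-2.compute-1.amazonaws.com dport=22 bytes=20450
2011-03-30T09:16:00Z action=allow src=10.20.7.9 dst=s3.amazonaws.com dport=443 bytes=5021100
2011-03-30T09:18:31Z action=deny src=10.20.9.3 dst=mail.google.com dport=443 bytes=0
2011-03-30T09:19:02Z action=allow src=10.20.9.3 dst=intranet.example.internal dport=80 bytes=1500
2011-03-30T09:21:17Z action=allow src=10.20.11.44 dst=company.webex.com dport=443 bytes=77120
2011-03-30T09:22:05Z action=allow src=10.20.11.44 dst=www.example.org dport=443 bytes=2200
"""

LINE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        ev["bytes"] = int(ev["bytes"])
        yield ev


def match_provider(host):
    """Return (domain, label) if host is a known provider domain or a subdomain of it.

    Suffix matching on label boundaries: na1.salesforce.com matches salesforce.com,
    but salesforce.com.evil.test does not, because the suffix must end the name.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in KNOWN_CLOUD_DOMAINS:
            return suffix, KNOWN_CLOUD_DOMAINS[suffix]
    return None


def find_cloud_services(log):
    """Aggregate events per provider label: internal sources, ports, allow/deny counts, bytes."""
    found = defaultdict(lambda: {"sources": set(), "ports": set(), "allowed": 0, "denied": 0, "bytes": 0})
    for ev in parse(log):
        hit = match_provider(ev["dst"])
        if hit is None:
            continue
        entry = found[hit[1]]
        entry["sources"].add(ev["src"])
        entry["ports"].add(ev["dport"])
        if ev["action"] == "allow":
            entry["allowed"] += 1
            entry["bytes"] += ev["bytes"]
        else:
            entry["denied"] += 1  # blocked attempts still reveal who is trying to use what
    return dict(found)


if __name__ == "__main__":
    for label, e in sorted(find_cloud_services(SAMPLE_LOG).items()):
        print(f"{label:24} hosts={len(e['sources'])} allowed={e['allowed']} "
              f"denied={e['denied']} bytes={e['bytes']} ports={sorted(e['ports'])}")
```

The output is a list of candidates for the walkthroughs on slide 19, not findings: a domain list this coarse (google.com covers search as well as Google Apps) cannot tell business use from incidental browsing, and an SSH session to an EC2 host on port 22 from a desktop subnet deserves a different conversation than HTTPS to a CRM login page.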
18
Invoices / T&E Reporting
  • Vendor master
  • Invoice lists
  • T&E (travel and expense) reporting

How much does it cost to deploy a cloud-based
e-mail service at Google?
19
Process Walkthroughs
  • Business process
  • Data flow
  • Technology overview

Has anyone discovered cloud-based computing in a
walkthrough meeting?
20
Summary Universe Completeness
  • Cloud computing can be difficult to identify
  • Traditional technology governance, security, and
    procurement controls can be used to identify
    cloud computing
  • Users and business analysts could be your best
    source of cloud computing information

What else can you do to identify cloud computing?
21
Using a Cloud Computing Risk Ranking Model

22
A few thoughts before we start
  • Risk models include elements of judgment and must
    fit the organization
  • Some model assumptions may be completely wrong
    for your organization
  • We should have a lot of debate on this topic
  • Risk ranking scores must drive governance
    requirements and audit activities

23
Cloud Risk Ranking Example
24
Potential Governance Audit Requirements
25
Deployment Model Considerations
Attribute         High     Medium      Low
Deployment Model  Public   Community   Private
26
Service Model Considerations
Attribute      High   Medium   Low
Service Model  IaaS   PaaS     SaaS
27
Data Security Considerations
Attribute       High     Medium       Low
Security Level  Secret   Restricted   Unclassified
28
Physical Hosting Site Considerations
Attribute     High        Medium                   Low
Hosting Site  Undefined   International Location   Domestic Location
29
SOX Criticality Considerations
Attribute      High   Medium   Low
SOX Critical   Yes    n/a      No
30
Dependent Applications
Attribute        High              Medium   Low
Number of Apps   Greater than 10   4 to 9   Less than 3
31
Recovery Time Objectives (RTO) Considerations
Attribute   High      Medium   Low
RTO         4 Hours   7 Days   31 Days
32
Regions Supported Considerations
Attribute   High               Medium          Low
Region      Europe or Global   United States   All Other
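The attribute tables on slides 25 to 32, combined into one scoring function: an added example, not the presenter's model or case study. The per-attribute High/Medium/Low ratings follow the slides. Everything else is an assumption stated in the code: the numeric weights (High 3, Medium 2, Low 1), the banding of the total, the treatment of 3 and 10 dependent applications (the slide's bands "less than 3", "4 to 9" and "greater than 10" leave both unassigned), and the reading of the RTO anchor points as thresholds. The universe entries are constructed from services the deck names.

```python
"""Cloud risk ranking model built from the deck's attribute tables (added example)."""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "High", "Medium", "Low"
SCORE = {HIGH: 3, MEDIUM: 2, LOW: 1}  # assumed: equal numeric weight per attribute

# Categorical attributes, value -> rating, exactly as on the slides.
CATEGORICAL = {
    "deployment_model": {"public": HIGH, "community": MEDIUM, "private": LOW},
    "service_model": {"iaas": HIGH, "paas": MEDIUM, "saas": LOW},
    "security_level": {"secret": HIGH, "restricted": MEDIUM, "unclassified": LOW},
    "hosting_site": {"undefined": HIGH, "international": MEDIUM, "domestic": LOW},
    "sox_critical": {"yes": HIGH, "no": LOW},  # the slide defines no Medium for SOX
    "region": {"europe": HIGH, "global": HIGH, "united states": MEDIUM, "other": LOW},
}


def rate_dependent_apps(count):
    """Slide: High above 10, Medium 4 to 9, Low below 3.

    Counts of 3 and 10 fall between the slide's bands. Assumption here:
    3 or fewer is Low and 10 or more is High, so every count gets one rating.
    """
    if count < 0:
        raise ValueError("dependent application count cannot be negative")
    if count >= 10:
        return HIGH
    if count >= 4:
        return MEDIUM
    return LOW


def rate_rto(rto_hours):
    """Slide gives anchor points of 4 hours, 7 days and 31 days.

    Assumption: an RTO at or below 4 hours is High (tight recovery need),
    at or below 7 days is Medium, anything longer is Low.
    """
    if rto_hours <= 0:
        raise ValueError("RTO must be a positive number of hours")
    if rto_hours <= 4:
        return HIGH
    if rto_hours <= 7 * 24:
        return MEDIUM
    return LOW


@dataclass(frozen=True)
class CloudService:
    name: str
    deployment_model: str
    service_model: str
    security_level: str
    hosting_site: str
    sox_critical: str
    region: str
    dependent_apps: int
    rto_hours: float


def rate(service):
    """Rate every attribute; reject values the model does not define rather than guess."""
    ratings = {}
    for attr, table in CATEGORICAL.items():
        value = getattr(service, attr).strip().lower()
        if value not in table:
            raise ValueError(f"{service.name}: {attr}={value!r} is not a value the model defines")
        ratings[attr] = table[value]
    ratings["dependent_apps"] = rate_dependent_apps(service.dependent_apps)
    ratings["rto"] = rate_rto(service.rto_hours)
    return ratings


def overall(ratings):
    """Assumed aggregation: equal-weight sum (range 8 to 24), banded as
    High at 20 or more, Medium at 14 or more, otherwise Low."""
    total = sum(SCORE[r] for r in ratings.values())
    band = HIGH if total >= 20 else MEDIUM if total >= 14 else LOW
    return total, band


def rank_universe(services):
    """Return (name, total, band) tuples, highest risk first, names breaking ties."""
    rows = [(s.name, *overall(rate(s))) for s in services]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed universe entries; attribute values are illustrative, not vendor facts.
UNIVERSE = [
    CloudService("Sales CRM on Salesforce.com", "public", "saas", "restricted",
                 "domestic", "yes", "united states", 6, 24),
    CloudService("Dev sandbox on Amazon EC2", "public", "iaas", "unclassified",
                 "undefined", "no", "united states", 1, 31 * 24),
    CloudService("Market data feed on Amazon EC2", "public", "iaas", "secret",
                 "undefined", "yes", "global", 11, 2),
]

if __name__ == "__main__":
    for name, total, band in rank_universe(UNIVERSE):
        print(f"{total:2} {band:6} {name}")
```

Two design choices worth carrying into a real model: unknown attribute values raise instead of silently scoring Low (a service with no recorded hosting site should surface as "Undefined", which the slide rates High, not vanish), and the band thresholds live in one place so the debate slide 22 asks for can change them without touching the attribute tables.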
33
Summary Cloud Risk Ranking Models
  • Cloud risk ranking attributes and scoring must
    vary based on environment and need
  • Risk attributes and scoring require alignment
    with organizational standards

What other risk attributes might you use, and how
would you rank them on a high, medium, low basis?
34
Risk Ranking Case Study

35
Conclusions
  • Business and technology leaders are embracing
    cloud computing - it is here to stay and growing
  • Cloud computing standards and risk ranked cloud
    universes are foundational requirements for
    governance
  • We must adjust our approach to remain relevant

36
Questions
Contact Information donald.w.gallien_at_aexp.com