
Cloud Computing Security and Governance


Presentation Transcript


  1. Cloud Computing Security and Governance What Auditors Need to Know?

  2. AICPA Upcoming Webcasts • May 25, 2011 (Wednesday) 2:00 – 3:30 EST • CITP Career Path • Jim Boomer, Jim Bourke, Ron Box, Chandni Sarawagi • 2011 Top Technology Initiatives Webcast Series • Coming Soon! www.aicpa.org/itinfocasts

  3. Introductions

  4. Introductions • Sarah Adams: Sarah is a Director at Deloitte & Touche LLP with more than 20 years of audit, risk, and controls experience in both operations and technology, with extensive experience in risk assessments, quality assurance reviews and strategic assurance reviews. She has a strong background in IT and serves as the National Leader of Deloitte’s IT Internal Audit practice. She supports the Internal Audit function of multiple large, global retail, publishing, and technology companies. • Rob Zanella: Rob Zanella is Vice President of IT Compliance & Security for CA and is responsible for all compliance and security activities within Information Technology. Rob joined CA in 2005 as Director of Internal Audit to develop the company’s first IT Audit practice. Rob has over 25 years of IT experience in operations, software development, project management, auditing, compliance and security.

  5. Agenda • Introductions • What is Cloud computing • Key attributes • Key drivers • Cloud – Risk Intelligence Map • Role of Internal Audit • Q & A

  6. Poll Question # 1 • What kind of entity do you work for? • Consulting Firm • Accounting Firm • Business and Industry • Government • Nonprofit

  7. Cloud computing Cloud computing represents a major shift in information technology architecture, sourcing, and services delivery. Cloud computing has emerged from the convergence of Internet technologies, virtualization, and IT standardization. Network-based applications and data services, decoupled from enterprise data centers, have evolved into a growing "cloud" of software services and methods of computing. Industry analysts have defined the capabilities and services offered by Cloud computing to include three major qualities: • Abstracted hardware resources • Consumed as a variable expense • Increased elastic capacity and capability

  8. Cloud computing architectures Cloud computing technology is deployed in three general types, based on the level of internal or external ownership and technical architectures

  9. Poll Question # 2 • How would you describe your level of understanding of the cloud? • None - want to understand Cloud • Toe in the water • All in • I had nothing else to do today

  10. Cloud computing services – X as a Service Different types of Cloud computing services are grouped into specific categories: Infrastructure, Platform and Software services

  11. Sample services within the 3 categories of Cloud computing There is an evolving “ecosystem” of service providers. Software-as-a-Service: • Customer Relationship Management: salesforce.com, myERP.com, Oracle OnDemand, RightNow • Business Intelligence: SAS Suite of On-Demand Applications, Vitria M3O • Human Resources: Oracle PeopleSoft, NetSuite ePayroll, Workday • Productivity and Collaboration: Gmail, Google Apps, Zoho.com Infrastructure-as-a-Service: • Amazon Web Services: provides on-demand Cloud computing services using a variable cost model • Amazon Virtual Private Cloud: provides a fully private Cloud services model using the Amazon cloud infrastructure • Mozy.com: provides backup services over the Internet Platform-as-a-Service: • Google App Engine: allows Web applications to be deployed on Google’s architecture • Microsoft Windows Azure: Cloud computing architecture offered to host .NET applications

  12. Key attributes of Cloud computing

  13. Poll Question # 3 • What is the general status of your Cloud computing environment? • No Cloud at this time • Cloud computing is in design/concept at this time • Cloud is being developed/ pilot phase • Cloud computing environment is established • We use/have multiple cloud environments • Don’t know/unsure

  14. Cloud computing - drivers Cloud computing is being driven by many urgent IT priorities: • Reduce IT capital equipment spending • Lower implementation costs compared to on-premise solutions • Less hardware to purchase and support; fewer assets on the balance sheet • Fewer IT resources required in-house • Costs are treated as operating expenses, not capital expenses • Gain flexibility and speed in implementations • Allows greater flexibility and shorter time to implementation • Shift IT from supporting the infrastructure to innovating • Software maintenance and upgrades may be handled by Cloud providers • Greater ability to respond flexibly to the business as needs change • Leverage IT technology evolution • Rapidly changing technology standards and practices are driving enterprises to consider Cloud computing as a viable alternative

  15. Top Cloud considerations & risks • Considerations around moving IT components into the Cloud: • What corporate security policies are in place? • What type of configuration management is used to protect against accidental changes that could negatively affect security? • How is data backed up? • How will availability objectives, recovery time objectives, and recovery point objectives be met? • How will disaster recovery testing occur, and will clients have access to truthful results? • Who will have access to the data? • Where will the data be housed? • Will you have access to the data for audits, etc.? • Consumer users – Privacy, data usage • Enterprise users – Encryption, data integrity • Service providers – Cross-border issues, regulations [Chart: “Security tops Cloud concerns” – How concerned are you with the following issues as they relate to cloud computing? Issues ranked: Security, Control, Performance, Support, Vendor lock-in, Speed to activate new services/expand capacity, Configurability. Data: InformationWeek Analytics Cloud computing Survey of 453 business technology professionals.] A recent survey was conducted of 244 IT executives/CIOs about their companies’ use of, and views about, IT Cloud services. The biggest Cloud challenge reported was security.

  16. Risks, Threats, Vulnerabilities (1/6)

  17. Risks, Threats, Vulnerabilities (2/6)

  18. Risks, Threats, Vulnerabilities (3/6)

  19. Poll Question # 4 • What is the primary driver of your use/planned use of cloud? • Cost savings • Increased capacity/availability • Flexibility to increase/decrease usage easily • Minimal capital investment • We don’t use the Cloud/Don’t plan to use the Cloud

  20. Risks, Threats, Vulnerabilities (4/6)

  21. Risks, Threats, Vulnerabilities (5/6)

  22. Risks, Threats, Vulnerabilities (6/6)

  23. Cloud Computing Risk Intelligence Map

  24. Poll Question # 5 • Which statement do you most agree with? • There are no new risks with Cloud computing; this is just a new version of what we've always dealt with • Although there are new risks with Cloud computing, we have reasonable mitigation strategies that can be implemented • There are significant new risks with Cloud computing

  25. Role of Internal Audit (1/3) Internal Audit can play a role of strategic advisor and assist the business to understand and manage the risks associated with Cloud computing. Implementation phases, with the activities in each phase and the risks involved: • Requirements – Activities: Understanding the business case; Develop Requirements Specifications. Risks: Incomplete requirements; Poorly designed business case; Requirements are not aligned with corporate policies and requirements. • Vendor Selection – Activities: Vendor evaluation and selection; Update business case. Risks: Incomplete selection criteria; Lack of understanding of vendor internal controls; Excessive costs. • Implementation – Activities: Prioritization of migration; Vendor contract; Network considerations. Risks: Controls not considered; Insecure design, not fault tolerant. • Pilot / Test – Activities: Select area to pilot; Migrate processes to test cloud. Risks: Non-existent/ineffective controls; Inadequate testing; Inadvertent exposure of data. • Migration – Activities: Build infrastructure; Migrate data and processes. Risks: Inadvertent exposure of data; Business processes don’t work as expected. • Validate and Monitor – Activities: Decommission legacy systems; SAS 70 / ISO reviews, Right to Audit. Risks: Loss of financial records; Loss due to inadequate monitoring.

  26. Role of Internal Audit (2/3) Sample support activities Identify control requirements (requirements, vendor selection, implementation phases) • Scope – identify controls to be implemented • Value – IA can help understand and manage the risks and therefore support the business case Vendor selection support (requirements, vendor selection phases) • Scope – support the evaluation of vendors and ensure a balanced assessment • Value – manages the significant risks that the selected vendor will not be around tomorrow or that internal technology won’t integrate; provides evidence of reliability Vendor management review (vendor selection, implementation, validate and monitor phases) • Scope – evaluate controls for managing vendor relationships (SLAs/OLAs), invoice review, escalation, etc. • Value – ensures that appropriate processes are in place to manage the significant new vendor relationship and maximize the value the company gets from it

  27. Role of Internal Audit (3/3) Sample support activities Data migration assessment (implementation, pilot, migration phases) • Scope – assess the planned data migration scope and method as well as the future-state data interface design • Value – helps the business and finance gain comfort around the plans for cutover from old to new systems and for the completeness and accuracy of data transferred PMO / Project management assessment (implementation, pilot, migration phases) • Scope – review project management / PMO capabilities • Value – ensures processes are in place that can support managing this complex and high-risk project to the greatest benefit in the shortest time Controls review / assessment / test (all phases) • Scope – perform a review of controls to be put in place, test controls and provide advice on improvement • Value – ensures IT and business have taken appropriate steps to mitigate the implementation and business process risks that will arise as part of the implementation
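The "completeness and accuracy of data transferred" test above is usually done as a reconciliation: control totals (record counts, amount totals) plus a per-record fingerprint comparison so that missing, unexpected and silently altered records are all surfaced. The following is an added example of such a reconciliation and is not code from the presentation or from AICPA; the record layout, the `id` and `amount` field names, and the source/target extracts are constructed for illustration.

```python
"""Migration reconciliation: control totals plus per-record fingerprints.

Added example (not from the presentation). Assumes source and target
extracts are lists of flat dicts sharing a key field; the sample data
below is constructed, not taken from any real system.
"""
import hashlib
import json
from typing import Dict, List

# Constructed source extract (legacy system) and target extract (cloud system).
SOURCE_RECORDS: List[dict] = [
    {"id": "1001", "customer": "ACME", "amount": 150.00, "status": "open"},
    {"id": "1002", "customer": "Globex", "amount": 99.95, "status": "closed"},
    {"id": "1003", "customer": "Initech", "amount": 1200.00, "status": "open"},
    {"id": "1004", "customer": "Umbrella", "amount": 42.10, "status": "closed"},
]
TARGET_RECORDS: List[dict] = [
    {"id": "1001", "customer": "ACME", "amount": 150.00, "status": "open"},
    # Same content as source 1002, different field order: must NOT flag.
    {"status": "closed", "amount": 99.95, "customer": "Globex", "id": "1002"},
    # Status changed during migration: must flag as altered.
    {"id": "1003", "customer": "Initech", "amount": 1200.00, "status": "closed"},
    # Record that does not exist in the source: must flag as unexpected.
    {"id": "1005", "customer": "Hooli", "amount": 10.00, "status": "open"},
    # Source record 1004 is absent here: must flag as missing.
]


def record_fingerprint(record: dict, key_field: str) -> str:
    """SHA-256 over a canonical JSON form so field order and whitespace
    differences between exports do not produce false mismatches."""
    body = {k: v for k, v in record.items() if k != key_field}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def control_totals(records: List[dict], amount_field: str) -> Dict[str, float]:
    """Record count and amount total, the two totals auditors tie out first."""
    return {
        "count": len(records),
        "amount_total": round(sum(r[amount_field] for r in records), 2),
    }


def index_by_key(records: List[dict], key_field: str) -> Dict[str, str]:
    """Map key -> fingerprint, refusing duplicate keys rather than silently
    keeping the last one (a duplicate would otherwise hide a data defect)."""
    index: Dict[str, str] = {}
    for r in records:
        key = r[key_field]
        if key in index:
            raise ValueError(f"duplicate key {key!r} in extract")
        index[key] = record_fingerprint(r, key_field)
    return index


def reconcile(source: List[dict], target: List[dict],
              key_field: str = "id", amount_field: str = "amount") -> dict:
    """Compare a source and target extract; returns totals and exception lists."""
    src = index_by_key(source, key_field)
    tgt = index_by_key(target, key_field)
    missing = sorted(set(src) - set(tgt))          # in source, not migrated
    unexpected = sorted(set(tgt) - set(src))       # in target, no source record
    altered = sorted(k for k in src.keys() & tgt.keys() if src[k] != tgt[k])
    return {
        "source_totals": control_totals(source, amount_field),
        "target_totals": control_totals(target, amount_field),
        "missing_in_target": missing,
        "unexpected_in_target": unexpected,
        "altered": altered,
        "complete_and_accurate": not (missing or unexpected or altered),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SOURCE_RECORDS, TARGET_RECORDS), indent=2))
```

Control totals alone would pass a migration in which one record was dropped and another inserted with an offsetting amount; the per-record fingerprints are what catch the altered record 1003 here even though its amount is unchanged.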

  28. Poll Question # 6 • Do we need to have data classification policies prior to moving to the Cloud? • Why worry, the Cloud provider will take care of my data • Yes, we should, but we need to move to the Cloud asap to save costs • Yes, and we need to implement data classification policies first • Don’t care

  29. Service Organization Controls (SOC) Reports Formerly SAS 70 reports. The AICPA has outlined 3 types of SOC reports designed to help service organizations meet User Entity objectives: • SOC 1 Report • Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ISAE 3402 / SSAE 16) • SOC 2 Report • Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (AT Section 101 – Attest Engagements) • SOC 3 Report • Trust Services Report for Service Organizations (SysTrust/WebTrust)

  30. AICPA Products Related to Service Organization Controls The AICPA recently developed resources for CPAs, service organizations and user entities who need to build trust and confidence in outsourced services. The resources include: • Online source center: www.aicpa.org/SOC and www.aicpa.org/infotech • Online brochure to provide an introduction to the concept of Service Organization Control (SOC) reports • AICPA Alert: Service Organizations: New Reporting Options—2010/11 (NEW - IT Section members receive 10% off the purchase starting 01/11/11!) • SSAE 16 Publication: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/SSAEs/PRDOVR~PC-023035/PC-023035.jsp • Two Service Organization Control (SOC) guides are under development

  31. Q&A More info is available at: aicpa.org/soc or aicpa.org/infotech

  32. More information is available at: aicpa.org/soc or aicpa.org/infotech. Also, for an overview of how guidance and reports have been developed in response to the explosive growth in cloud computing and outsourcing, watch the video below with AICPA President & CEO Barry Melancon, CPA: http://www.aicpa.org/NEWS/AICPATV/ACCOUNTINGAUDITING/Pages/ServiceOrganizationControlReports.aspx

  33. Poll Question # 7 • If you had to determine what to accept from a Cloud provider, what would you require? • A SAS70 or SYSTRUST independent attestation • An attestation against a new Standard - which should be developed • A review of the Provider’s controls by the User’s Internal Audit function • A self-assessment provided by the Provider • Don’t know

  34. Q&A

  35. Questions, References and Contact Info Rob Zanella VP, IT Service Management Robert.Zanella@ca.com

  36. IT Community Benefits at a Glance • IT Section Members Receive: • Discounts on Educational programs, such as AICPA Tech + Conference, National Advanced Accounting and Auditing Technical Symposium (NAAATS), Controller’s Conference and IT Audit School Program. • Discounts on valuable software and tools, including IDEA products. • Free monthly web seminars on topics critical to CPAs (plus an opportunity for CPE discounts!) • Valuable technology content, including discussion papers, studies, and practice aids. • Communications, including electronic newsletter, podcasts, featured articles, profiles, and news about the profession and the IT Community. • Networking groups and IT Community events at Tech + Conference

  37. IT Community Benefits at a Glance • CITP Credential holders automatically receive IT Section Membership, plus: • Differentiation from CPAs and other technology and financial management professionals. • Customizable marketing materials, including targeted brochures that highlight your ability to leverage technology for real business results. • CITP Networking Groups • Additional discounts, including $125 discount on conference registration to Tech +, National Advanced Accounting and Auditing Technical Symposium (NAAATS) and Controller’s conferences. • To find out more about the IT Section membership or the Certified Information Technology Professional (CITP) Credentials, please go to www.aicpa.org/infotech for more details.
