Cloud Computing Risk Assessments

Donald Gallien

March 31, 2011

Overview
  • Cloud Computing Refresher
  • Assessing Cloud Computing Universe Completeness
  • Using a Cloud Computing Risk Ranking Model
  • Risk Ranking Case Study
Quiz
  • What do the following have in common?
    • Paisley GRC
    • Amazon EC2
    • Google Apps
    • Microsoft Business Productivity Online Suite (BPOS)
    • Rackspace
    • WebEx
Cloud Computing Basics
  • Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)
  • Based on virtualization and abstraction of the underlying infrastructure
  • IT Audit Risk is largely driven by:
    • Deployment Model
    • Service Model
    • Nature of Applications & Data in Cloud
Deployment Models

Source: NIST

Service Models

Source: NIST

Another Way to Look at Service Models

[Figure not preserved; surviving labels: Provider Control, Amazon EC2]
Deployment Model Risk Profile

[Figure not preserved; surviving label: Likelihood of Data Security, Privacy, and Control Breach]

Service Model Risk Profile

[Figure not preserved; surviving label: Impact of Loss of Control & Security Breach]

Cloud Refresher Summary
  • Public clouds are inexpensive, but provide less security and service
  • Private clouds are expensive, but align better with technology and security standards
  • IaaS models are very broad in scope, but organizations maintain more control
  • SaaS models are narrow in scope, but organizations relinquish almost all control

What is the impact of cloud computing on the IT audit function?

But one thing never changes
  • All IT Audit and Governance groups must:
    • Identify a Universe
    • Risk Rank the Universe
    • Provide Appropriate Coverage based on Risk
Technology Governance
  • Oversight
  • Technology Approvals
  • Partner Approvals

How does your organization promote controlled cloud computing?

Firewalls and Encryption Certificates
  • Firewall & VPN Rule Changes
  • Firewall Logs
  • Encryption Certificate Requests

Cloud computing environments are unlikely to stand alone.

Invoices / T&E Reporting
  • Vendor Master
  • Invoice Lists
  • T&E Reporting

How much does it cost to deploy cloud-based e-mail service at Google?

Process Walkthroughs
  • Business Process
  • Data Flow
  • Technology Overview

Has anyone discovered cloud-based computing in a walkthrough meeting?

Summary – Universe Completeness
  • Cloud computing can be difficult to identify
  • Traditional technology governance, security, and procurement controls can be used to identify cloud computing
  • Users and business analysts could be your best source of cloud computing information

What else can you do to identify cloud computing?

A few thoughts before we start
  • Risk models include elements of judgment and must fit the organization
  • Some model assumptions may be completely wrong for your organization
    • We should have a lot of debate on this topic
  • Risk ranking scores must drive governance requirements and audit activities
Physical Hosting Site Considerations




Regions Supported Considerations

[Table not preserved; surviving labels: / Global, All Other]

Summary – Cloud Risk Ranking Models
  • Cloud risk ranking attributes and scoring must vary based on environment and need
  • Risk attributes and scoring require alignment with organizational standards

What other risk attributes might you use, and how would you rank them on a high, medium, low basis?

  • Business and technology leaders are embracing cloud computing - it is here to stay and growing
  • Cloud computing standards and risk ranked cloud universes are foundational requirements for governance
  • We must adjust our approach to remain relevant

Contact Information: