
Cloud Computing Risk Assessments


Presentation Transcript


  1. Cloud Computing Risk Assessments Donald Gallien March 31, 2011

  2. Overview • Cloud Computing Refresher • Assessing Cloud Computing Universe Completeness • Using a Cloud Computing Risk Ranking Model • Risk Ranking Case Study

  3. Quiz • What do the following have in common? • Paisley GRC • Salesforce.com • Amazon EC2 • Google Apps • Microsoft Business Productivity Online Suite (BPOS) • Rackspace • WebEx

  4. Cloud Computing Refresher

  5. Cloud Computing Basics • Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia) • Based on virtualization and abstraction of the underlying infrastructure • IT Audit Risk is largely driven by: • Deployment Model • Service Model • Nature of Applications & Data in Cloud

  6. Deployment Models Source: NIST

  7. Service Models Source: NIST

  8. Another Way to Look at Service Models (figure: WebEx, BPOS and Amazon EC2 placed along a provider-control axis)

  9. Deployment Model Risk Profile (figure: Public, Community, Private along an axis of likelihood of data security, privacy and control breach)

  10. Service Model Risk Profile (figure: IaaS, PaaS, SaaS along an axis of impact of loss of control and security breach)

  11. Cloud Refresher Summary • Public clouds are inexpensive, but provide less security and service • Private clouds are expensive, but align better with technology and security standards • IaaS models are very broad in scope, but organizations maintain more control • SaaS models are narrow in scope, but organizations relinquish almost all control What is the impact of cloud computing on the IT audit function?

  12. But one thing never changes • All IT Audit and Governance groups must: • Identify a Universe • Risk Rank the Universe • Provide Appropriate Coverage based on Risk

  13. Assessing Cloud Computing Universe Completeness

  14. The Cloud Universe Challenge

  15. Finding the Clouds

  16. Technology Governance • Oversight • Technology Approvals • Partner Approvals How does your organization promote controlled cloud computing?

  17. Firewalls and Encryption Certificates • Firewall & VPN Rule Changes • Firewall Logs • Encryption Certificate Requests Cloud computing environments are unlikely to stand alone.

  18. Invoices / T&E Reporting • Vendor Master • Invoice Lists • T&E Reporting How much does it cost to deploy cloud based e-mail service at Google?

  19. Process Walkthroughs • Business Process • Data Flow • Technology Overview Has anyone discovered cloud based computing in a walkthrough meeting?

  20. Summary – Universe Completeness • Cloud computing can be difficult to identify • Traditional technology governance, security, and procurement controls can be used to identify cloud computing • Users and business analysts could be your best source of cloud computing information What else can you do to identify cloud computing?
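Slides 16 to 20 list the control evidence that exposes cloud use the business never declared. As an added example (not from the presentation), the Python below triages a firewall export for cloud-bound destinations, aggregates who inside the organisation talks to each provider and how much, and flags the providers that have no partner approval on record. The CSV layout and rows are constructed; the provider-to-domain mapping and the APPROVED set are assumptions to be replaced with the organisation's own firewall exports and approval records.

```python
"""Triage a firewall export for cloud-bound traffic (added example, not from the deck).

Assumptions: the CSV layout and rows below are constructed; the provider-to-domain
mapping and the APPROVED set are illustrative and must be replaced with the
organisation's own partner-approval records (slide 16) and firewall exports (slide 17).
"""
import csv
import io
from datetime import datetime

# Providers named in the deck's quiz; the domain suffixes are assumptions.
CLOUD_DOMAINS = {
    "Salesforce.com": ("salesforce.com", "force.com"),
    "Amazon EC2": ("amazonaws.com",),
    "Google Apps": ("google.com", "googleapis.com"),
    "Microsoft BPOS": ("microsoftonline.com",),
    "Rackspace": ("rackspace.com", "rackspacecloud.com"),
    "WebEx": ("webex.com",),
}

# Assumed: the only provider that has passed technology and partner approval.
APPROVED = {"WebEx"}

# Constructed sample export. Bytes are the outbound volume the firewall logged.
SAMPLE_LOG = """\
timestamp,src_ip,dst_host,dst_port,action,bytes
2011-03-28T09:01:12,10.20.4.15,login.salesforce.com,443,allow,18233
2011-03-28T09:02:40,10.20.4.15,na1.salesforce.com,443,allow,204811
2011-03-28T09:05:03,10.20.7.88,ec2-54-1-2-3.compute-1.amazonaws.com,22,allow,9120
2011-03-28T09:07:19,10.20.7.88,s3.amazonaws.com,443,allow,15728640
2011-03-28T10:11:54,10.20.9.3,mail.google.com,443,allow,55012
2011-03-28T10:12:05,10.20.9.3,www.example.org,80,allow,3021
2011-03-28T11:20:00,10.20.4.16,company.webex.com,443,allow,40210
2011-03-28T11:21:13,10.20.9.3,docs.google.com,443,deny,0
"""


def provider_for(host):
    """Map a destination hostname to a known cloud provider, or None.

    Matching is on domain suffix so that any subdomain (s3.amazonaws.com,
    ec2-...compute-1.amazonaws.com) hits the same provider.
    """
    host = host.lower().rstrip(".")
    for provider, suffixes in CLOUD_DOMAINS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return provider
    return None


def triage(log_text):
    """Aggregate cloud-bound rows per provider: who talks to it, how much, since when."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        provider = provider_for(row["dst_host"])
        if provider is None:
            continue  # not a cloud destination we track
        f = findings.setdefault(provider, {
            "approved": provider in APPROVED,
            "sources": set(), "hosts": set(),
            "bytes_allowed": 0, "denied": 0, "first_seen": None,
        })
        seen = datetime.fromisoformat(row["timestamp"])
        f["sources"].add(row["src_ip"])
        f["hosts"].add(row["dst_host"])
        if f["first_seen"] is None or seen < f["first_seen"]:
            f["first_seen"] = seen
        if row["action"] == "allow":
            f["bytes_allowed"] += int(row["bytes"])
        else:
            f["denied"] += 1
    return findings


def unapproved(findings):
    """Providers with no partner approval, largest allowed volume first."""
    return sorted(
        (p for p, f in findings.items() if not f["approved"]),
        key=lambda p: -findings[p]["bytes_allowed"],
    )


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name in unapproved(found):
        f = found[name]
        print(f"{name}: {len(f['sources'])} internal source(s), "
              f"{f['bytes_allowed']} bytes allowed, {f['denied']} denied, "
              f"first seen {f['first_seen']:%Y-%m-%d %H:%M}")
```

The output of the unapproved list is the starting point for the walkthrough conversations of slide 19: the source addresses tell you which team to ask, the first-seen date tells you how long the service has been in use, and the allowed volume (a large upload to object storage, for instance) tells you whether data has already left.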

  21. Using a Cloud Computing Risk Ranking Model

  22. A few thoughts before we start • Risk models include elements of judgment and must fit the organization • Some model assumptions may be completely wrong for your organization • We should have a lot of debate on this topic • Risk ranking scores must drive governance requirements and audit activities

  23. Cloud Risk Ranking Example

  24. Potential Governance & Audit Requirements

  25. Deployment Model Considerations (scale endpoints: Public … Private)

  26. Service Model Considerations (scale endpoints: IaaS … SaaS)

  27. Data Security Considerations (scale endpoints: Secret … Unclassified)

  28. Physical Hosting Site Considerations (scale endpoints: Undefined … Domestic Location)

  29. SOX Criticality Considerations (scale endpoints: Yes … No)

  30. Dependent Applications (scale endpoints: > 10 … < 3)

  31. Recovery Time Objectives (RTO) Considerations (scale endpoints: 4 Hours … 31 Days)

  32. Regions Supported Considerations (scale endpoints: Europe / Global … All Other)

  33. Summary – Cloud Risk Ranking Models • Cloud risk ranking attributes and scoring must vary based on environment and need • Risk attributes and scoring require alignment with organizational standards What other risk attributes might you use, and how would you rank them on a high, medium, low basis?
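As an added worked example (not from the presentation) of the model sketched on slides 22 to 32, the Python below normalises each of the eight attributes to the scale its slide gives, weights and sums them, maps the total to High / Medium / Low, and reports which attributes drove the score so that the governance and audit requirements of slide 24 can be tied back to a concrete cause. The weights, the thresholds, the intermediate scale values, the direction of the service-model scale and the three sample services are all assumptions; the slides themselves only give the endpoints of each scale.

```python
"""Cloud risk ranking model (added example, not from the deck).

Scores a cloud service on the eight attributes of slides 25 to 32 and maps
the weighted total to High / Medium / Low. Scale directions between the
slide endpoints, the intermediate values, the weights and the thresholds are
all assumptions; the deck's own point is that these must be debated and
fitted to the organisation.
"""
import math
from dataclasses import dataclass


@dataclass
class CloudService:
    name: str
    deployment: str      # "public" | "community" | "private"   (slide 25)
    service_model: str   # "iaas" | "paas" | "saas"             (slide 26)
    data_class: str      # "secret" | "confidential" | "internal" | "unclassified" (27)
    hosting: str         # "undefined" | "foreign" | "domestic" (slide 28)
    sox_critical: bool   # slide 29
    dependent_apps: int  # slide 30
    rto_hours: float     # slide 31
    regions: str         # "europe_global" | "other"            (slide 32)


# 1.0 is the endpoint each slide lists first (public, secret, undefined, ...);
# 0.0 is the endpoint listed second. Intermediate values are assumptions.
ORDINAL = {
    "deployment": {"public": 1.0, "community": 0.5, "private": 0.0},
    # Assumption: loss of control rises toward SaaS (slide 11).
    "service_model": {"saas": 1.0, "paas": 0.5, "iaas": 0.0},
    "data_class": {"secret": 1.0, "confidential": 0.75, "internal": 0.25, "unclassified": 0.0},
    "hosting": {"undefined": 1.0, "foreign": 0.5, "domestic": 0.0},
    "regions": {"europe_global": 1.0, "other": 0.0},
}

# Assumed weights: data classification counts most, then the attributes that
# change the likelihood of a breach or the audit population (SOX).
WEIGHTS = {
    "deployment": 2, "service_model": 1, "data_class": 3, "hosting": 2,
    "sox_critical": 2, "dependent_apps": 1, "rto": 1, "regions": 1,
}
HIGH, MEDIUM = 60.0, 35.0  # assumed thresholds on the 0..100 score


def _clamp01(x):
    return max(0.0, min(1.0, x))


def score_dependents(n):
    """Slide 30: fewer than 3 dependent applications scores 0, more than 10 scores 1."""
    return _clamp01((n - 3) / 7)


def score_rto(hours):
    """Slide 31: a 4-hour RTO scores 1, a 31-day RTO scores 0 (log interpolation)."""
    lo, hi = math.log(4), math.log(31 * 24)
    return _clamp01((hi - math.log(max(hours, 4))) / (hi - lo))


def attribute_scores(svc):
    """Normalise every attribute to 0..1 (1 = high-risk end of its slide)."""
    return {
        "deployment": ORDINAL["deployment"][svc.deployment],
        "service_model": ORDINAL["service_model"][svc.service_model],
        "data_class": ORDINAL["data_class"][svc.data_class],
        "hosting": ORDINAL["hosting"][svc.hosting],
        "sox_critical": 1.0 if svc.sox_critical else 0.0,
        "dependent_apps": score_dependents(svc.dependent_apps),
        "rto": score_rto(svc.rto_hours),
        "regions": ORDINAL["regions"][svc.regions],
    }


def risk_rank(svc):
    """Return (rank, score 0..100, the three attributes contributing most)."""
    contrib = {k: WEIGHTS[k] * v for k, v in attribute_scores(svc).items()}
    score = round(100 * sum(contrib.values()) / sum(WEIGHTS.values()), 1)
    rank = "High" if score >= HIGH else "Medium" if score >= MEDIUM else "Low"
    drivers = sorted(contrib, key=lambda k: -contrib[k])[:3]
    return rank, score, drivers


# Constructed services for illustration.
CRM = CloudService("hosted CRM", "public", "saas", "confidential", "undefined",
                   True, 12, 8, "europe_global")
DEV = CloudService("dev sandbox", "private", "iaas", "internal", "domestic",
                   False, 1, 31 * 24, "other")
HR = CloudService("regional HR portal", "community", "paas", "confidential",
                  "domestic", True, 5, 24, "other")

if __name__ == "__main__":
    for svc in (CRM, DEV, HR):
        rank, score, drivers = risk_rank(svc)
        print(f"{svc.name}: {rank} ({score}); driven by {', '.join(drivers)}")
```

Reporting the drivers matters more than the number: a High driven by data classification and hosting location calls for different governance requirements (encryption, contractual location commitments, right to audit) than a High driven by RTO and dependent applications (recovery testing, exit plan). Keep the weights and thresholds in version control alongside the universe so the next debate the deck calls for starts from what was actually used.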

  34. Risk Ranking Case Study

  35. Conclusions • Business and technology leaders are embracing cloud computing - it is here to stay and growing • Cloud computing standards and risk ranked cloud universes are foundational requirements for governance • We must adjust our approach to remain relevant

  36. Questions Contact Information: donald.w.gallien@aexp.com
