cloud computing panel discussion l.
Skip this Video
Loading SlideShow in 5 Seconds..
Cloud Computing – Panel Discussion PowerPoint Presentation
Download Presentation
Cloud Computing – Panel Discussion

Loading in 2 Seconds...

play fullscreen
1 / 37

Cloud Computing – Panel Discussion - PowerPoint PPT Presentation

  • Uploaded on

Cloud Computing – Panel Discussion. October 22, 2011. Introductions. Barnaby Jeans , Sr. Systems Engineer, VMware Canada Richard Livesley , BMO Malik Datardina , UWCISA Chris Andersen , Partner, Grant Thornton Skip White , Professor of Accounting & MIS , University of Delaware.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Cloud Computing – Panel Discussion' - tobit

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Barnaby Jeans, Sr. Systems Engineer, VMware Canada
  • Richard Livesley, BMO
  • Malik Datardina, UWCISA
  • Chris Andersen, Partner, Grant Thornton
  • Skip White, Professor of Accounting & MIS, University of Delaware
what is the cloud

Barnaby JeansSr. Systems Engineer, VMware Canada @bjeans


Sr. Technology Advisor & Evangelist – Microsoft

Sr. Sales Engineer – Red Hat

Sr. Sales Consultant – Oracle

What is the Cloud?

50 years ago
50 Years Ago…

Computing may someday be organized as a public utility

John McCarthy, MIT 1961

what is cloud computing
What is Cloud Computing

Providing IT resources as a Service

* National Institute of Standards and Technology v15

service models
Service Models


Software as a Service - SaaS

Platform as a Service - PaaS


Infrastructure as a Service - IaaS


deployment models
Deployment Models

Public Cloud

Hybrid Cloud

Private Cloud

“Virtualization is a modernization catalyst and unlocks cloud computing.” ―Gartner

why the cloud matters
Why the “Cloud” Matters…
  • The Cloud Era (Virtualization, Cloud, SaaS) enable standardized IT metrics, e.g.:
    • Cost to provision per VM
    • Cost per GB of storage
    • Time to Provision
    • Cost to provision an email box, …

“If you can’t measure it, you can’t manage it” – Andy Grove

Virtual Machine

  • To be compared, shopped for
    • Public Cloud Providers are establishing a “rate card” for IT
  • Will lead to better informed consumption & production of IT
parting thought
Parting thought…

Where are Lines of Business getting the IT resources for their next project?

data in the clouds a risk management approach

Data in the Clouds: A Risk Management Approach

Richard Livesley and Malik Datardina

  • The opinions presented by Richard and Malik do not necessarily reflect that of their respective employers
cloud computing
Cloud Computing
  • Agenda:
  • Why cloud?
  • Defining the Cloud: Technology vs Risk based approach
  • Risk of Rogue Clouds
  • Cloud Control: A Risk Management Approach
why cloud
Why Cloud?
  • Agility: Faster introduction of desired functionality
  • Potential for Cost Reduction:
    • Moving expenses from OpEx to CapEx
    • Reduced maintenance, especially SaaS
  • More efficient use of computing resources:
    • Public cloud: Start-ups don’t need a data center, large companies can send extra workloads to the cloud
      • E.g. Animoto, flightcaster, NY Times
    • Private clouds: Easier to maximize pooled resources
      • e.g. Revlon: 1:7 1:34 servers, $70M in cost savings (unaudited)
challenge of cloud compliance
Challenge of Cloud Compliance
  • Not all clouds are equal:
    • Risk profile of concern: High risk self-provisioning public clouds
      • Amazon EC2 versus Amazon VPC
    • Don’t invest time, effort on tech definitions, but focus on risk & leverage existing processes
  • Key Risks:
    • Geographic dislocation: Where’s my data?
      • Potential for data to be sent to India, China, etc, if public cloud provider’s data center exist in those countries
    • Multi-tenancy & self-provisioning: Who is my neighbour?
      • Hackers used Amazon Web Services to hack into Sony PSN
      • Security researchers were able to extract info about co-tenants
      • Potential for malicious co-tenants to hack into your instance
risk of rogue clouds
Risk of Rogue Clouds
  • Rogue Clouds
    • Clouds that enter the business environment with the going through all the appropriate control processes
  • Direct to business marketing
    • Businesses, instead of IT, are marketed SaaS
    • Similar phenomenon to Business Managed Applications
      • Easier for business to get up & running with SaaS then work with central IT
  • Consumerization: Bring-your-own-cloud
    • Google Docs users want same functionality at work as at home; e.g. Collaborating on confidential contract
cloud control risk mgmt approach
Cloud Control: Risk Mgmt Approach
  • Risk Identification
    • Inventorying use: register current use, identify what’s acceptable and what is not
    • Working with users is critical
  • Risk Measurement & Assessment
    • Risk needs to be assessed in each information asset, i.e. the specific cloud environment
    • The need for additional controls needs to be based on the data
cloud control risk mgmt approach17
Cloud Control: Risk Mgmt Approach
  • Risk Mitigation and Control
    • Leverage existing vendor management processes to identify high risk cloud environments
    • Emerging best practice: Encrypt data and hold the keys
      • Providers are being acquired, e.g. Navajo systems was bought by
    • Current practice: Use vendor based encryption, but this is not feasible for all fields in SaaS
    • Training and awareness: Users should understand risks of public cloud
cloud control risk mgmt approach18
Cloud Control: Risk Mgmt Approach
  • Monitoring and reporting
    • Traditional controls won’t catch everything: similar to BMAs
    • DLP Tools: Identify traffic moving to unauthorized clouds
    • Cloud vendors: Annual Risk Assessment and update registry accordingly
closing thoughts
Closing Thoughts
  • Cloud computing is still in motion
    • Need to monitor developments within public cloud computing:
      • “Book” on risks is still be written
      • Need to monitor threats and attacks on public clouds to determine what risks need to be identified
      • Need to monitor development within encryption e.g. Homomorphic encryption
cloud panel assurance provider perspective

Cloud PanelAssurance Provider Perspective

Chris Anderson, CA(NZ), CISA, CMC, CISSP, PCI QSA

© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

assurance on outsourcing to the cloud
Assurance on Outsourcing to the Cloud
  • The usual assurance challenges but more of it!
    • Service providers have their own service providers
    • Service Organisation Controls reports mostly
      • ICFR (ISAE 3402/ SSAE16/ CSAE3416) not fully addressing operational and regulatory risks
      • Carve out sub-service providers causes customer to have to assemble its own assurance after sleuthing who does what iteratively

Its not your swimming pool any more!

© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

soc 1 is a start soc 2 and soc 3 better
SOC 1 is a start, SOC 2 and SOC 3 better!

© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

plus net new assurance considerations mostly caused by dynamic characteristics
Plus net new assurance considerations mostly caused by dynamic characteristics
  • Physical
    • Location can change
    • The fishbowl (our traditional data centre)
      • Was first outsourced but stayed out or moved en-masse
      • Then became a cage at a hosting centre
      • Now is a virtual cage, with little visibility by customer
  • Itinerant nature of some use cases combined with multi-tenancy
    • Access to other customer's data
    • Collateral nature of security risk increases – your neighbour could be a problem/ threat
  • Metered service raises questions
    • Completeness of billing (CSP objective)
    • Verification of service delivery and accuracy of billing (Customer objective)

© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

assurance provider opportunity
Assurance Provider opportunity
  • Work with CSPs to design and implement SOC2/ 3 assurance reports based on
    • ENISA Cloud Computing Information Assurance Framework or equivalent
    • Cloud Audit
    • Shared Assessments Program
    • Common Assurance Maturity Model
  • Develop a dynamic assurance product/ service relevant and proportional to nature and extent of use of CSP products/ services
  • These probably require that audit firms strengthen their technical IT audit capability!

© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

shared assessments program
Shared Assessments Program
  • November 10, 2009 – Santa Fe, NM – The Shared Assessments Program announced today the launch of Version 5.0 of its tools for evaluating service provider controls for information security, privacy and business continuity. The free tools, whose previous versions are in use around the globe including in the US, Canada, the EU, Australia, India and Brazil, comprise a rigorous toolkit for service provider audits that can be used in popular cloud computing and software-as-a-service (SaaS) environments.
  • The Shared Assessments Technical Development Committee has added 22 new procedures to its assessment tool (the “AUP”) with an eye to computing services offered “in the cloud,” that is, on-demand IT services that rely on Internet-based virtualization technologies. Questions relevant to cloud and SaaS environments have been inserted into several sections of the Shared Assessments questionnaire, known as the “SIG,” as well.
  • 'Delta Controls' list

Looks like a comprehensive approach to

  • Efficient and effective assurance ('audit once, assure many times)
  • Preventing cherry picking control objectives and procedures

The Shared Assessments Program ( was originally developed by Bank of America Corporation, The Bank of New York Mellon, Citi, JPMorgan Chase & Company, U.S. Bank, and Wells Fargo & Company in collaboration with leading service providers and the Big 4 accounting firms. These founding organizations saw the need for a standardized and objective vendor management assessment methodology that would help outsourcers meet regulatory and risk management requirements while significantly reducing costs for all stakeholders

© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

cloud computing research results

Cloud Computing:Research Results

Clinton E. White, Jr

Professor of Accounting & MIS

Lerner College of Business

University of Delaware

cloud computing research
Cloud Computing Research
  • 4 categories of research:
    • Practitioner-oriented (surveys & whitepapers)
    • Practitioner-oriented (standards & professional guidance)
    • Academic computer science
    • Academic MIS
cloud computing research28
Cloud Computing Research
  • Practitioner-oriented surveys & WPs:
    • CIO magazine (
      • Surveys of IT leaders
        • 2008: Big promise … Big security questions (1)
        • 2009: Adoption prospects are hazy (2)
        • 2011: CIOs are putting the cloud first (3)
        • 2011: Cloud is now (4)
cloud computing research29
Cloud Computing Research
  • Practitioner-oriented standards & guidance:
    • CSA (Cloud Security Alliance) (5)
    • ENISA (Euo Network & Info Sec Alliance) (6)
    • OWASP (Open World Appl Security Proj (7)
    • ISO (ISO Disb Appl Platforms & Services (8)
    • OWF (Open Web Foundation) (9)
    • EuroCloud (10)
    • CICA (11)
    • AICPA (12)
cloud computing research30
Cloud Computing Research
  • Academic computer science:
    • Cloud Computing – Issues, Research and Implementations (13)
    • Open research issues:
      • Economy of scale & economics of image & service construction
      • Temporal & spatial feedback that large scale workflows present
      • Cloud provenance (ascertaining the source of goods)
        • Data management
        • Process control flows, execution, & performance
        • Dynamics of data flows, file location, & application input & output
        • The structure, form, & evolution of workflows
        • System information, O/S information, compilers, versions, & load libraries
      • Security issues & complexities
      • ROI & total cost of ownership
cloud computing research31
Cloud Computing Research
  • Academic MIS
    • Cloud Computing – The Business Perspective (14)
    • Open research issues:
      • Economics:
        • Cloud service strategy
        • Cloud computing provider economic value & the entire value chain
      • Strategy
        • Impact on corporate culture
        • Impact on business partnerships
      • IS policy
        • Policy consistency across multiple providers & applications
        • Software management for both providers & users
        • Audit policy, security stds, risk assmt, forensics, & evidence gathering
      • Technology adoption & implementation
        • Design of optimal rules for adoption, moving apps, & private vs pub
      • Government policy & regulation
        • Identification of pertinent issues to be addressed

1) McLaughlin, Laurianne, Cloud Computing Survey: IT Leaders See Big Promise, Have Big Security Questions,, Oct 21, 2008

2) Johnson, Carolyn, Cloud Computing Survey: Adoption Prospects Are Hazy, July 31, 2009

3) Brousell, Layren, Survey: CIOs Are Putting the Cloud First,, June 14, 2011

4) KPMG, ‘Cloud is Now’; Technology Spending to Leap Next Year,, Oct 6, 2011


5) CSA (

6) ENISA (

7) OWASP (

8) ISO ( html?commid=601355)

9) OWF (

10) EuroCloud (

11) CICA (

12) AICPA (


13) Vauk, Mladen A., Cloud Computing – Issues, Research and Implementations. Journal of Computing and Information Technology CIT 16, 2008, 4

14) Marston, Sean, Zhi Li, SubhajyotiBandyopadhyay, Juheng Zhang, AnandGhalsasi, Cloud Computing – The Business Perspective, Decision Support Systems, 51 (2011)



Barnaby Jeans, Sr. Systems Engineer, VMware Canada

Richard Livesley, BMO

Malik Datardina, UWCISA

Chris Andersen, Partner, Grant Thornton

Skip White, Professor of Accounting & MIS, University of Delaware

the nist definition of cloud computing
The NIST Definition of Cloud Computing
  • Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.