Cloud Computing - COBIT- Group 1

Date post: 03-Jun-2018
Upload: dipen-patani
8/12/2019 Cloud Computing - COBIT- Group 1

1/22

2014

03-Mar-14

Cloud Computing: Management of Risk using COBIT

Report Prepared by (Group 1):

Shubham Chandra - A013
Dipen Patani - A038
Saurabh Sharma - A047


Table of Contents

Brief about Cloud computing .... 3
Key characteristics of Cloud computing .... 3
Goals and Benefits .... 4
Risks and Challenges .... 4
Service Models in Cloud Computing .... 4
    Infrastructure as a service (IaaS) .... 4
    Platform as a service (PaaS) .... 5
    Software as a service (SaaS) .... 5
Cloud Computing Deployment Methods .... 6
    Private Cloud .... 6
    Public Cloud .... 6
    Hybrid Cloud .... 6
    Community Cloud .... 6
Market Overview of Cloud Computing .... 7
Market Leaders: Clients, Vendors for these models .... 7
Controls and Risks in Cloud environment .... 8
Mapping the benefits of Cloud computing to COBIT .... 10
Cloud Implementation by AWS at Expedia Inc. .... 16
    Organization brief .... 16
    Cloud Computing: Model and Service (Requirements & Scope) .... 16
References .... 20
Exhibits .... 21


Brief about Cloud computing

Cloud computing is a model for enabling on-demand access to a shared pool of compute resources, e.g. servers, applications and services. In other words, cloud computing is a model for delivering IT services. Instead of a direct connection to the server, the resources are retrieved from the Internet through web-based tools and applications.

Cloud computing, the recent buzzword in the Internet market, in simple terms is the process of delivering hosted services through the Internet. Though the concept is in its nascent stage, it is generating tremendous interest among users of all types, and has become a promising business opportunity to venture into and explore.

The cloud computing services market, currently valued at USD 79.60 billion for the year 2011, is projected to grow steeply at a CAGR of 23.21% and reach a market size of USD 148.9 billion by the year 2014. However, with rising competition, saturation and technology limitations, the market may see a drop in CAGR, but still grow at a CAGR of 8.39% and reach USD 205.48 billion by the year 2018.

Key characteristics of Cloud computing

1. Agility: Improves with users' ability to re-provision technological infrastructure resources.

2. Application programming interface (API) accessibility to software: It enables machines to interact with cloud software in the same way that a traditional user interface (e.g., a computer desktop) facilitates interaction between humans and computers. Cloud computing systems typically use Representational State Transfer (REST)-based APIs.

3. Cost: Cloud providers claim that computing costs reduce. A public-cloud delivery model converts capital expenditure to operational expenditure. This purportedly lowers barriers to entry, as infrastructure is typically provided by a third party and does not need to be purchased for one-time or infrequent intensive computing tasks. Pricing on a utility computing basis is fine-grained, with usage-based options, and fewer IT skills are required for (in-house) implementation.

4. Device and location independence: It enables users to access systems using a web browser regardless of their location or what device they use (e.g., PC, mobile phone). As infrastructure is off-site (typically provided by a third party) and accessed via the Internet, users can connect from anywhere.

5. Virtualization technology: It allows sharing of servers and storage devices and increased utilization. Applications can be easily migrated from one physical server to another.

6. Multitenancy: It enables sharing of resources and costs across a large pool of users, thus allowing for centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.).

7. Reliability: Improves with the use of multiple redundant sites, which makes well-designed cloud computing suitable for business continuity and disaster recovery.

8. Maintenance: Maintenance of cloud computing applications is easier, because they do not need to be installed on each user's computer and can be accessed from different places.


Goals and Benefits

The common benefits associated with adopting cloud computing are:

- Reduced investments and proportional costs
- Increased scalability
- Increased availability and reliability

Risks and Challenges

Several of the most critical cloud computing challenges, pertaining mostly to cloud consumers that use IT resources located in public clouds, are:

- Increased security vulnerabilities
- Reduced operational governance control
- Limited portability between cloud providers
- Multi-regional regulatory and legal issues

Service Models in Cloud Computing

Cloud computing providers offer their services (refer to Figure 1 in the Annexure) according to the following fundamental models:

Infrastructure as a service (IaaS)

In the most basic cloud-service model, providers of IaaS offer computers, physical or (more often) virtual machines, and other resources. (A hypervisor, such as Hyper-V, Xen, KVM or VMware ESX/ESXi, runs the virtual machines as guests. Pools of hypervisors within the cloud operational support system can support large numbers of virtual machines and the ability to scale services up and down according to customers' varying requirements.) IaaS clouds often offer additional resources such as a virtual-machine disk image library, raw (block) and file-based storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and software bundles. IaaS-cloud providers supply these resources on demand from their large pools installed in data centers. For wide-area connectivity, customers can use either the Internet or carrier clouds (dedicated virtual private networks).

To deploy their applications, cloud users install operating-system images and their application software on the cloud infrastructure. In this model, the cloud user patches and maintains the operating systems and the application software. Cloud providers typically bill IaaS services on a utility computing basis; cost reflects the amount of resources allocated and consumed.

Cloud communications and cloud telephony, rather than replacing local computing infrastructure, replace local telecommunications infrastructure with Voice over IP and other off-site Internet services.


Platform as a service (PaaS)

In the PaaS model, cloud providers deliver a computing platform, typically including an operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers. With some PaaS offerings like Windows Azure, the underlying compute and storage resources scale automatically to match application demand, so that the cloud user does not have to allocate resources manually. The latter has also been proposed by an architecture aiming to facilitate real-time processing in cloud environments.

Software as a service (SaaS)

In the business model using software as a service (SaaS), users are provided access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis. SaaS providers generally price applications using a subscription fee.

In the SaaS model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. Cloud users do not manage the cloud infrastructure and platform where the application runs. This eliminates the need to install and run the application on the cloud user's own computers, which simplifies maintenance and support. Cloud applications differ from other applications in their scalability, which can be achieved by cloning tasks onto multiple virtual machines at run time to meet changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multitenant, that is, any machine serves more than one cloud user organization. It is common to refer to special types of cloud-based application software with a similar naming convention: desktop as a service, business process as a service, test environment as a service, communication as a service.

The pricing model for SaaS applications is typically a monthly or yearly flat fee per user, so price is scalable and adjustable if users are added or removed at any point.

Proponents claim SaaS allows a business the potential to reduce IT operational costs by outsourcing hardware and software maintenance and support to the cloud provider. This enables the business to reallocate IT operations costs away from hardware/software spending and personnel expenses, towards meeting other goals. In addition, with applications hosted centrally, updates can be released without the need for users to install new software. One drawback of SaaS is that the users' data are stored on the cloud provider's server. As a result, there could be unauthorized access to the data. For this reason, users are increasingly adopting intelligent third-party key management systems to help secure their data.


Cloud Computing Deployment Methods

There are three main cloud deployment models (refer to Figure 2 in the Annexure), each with its own set of target customers.

Private Cloud

Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally. Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment, and requires the organization to reevaluate decisions about existing resources. When done right, it can improve business, but every step in the project raises security issues that must be addressed to prevent serious vulnerabilities. Self-run data centers are generally capital intensive. They have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from less hands-on management, essentially "[lacking] the economic model that makes cloud computing such an intriguing concept".

Public Cloud

A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Technically there may be little or no difference between public and private cloud architecture; however, security considerations may be substantially different for services (applications, storage, and other resources) that are made available by a service provider for a public audience and when communication is effected over a non-trusted network. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access only via the Internet (direct connectivity is not offered).

Hybrid Cloud

Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services with cloud resources. Gartner, Inc. defines a hybrid cloud service as a cloud computing service that is composed of some combination of private, public and community cloud services, from different service providers. A hybrid cloud service crosses isolation and provider boundaries so that it can't simply be put in one category of private, public, or community cloud service. It allows one to extend either the capacity or the capability of a cloud service, by aggregation, integration or customization with another cloud service.

Community Cloud

Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing is realized.


Market Overview of Cloud Computing

Cloud computing provides cost-effective IT resources as on-demand IT, charged on the basis of the customer's actual usage. Due to rapid growth, many companies are unable to handle their IT requirements even after having an in-house datacenter. Cloud services help to improve IT capabilities without investing large amounts in new datacenters. This technology helps companies with much more efficient computing by centralizing storage, memory, processing and bandwidth.

SaaS is the largest segment of cloud computing, having a market size of USD 12 billion in 2011. On the basis of geography the entire cloud service market is divided among the U.S., Europe, Asia and others. In 2011, the cloud service market reported USD 41.2 billion globally, which is estimated to grow up to USD 205 billion in 2018 (refer to Figure 3 in the Exhibits) with a CAGR of 26% from 2011 to 2017. The mobile SaaS market in 2011 was about USD 1.2 billion, which is expected to grow with a CAGR of 25% up to 2018. The U.S. federal government market entered into double-digit growth and is expected to grow with a CAGR of 16.2% up to 2018. Also, the U.S. cloud computing market for medical imagery is expected to grow with a CAGR of 26.8% up to 2018.

The cloud computing services market growth would be influenced by the global demand for technology-based services, which in turn depends on the state of the global economy. Currently the growth is driven by demand in developed nations in Western markets such as North America and Europe. The developing nations are slow to adapt to the concept, and are expected to drive the growth towards the later part of the decade.

Market Leaders: Clients, Vendors for these models

The current cloud computing services market leaders who are defining the growth path are:

Service Models | Vendors | Clients
SaaS (Software as a service) | |
PaaS (Platform as a service) | |
IaaS (Infrastructure as a service) | |


Outsourcing results in the loss of a level of control by becoming dependent on another party to fulfil the enterprise's needs and to provide adequate controls. Use of Internet technologies or wide area network access to reach IT capabilities and data creates dependency on these possibly more vulnerable access paths. The main risks arising from these dependencies and vulnerabilities are risks relating to continuity issues and security of information. Continuity is complicated by the fact that downtime of Internet or network access, or downtime at the cloud service provider, could translate into unavailability of all IT capabilities outsourced by the consumer enterprise. Security is complicated as the cloud service provider utilizes a multi-tenant model and therefore stores various enterprises' data at any one physical location, creating the risk of the leakage of data belonging to one consumer to another, or to unauthorized third parties. In addition, the fact that all data relating to the outsourced IT capabilities travels over the Internet or network in order to be accessed or processed creates the risk of unauthorized access to, or manipulation or corruption of, data.

Loss of Governance

Just as in traditional IT outsourcing, using the services of a cloud provider requires enterprises to give up control over their IT infrastructure. To make it easier for customers that take this step, cloud providers should make management and maintenance more transparent and auditable by customers. This should include recording logs and complete administrative sessions that affect the part of the cloud infrastructure used by customers, and, if requested, making these records accessible to customers. There must be strong authentication and authorization for the staff of the cloud provider and customers. This includes strong and possibly multifactor authentication methods, such as tokens or one-time passwords, on the one hand, and strong authorization methods, such as 4-eyes authorization, on the other. Ideally, customers should be able to authorize and possibly monitor access to the system for the key systems they use. Such monitoring could be as simple as following the logs on an online interface or as sophisticated as watching a real-time audit trail of the administrator's actions on the system, be it on a specific virtual machine or the hypervisor of the entire system. Allowing access to the audit trails of the hypervisor or providing 4-eyes authorization to customers may initially seem excessive, but it may be necessary for customers for compliance reasons.

Compliance

Compliance requirements are becoming stricter almost every year, and a cloud provider that can meet these requirements and offer hard evidence of this compliance can gain a significant advantage. Compliance usually covers the entire range of IT procedures, from system logging and log analysis to user and administrator authentication, authorization and auditing, but can also include data archiving, backups and recovery, not to mention the physical security of the servers in the cloud. The trick here is to develop a system that can make the cloud compliant and that can prove the compliance of individual customers during an inevitable compliance audit.

Data protection

Data protection and data abuse prevention are traditionally handled via authorization and strong access control, and partly by using an intrusion detection system (IDS) and a data leakage prevention (DLP) system. Authorization can be handled by strong and possibly multifactor authentication, and access control and authorization can be enhanced by 4-eyes authorization methods. However, for obvious reasons, users must access a remote cloud using secure connections, which makes the use of an IDS and a DLP system increasingly more difficult. Thus, a solution that can share the traffic of the encrypted channels with the client's IDS/DLP system is highly beneficial.


Cloud provider selection

Public clouds allow high-availability systems to be developed at service levels often impossible to create in private networks, except at extraordinary cost. Compliance with regulations and laws in different geographical regions can be a challenge for enterprises. At this time, there is little legal precedent regarding liability in the cloud. It is critical to obtain proper legal advice to ensure that the contract specifies the areas in which the cloud provider is responsible and liable for ramifications arising from potential issues. Enterprises could leverage the global compliance requirements that are becoming stricter and go for a cloud provider that can meet these requirements and is able to offer hard evidence of its compliance.

COBIT is a proven set of standards and processes that businesses can use to ensure that IT is working as effectively as possible to minimize IT-related risks and maximize the benefits of the cloud.

The security benefits of utilizing COBIT with the cloud include:

- Customer compliance: Connections from cloud customers using 4-eyes authorization to access a service running in the cloud (e.g., a Windows Terminal Service) can be audited. This can be useful if customers have specific compliance needs.

- Selected authentication methods: The use of selected authentication methods (e.g., certificates, passwords, public keys) should be enforced.

- Customizable access control: There should be strict yet easily customizable access control, granting users access only to selected log messages, e.g., messages related to the cloud services of a single customer.

- Enforcement of 4-eyes authorization: The enforcement of 4-eyes authorization with real-time monitoring and auditing capabilities effectively creates a strong auditing layer above the super-user layer accessing the devices, with the possibility to greatly increase the security of the cloud. For every security-aware customer, or for customers with special security needs, it is possible to require the representative of the customer to authorize cloud administrators, making the maintenance of the cloud's infrastructure that is relevant to the customer completely transparent, auditable and reviewable.

- Forensics and contracts: Tamper-proof evidence for service level agreement (SLA) contracts and forensic situations should be provided.
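As an added illustration (not code from the report or from any cloud provider's product), the following Python sketch shows how the controls described in the Loss of Governance section and in the list above fit together: a cloud administrator's privileged action runs only after the customer's representative approves it (4-eyes authorization), every request and decision lands in a hash-chained audit log that reveals tampering, and each customer can be shown only the log entries about its own services. Tenant names, user identifiers and action strings are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value used by the first log entry

@dataclass
class AuditEntry:
    seq: int
    tenant: str
    actor: str
    event: str
    prev_hash: str
    digest: str

def _digest(seq, tenant, actor, event, prev_hash):
    # Canonical JSON so identical fields always produce the same hash.
    payload = json.dumps([seq, tenant, actor, event, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, tenant, actor, event):
        prev = self.entries[-1].digest if self.entries else GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, tenant, actor, event, prev,
                           _digest(seq, tenant, actor, event, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was altered, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.tenant, e.actor, e.event, e.prev_hash) != e.digest:
                return False
            prev = e.digest
        return True

    def for_tenant(self, tenant):
        """Customer-scoped view: only the entries about this tenant's services."""
        return [e for e in self.entries if e.tenant == tenant]

class FourEyesGate:
    """A privileged action runs only after an independent approver agrees."""

    def __init__(self, log):
        self.log = log
        self.approvers = {}   # tenant -> set of that customer's representatives
        self.pending = {}     # request id -> (tenant, requester, action)
        self.executed = []    # (tenant, action) pairs that were actually run
        self._counter = 0

    def register_approver(self, tenant, user):
        self.approvers.setdefault(tenant, set()).add(user)

    def request(self, tenant, requester, action):
        """A cloud administrator asks to act on a tenant's systems."""
        self._counter += 1
        rid = f"req-{self._counter}"
        self.pending[rid] = (tenant, requester, action)
        self.log.append(tenant, requester, f"REQUEST {rid}: {action}")
        return rid

    def approve(self, rid, approver):
        """Return True if the action was authorized and executed, else False."""
        if rid not in self.pending:
            return False  # unknown or already-consumed request
        tenant, requester, action = self.pending[rid]
        if approver == requester:
            # Self-approval would collapse the two pairs of eyes into one.
            self.log.append(tenant, approver, f"DENY {rid}: self-approval")
            return False
        if approver not in self.approvers.get(tenant, set()):
            self.log.append(tenant, approver, f"DENY {rid}: not a representative of {tenant}")
            return False
        del self.pending[rid]
        self.log.append(tenant, approver, f"APPROVE {rid}: {action}")
        self.executed.append((tenant, action))
        return True

if __name__ == "__main__":
    # Constructed walk-through: one tenant, one cloud admin, one customer representative.
    log = AuditLog()
    gate = FourEyesGate(log)
    gate.register_approver("tenant-a", "rep@tenant-a")
    rid = gate.request("tenant-a", "cloud-admin", "reboot hypervisor node-07")
    print("self-approval allowed?", gate.approve(rid, "cloud-admin"))
    print("representative approval allowed?", gate.approve(rid, "rep@tenant-a"))
    print("audit chain intact?", log.verify())
```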

Mapping the benefits of Cloud computing to COBIT

All the PO, AI and DS process points are covered in the table below.


COBIT Process: Possible Benefit (CS = cloud service)

PO1 Define a strategic IT plan: Cloud services add a new dynamic to strategic IT planning, as the outsourcing of capital expenditure in hardware, operating platform and software all become viable options. New enterprises will incur significantly less IT-related start-up costs to establish IT capabilities.

PO3 Determine technological direction: Cloud computing should support business opportunities, such as expansion of business (e.g. opening new branches), as it enables expansion of IT capabilities with minimal capital outlay in terms of IT infrastructure. The economies of scale of cloud computing also have a positive environmental impact. The adoption of cloud computing may lower a CS consumer enterprise's carbon footprint (greener business practice).

PO5 Manage IT investment: Cloud computing enables the realisation of economies of scale by CS providers, due to the multi-tenant principle, that each CS consumer enterprise would not be able to realise on its own. In order to be competitive in the future cloud computing market, the CS provider would have to pass some of the benefits of these economies of scale through to the CS consumers. This should enable a CS consumer enterprise to achieve a better return on IT investment.

PO7 Manage IT human resources: The number of IT staff members required by a CS consumer enterprise is likely to decrease with the adoption of cloud computing, thereby ensuring a savings in operational expenditure relating to a decrease in human resources.

PO8 Manage quality: Most aspects of quality management are outsourced to the CS provider. The CS consumer enterprise should benefit from economies of scale of the CS provider relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

PO9 Assess and manage IT risks: Certain IT risks, previously managed solely by the CS consumer enterprise, are now part of the outsourced services, enabling the enterprise to possibly benefit from the CS provider's superior ability to attract and employ specialised IT risk mitigating professionals, due to the CS provider's increased economies of scale.

AI1 Identify automated solutions: Cloud services provide automated solutions to satisfy infrastructure (hardware) requirements that could not traditionally be satisfied by automated solutions (specifically IaaS and PaaS). SaaS and PaaS are also subject to greater automation than traditionally possible. A CS consumer enterprise can experiment with a larger array of different innovative IT capabilities and technologies than it would have been able to afford if it had to purchase such technologies before experimenting with them. The usage of Internet technologies also enables access, irrespective of location, as an option.

AI2 Acquire and maintain software: Patching and version upgrades of software accessed as a cloud service by a CS consumer enterprise should be up to date if a trustworthy CS provider (consider including this in a service level agreement (SLA)) is used, who will benefit from economies of scale regarding such upgrading or patching. This can be achieved without the usual capital expenditure required on the CS consumer enterprise's side.

AI3 Acquire and maintain technology infrastructure: Technology infrastructure accessed as a cloud service by a CS consumer enterprise should be up to date if a trustworthy CS provider (consider including this in an SLA) is used, who will benefit from economies of scale regarding such upgrading of infrastructure. This can be achieved without the usual capital expenditure required on the CS consumer enterprise's side.

AI4 Enable operation and use: Cloud computing is characterized by a multi-tenant model. Thus, the CS provider should have standardized user manuals and/or training available to all CS consumers (tenants).

AI6 Manage changes: Most cloud services-related changes, such as patching and/or upgrading of infrastructure, are done by the CS provider, significantly reducing the workload regarding the management of changes on the CS consumer enterprise's side. The level of IT capabilities required by the CS consumer can be scaled up or down through a self-service process. This significantly decreases the number of controls which were traditionally needed, where changes to IT capabilities required major changes such as the installation of a new server, etc.

DS3 Manage performance and capacity: Cloud services are characterized by rapid elasticity on demand, ensuring that IT resource capacity can be rapidly scaled up or down to meet the CS consumer enterprise's changing requirements at all times.

DS4 Ensure continuous service: Most aspects of ensuring continued IT services are transferred to the CS provider. The CS provider will be inclined to ensure adequate controls relating to continuity of services due to the fact that a significant number of the CS provider's CS customers may be affected by downtime, as a shared pool of resources is used to provide services to all of the CS provider's CS customers. Any interruption of services will have a major impact on the CS provider's reputation. As cloud services are provided using broad network access (Internet technologies), continuation of service is not dependent on the location of the CS consumer enterprise's users. This means the CS consumer enterprise can easily access the IT capabilities from different locations (enhanced mobility). As cloud services are provided using broad network access (Internet technologies), continuation of service is not necessarily dependent on a specific access route to a network or the Internet (i.e. if the ADSL line is not functioning, 3.5G wireless access could, for example, be used to continue service in the interim). This could translate into a lower single point of failure (SPOF) risk than in the case of leased VPN lines, for example.

DS5 Ensure systems security: Most aspects of ensuring system security relating to IT services are transferred to the CS provider, who will be inclined to ensure adequate controls relating to security due to the fact that a security breach relating to inadequate controls on the CS provider's side will have a major impact on the CS provider's reputation.

DS6 Identify and allocate cost: One of the defining characteristics of cloud services is that the service is measured or metered by use. The CS provider would therefore already have such an accounting/metering system in place. This system could possibly meter use by individual groups within the CS consumer enterprise, making the allocation of IT-related costs to different segments of the CS consumer enterprise a vastly simpler task.

DS7 Educate and train users: Cloud computing is characterized by a multi-tenant model. Thus, the CS provider should have standardized user manuals and/or training available to all CS consumers (tenants).

DS8 Manage service desk and incidents: Most aspects of the IT service desk management are outsourced to the CS provider, who would be required by all its CS consumer enterprise clients to have an adequate service desk to resolve user queries and incidents. The adequacy of this service will influence the CS provider's reputation.

DS9 Manage configuration: Most aspects of configuration management are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS10 Manage problems: Most aspects of problem management are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS11 Manage data: Most aspects of data management are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS12 Manage the physical environment: Most aspects of managing the physical environment are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals, securing the physical environment and ensuring off-site backup (distributed data centres) to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS13 Manage operations: Most aspects of managing the physical environment are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals, securing the physical environment and ensuring off-site backup (distributed data centres) to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.


Cloud Implementation by AWS at Expedia Inc.

Organization brief

Expedia, Inc. is a leading online travel company, providing leisure and business travel to customers worldwide. Expedia's extensive brand portfolio includes Expedia.com, one of the world's largest full-service online travel agencies, with sites localized for more than 20 countries; Hotels.com, the hotel specialist with sites in more than 60 countries; Hotwire.com, the hotel specialist with sites in more than 60 countries; and other travel brands.

The company delivers consumer value in leisure and business travel, drives incremental demand and direct bookings to travel suppliers, and provides advertisers the opportunity to reach a highly valuable audience of in-market travel consumers through Expedia Media Solutions. Expedia also powers bookings for some of the world's leading airlines and hotels, top consumer brands, high-traffic websites, and thousands of active affiliates through the Expedia Affiliate Network.

Cloud Computing: Model and Service (Requirements & Scope)

Expedia used AWS to develop a standard deployment model for its development teams globally. Expedia chose Amazon Web Services (AWS) because it was the only solution with the global infrastructure in place to support Asia Pacific customers. From an architectural perspective, infrastructure, automation, and proximity to the customer were key factors, and AWS was the way to solve the problem.

Launching Expedia Suggest Service (ESS) on AWS

ESS uses algorithms based on customer location and aggregated shopping and booking data from past customers to display suggestions when a customer starts typing. For example, if a customer in Seattle entered "sea" when booking a flight, the service would display Seattle, SeaTac, and other relevant destinations.

Expedia launched ESS instances initially in the Asia Pacific (Singapore) Region and then quickly replicated the service in the US West (Northern California) and EU (Ireland) Regions. Expedia engineers initially used Apache Lucene and other open source tools to build the service, but eventually developed powerful tools in-house to store indexes and queries.

By deploying ESS on AWS, Expedia was able to improve service to customers in the Asia Pacific region as well as Europe.


By 2011, Expedia was running several critical, high-volume applications on AWS, such as the Global Deals Engine (GDE). GDE delivers deals to its online partners and allows them to create custom websites and applications using Expedia APIs and product inventory tools.

Expedia provisions Hadoop clusters using Amazon Elastic MapReduce (Amazon EMR) to analyze and process streams of data coming from Expedia's global network of websites, primarily clickstream, user interaction, and supply data, which is stored on Amazon Simple Storage Service (Amazon S3). Expedia processes approximately 240 requests per second. The advantage of AWS is that Auto Scaling can match load demand instead of having to maintain capacity for peak load in traditional datacenters. Expedia uses AWS CloudFormation with Chef to deploy its entire front-end and back-end stack into its Amazon Virtual Private Cloud (Amazon VPC) environment. Expedia uses a multi-region, multi-availability-zone architecture with a proprietary DNS service to add resiliency to the applications.


Risk analysis to cloud and Mapping with COBIT

There are several risks related to cloud usage for the firm. These include mainly the following risks:

a) Lack of control with security operations directly related to cloud-based IT resources used for internal purposes.

b) Privacy concerns associated with sensitive and/or regulated data stored and/or processed by a cloud infrastructure provider.

c) Lack of security visibility into cloud services infrastructure.

d) Risk of a network breach between internal networks and cloud service providers.

Risk Management

AWS management has developed a strategic business plan which includes risk identification and the implementation of controls to mitigate or manage risks for the clients. They re-evaluate the strategic business plan at least biannually. This process requires management to identify risks within its areas of responsibility and to implement appropriate measures designed to address those risks.


In addition, the AWS control environment is subject to various internal and external risk assessments. AWS's Compliance and Security teams have established an information security framework and policies based on the Control Objectives for Information and related Technology (COBIT) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v2.0 and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3.

Main Controls

AWS manages a comprehensive control environment that includes policies, processes and control activities that leverage various aspects of Amazon's overall control environment. This control environment is in place for the secure delivery of AWS's service offerings. The collective control environment encompasses the people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of AWS's control framework. AWS has integrated applicable cloud-specific controls identified by leading cloud computing industry bodies into the AWS control framework.

To simplify the management of GDE, Expedia developed an identity federation broker that uses AWS Identity and Access Management (AWS IAM) and the AWS Security Token Service (AWS STS). The federation broker allows systems administrators and developers to use their existing Windows Active Directory (AD) accounts for single sign-on (SSO) to the AWS Management Console. In doing so, Expedia eliminates the need to create IAM users and maintain multiple environments where user identities are stored. Federation broker users sign into their Windows machines with their existing Active Directory credentials, browse to the federation broker, and transparently log into the AWS Management Console. This allows Expedia to enforce password and permissions management within their existing directory and to enforce group policies and other governance rules. Additionally, if an employee ever leaves the company or takes a different role, Expedia simply makes changes in Active Directory to revoke or change the user's AWS permissions, instead of making them inside AWS.
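How a broker of this kind fits together, as an added example in Python (not Expedia's or AWS's code): AD group membership is mapped to an IAM role under a least-privilege rule, the parameters for an STS AssumeRole call are prepared with the AD account in the session name for audit attribution, and the two URLs of the documented console-federation flow are built. The account id, group and role names and broker hostname are placeholders; the STS and getSigninToken network calls are left to the caller, so the block runs offline.

```python
import json
import re
from urllib.parse import urlencode

ACCOUNT = "123456789012"  # placeholder account id (not Expedia's)
# Hypothetical AD group -> IAM role table kept by the broker. Permissions sit on
# the roles, so removing a user from an AD group revokes console access with no
# change inside AWS, which is the point the text makes.
GROUP_TO_ROLE = {
    "AWS-GDE-Developers": f"arn:aws:iam::{ACCOUNT}:role/GDE-Developer",
    "AWS-GDE-Admins": f"arn:aws:iam::{ACCOUNT}:role/GDE-Admin",
}
# Least-privilege order: index 0 is the least powerful role.
ROLE_RANK = [GROUP_TO_ROLE["AWS-GDE-Developers"], GROUP_TO_ROLE["AWS-GDE-Admins"]]
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def select_role(ad_groups, requested=None):
    """Role ARN the broker will assume, or None when the AD groups grant nothing
    (or not the requested role). Without a request, the least privileged wins."""
    allowed = {GROUP_TO_ROLE[g] for g in ad_groups if g in GROUP_TO_ROLE}
    if requested is not None:
        return requested if requested in allowed else None
    return min(allowed, key=ROLE_RANK.index) if allowed else None


def assume_role_params(username, role_arn, duration=3600):
    """Keyword arguments for boto3's sts.assume_role(). RoleSessionName carries
    the AD account (STS charset, max 64 chars) so CloudTrail names the person."""
    session_name = re.sub(r"[^\w+=,.@-]", "_", f"ad-{username}")[:64]
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "DurationSeconds": duration}


def signin_token_request_url(temp_creds):
    """Second step of the console-federation flow: the broker sends the STS
    credentials to the federation endpoint for a SigninToken. Nothing is sent here."""
    session = json.dumps({"sessionId": temp_creds["AccessKeyId"],
                          "sessionKey": temp_creds["SecretAccessKey"],
                          "sessionToken": temp_creds["SessionToken"]})
    return f"{FEDERATION_ENDPOINT}?" + urlencode(
        {"Action": "getSigninToken", "Session": session})


def console_login_url(signin_token, destination="https://console.aws.amazon.com/",
                      issuer="https://broker.example.internal"):
    """Third step: the URL the user's browser is redirected to. Only the short
    lived SigninToken reaches the browser, never the STS secret key."""
    return f"{FEDERATION_ENDPOINT}?" + urlencode(
        {"Action": "login", "Issuer": issuer, "Destination": destination,
         "SigninToken": signin_token})
```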

Conclusion

Expedia uses AWS to develop applications faster, scale to process large volumes of data, and troubleshoot issues quickly. By using AWS to build a standard deployment model, development teams can quickly create the infrastructure for new initiatives. Critical applications run in multiple Availability Zones in different Regions to ensure data is always available and to enable disaster recovery. Expedia Worldwide Engineering is working on building a monitoring infrastructure in all Regions and moving to a single infrastructure.

Generally, teams have more control over development and operations on AWS. When Expedia experienced conversion issues for its Client Logging service, engineers were able to track and identify critical issues within two days. Expedia estimates that it would have taken six weeks to find the script errors if the service ran in a physical environment.



Exhibits

Figure 1: Service Models

Figure 2: Deployment Models

Figure 3: Cloud Computing Market Forecast


Figure 4: Framework for COBIT in cloud computing
