8/3/2019 432 9-9-10 Cloud Computing Discussion - IsACA NTX
http://slidepdf.com/reader/full/432-9-9-10-cloud-computing-discussion-isaca-ntx 1/29
Rick Link, CISA, CISSP, CISM, CGEIT 1ISACA North Texas Chapter September 9, 2010
Cloud Computing
A Discussion of this New Mystery
Sponsored by ISACA North Texas Chapter
September 9, 2010
Presented by Rick Link, CISA, CISSP, CISM, CGEIT
IT Governance Executive and Leader
Cloud – Agenda
I. What is Cloud Computing?
II. Cloud Services – SaaS, PaaS, IaaS
III. Cloud Deployments – Private, Public, Hybrid, Community
IV. Companies Leading in Cloud Computing
V. Governance and Control Issues
VI. Supplemental Information
Cloud – Learning Objectives
Attendees will be able to:
– Better understand “What is Cloud Computing”
– Understand the various XaaS service offerings and the deployment models available
– Learn who some of the key industry players are
– Be aware of the audit, security and control issues in industry and your organization
– Know where to get more information
Cloud – Disclaimer Statement
The information contained in this presentation is for the sole purpose of information and education.
Every effort has been made to ensure accuracy of the information presented; however, errors may exist.
Any reference to a vendor or product is NOT an endorsement and/or recommendation.
I. What is Cloud Computing?
Cloud – NIST Definition
Source: National Institute of Standards & Technology (NIST) & Cloud Security Alliance
NIST and the Cloud Security Alliance define Cloud Computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Cloud – Demystified
“Cloud” is simply a metaphor for the Internet…
– Users do not have or need knowledge, control, or ownership of the computer infrastructure
– Users simply rent or access the software, paying only for what they use
– An example is like using a taxi, train, airplane, etc., where you do not own and/or operate the vehicle as you are renting it for a period of time.
Source: Michael Sheehan, June 24, 2008, blog.gogrid.com/2008/06/24/the-cloud-pyramid/
Cloud – Demystified
Source: CloudTweaks – www.cloudtweaks/com/2010/05/cloud-computing-demystifying-saas-paas-iaas/
Cloud – Terms
Cloudware, Grid Computing, On Demand, Utility Computing, Software on Demand, Cloud Provider, Virtual / Private Cloud, Cloud Oriented Architecture, Cloud Service Architecture, Cloudburst, Private Cloud, Public Cloud, Hybrid Cloud, Community Cloud, Peer-to-Peer, Autonomic Computing, SaaS, PaaS, IaaS, Cloud Enabler, Virtualization, Cloudsourcing
Source: Adnan I. Patel, Vice President, On Demand
Cloud – A Plain English Video
http://www.youtube.com/watch?v=QJncFirhjPg
YouTube video by Tim Wayne and Michael Sheehan at GoGrid discusses IaaS and Cloud Hosting in a way that everyone can understand!
Cloud – Layers / Stack
INFRASTRUCTURE (IaaS)
PLATFORM (PaaS)
SOFTWARE (APPLICATION) (SaaS)
BUSINESS PROCESS
IaaS is the delivery of a compute foundation including servers, network devices, storage, and data center space as a service. It also includes the delivery of operating systems and virtualization technology to manage the resources.
PaaS delivers more than infrastructure. It delivers what you can call a “Solution Stack” for software development, testing and, more recently, life cycle management.
SaaS is where the vendor offers the customer the ability to run business applications hosted by the provider. An example would be an Application Service Provider (ASP).
Hardware and software that relies on cloud computing (CC) for application delivery. Examples include computers, phones, operating systems, browsers.
Cloud – Key IT Elements
Primary Technologies and Other Technologies:
– Virtualization
– Grid Technology
– Service Oriented Architectures
– Distributed Computing
– Broadband Networks
– Browsers
– Free and Open Source Software
– Autonomic Computing (i.e., self management)
– Web 2.0
– Web Application Frameworks
– Service Level Agreement for metrics and reporting
Cloud – Essential Characteristics
– On-Demand Self-Service
– Broad Network Access
– Resource Pooling
– Rapid Elasticity
– Measured Service
Source: ISACA White Paper – Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
Cloud – Leading Researchers’ Comments
Gartner predicts the worldwide market for Cloud computing is increasing from $45B in 2009 to $150B in 2013. And, by 2012, “20% of businesses will own no IT assets.”
IDC points to security as the #1 challenge for Cloud service providers and thus “remains the top opportunity for IT suppliers to tackle as they position themselves as market leaders in the Cloud era.”
Cloud – Leading Researchers’ Comments
ISACA – The promise of cloud computing is arguably revolutionizing the IT services world by transforming computing into an omnipresent utility. (Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, October 2009).
Forrester Research advises CFOs to take a closer look at Cloud Computing for messaging and collaboration and enterprise applications. The payoffs could be noticeable during the current economic downturn.
II. Cloud Service Models (SaaS, PaaS, and IaaS)
Cloud – Service Model Architectures
Source: National Institute of Standards & Technology (NIST)
Cloud – SaaS Service Model
Service Model: Software as a Service (SaaS). Key Point: Vendor rents software applications.
Definition: Capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.
Issues To Consider: Who owns the applications? Where do the applications actually reside – even the backups?
SaaS Examples: Customer Relationship Management (CRM), Enterprise Resource Planning (ERP) for Financial Applications, Electronic Mail, Retail Point of Sale, Word Processor, Spreadsheet, Database Applications.
Using an Internet Service Provider (ISP) for email is SaaS.
Cloud – PaaS Service Model
Service Model: Platform as a Service (PaaS). Key Point: Vendor rents hardware, OS, storage & network capacity, and overlaps with IaaS.
Definition: Capability to deploy onto the cloud infrastructure customer-created or acquired software created using programming languages and tools supported by the provider.
Issues To Consider:
– Availability
– Confidentiality
– Privacy and legal liability in the event of a security breach (as databases housing sensitive information can be hosted offsite)
– Data ownership
– Concerns around e-discovery
PaaS Examples: Google App Engine; SalesForce.com’s Force.com; Microsoft Azure; Bungee Connect; Wavemaker; Longjump; Metrisoft.
Cloud – IaaS Service Model
Service Model: Infrastructure as a Service (IaaS). Key Point: Vendor rents hardware (servers) – does overlap with PaaS.
Definition: Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.
Issues To Consider: Options to minimize the impact if the cloud provider has a service interruption.
IaaS Examples: Hosting web sites of organizations including Amazon, Rackspace, Joyent, Fujitsu, and ElasticHosts (UK).
Basically, IaaS is relocating your hardware to a service provider.
III. Deployment Models (Private, Public, Hybrid, and Community)
Cloud – Deployment Models
(Diagram) The Cloud: Private / Internal (On Premises / Internal); Public / External (Off Premises / Third Party); Hybrid / Community.
Source: Wikipedia
Cloud – Private Deployment Model
Description of Private Cloud Infrastructure:
– Operated and maintained solely for an organization on a private network.
– Could be managed by the organization and/or a third party.
– Could exist on-premises and/or off-premises.
Issues To Consider:
– Cloud services that have internal risks including data security, reliability, governance… NOTE: ISACA states “Cloud services with minimal risk…”
– May not provide the scalability and agility of public cloud services.
Source: ISACA White Paper – Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
Cloud – Public Deployment Model
Description of Public Cloud Infrastructure:
– Made available to the general public or a large industry group.
– Owned by an organization selling the Cloud services.
– May be managed by the organization or a third party.
– Exists off-premises.
Issues To Consider:
– Same as Private and Community Clouds (data security, reliability, governance), plus:
– Data may be stored with the data of competitors.
– Data may be stored in unknown locations and may not be easily retrievable.
Source: ISACA White Paper – Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
Cloud – Hybrid Deployment Model
Description of Hybrid Cloud Infrastructure:
– A composition of two or more clouds (Private, Public, Community) that remain unique entities but are bound together by standardized or proprietary technology.
– Typical for most companies.
– May be managed by the organization or a third party.
– May reside on-premises or off-premises.
Issues To Consider:
– Aggregate risk of merging different deployment models.
– Classification and labeling of data will be a significant consideration.
Source: ISACA White Paper – Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
Cloud – Community Deployment Model
Description of Community Cloud Infrastructure:
– May be established where several organizations have similar business, legal, and regulatory requirements and seek to share infrastructure so as to realize some of the benefits of Cloud Computing.
– Examples include automobile, government, media and healthcare industries.
– Non business-critical information and processing can be sourced to the public cloud, while business critical services are kept in-house or in a Private Cloud.
Issues To Consider:
– Costs are spread over fewer users than a Public Cloud.
– Data may be stored with the data of competitors.
Source: ISACA Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
Cloud – The NIST Definition Framework
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Common Characteristics: Massive Scale, Homogeneity, Virtualization, Resilient Computing, Low Cost Software, Geographic Distribution, Service Orientation, Advanced Security
Cloud – Private, Public, Hybrid, Community
(Diagram of private, public, hybrid and community clouds) Source: Rice University
IV. Companies Leading in Cloud Computing
Cloud – Vendors
(Diagram) The Cloud: IBM, Microsoft, Savvis, ATT, Salesforce, Cisco, Rackspace, Amazon
“Google 101”
– Network made up of millions of cheap servers that would store staggering amounts of data, including numerous copies of the world wide web
– Makes search faster, helping ferret out answers to billions of queries in a fraction of a second
Google has invested more than $2 billion a year in data centers for cloud computing.
By far the leader in the technology.
Controls 500,000 systems, 1 million CPUs and provides 1,500 GB/second of Internet broadband connectivity.
Amazon Elastic Compute Cloud “Amazon EC2”
– Web service interface that provides resizable computing capacity in a cloud
– Designed to make web-scale computing easier for developers
– Reduces the time required to obtain and boot new server space from weeks to minutes
– Allows developers to pay only for capacity that they actually use
Controls 160,000 systems, 320,000 CPUs and 400 GB/second of Internet broadband connectivity.
“Azure”
– Internet-scale cloud computing and services platform hosted in Microsoft data centers
– Provides a range of functionality to build applications that span from consumer web to enterprise scenarios
– Designed to help developers quickly and easily create, deploy, manage, and distribute web services and applications on the internet.
Controls 560,000 systems, 1.27 million CPUs and 500 GB/second of Internet broadband connectivity.
Cloud – Commercial
Cloud – Scalable Pricing
1) Free – Does not provide technical support, so not a business option for mission-critical systems…
2) Subscription Model – Pay a fixed periodical fee, typically on an annual basis, for infrastructure software.
3) Pay Per Use – More flexible than the subscription model as it gives you higher granularity based on CPU or bandwidth utilization (Amazon EC2 uses this model).
Cloud – Scalable Pricing (continued)
4) Perpetual License – Used to buy licenses in advance and pay for support separately. Most commonly used model with commercial software products.
5) Enterprise Unlimited License – Enables you to pay a premium price in advance and gives you the freedom to use the software without any limit. This fits an environment where it is anticipated that over a fairly short period of time the usage of the product will become wide, and therefore the others above may be more expensive.
Cloud – What Do These Services Offer?
Cloud computing will lead to an increase in the following categories:
1) Virtualization – Hardware and software cost savings as additional computers are no longer needed.
2) Usability – End users are not necessarily required to understand the computer power and architecture to meet their business goals.
3) Standardization – Allows newer software to work on the same infrastructure, so fewer interoperability issues.
4) Scalability – Allows for easier provisioning and implementation, so client value is delivered faster.
V. Governance and Control Issues
Cloud – Issues Noted in Aug 2008
Traditional IT Audit Process
(Diagram) Plan the IT Audit: Define Requirements (output: Requirements Document); Analyze IT Risk (output: IT Risk Analysis); Develop Plan (output: IT Audit Plan).
Evaluate: Interviews, Inspection, Observation, Testing, Analytics.
Deliver the Report: Conduct Closing Meeting; IT Audit Report.
The traditional audit process still works!
Cloud – Why Important to Auditors?
It’s changing the topology of business & IT!
The new belt-tightening economic models for computing have found fertile ground in cloud technology and are seeing massive global investment.
Cloud – What Issues are Important and Why?
Regulatory and Compliance Implications
– Gramm-Leach-Bliley Act of 1999
– Sarbanes-Oxley Act of 2002
– Health Insurance Portability & Accountability Act (HIPAA) of 2006
– Payment Card Industry (PCI) Data Security Standards of 2004…
– Family Educational Rights & Privacy Act (FERPA) of 1974
– SAS70, PCI, etc. etc. etc.
– Cloud Computing Certification?
Reputation
– Your company’s and your business partners’
Cloud – New Problems, New Complexities
1. Board level education, i.e., cost vs. benefits vs. risks.
2. Contracts, terms & conditions, penalties, SLAs (uptime, throughput, response time), vendor exit strategy, audit clauses.
3. System and application migration issues.
4. Security, Security, Security, Security.
Cloud – Top Security Benefits
Benefits of Scale – The same investment buys better protection.
Standard Interfaces for Security Services – Creates a more open market for security services.
Rapid, smart scaling of resources – Dynamic reallocation of resources improves resilience.
Audit and Evidence Gathering – Provide dedicated, pay-per-use forensic images of VMs.
Better updates and defaults – Default VM images with best configuration and patches.
Source: European Network and Information Security Agency (ENISA) Cloud Computing – Benefits, risks and recommendations for information security http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
Cloud – Security Alliance Top Threats
1. Abuse and Disreputable Use of Cloud Computing
2. Insecure Interfaces and APIs
3. Malicious Insiders
4. Shared Technology Issues and Vulnerabilities
5. Data Loss and/or Leakage
6. Account, Service & Traffic Hijacking
7. Unknown Risk Profile of Provider
Source: Cloud Security Alliance – Top Threats to Cloud Computing V1.0 www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
Cloud – Managing Risk
Due Diligence by Customer
– Ask Questions
– Fully specify Security Service Levels
Clear Division of Liabilities
– Example: Customer = Data Controller, Provider = Data Processor (External)
Clear Division of Responsibilities
– Depends upon Service Model (SaaS, PaaS or IaaS)
Certification of Providers
Cloud – Your Opportunities
Cloud Computing – It’s inevitable.
You’re already doing it…
There will be challenges.
Not overnight and not everything.
Your role is to help assess risks and communicate.
Same job, different technology…
Cloud – Your Opportunities
Opportunity for you to engage with the IT and business to help manage risk.
Clouds are just starting and build on/are related to Grids.
Clear need for best practice in use and technology.
Likely to be a need for new standards and novel use of existing/projected standards.
New ISACA NTx Cloud Forum SIG? – Chairs, participants?
– Share experiences and issues
Cloud – Issues for 2010 & Beyond
Deliver strategic value in addition to measurable cost-savings.
Move core business operations to the Cloud.
Fight off escalating security threats.
Address growing integration complexities.
Focus on international growth.
Cloud – Other Challenges
New ones emerge as services become more distributed:
– Who owns the Cloud?
– Everyone uses the Cloud
– Each individual, autonomous system is responsible for securing their section of the Cloud
– Each system has an impact on everyone – even more than before
– Bottom-line – things that impact you and your business don’t end at your gateway anymore…
Cloud – Summary Comments
Clouds inject yet another layer of: Technology, Configuration, Controls
Multi-Tenancy, Multi-Attestation…
Global Location & Regulatory Concerns
Legal Questions & Issues
Security Innovation Requirements
VI. Supplemental Information
Cloud – Supplemental Information
ISACA “Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives”; An ISACA Emerging Technology White Paper. Source: www.isaca.org/cloud (October 2009)
“Risk Perception and Trust in Cloud”; ISACA Journal V4 2010; by Fariborz Farahmand, Ph.D., Center for Education and Research in Information Assurance and Security at Purdue University. Source: www.isaca.org/Journal/Past-Issues/2010/Volume-4/Documents/jpdf1004-risk-perception.pdf
“Security, Privacy, and eDiscovery in the Cloud” eSymposium; Source: www.brighttalk.com to register and receive 3.0 CPEs (August 2010)
“Cloud Computing Management Audit/Assurance Program”. Source: www.isaca.org/knowledge-center/ITAF-IT-Assurance-Audit/Audit-Programs (August 2010)
Cloud – Supplemental Information
National Institute of Standards and Technology (NIST): “NIST Definition of Cloud Computing” (v15) by Peter Mell and Tim Grance (October 7, 2009) http://csrc.nist.gov/groups/sns/cloud-computing.
Dummies Store: “Cloud Computing for Dummies” by Judith Hurwitz, Robin Bloor, Marcia Kaufman, ISBN: 978-0-470-63881-1 (November 2009) www.dummies.com.
Wikipedia – The Free Encyclopedia: “Cloud Computing” http://enwikipedia.org/wiki/cloud_computing
The Cloud.com CloudStack 2.0: The CloudStack is an open source software product that enables deployment, management, and configuration of multi-tier and multi-tenant infrastructure cloud services.
Cloud – Supplemental Information
LinkedIn Groups: “Cloud Computing” with over 39,000 members.
“Cloud Security Alliance” with over 11,000 members.
“Cloud Computing, VMware, Virtualization and Enterprise Group 2.0” with over 33,000 members.
Go to LinkedIn.com to see the others – some 725 more…
Contact Information
Rick Link, CISA, CISSP, CISM, CGEIT
Email: [email protected]
Phone: 214-986-2786