Executive Summary
Cloud computing can provide major benefits to organizations from a cost, flexibility and scalability perspective, but serious concerns have been raised about the security measures used to protect Cloud environments. This is because the threat landscape associated with this form of IT provision is so different to that associated with traditional dedicated hosting. If organizations no longer have direct control over the hardware or physical locations of their servers, data segregation becomes harder to achieve and regulatory compliance far more difficult to guarantee.
Introduction
Cloud computing shifts the responsibility of configuring, deploying and maintaining computing infrastructure from clients to Cloud providers. Providers generally expose an interface for clients to interact with their resources as if they were their own standalone resource; however, a number of resources may often be aggregated on the same computer or cluster of computers. The user does not necessarily know the details of the location, equipment or configuration of their resources; rather, they are provided with a “virtualized” computer resource hosted in “the Cloud”.
With cloud computing, applications and data are available to an organization’s user base, wherever and whenever users choose to connect and access the service and data. This means the business does not have to maintain the hardware and software required to deliver those services.
Types of Cloud Providers
Cloud services are usually divided into three main types: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).
Software as a Service (SaaS)
Responsibility split in the SaaS model (Company 1, Company 2, Company 3 and Company 4 are four tenants of the same provider):
Dedicated (one per company): Data
Shared (common to all companies): Application, Database (RDBMS), Middleware, OS (Operating System), Network, Physical
SaaS clients rent usage of applications running within the Cloud provider’s infrastructure. The applications are typically offered to the clients via the Internet and are managed completely by the Cloud provider. That means that the administration of these services, such as updating and patching, is the provider’s responsibility. One big benefit of SaaS is that all clients are running the same software version, and new functionality can be easily integrated by the provider and is therefore available to all clients.
Platform as a Service (PaaS)
Responsibility split in the PaaS model (Company 1 to Company 4 are four tenants of the same provider):
Dedicated (one per company): Data, Application
Shared (common to all companies): Database (RDBMS), Middleware, OS (Operating System), Network, Physical
PaaS Cloud providers offer an application platform as a service, for example Google App Engine. This enables clients to deploy custom software using the tools and programming languages offered by the provider. Clients have control over the deployed applications and environment-related settings. As with SaaS, the management of the underlying infrastructure lies with the provider.
Infrastructure as a Service (IaaS)
Responsibility split in the IaaS model (Company 1 to Company 4 are four tenants of the same provider):
Dedicated (one per company): Data, Application, Database (RDBMS), Middleware, OS (Operating System)
Shared (common to all companies): Network, Physical
IaaS delivers hardware resources such as CPU, disk space or network components as a service. These resources are usually delivered as a virtualization platform by the Cloud provider and can be accessed across the Internet by the client. The client has full control of the virtualized platform and is not responsible for managing the underlying infrastructure.
Types of Cloud Computing
Public Cloud
Public cloud (also referred to as ‘external’ cloud) describes the conventional meaning of cloud computing: scalable, dynamically provisioned, often virtualized resources available over the Internet from an off-site third-party provider, which divides up resources and bills its customers on a ‘utility’ basis.
Private Cloud
Private cloud (also referred to as ‘corporate’ or ‘internal’ cloud) is a term used to denote a proprietary computing architecture providing hosted services on private networks. This type of cloud computing is generally used by large companies, and allows their corporate network and data center administrators to effectively become in-house ‘service providers’ catering to ‘customers’ within the corporation. However, it negates many of the benefits of cloud computing, as organizations still need to purchase, set up and manage their own clouds.
Hybrid Cloud
It has been suggested that a hybrid cloud environment combining resources from both internal and external providers will become the most popular choice for enterprises. For example, a company could choose to use a public cloud service for general computing, but store its business-critical data within its own data center. This may be because larger organizations are likely to have already invested heavily in the infrastructure required to provide resources in-house – or they may be concerned about the security of public clouds.
Cloud Computing Implementation Roadmap
In the following diagram, SaaS is consumed by end users (employees, clients and partners), PaaS is consumed by software developers and IaaS is consumed by IT administrators; all of these components must be managed either by your company or by a third-party solution provider.
Benefits
There are many reasons why organizations of all sizes and types are adopting this model of IT. It provides a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Ultimately, it can save companies a considerable amount of money.
Removal / reduction of capital expenditure
Customers can avoid spending large amounts of capital on purchasing and installing their IT infrastructure or applications by moving to the cloud model. Capital expenditure on IT reduces available working capital for other critical operations and business investments. Cloud computing offers a simple operational expense that is easier to budget for month-by-month, and prevents money being wasted on depreciating assets. Additionally, customers do not need to pay for excess resource capacity in-house to meet fluctuating demand.
Reduced administration costs
IT solutions can be deployed extremely quickly and managed, maintained, patched and upgraded remotely by your service provider. Technical support is provided round the clock by reputable providers, for no extra charge, reducing the burden on IT staff. This means that they are free to focus on business-critical tasks, and businesses can avoid incurring additional manpower and training costs.
Improved resource utilization
Combining resources into large clouds reduces costs and maximizes utilization by delivering resources only when they are needed. Businesses needn’t worry about over-provisioning for a service whose use does not meet their predictions, or under-provisioning for one that becomes unexpectedly popular. Moving more and more applications, infrastructure, and even support into the cloud can free up precious time, effort and budgets to concentrate on the real job of exploiting technology to improve the mission of the company. It really comes down to making better use of your time – focusing on your business and allowing cloud providers to manage the resources to get you to where you need to go. Sharing computing power among multiple tenants can improve utilization rates, as servers are not left idle, which can reduce costs significantly while increasing the speed of application development. A side effect of this approach is that computer capacity rises dramatically, as customers do not have to engineer for peak loads.
Economies of scale
Cloud computing customers can benefit from the economies of scale enjoyed by providers, who typically use very large-scale data centers operating at much higher efficiency levels, and multi-tenant architecture to share resources between many different customers. This model of IT provision allows them to pass on savings to their customers.
Scalability on demand
Scalability and flexibility are highly valuable advantages offered by cloud computing, allowing customers to react quickly to changing IT needs, adding or subtracting capacity and users as and when required and responding to real rather than projected requirements. Even better, because cloud computing follows a utility model in which service costs are based on actual consumption, you only pay for what you use. Customers benefit from greater elasticity of resources, without paying a premium for large scale.
Quick and easy implementation
Without the need to purchase hardware, software licenses or implementation services, a company can get its cloud computing arrangement off the ground in minutes.
Helps smaller businesses compete
Historically, there has been a huge disparity between the IT resources available to small businesses and to enterprises. Cloud computing has made it possible for smaller companies to compete on an even playing field with much bigger competitors. ‘Renting’ IT services instead of investing in hardware and software makes them much more affordable, and means that capital can instead be used for other vital projects.
Quality of service
Your selected vendor should offer 24/7 customer support and an immediate response to emergency situations.
Guaranteed uptime, SLAs
Always ask a prospective provider about reliability and guaranteed service levels – ensure your applications and/or services are always online and accessible.
Anywhere Access
Cloud-based IT services let you access your applications and data securely from any location via an internet connection. It’s easier to collaborate too; with both the application and the data stored in the cloud, multiple users can work together on the same project, share calendars and contacts etc. It has been pointed out that if your internet connection fails, you will not be able to access your data. However, due to the ‘anywhere access’ nature of the cloud, users can simply connect from a different location – so if your office connection fails and you have no redundancy, you can access your data from home or the nearest Wi-Fi enabled point. Because of this, flexible / remote working is easily enabled, allowing you to cut overheads, meet new working regulations and keep your staff happy!
Technical Support
A good cloud computing provider will offer round the clock technical support. Customers, for instance, may be assigned to one of the provider’s support pods, and all subsequent contact is then handled by the same small group of skilled engineers, who are available 24/7. This type of support model allows a provider to build a better understanding of your business requirements, effectively becoming an extension of your team.
Disaster recovery / backup
Recent research has indicated that around 90% of businesses do not have adequate disaster recovery or business continuity plans, leaving them vulnerable to any disruptions that might occur. Providers can offer an array of disaster recovery services, from cloud backup (allowing you to store important files from your desktop or office network within their data centers) to having ready-to-go desktops and services in case your business is hit by problems. You don’t have to worry about data backup or disaster recovery, as this is taken care of as part of the service. Files are stored twice at different remote locations to ensure that there’s always a copy available 24 hours a day, 7 days per week.
The Potential Risks of Cloud Computing
The use of cloud computing does pose risks to the enterprise; but if key risks to the business are understood and planned for from the outset, they can be managed. Before moving to the cloud, companies should evaluate the following areas.
Privileged user access – How will the provider control access to our data? How can we be assured they will not abuse that access?
Regulatory compliance – Our business must adhere to regulatory requirements. How will we know if the provider is complying with these requirements?
Data location and ownership – Once our data is “in the cloud,” where exactly will it reside? Is the provider’s data center located in a jurisdiction in which we don’t currently operate? Do we understand the requirements of that jurisdiction? Do we have contracts with any customers that prohibit our company from storing data in certain jurisdictions? If there is a problem, or legal matter, what rights do we have to that data?
Data segregation – If the same servers are used to store data from multiple customers, how will the provider ensure other customers cannot see our data – and that we will not see theirs? Can other people access and change our data once it is in the cloud?
Recovery – Can the cloud go offline? If so, who is responsible for getting it back online? How quickly can that be done? What happens while we are waiting? Could our data be lost in the process? Do recovery capabilities support our obligations to stakeholders and/or customers?
Investigative support – What happens if we receive a legal hold notice? Will the cloud service provider help us secure the data? How do we know legal holds will be properly processed? What about other types of investigations?
Long-term viability – If our cloud service provider goes out of business, how do we get our data back? If our provider is a startup, do they have the long-term funding and business model to serve us? And if we are fully leveraging the cloud (SaaS, PaaS and IaaS), do we even have the capability to get the data back? How would we restore our data and applications if we get it back?
IT general controls – Will our cloud environment be supported by fundamental IT general controls? How do we know the environment is secure? What is our provider doing to protect us from third parties hacking into our data? Can we perform periodic audits of the vendor’s environment? What if we need to perform testing to support Sarbanes-Oxley or other regulatory requirements?
Unknown cloud services – Do we know all the cloud services already in use in our organization? Given the growing number of consumers of cloud services (employees introducing and adopting technology in the enterprise), business units may already be using these services without IT knowledge – or any thought of data security.
Audit’s Role in Cloud Computing
The risks outlined above are generally applicable throughout the cloud computing life cycle, whether an organization is thinking about moving to the cloud, is in the process of implementing a cloud-based solution, or is already working in a cloud environment. (Some companies may be in various stages of all three.) Regardless of which stage your company is in, internal audit is well positioned, through its role as an assurance function of the organization, to help management and the board identify and consider the key risks of leveraging cloud computing technology. Internal audit also can help the business determine whether those risks are being appropriately mitigated.
Defining a Cloud Strategy
Internal audit should engage company management to determine if a cloud computing strategy has been defined and communicated. If not, internal audit may be able to assist management in this process by helping to address the following questions:
What is the business case for moving to the cloud? Organizations need a true understanding of the value they seek to gain by moving to the cloud, and determine if they can fully mitigate or accept the risks associated with working in this environment. Consider the following: Does your organization have a complex application infrastructure? Are your applications no longer supported by the vendor or reliant upon legacy systems? If so, cloud vendors may not be able to support these applications or the servers on which they run. However, if your business looks to become increasingly scalable and efficient while reducing costs, a cloud hosting solution may be appropriate.
Would this decision align with business needs? Before migrating to a cloud environment, companies should determine if such a move would align with their overall business strategy and objectives. Are your IT assets aging or reaching the point of retirement? Is there a strategy in place to reduce the cost of IT assets? If your organization is looking for ways to decrease operational or labor costs, the business may be able to realize some cost benefits by selecting a cloud solution.
Do we understand the current state of systems and data to be moved to the cloud? It is important to understand what exactly is being moved to the cloud. Would your company be moving sensitive and/or critical data? Will the business be able to continue complying with data retention requirements? Are there other applications or infrastructure that will have to be re-architected from a communications standpoint? Is your transaction volume going to exceed your (or the provider’s) available bandwidth?
Evaluating Vendors
After weighing the potential benefits and risks of moving to the cloud computing model, the next step is to select the right vendor. Companies are often tempted to leverage the first cloud vendor they identify, or opt for the most popular provider. However, as is the case with any vendor relationship, many risks merit attention to help ensure your organization’s specific risks and controls are addressed. When evaluating potential cloud providers, companies should consider the following questions:
Who will manage the vendor relationship? Companies that use third-party cloud providers should determine who will act as the liaison between the company and the vendor. This will help to ensure there are clear lines of communication between your company and the vendor’s legal department, IT organizations and account managers.
How are assets protected? Information is arguably an organization’s most valuable asset – as well as a potential liability. Cloud vendors should be able to describe the internal data security controls in place to protect data – from intellectual property to customer information to internal bank account numbers. Your company should understand how the vendor manages its own security – both physical security and logical security (e.g., access rights, user identification) – by requesting security policies, vulnerability and penetration test results, and attestations on internal control environments. SSAE 16s (new industry standard that replaces the legacy SAS 70) and reports on compliance often provide insight into the vendor’s control environment and any considerations a prospective client might need to address. Where SSAE 16s or other assessment reports are not available, it is still important to determine how you will obtain assurance that the vendor’s security practices meet your business needs.
How is responsibility divided? Your company needs a clear understanding of which party is operationally responsible for data stored in the cloud. Determine up front who is responsible for monitoring and controlling the servers, applications and data hosted in the cloud. Monitoring activities may include measuring bandwidth, monitoring server performance, applying patches and updates, managing network infrastructure, monitoring backups and providing intrusion detection services. Also, determine who is financially and legally responsible for the data, security and uptime.
How will moving to the cloud impact disaster recovery planning? Disaster preparedness is growing in priority and significance for businesses of all types. One benefit of a cloud computing model is that many providers guarantee defined uptime and failover capabilities as a component of their business model and signed contract. Your company should request the prospective vendor’s business continuity and disaster recovery plans and determine if they align with your business needs and recovery objectives.
How does the vendor manage multiple tenants? In the cloud, your data may be stored on the same physical machine with other clients’ data. Your company should know what controls are in place to logically and even physically (whether on separate devices, sectioned off in separate cages or in completely separate bays) separate your data from other clients’ data.
How would this change the technology environment? Implementing a cloud solution may change your organization’s technology environment, including network topology, interaction between systems and the flow of data. It is necessary for your company to understand which data sits on and flows between which devices. Also, determine who owns each of those components and who is responsible for governing the environment in each step along the way.
Where is data physically stored? Cloud hosting providers can host data in a variety of locations, and your company should understand where your data will reside. If the vendor hosts data internationally, this may impose additional regulatory, international and ownership risks, depending on the country in which the vendor maintains its servers.
How do the company’s risks and controls align with the prospective vendor’s? By performing a gap analysis, your company will be able to determine if there are any control or process gaps in place, which may expose your organization to additional risks. Reports on compliance, SSAE 16s or other assessment reports from the vendor can provide additional insight into known deficiencies, operational risks and user control considerations.
Implementing a Cloud Computing Model
Once due diligence activities are complete, and a cloud service provider that aligns with the company’s strategy, objectives and control framework has been selected, internal audit may shift to evaluating the implementation process. Internal audit can be integral in determining whether the level of planning was adequate to reduce project risk, while also providing independent feedback about the migration process. Internal audit should evaluate implementation activities for adherence to the company’s system development life cycle, project management and change management methodologies. Where deviations from these internal policies, processes and methodologies are required, it should be confirmed that all updates follow expected approval procedures. In addition to ensuring that fundamental cloud computing risk areas have been identified, this evaluation may provide an opportunity for internal audit to help assess the effectiveness of mitigation strategies/controls prior to implementing a cloud computing model.
Questions the business should consider when implementing a cloud computing model include:
What are the service level and operating level agreements (SLAs and OLAs)? While SLAs and OLAs are important for services hosted internally, these agreements have additional significance when the service is hosted in the cloud. With this objective measurement, there is a defined expectation of the level of service being provided. When the SLAs and OLAs were drafted, was the business involved in the decision-making process, or did IT unilaterally decide what was acceptable? Are there any legal, regulatory or contractual compliance requirements that must be taken into account? As the amount of permitted downtime (or other measure) decreases, the cost to the provider – and presumably, the customer – increases.
What are our (and our cloud provider’s) compliance responsibilities? There are many legal (e.g., legal hold, e-discovery), regulatory (e.g., Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, the European Union’s Data Protection Directive, UK Data Protection Act, FSA Data Security Guidelines), and contractual compliance requirements that organizations need to consider when moving to the cloud. Outsourcing the hosting of a service to a third party does not change these requirements, which should be incorporated into the contract to provide a solid base for establishing necessary controls. How does the vendor prove compliance with relevant regulatory requirements? How will customers be notified of a security breach?
How are incidents managed? What is the process for identifying and escalating an issue (e.g., a data breach) in a timely and efficient manner? Are you responsible for initiating contact with the vendor, or does the service provider have proactive monitoring in place so that it knows when something goes wrong? Establishing these basic processes and understanding escalation procedures and expected time to resolution are important.
Who determines user access rights to data? Depending on the type of service purchased, user provisioning may be automated or manual. If it is a manual process, it may be executed by the organization, the provider or both. Developing and defining a process for all situations, including end users and administrators, is important so that expectations are universally understood. While the process may not be identical to that of your organization’s internally hosted services, the same core principles should exist.
How often is data backed up? Who is responsible for that process? Depending on the responsibilities defined between your organization and the cloud vendor, backup and recovery processes that formally assign responsibility for monitoring backups; identifying, resolving and escalating errors and failures; and rotating data and media to a separate location for recovery purposes should be defined. If a daily backup routine fails, what happens?
How will we inform and train end users? As with any significant change to an IT environment, end-user training is critical for ensuring process owners and other users in the organization have adequate knowledge of newly defined processes and fully understand their roles in helping the business to meet data security and compliance expectations.
Monitoring the Vendor
Once your company integrates the planned systems and data into a cloud environment, internal audit may evaluate whether the defined owner is adequately monitoring and controlling the vendor relationship. By this time, the organization should be formally monitoring and reporting on the agreed-upon service levels, while investigating and resolving any variances. As a component of monitoring activities, your company should routinely review any documentation provided by the vendor relating to internal control assessments (whether from SSAE 16s, vulnerability scans or penetration tests). Additionally, internal audit should routinely evaluate regulatory requirements and determine if they are being addressed adequately by the cloud vendor and the company.
In monitoring the cloud vendor relationship, the following should be confirmed:
How the company’s relationship with the vendor is managed – A single person (i.e., relationship manager) should be identified as the primary point of contact with the cloud provider. That person (and any necessary backups) should regularly communicate with a counterpart at the provider. This existing relationship should be used to address issues that arise with the service (e.g., the breach of an SLA or OLA) and to reach resolution.
Who is confirming the accuracy of invoices – Prior to being paid, invoices should be reviewed to confirm pricing terms are consistent with the contract and the quantity of services being billed is accurate. Independent reports should be obtained to confirm the accuracy of any quantity on the invoice.
Whether SLAs and/or OLAs are being monitored and reviewed – Where SLAs and OLAs have been agreed to, they should be recalculated to confirm that the values provided by the cloud vendor are accurate. Additionally, penalties or incentives obtained due to SLA/OLA deviations should be recalculated to confirm the accuracy of the resulting payments and/or credits.
How contractual control requirements (e.g., regulatory, security, privacy) are being monitored – Contractual control requirements should be evaluated using the means made available through the contract, including “right to audit,” assessment reports (e.g., SSAE 16s, reports on compliance) and other evaluations. These methods should be used as frequently as possible, based on the terms of the contract, and the evaluation should be documented.
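The SLA recalculation described above, as an added example that is not part of the original post: it recomputes a month’s availability from the customer’s own outage records (constructed sample data) rather than trusting the figure the vendor reports, and derives the credit owed under an assumed tiered credit schedule. The SLA target, credit tiers, billing window, outage records, vendor-reported figure and monthly fee are all assumptions made for the example.

```python
"""Independent SLA recalculation: added example, not code from the original post.

Recomputes monthly availability from the customer's own outage records and the
credit it implies, then compares both with what the vendor reported. The SLA
target, credit tiers, billing window, outage data, vendor figure and fee are
all assumptions made for this example.
"""
from datetime import datetime

# Assumed contract terms. Credit tiers are ordered lowest availability first,
# so the first tier an availability figure falls below is the largest credit.
SLA_TARGET = 99.9
CREDIT_TIERS = [  # (availability below this %, credit as % of monthly fee)
    (95.0, 25),
    (99.0, 10),
    (99.9, 5),
]

# Billing window under review (assumed): the calendar month of March 2024.
WINDOW_START = datetime(2024, 3, 1)
WINDOW_END = datetime(2024, 4, 1)

# Constructed outage records from the customer's own monitoring. One interval
# starts before the billing window and two overlap each other, so intervals
# are clipped to the window and merged before downtime is totalled; otherwise
# downtime would be over-counted and the credit overstated.
CUSTOMER_OUTAGES = [
    ("2024-02-29T23:30:00", "2024-03-01T00:45:00"),  # straddles month start
    ("2024-03-10T02:00:00", "2024-03-10T02:20:00"),
    ("2024-03-10T02:10:00", "2024-03-10T02:50:00"),  # overlaps the previous one
    ("2024-03-22T14:00:00", "2024-03-22T14:05:00"),
]


def downtime_minutes(outages, window_start, window_end):
    """Minutes of downtime inside the window after clipping and merging intervals."""
    clipped = []
    for start, end in outages:
        s = max(datetime.fromisoformat(start), window_start)
        e = min(datetime.fromisoformat(end), window_end)
        if s < e:
            clipped.append((s, e))
    clipped.sort()
    merged = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).total_seconds() for s, e in merged) / 60.0


def availability_percent(outages, window_start, window_end):
    """Availability for the window as a percentage, from the customer's records."""
    total_minutes = (window_end - window_start).total_seconds() / 60.0
    down = downtime_minutes(outages, window_start, window_end)
    return 100.0 * (1.0 - down / total_minutes)


def credit_percent(availability):
    """Credit owed under the assumed tiers; 0 when the availability met the SLA."""
    for threshold, credit in CREDIT_TIERS:
        if availability < threshold:
            return credit
    return 0


def reconcile(outages, window_start, window_end, vendor_reported, monthly_fee,
              tolerance=0.01):
    """Compare the independently computed availability with the vendor's figure
    and the credit each implies, flagging discrepancies for follow-up."""
    computed = availability_percent(outages, window_start, window_end)
    expected_credit = monthly_fee * credit_percent(computed) / 100.0
    vendor_credit = monthly_fee * credit_percent(vendor_reported) / 100.0
    return {
        "computed_availability": round(computed, 3),
        "vendor_reported": vendor_reported,
        "sla_met": computed >= SLA_TARGET,
        "discrepancy": abs(computed - vendor_reported) > tolerance,
        "expected_credit": expected_credit,
        "vendor_credit": vendor_credit,
        "credit_mismatch": abs(expected_credit - vendor_credit) > 0.005,
    }


def run_example():
    """Reconcile March 2024 against an assumed vendor report of 99.95% on a
    10,000 monthly fee; the customer's own records show 100 minutes down."""
    return reconcile(CUSTOMER_OUTAGES, WINDOW_START, WINDOW_END,
                     vendor_reported=99.95, monthly_fee=10000.0)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The same clip-and-merge step applies to any independent uptime source (synthetic probes, ticket timestamps); what changes between contracts is only the tier table and the window.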
Conclusion
Cloud computing will continue to transform the way organizations manage IT – increasing efficiencies while reducing costs – but there are risks. Proactively identifying and understanding relevant risks before signing a contract and committing to a cloud hosting implementation is essential for success and for ensuring both data security and adherence to compliance demands.
Organizations should establish processes to routinely re-evaluate and monitor risks once the business is working “in the cloud.” Internal audit should consider the risks and controls outlined in this paper and ensure management has evaluated potential risks and taken steps to address them proactively.
Further, it is the responsibility of the chief audit executive to understand the security risks facing the organization, and to work as a conduit to ensure the audit committee understands the risks and how well management is mitigating them.