Cloud Computing – Panel
Discussion
October 22, 2011
Introductions
 Barnaby Jeans, Sr. Systems Engineer, VMware




Canada
Richard Livesley, BMO
Malik Datardina, UWCISA
Chris Andersen, Partner, Grant Thornton
Skip White, Professor of Accounting & MIS,
University of Delaware
Barnaby Jeans
Sr. Systems Engineer, VMware Canada
@bjeans
Previously:
Sr. Technology Advisor & Evangelist – Microsoft
Sr. Sales Engineer – Red Hat
Sr. Sales Consultant – Oracle
What is the Cloud?
3
50 Years Ago…
“
“
Computing may
someday be organized
as a public utility
John McCarthy, MIT 1961
What is Cloud Computing
Providing
IT
resources
as a
Service
* National Institute of Standards and Technology v15
Service Models
Consume
Build
Host
Deployment Models
Public Cloud
Hybrid Cloud
Private Cloud
“Virtualization is a modernization catalyst and unlocks cloud computing.”
―Gartner
Why the “Cloud” Matters…
“If you can’t measure it, you can’t manage it” – Andy Grove
 The Cloud Era (Virtualization, Cloud, SaaS) enable
standardized IT metrics, e.g.:
• Cost to provision per VM
• Cost per GB of storage
• Time to Provision
• Cost to provision an email box, …
 To be compared, shopped for
• Public Cloud Providers are
establishing a “rate card” for IT
 Will lead to better informed
consumption & production of
IT
Parting thought…
Corporate IT
Public Cloud
Providers
Where are Lines of Business getting the
IT resources for their next project?
Data in the Clouds:
A Risk Management Approach
Richard Livesley and Malik Datardina
10
Disclaimer
 The opinions presented by Richard and Malik do
not necessarily reflect that of their respective
employers
11
Cloud Computing
 Agenda:
 Why cloud?
 Defining the Cloud: Technology vs Risk based
approach
 Risk of Rogue Clouds
 Cloud Control: A Risk Management Approach
12
Why Cloud?
 Agility: Faster introduction of desired functionality
 Potential for Cost Reduction:
 Moving expenses from OpEx to CapEx
 Reduced maintenance, especially SaaS
 More efficient use of computing resources:
 Public cloud: Start-ups don’t need a data center, large
companies can send extra workloads to the cloud
 E.g. Animoto, flightcaster, NY Times
 Private clouds: Easier to maximize pooled resources
 e.g. Revlon: 1:7 1:34 servers, $70M in cost savings
(unaudited)
13
Challenge of Cloud Compliance
 Not all clouds are equal:
 Risk profile of concern: High risk self-provisioning public
clouds
 Amazon EC2 versus Amazon VPC
 Don’t invest time, effort on tech definitions, but focus on
risk & leverage existing processes
 Key Risks:
 Geographic dislocation: Where’s my data?
 Potential for data to be sent to India, China, etc, if public cloud
provider’s data center exist in those countries
 Multi-tenancy & self-provisioning: Who is my neighbour?
 Hackers used Amazon Web Services to hack into Sony PSN
 Security researchers were able to extract info about co-tenants
 Potential for malicious co-tenants to hack into your instance
14
Risk of Rogue Clouds
 Rogue Clouds
 Clouds that enter the business environment with the
going through all the appropriate control processes
 Direct to business marketing
 Businesses, instead of IT, are marketed SaaS
 Similar phenomenon to Business Managed Applications
 Easier for business to get up & running with SaaS then work
with central IT
 Consumerization: Bring-your-own-cloud
 Google Docs users want same functionality at work as at
home; e.g. Collaborating on confidential contract
15
Cloud Control: Risk Mgmt
Approach
 Risk Identification
 Inventorying use: register current use, identify
what’s acceptable and what is not
 Working with users is critical
 Risk Measurement & Assessment
 Risk needs to be assessed in each information
asset, i.e. the specific cloud environment
 The need for additional controls needs to be based
on the data
16
Cloud Control: Risk Mgmt
Approach
 Risk Mitigation and Control
 Leverage existing vendor management processes to identify
high risk cloud environments
 Emerging best practice: Encrypt data and hold the keys
 Providers are being acquired, e.g. Navajo systems was bought by
Salesforce.com
 Current practice: Use vendor based encryption, but this is not
feasible for all fields in SaaS
 Training and awareness: Users should understand risks of
public cloud
17
Cloud Control: Risk Mgmt
Approach
 Monitoring and reporting
 Traditional controls won’t catch everything: similar
to BMAs
 DLP Tools: Identify traffic moving to unauthorized
clouds
 Cloud vendors: Annual Risk Assessment and
update registry accordingly
18
Closing Thoughts
 Cloud computing is still in motion
 Need to monitor developments within public cloud
computing:
 “Book” on risks is still be written
 Need to monitor threats and attacks on public clouds to
determine what risks need to be identified
 Need to monitor development within encryption e.g.
Homomorphic encryption
19
Cloud Panel
Assurance Provider Perspective
Chris Anderson, CA(NZ), CISA, CMC,
CISSP, PCI QSA
© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.
Assurance on Outsourcing to the
Cloud
 The usual assurance challenges but more of it!
 Service providers have their own service providers
 Service Organisation Controls reports mostly
 ICFR (ISAE 3402/ SSAE16/ CSAE3416) not fully
addressing operational and regulatory risks
 Carve out sub-service providers causes customer to have to
assemble its own assurance after sleuthing who does what
iteratively
Its not your swimming pool any more!
© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.
SOC 1 is a start, SOC 2 and SOC 3
better!
CSAE 3416
What is
covered
by the
report
Controls related to
financial reporting
5025
TSP Seal
Controls over security,
availability, processing
integrity confidentiality,
or privacy
Controls over security,
availability, processing
integrity confidentiality,
or privacy
Intended Auditors and
Audience management of user
organizations ("auditor
to auditor
communication")
Auditors, stakeholders
(e.g. management,
business partners,
customers), and
regulators
Publicly available
reports that can be
freely distributed or
posted on a website as
a seal
Report
Format
Long form which
includes detailed
description of testing
Short form which does
not include detailed
description of testing
Long form which
includes detailed
description of testing
© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.
Plus net new assurance
considerations mostly caused by
dynamic characteristics
 Physical
 Location can change
 The fishbowl (our traditional data centre)
 Was first outsourced but stayed out or moved en-masse
 Then became a cage at a hosting centre
 Now is a virtual cage, with little visibility by customer
 Itinerant nature of some use cases combined with multi-
tenancy
 Access to other customer's data
 Collateral nature of security risk increases – your neighbour
could be a problem/ threat
 Metered service raises questions
 Completeness of billing (CSP objective)
 Verification of service delivery and accuracy of billing
(Customer objective)
© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.
Assurance Provider opportunity
 Work with CSPs to design and implement SOC2/ 3
assurance reports based on
 ENISA Cloud Computing Information Assurance
Framework or equivalent
 Cloud Audit
 Shared Assessments Program
 Common Assurance Maturity Model
 Develop a dynamic assurance product/ service
relevant and proportional to nature and extent of use
of CSP products/ services
 These probably require that audit firms strengthen
their technical IT audit capability!
© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.
Shared Assessments Program
Looks like a comprehensive approach to

Efficient and effective assurance ('audit
once, assure many times)

Preventing cherry picking control objectives
and procedures
The Shared Assessments Program
(www.sharedassessments.org) was
originally developed by Bank of America
Corporation, The Bank of New York Mellon,
Citi, JPMorgan Chase & Company, U.S.
Bank, and Wells Fargo & Company in
collaboration with leading service providers
and the Big 4 accounting firms. These
founding organizations saw the need for a
standardized and objective vendor
management assessment methodology
that would help outsourcers meet
regulatory and risk management
requirements while significantly reducing
costs for all stakeholders

November 10, 2009 – Santa Fe, NM – The
Shared Assessments Program announced today
the launch of Version 5.0 of its tools for evaluating
service provider controls for information security,
privacy and business continuity. The free tools,
whose previous versions are in use around the
globe including in the US, Canada, the EU,
Australia, India and Brazil, comprise a rigorous
toolkit for service provider audits that can be used
in popular cloud computing and software-as-aservice (SaaS) environments.

The Shared Assessments Technical Development
Committee has added 22 new procedures to its
assessment tool (the “AUP”) with an eye to
computing services offered “in the cloud,” that is,
on-demand IT services that rely on Internet-based
virtualization technologies. Questions relevant to
cloud and SaaS environments have been inserted
into several sections of the Shared Assessments
questionnaire, known as the “SIG,” as well.

'Delta Controls' list
© 2010 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.
Cloud Computing:
Research Results
Clinton E. White, Jr
Professor of Accounting & MIS
Lerner College of Business
University of Delaware
Cloud Computing Research
 4 categories of research:
 Practitioner-oriented (surveys & whitepapers)
 Practitioner-oriented (standards & professional
guidance)
 Academic computer science
 Academic MIS
Cloud Computing Research
 Practitioner-oriented surveys & WPs:
 CIO magazine (www.cio.com)
 Surveys of IT leaders
 2008: Big promise … Big security questions (1)
 2009: Adoption prospects are hazy (2)
 2011: CIOs are putting the cloud first (3)
 2011: Cloud is now (4)
Cloud Computing Research
 Practitioner-oriented standards & guidance:
 CSA (Cloud Security Alliance) (5)
 ENISA (Euo Network & Info Sec Alliance) (6)
 OWASP (Open World Appl Security Proj (7)
 ISO (ISO Disb Appl Platforms & Services (8)
 OWF (Open Web Foundation) (9)
 EuroCloud (10)
 CICA (11)
 AICPA (12)
Cloud Computing Research
 Academic computer science:
 Cloud Computing – Issues, Research and Implementations
(13)
 Open research issues:
 Economy of scale & economics of image & service construction
 Temporal & spatial feedback that large scale workflows present
 Cloud provenance (ascertaining the source of goods)
Data management
 Process control flows, execution, & performance
 Dynamics of data flows, file location, & application input & output
 The structure, form, & evolution of workflows
 System information, O/S information, compilers, versions, & load
libraries
 Security issues & complexities
 ROI & total cost of ownership

Cloud Computing Research
 Academic MIS
 Cloud Computing – The Business Perspective (14)
 Open research issues:
 Economics:
Cloud service strategy
 Cloud computing provider economic value & the entire value chain
Strategy
 Impact on corporate culture
 Impact on business partnerships
IS policy
 Policy consistency across multiple providers & applications
 Software management for both providers & users
 Audit policy, security stds, risk assmt, forensics, & evidence gathering
Technology adoption & implementation
 Design of optimal rules for adoption, moving apps, & private vs pub
Government policy & regulation
 Identification of pertinent issues to be addressed





References
1) McLaughlin, Laurianne, Cloud Computing
Survey: IT Leaders See Big Promise, Have Big
Security Questions, CIO.com, Oct 21, 2008
2) Johnson, Carolyn, Cloud Computing Survey:
Adoption Prospects Are Hazy, CIO.com July 31,
2009
3) Brousell, Layren, Survey: CIOs Are Putting the
Cloud First, CIO.com, June 14, 2011
4) KPMG, ‘Cloud is Now’; Technology Spending to
Leap Next Year, SmartPros.com, Oct 6, 2011
References
5) CSA (https://cloudsecurityalliance.org/)
6) ENISA (http://www.enisa.europa.eu/)
7) OWASP
(https://www.owasp.org/index.php/Main_Page)
8) ISO (http://www.iso.org/iso/iso_technical_committee.
html?commid=601355)
9) OWF (http://www.openwebfoundation.org/)
10) EuroCloud (http://www.eurocloud.org/)
11) CICA (http://www.cica.ca/)
12) AICPA (http://www.aicpa.org/Pages/Default.aspx)
References
13) Vauk, Mladen A., Cloud Computing – Issues,
Research and Implementations. Journal of
Computing and Information Technology CIT 16,
2008, 4
14) Marston, Sean, Zhi Li, Subhajyoti
Bandyopadhyay, Juheng Zhang, Anand Ghalsasi,
Cloud Computing – The Business Perspective,
Decision Support Systems, 51 (2011)
Questions?
Barnaby Jeans, Sr. Systems Engineer, VMware Canada
Richard Livesley, BMO
Malik Datardina, UWCISA
Chris Andersen, Partner, Grant Thornton
Skip White, Professor of Accounting & MIS, University of Delaware
Appendix
The NIST Definition of Cloud
Computing
 Cloud computing is a model for enabling
convenient, on-demand network access to a
shared pool of configurable computing resources
(e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and
released with minimal management effort or
service provider interaction. This cloud model
promotes availability and is composed of five
essential characteristics, three service models,
and four deployment models.
http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf