The Essentials of Cloud Computing for Audit Professionals

CPE Credits: 7 (one-day version), 14 (two-day version), 28 (four-day version)

Description:
We can argue that it is not a matter of whether cloud computing will become ubiquitous—because the economic forces are inescapable—but rather what we can do to assess enterprise governance, risk assessment and the development of strong internal controls in the implementation and management of ever-increasing cloud computing environments. This program begins by establishing the definition of cloud computing, then describes the service delivery models of a cloud computing architecture and the ways in which clouds can be deployed as public, private, hybrid, and community clouds, followed by a much deeper review of the security and privacy issues related to cloud computing environments. We will examine cloud computing models, look into the threat model and security issues related to data and computation outsourcing, and explore practical applications of secure cloud computing. Using the confidentiality, integrity, and availability (CIA) model of data security, we will examine the threats and security implications that befall poorly established and maintained cloud computing environments. Audit approaches and methodologies for assessing internal control exposures within cloud computing environments will also be fully discussed and examined. Participants will develop a cloud ICQ (internal control questionnaire) as part of the multiple exercises included in the multi-day presentation.
Audience:
This presentation is intended for internal and external auditors (IT, financial, operational), Chief Technology Officers, General Counsels, Chief Information Officers, Chief Security Officers, Controllers, and persons charged with establishing or reviewing the implications of strategies that embrace cloud computing and coordinate the role of organizational IT in substantiating organizational compliance with today's (and tomorrow's) governance regulations, as well as professionals who generally want to learn more about cloud computing and about assessing their organization's implementation of cloud computing technologies.

Prerequisites:
There is no prerequisite for this seminar.

Objectives:
After completing this seminar, participants will be able to:
1. Discuss, with confidence, what cloud computing is and what the key security and control considerations within cloud computing environments are.
2. Identify various cloud services.
3. Assess cloud characteristics and service attributes for compliance with enterprise objectives.
4. Explain the four primary cloud category "types".
5. Evaluate various cloud delivery models.
6. Contrast the risks and benefits of implementing cloud computing.
7. Specify security threat exposure within a cloud computing infrastructure.
8. Recognize steps and processes used to perform an audit assessment of a cloud computing environment.
9. Summarize specific environments that would benefit from implementing cloud computing, contrasted against those environments that might not benefit.
10. Weigh the impact of improperly controlled cloud computing environments on organizational sustainability.
Course Outline:

PART 1
Cloud Computing Definition
What are Cloud Services
Cloud Service Attributes
    Access to the Cloud
    Cloud Hosting
    Information Technology Support
    Provisioning
    Pricing
    Underestimated costs
    User Interface
    System Interface
    Shared Resources/Common Versions
Characteristics of Cloud Computing
    Rapid elasticity
    Pay per use
    Independent resource pooling
    Network access
    On-demand self-service
The Five Levels of Redundancy
    Physical
    Virtual resource
    Availability zone
    Region
    Cloud
Cloud Categories
    Public Cloud
    Private Cloud
    Hybrid Cloud
    Community Cloud
Cloud Delivery Models
    SaaS
    PaaS
    IaaS
Cloud Architectural Models
    Design for Failure (DFF)
    Traditional Cloud Architecture
Summary
Customization
Service Reliability and Disruptions
Integration Challenges
Loss of Control
Emerging Technology
Vendor Choices
Infrastructure Limitations
Negligence
Cloud Scenarios and Considerations
    Would you want the computer that controls safety local or in the cloud?
    Someone you know is in a hospital. Do you want their respirator and medical dosage managed in the cloud or locally?
    Weapons control system
    Corporate web server
    Satellite navigation system
    DNS, firewall rules, Active Directory
    ERP
    Workforce management
The Evolution of the Cloud
Advantages
Savings
Benefits

PART 2
Security in the Cloud
Data Security and Control
    Provider Loss
    Subpoenaed Data
    Lack of Provider Security
    Encryption
Regulatory Compliance
    Directive 95/46/EC
    HIPAA
    PCI/PCI DSS
    SOX
    21 CFR 11
Cloud Threats
Threat Mitigation
Cloud Security
Cloud Security vs. Traditional IT
Ponemon Study Discussion
Cloud Security Attributes
Security as a Service from the Cloud
Cloud and Security Risks
Risk Areas
    Privileged User Access
    Data Location and Ownership
    Data Segregation
    Data Recovery
    Investigative Support
    Long-Term Viability
    Data Confidentiality and Privacy
    Service Availability
Cloud Risk Summary
Real-World Issues with Cloud Computing
Cloud Security Alliance
National Institute of Standards and Technology
Strategy
Security Model
Process Maturity Model
Core Technologies
Information Assurance Framework
Cloud Leverage for IA
Roadmap
Next Steps
Expanding to New Markets
    Small and Medium Enterprises
    Adjacent Markets
    New Acquisitions
    Expansion
Cloud Computing and Business Commerce
Cloud Movement
    Financial Services
    Media
    Automotive
    High Tech
    Google.com
    Amazon.com
    Microsoft.com

PART 3
Cloud Audit
Value
Tactics
Cloud Management Audit/Assurance Program
Internal Audit Role
Minimum Audit Skills
Planning for a Cloud Audit
Support Activities
Cloud Business Continuity Planning
Retention and E-Discovery
Privacy Requirements
Portability and Interoperability
Cloud Sourcing
Cloud Impacts
Realities of Cloud Services
Defining Cloud Services
Cloud Performance Limitations
Determining the Cloud Category
Your Environment
    Optimize
    Consolidate
Web Security
    Addressing Web Threats
    Web Threats in the Cloud
    Risks of Web Threats
    Web Threat Mitigation
Web Security Summary
Conclusion