CLOUD COMPUTING - CONCEPT AND OPPORTUNITIES FOR CHARTERED ACCOUNTANTS

Vinod Pahilwani, FCA, CPA (AUS), ISA (ICAI)

1. Meaning and Definition

Cloud computing is a way of delivering IT-enabled capabilities to users in the form of a 'utility service', where users can make use of resources, platform, or software without having to possess and manage the underlying complexity of the technology. The easiest way to think about cloud computing is as doing business on the Web, thereby eliminating the need for in-house technology infrastructure: servers and software to purchase, run and maintain.

Unlike traditional software, which is deployed on premise, cloud applications are designed for web deployment. They are multitenant (delivered by one vendor to many customers), and users share processing power and space that is managed by the vendor.

The most widely used definition of the term has been given by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand access to a shared pool of configurable computing resources (e.g. network, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

2. Characteristics

a. On-Demand Self-Service: Users provision capabilities as needed and/or automatically, without human interaction by a service provider.
b. Broad Network Access: Standard network/Internet access mechanisms promote location-independent use by diverse platforms such as smartphones.
c. Resource Pooling: The service provider hosts compute, network, and storage resources in a model that supports multi-tenancy, with dynamic assignment and reassignment of resources according to demand.
d. Rapid Elasticity: Rapid scale-out and scale-back of resources; from the user's point of view, resources appear unlimited and are paid for based on the quantities actually consumed.
e. Measured Service: Resources are optimized and controlled with a metering capability, with transparent reports on consumption shared with the user.

3. Cloud Computing Service Models

a. Software as a Service (SaaS)
   i. You access the cloud provider's applications, which are running on a cloud infrastructure.
   ii. Applications are accessible from client devices through a thin client interface (e.g. web browser).
   iii. You don't manage or control the data center, network, servers, operating system, middleware, DBMS, or even individual application capabilities (with the possible exception of limited user-specific application configuration settings).
   iv. You do have control over your data.
b. Platform as a Service (PaaS)
   i. You deploy applications you created or acquired onto the provider's cloud infrastructure, using programming languages and tools supported by the cloud provider.
   ii. You don't manage or control the data center, network, servers, OSs, middleware, or DBMS.
   iii. You do have control over your data and the deployed applications, and possibly the application hosting environment configuration.
c. Infrastructure as a Service (IaaS)
   i. Processing, storage, networks, and other fundamental computing resources are rented from the cloud provider.
   ii. You don't manage or control the data center or network.
   iii. You do have control over your data, OSs, middleware, DBMS, and deployed applications.

EXHIBIT: Extent of Control (figure not reproduced)

4. Deployment Models

a. Private Cloud
   i. Operated solely for an enterprise.
   ii. May be managed by the enterprise or a third party.
   iii. May exist on- or off-premises.
   iv. Most closely resembles in-house data centers.
b. Public Cloud
   i. Made available to the general public or a large industry group.
   ii. Owned by an organization selling cloud services.
   iii. Resources are shared with other organizations.
c. Community Cloud
   i. Shared by several enterprises.
   ii. Supports a specific community or a group of entities that have a shared mission or interest.
   iii. May be managed by the enterprises or a third party.
   iv. May reside on- or off-premises.
d. Hybrid Cloud
   i. A composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

5. Benefits of Cloud Computing

a. 24/7 support
b. Location-independent
c. Scalability and sustainability
d. Optimized server utilization
e. Shortened development life cycle
f. Reduced time for implementation
g. Cost saving: low Total Cost of Ownership
h. Lower energy costs and environmental impact
i. Agile deployment
j. Virtualized and dynamic
k. Secure storage and management
l. Utility-based, time-sharing model
m. Greater availability of IT resources
n. Adaptability to evolving market conditions
o. Pay-as-you-go model = better IT budget forecasting

6. Challenges and Risks

a. Data location
b. Commingled data
c. CSP business viability
d. Cloud data ownership
e. Lock-in with the CSP's proprietary APIs
f. Record protection for forensic audits
g. Identity and access management (IAM)
h. Cloud security policy/procedure transparency
i. Disaster recovery
j. Penetration detection
k. Compliance requirements
l. Data erasure for current SaaS or PaaS applications
m. Public cloud server owner's due diligence
n. Screening of other cloud computing clients
o. Screening of employees and contractors

7. Security and Reliability Considerations

With all this sharing of storage space in the "sky", one of the biggest concerns expressed by those considering switching over to cloud applications is the safety of their data and their clients' data. It is a concern cloud vendors have been fighting to overcome for years. How can you know the data is safe? Here arises the need for a system examination by an independent external auditor. A vendor that undergoes such an examination is stringently evaluated on its controls over the system or service it provides to user entities.
The controls address the components of a system, which include:
• Infrastructure. The physical and hardware components of a system (facilities, equipment and networks).
• Software. The programs and operating software of a system (systems, applications and utilities).
• People. The personnel involved in the operation and use of a system (developers, operators, users and managers).
• Procedures. The programmed and manual procedures involved in the operation of a system (automated and manual).
• Data. The information used and supported by a system (transaction streams, files, databases and tables).

The user entity should make sure the vendor uses a data center that has received an AICPA Service Organization Controls (SOC) report, formerly known as a SAS 70 report. The AICPA developed the guidance to provide a highly specialized examination of a service organization's internal control. There are three types of SOC reports:

1. AICPA SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting. These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of user entities' management and their auditors as they evaluate the effect of the controls at the service organization on the user entities' financial statement assertions.

2. AICPA SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy. These reports, prepared using the AICPA guide Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development), are intended for users that have a thorough understanding of the service organization and its internal controls.
These reports can form an important part of the users' oversight of the service organization, vendor management, and internal corporate governance and risk management.

3. AICPA SOC 3: Trust Services Report (Trust Services Principles, Criteria, and Illustrations; AICPA, Technical Practice Aids, vol. 1, TPA sec. 100), commonly referred to as SysTrust reports. These reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not need the level of detail provided in a SOC 2 report. These reports are general-use reports and can be freely distributed or posted on a website as a seal.

8. Opportunities for Chartered Accountants

1. Evaluating Cloud Strategy

The CA may be able to assist management in this process by helping to address the following questions:

A. What is the business case for moving to the cloud? Organizations need a true understanding of the value they seek to gain by moving to the cloud, and must determine whether they can fully mitigate or accept the risks associated with working in this environment.

B. Would this decision align with business needs? Before migrating to a cloud environment, companies should determine whether such a move would align with their overall business strategy and objectives.

C. Do we understand the current state of systems and data to be moved to the cloud? It is important to understand what exactly is being moved to the cloud.
   a. Would your company be moving sensitive and/or critical data?
   b. Will the business be able to continue complying with data retention requirements?
   c. Are there other applications or infrastructure that will have to be re-architected from a communications standpoint?
   d. Is your transaction volume going to exceed your (or the provider's) available bandwidth?

2. Evaluating Vendors

When evaluating potential cloud providers, the CA should consider the following questions:

A. How are assets protected? Information is arguably an organization's most valuable asset, as well as a potential liability. Cloud vendors should be able to describe the internal data security controls in place to protect data, from intellectual property to customer information to internal bank account numbers. The CA should understand how the vendor manages its own security, both physical and logical (e.g., access rights, user identification), by requesting security policies, vulnerability and operational test results, and attestations on internal control environments. SSAE 16 reports (the new industry standard that replaces the legacy SAS 70) and reports on compliance often provide insight into the vendor's control environment and any considerations a prospective client might need to address. Where SSAE 16 or other assessment reports are not available, it is still important to determine how you will obtain assurance that the vendor's security practices meet your business needs.

B. How is responsibility divided? The CA needs a clear understanding of which party is operationally responsible for data stored in the cloud. Determine up front who is responsible for monitoring and controlling the servers, applications and data hosted in the cloud. Monitoring activities may include measuring bandwidth, monitoring server performance, applying patches and updates, managing network infrastructure, monitoring backups and providing intrusion detection services. Also determine who is financially and legally responsible for the data, security and uptime.

C. How will moving to the cloud impact disaster recovery planning? Disaster preparedness is growing in priority and significance for businesses of all types. One benefit of a cloud-computing model is that many providers guarantee defined uptime and failover capabilities as a component of their business model and signed contract.
The CA should request the prospective vendor's business continuity and disaster recovery plans and determine whether they align with your business needs and recovery objectives.

D. How does the vendor manage multiple tenants? In the cloud, your client's data may be stored on the same physical machine as other clients' data. Your company should know what controls are in place to logically, and even physically (whether on separate devices, sectioned off in separate cages or in completely separate bays), separate your data from other clients' data.

E. How would this change the technology environment? Implementing a cloud solution may change your organization's technology environment, including network topology, interaction between systems and the flow of data. It is necessary for your company to understand which data sits on, and flows between, which devices. Also determine who owns each of those components and who is responsible for governing the environment at each step along the way.

F. Where is data physically stored? Cloud hosting providers can host data in a variety of locations, and your company should understand where your data would reside. If the vendor hosts data internationally, this may impose additional regulatory, international and ownership risks, depending on the country in which the vendor maintains its servers.

G. How do the company's risks and controls align with the prospective vendor's? By performing a gap analysis, your company will be able to determine whether there are any control or process gaps, which may expose your organization to additional risks. Reports on compliance, SSAE 16 reports or other assessment reports from the vendor can provide additional insight into known deficiencies, operational risks and user control considerations.

3. Implementing a Cloud Computing Model

The CA should evaluate implementation activities for adherence to the company's system development life cycle, project management and change management methodologies.
Where deviations from these internal policies, processes and methodologies are required, it should be confirmed that all updates follow the expected approval procedures. In addition to ensuring that fundamental cloud computing risk areas have been identified, this evaluation may provide an opportunity for internal audit to help assess the effectiveness of mitigation strategies and controls prior to implementing a cloud-computing model.

Questions the business should consider when implementing a cloud computing model include:

A. What are the service level and operating level agreements (SLAs and OLAs)? While SLAs and OLAs are important for services hosted internally, these agreements have additional significance when the service is hosted in the cloud. With this objective measurement, there is a defined expectation of the level of service being provided. When the SLAs and OLAs were drafted, was the business involved in the decision-making process, or did IT unilaterally decide what was acceptable? Are there any legal, regulatory or contractual compliance requirements that must be taken into account? As the amount of permitted downtime (or other measure) decreases, the cost to the provider, and presumably to the customer, increases.

B. What are our (and our cloud provider's) compliance responsibilities? There are many legal (e.g., legal hold, e-discovery), regulatory (e.g., Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, the European Union's Data Protection Directive) and contractual compliance requirements that organizations need to consider when moving to the cloud. Outsourcing the hosting of a service to a third party does not change these requirements, which should be incorporated into the contract to provide a solid base for establishing the necessary controls. How does the vendor prove compliance with relevant regulatory requirements? How will customers be notified of a security breach?

C. How are incidents managed? What is the process for identifying and escalating an issue (e.g., a data breach) in a timely and efficient manner? Are you responsible for initiating contact with the vendor, or does the service provider have proactive monitoring in place so that it knows when something goes wrong? Establishing these basic processes and understanding escalation procedures and the expected time to resolution are important.

D. Who determines user access rights to data? Depending on the type of service purchased, user provisioning may be automated or manual. If it is a manual process, it may be executed by the organization, the provider or both. Developing and defining a process for all situations, including end users and administrators, is important so that expectations are universally understood. While the process may not be identical to that of your organization's internally hosted services, the same core principles should apply.

E. How often is data backed up? Who is responsible for that process? Depending on the responsibilities defined between your organization and the cloud vendor, backup and recovery processes should be defined that formally assign responsibility for monitoring backups; identifying, resolving and escalating errors and failures; and rotating data and media to a separate location for recovery purposes. If a daily backup routine fails, what happens?

F. How will we inform and train end users? As with any significant change to an IT environment, end-user training is critical for ensuring that process owners and other users in the organization have adequate knowledge of newly defined processes and fully understand their roles in helping the business meet data security and compliance expectations.

4. Monitoring the Vendor

The CA should routinely evaluate regulatory requirements and determine whether they are being addressed adequately by the cloud vendor and the company.
In monitoring the cloud vendor relationship, the following should be confirmed:
• How the company's relationship with the vendor is managed – A single person (i.e., a relationship manager) should be identified as the primary point of contact with the cloud provider. That person (and any necessary backups) should regularly communicate with a counterpart at the provider. This existing relationship should be used to address issues that arise with the service (e.g., the breach of an SLA or OLA) and to reach resolution.
• Who is confirming the accuracy of invoices – Prior to being paid, invoices should be reviewed to confirm that pricing terms are consistent with the contract and that the quantity of services being billed is accurate. Independent reports should be obtained to confirm the accuracy of any quantity on the invoice.
• Whether SLAs and/or OLAs are being monitored and reviewed – Where SLAs and OLAs have been agreed to, they should be recalculated to confirm that the values provided by the cloud vendor are accurate. Additionally, penalties or incentives obtained due to SLA/OLA deviations should be recalculated to confirm the accuracy of the resulting payments and/or credits.
• How contractual control requirements (e.g., regulatory, security, privacy) are being monitored – Contractual control requirements should be evaluated using the means made available through the contract, including "right to audit", assessment reports (e.g., SSAE 16s, reports on compliance) and other evaluations. These methods should be used as frequently as possible, based on the term of the contract, and the evaluation should be documented.
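The independent SLA recalculation described above, as an added example that is not part of the original article: it recomputes a month's availability and the service credit it implies from the customer's own incident records, then compares both with the figures the vendor reported. The 99.9% target, the credit tiers, the incident records and the vendor's statement are all constructed assumptions, not values from any real contract.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example, not from the article: recompute a monthly availability SLA and the
# service credit it implies, then compare with what the vendor reported. All numbers
# below are constructed for illustration.

@dataclass
class Incident:
    start: datetime
    end: datetime
    excluded: bool = False  # e.g. an announced maintenance window the SLA carves out

# Constructed credit schedule: (minimum availability %, credit % of the monthly fee).
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]

def month_bounds(year, month):
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end

def downtime_minutes(incidents, year, month):
    """Sum SLA-relevant downtime, clipping each incident to the billing month."""
    m_start, m_end = month_bounds(year, month)
    total = 0.0
    for inc in incidents:
        if inc.excluded:
            continue
        s, e = max(inc.start, m_start), min(inc.end, m_end)
        if e > s:
            total += (e - s).total_seconds() / 60
    return total

def availability_pct(incidents, year, month):
    m_start, m_end = month_bounds(year, month)
    minutes_in_month = (m_end - m_start).total_seconds() / 60
    return 100 * (minutes_in_month - downtime_minutes(incidents, year, month)) / minutes_in_month

def service_credit_pct(availability):
    """Credit of the first (highest) tier whose floor the measured availability still meets."""
    return next(credit for floor, credit in CREDIT_TIERS if availability >= floor)

def reconcile(vendor_availability, vendor_credit, incidents, year, month, tol=0.01):
    """Flag discrepancies between the vendor's statement and our recalculation."""
    ours = availability_pct(incidents, year, month)
    credit = service_credit_pct(ours)
    return {
        "computed_availability": round(ours, 3),
        "computed_credit_pct": credit,
        "availability_matches": abs(ours - vendor_availability) <= tol,
        "credit_matches": credit == vendor_credit,
    }

# Constructed incident log for March 2024 from the customer's own monitoring.
MARCH_2024_INCIDENTS = [
    Incident(datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 3, 30)),                  # 90 min outage
    Incident(datetime(2024, 3, 10, 1, 0), datetime(2024, 3, 10, 4, 0), excluded=True),  # maintenance
    Incident(datetime(2024, 3, 31, 23, 0), datetime(2024, 4, 1, 1, 0)),                 # only 60 min fall in March
]
```

Calling `reconcile(99.9, 0, MARCH_2024_INCIDENTS, 2024, 3)` against the constructed vendor statement (target met, no credit) yields a computed availability of 99.664% and a 10% credit, so both flags come back false and the statement is disputed.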