CLOUD COMPUTING- CONCEPT AND OPPORTUNITIES FOR
CHARTERED ACCOUNTANTS
Vinod Pahilwani FCA, CPA (AUS), ISA (ICAI)
1. Meaning and Definition
Cloud computing is a way of delivering IT enabled capabilities to users in the
form of ‘Utility Service’, where users can make use of resources, platform, or
software without having to possess and manage the underlying complexity of
the technology.
The easiest way to think about cloud computing is as doing business on the Web,
which eliminates the need for in-house technology infrastructure (servers and
software) to purchase, run and maintain. Unlike traditional software, which is
deployed on premise, cloud applications are designed for web deployment. They
are multitenant (delivered by one vendor to many customers), and users share
processing power and storage space that is managed by the vendor.
The most widely used definition of the term has been given by the National
Institute of Standards and Technology (NIST), U.S. Department of Commerce: “Cloud
computing is a model for enabling ubiquitous, convenient, on-demand access to a
shared pool of configurable computing resources (e.g. network, servers, storage,
applications and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction.”
2. Characteristics
a. On-Demand Self Service: Users provision capabilities as needed
and/or automatically, without human interaction by a service
provider.
b. Broad Network Access: Standard network/Internet access
mechanisms promote location-independent use by diverse
platforms such as smartphones.
c. Resource Pooling: The service provider hosts compute, network,
and storage resources in a model that supports multi-tenancy, with
dynamic assignment and reassignment of resources according to
demand.
d. Rapid Elasticity: Rapid scale out and scale back of resources; from
the user's point of view, there are unlimited resources that are paid
for based on the quantities actually consumed.
e. Measured Service: Resources are optimized and controlled with a
metering capability, with transparent reports on consumption
shared with the user.
3. Cloud Computing Service Models
a. Software as a Service (SaaS)
i. You access the cloud provider’s applications, which are
running on a cloud infrastructure.
ii. Applications are accessible from client devices through a
thin client interface (e.g. web browser).
iii. You don’t manage or control the data center, network,
servers, operating system, middleware, DBMS, or even
individual application capabilities (with the possible
exception of limited user-specific application configuration
settings).
iv. You do have control over your data.
b. Platform as a Service (PaaS)
i. You deploy applications you created or acquired onto the
provider’s cloud infrastructure, using programming
languages and tools supported by the cloud provider.
ii. You don’t manage or control the data center, network,
servers, OSs, middleware, or DBMS.
iii. You do have control over your data and the deployed
applications, and possibly application hosting environment
configuration.
c. Infrastructure as a Service (IaaS)
i. Processing, storage, networks, and other fundamental
computing resources are rented from the cloud provider.
ii. You don’t manage or control the data center or network.
iii. You do have control over your data, OSs, middleware,
DBMS, and deployed applications.
EXHIBIT: Extent of Control
4. Deployment Models
a. Private Cloud
i. Operated solely for an enterprise
ii. May be managed by the enterprise or a third party
iii. May exist on- or off-premises
iv. Most closely resembles in-house data centers.
b. Public Cloud
i. Made available to the general public or a large industry
group
ii. Owned by an organization selling cloud services
iii. Resources are shared with other organizations
c. Community Cloud
i. Shared by several enterprises
ii. Supports a specific community or a group of entities that
have a shared mission or interest
iii. May be managed by the enterprise or a third party
iv. May reside on- or off-premises
d. Hybrid Cloud
i. A composition of two or more clouds (private, community,
or public) that remain unique entities, but are bound
together by standardized or proprietary technology that
enables data and application portability
5. Benefits of Cloud Computing
a. 24/7 support
b. Location-independent
c. Scalability & sustainability
d. Optimized server utilization
e. Shortened development life cycle
f. Reduced time for implementation
g. Cost saving: low Total Cost of Ownership
h. Lower energy costs & environmental impact
i. Agile deployment
j. Virtualized & dynamic
k. Secure storage & management
l. Utility-based, time-sharing model
m. Greater availability of IT resources
n. Adaptability to evolving market conditions
o. Pay-as-you-go model, giving better IT budget forecasting
6. Challenges and Risks
a. Data location
b. Commingled data
c. CSP business viability
d. Cloud data ownership
e. Lock-in with CSP’s proprietary APIs
f. Record protection for forensic audits
g. Identity and access management (IAM)
h. Cloud security policy / procedure transparency
i. Disaster recovery
j. Penetration detection
k. Compliance requirements
l. Data erasure for current SaaS or PaaS applications
m. Public cloud server owner’s due diligence
n. Screening of other cloud computing clients
o. Screening of employees and contractors
7. Security and Reliability Considerations
With all this sharing of storage space in the “sky”, one of the
biggest concerns expressed by those considering switching over to cloud
applications is the safety of their data and their clients’ data. It’s a concern
cloud vendors have been fighting to overcome for years. How can you
know the data is safe? This is where the need for a system examination by an
independent external auditor arises.
A vendor that undergoes such an examination is stringently
evaluated on its controls over the system or service it provides to user
entities. The controls address the components of a system which include:
• Infrastructure. The physical and hardware components of a system
(facilities, equipment and networks).
• Software. The programs and operating software of a system (systems,
applications and utilities).
• People. The personnel involved in the operation and use of a system
(developers, operators, users and managers).
• Procedures. The programmed and manual procedures involved in the
operation of a system (automated and manual).
• Data. The information used and supported by a system (transaction
streams, files, databases and tables).
The user entity should make sure the vendor uses a data center that
has received an AICPA Service Organization Control (SOC) report,
formerly known as a SAS 70 report. The AICPA developed the guidance to
provide a highly specialized examination of a service organization’s
internal control. There are three types of SOC reports:
1. AICPA SOC 1: Report on Controls at a Service Organization Relevant
to User Entities’ Internal Control over Financial Reporting. These
reports, prepared in accordance with Statement on Standards for
Attestation Engagements (SSAE) no. 16, Reporting on Controls at a
Service Organization, are specifically intended to meet the needs of
user entities’ management and their auditors, as they evaluate the
effect of the controls at the service organization on the user entities’
financial statement assertions.
2. AICPA SOC 2: Report on Controls at a Service Organization Relevant
to Security, Availability, Processing Integrity, Confidentiality and/or
Privacy. These reports, prepared using the AICPA guide Reports on
Controls at a Service Organization over Security, Availability, Processing
Integrity, Confidentiality, or Privacy (currently under development), are
intended for users that have a thorough understanding of the service
organization and its internal controls. These reports can form an
important part of the users’ oversight of the service organization;
vendor management; and internal corporate governance and risk
management.
3. AICPA SOC 3: Trust Services Report (Trust Services Principles, Criteria,
and Illustrations; AICPA, Technical Practice Aids, vol. 1, TPA sec. 100),
commonly referred to as SysTrust reports. These reports are designed
to meet the needs of users who want assurance on the controls at a
service organization related to security, availability, processing integrity,
confidentiality, or privacy but do not need the level of detail provided
in a SOC 2 Report. These reports are general use reports and can be
freely distributed or posted on a website as a seal.
8. Opportunities for Chartered Accountants
1. Evaluating Cloud Strategy
CAs may be able to assist management in this process by helping to address the
following questions:
A. What is the business case for moving to the cloud? Organizations need a
true understanding of the value they seek to gain by moving to the cloud, and
determine if they can fully mitigate or accept the risks associated with
working in this environment.
B. Would this decision align with business needs? Before migrating to a
cloud environment, companies should determine if such a move would align
with their overall business strategy and objectives.
C. Do we understand the current state of systems and data to be moved to
the cloud? It is important to understand what exactly is being moved to the
cloud.
a. Would your company be moving sensitive and/or critical data?
b. Will the business be able to continue complying with data retention
requirements?
c. Are there other applications or infrastructure that will have to be re-architected from a communications standpoint?
d. Is your transaction volume going to exceed your (or the provider’s)
available bandwidth?
2. Evaluating Vendors
When evaluating potential cloud providers, CAs should consider the following
questions:
A. How are assets protected? Information is arguably an organization’s most
valuable asset, as well as a potential liability. Cloud vendors should be able
to describe the internal data security controls in place to protect data, from
intellectual property to customer information to internal bank account
numbers. CAs should understand how the vendor manages its own security, both
physical and logical (e.g., access rights, user identification), by
requesting security policies, vulnerability and operational test results, and
attestations on the internal control environment. SSAE 16 reports (SSAE 16 is
the new industry standard that replaces the legacy SAS 70) and reports on
compliance often provide insight into the vendor’s control environment and any
considerations a prospective client might need to address. Where SSAE 16
or other assessment reports are not available, it is still important to
determine how you will obtain assurance that the vendor’s security
practices meet your business needs.
B. How is responsibility divided? CAs need a clear understanding of which
party is operationally responsible for data stored in the cloud. Determine up
front who is responsible for monitoring and controlling the servers,
applications and data hosted in the cloud. Monitoring activities may include
measuring bandwidth, monitoring server performance, applying patches and
updates, managing network infrastructure, monitoring backups and
providing intrusion detection services. Also, determine who is financially
and legally responsible for the data, security and uptime.
C. How will moving to the cloud impact disaster recovery planning?
Disaster preparedness is growing in priority and significance for business of
all types. One benefit of a cloud-computing model is that many providers
guarantee defined uptime and failover capabilities as a component of their
business model and signed contract. CAs should request the prospective
vendor’s business continuity and disaster recovery plans and determine if
they align with your business needs and recovery objectives.
D. How does the vendor manage multiple tenants? In the cloud, your client’s
data may be stored on the same physical machine as other clients’ data.
Your company should know what controls are in place to logically and even
physically (whether on separate devices, sectioned off in separate cages or in
completely separate bays) separate your data from other clients’ data.
E. How would this change the technology environment? Implementing a
cloud solution may change your organization’s technology environment,
including network topology, interaction between systems and the flow of
data. It is necessary for your company to understand which data sits on and
flows between which devices. Also, determine who owns each of those
components and who is responsible for governing the environment in each
step along the way.
F. Where is data physically stored? Cloud hosting providers can host data in
a variety of locations, and your company should understand where your data
would reside. If the vendor hosts data internationally, this may impose
additional regulatory, international and ownership risks, depending on the
country in which the vendor maintains its servers.
G. How do the company’s risks and controls align with the prospective
vendor’s? By performing a gap analysis, your company will be able to
determine if there are any control or process gaps in place, which may
expose your organization to additional risks. Reports on compliance, SSAE
16s or other assessment reports from the vendor can provide additional
insight into known deficiencies, operational risks and user control
considerations.
3. Implementing a Cloud Computing Model
CAs should evaluate implementation activities for adherence to the company’s
system development life cycle, project management and change management
methodologies. Where deviations from these internal policies, processes and
methodologies are required, it should be confirmed that all updates follow
expected approval procedures. In addition to ensuring that fundamental cloud
computing risk areas have been identified, this evaluation may provide an
opportunity for internal audit to help assess the effectiveness of mitigation
strategies/controls prior to implementing a cloud-computing model.
Questions the business should consider when implementing a cloud computing
model include:
A. What are the service level and operating level agreements (SLAs and
OLAs)? While SLAs and OLAs are important for service hosted internally, these
agreements have additional significance when the service is hosted in the cloud.
With this objective measurement, there is a defined expectation of the level of
service being provided.
• When the SLAs and OLAs were drafted, was the business involved in the
decision-making process, or did IT unilaterally decide what was acceptable?
• Are there any legal, regulatory or contractual compliance requirements that
must be taken into account?
• As the amount of permitted downtime (or other measure) decreases, the cost to
the provider (and presumably the customer) increases.
B. What are our (and our cloud provider’s) compliance responsibilities?
There are many legal (e.g., legal hold, e-discovery), regulatory (e.g., Payment
Card Industry Data Security Standard, Health Insurance Portability and
Accountability Act, Gramm-Leach-Bliley Act, the European Union’s Data
Protection Directive), and contractual compliance requirements that
organizations need to consider when moving to the cloud. Outsourcing the
hosting of a service to a third party does not change these requirements, which
should be incorporated into the contract to provide a solid base for establishing
necessary controls.
• How does the vendor prove compliance with relevant regulatory requirements?
• How will customers be notified of a security breach?
C. How are incidents managed? What is the process for identifying and
escalating an issue (e.g., a data breach) in a timely and efficient manner? Are you
responsible for initiating contact with the vendor, or does the service provider
have proactive monitoring in place so that it knows when something goes
wrong? Establishing these basic processes and understanding escalation
procedures and expected time to resolution are important.
D. Who determines user access rights to data? Depending on the type of
service purchased, user provisioning may be automated or manual. If it is a
manual process, it may be executed by the organization, the provider or both.
Developing and defining a process for all situations, including end users and
administrators, is important so that expectations are universally understood.
While the process may not be identical to that of your organization’s internally
hosted services, the same core principles should exist.
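One way to put the "who determines user access rights" question into a repeatable check is to reconcile the accounts actually provisioned in the cloud service against the entitlements the process owner approved. The following is an added example, not code from the article or from any vendor; the account export format, the entitlement list, the user names and the dates are all constructed for illustration.

```python
# Added example, not from the article: reconcile the accounts provisioned in
# a cloud service against the entitlements the organisation actually approved.
# Both data sets are constructed; the export format is assumed.
from datetime import date

# Constructed export from the cloud application's admin console (assumed format)
CLOUD_ACCOUNTS = [
    {"user": "asharma", "role": "admin", "last_login": "2013-05-02"},
    {"user": "bkumar", "role": "user", "last_login": "2013-05-03"},
    {"user": "contractor7", "role": "user", "last_login": "2012-11-20"},
    {"user": "vendor-support", "role": "admin", "last_login": "2013-04-30"},
]

# Constructed entitlement list signed off by the process owner: user -> approved role
APPROVED_ENTITLEMENTS = {
    "asharma": "user",   # approved as a normal user, yet provisioned as admin
    "bkumar": "user",
    "mjoseph": "user",   # approved but never provisioned
}


def review_access(cloud_accounts, approved, as_of, dormant_days=90):
    """Compare provisioned accounts with approved entitlements.

    Returns a list of (user, finding, detail) tuples for the cases an auditor
    would escalate: accounts nobody approved, accounts holding a role other
    than the approved one, accounts idle longer than dormant_days, and
    approved entitlements that were never provisioned.
    """
    as_of_date = date.fromisoformat(as_of)
    findings = []
    seen = set()
    for acct in cloud_accounts:
        user = acct["user"]
        seen.add(user)
        if user not in approved:
            findings.append((user, "orphaned", "no approved entitlement for this account"))
        elif approved[user] != acct["role"]:
            findings.append((user, "role-mismatch",
                             f"provisioned as {acct['role']}, approved as {approved[user]}"))
        idle_days = (as_of_date - date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_days:
            findings.append((user, "dormant", f"no login for {idle_days} days"))
    for user in approved:
        if user not in seen:
            findings.append((user, "not-provisioned", "approved entitlement was never created"))
    return findings


def privileged_without_approval(cloud_accounts, approved, privileged_roles=("admin",)):
    """Users holding a privileged role that the entitlement list does not grant."""
    return sorted(a["user"] for a in cloud_accounts
                  if a["role"] in privileged_roles and approved.get(a["user"]) != a["role"])


if __name__ == "__main__":
    for user, finding, detail in review_access(CLOUD_ACCOUNTS, APPROVED_ENTITLEMENTS, "2013-05-05"):
        print(f"{user:15} {finding:16} {detail}")
    print("unapproved admins:", privileged_without_approval(CLOUD_ACCOUNTS, APPROVED_ENTITLEMENTS))
```

The same reconciliation applies whether provisioning is done by the organization, the provider or both: the entitlement list is the record of who decided, and every difference between it and the live export is either an unapproved change or an approval that was never carried out.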
E. How often is data backed up? Who is responsible for that process?
Depending on the responsibilities defined between your organization and the
cloud vendor, backup and recovery processes that formally assign responsibility
for monitoring backups; identifying, resolving and escalating errors and failures;
and rotating data and media to a separate location for recovery purposes should
be defined. If a daily backup routine fails, what happens?
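The question "if a daily backup routine fails, what happens?" has a concrete answer only if someone is checking the job log every day. The following added example, which is not code from the article or from any backup product, reads a constructed job log and reports the three conditions the paragraph names: a failed run, a day with no run at all, and a run whose copy never reached the separate location. The log format, job name and dates are assumed for illustration.

```python
# Added example, not from the article: review a constructed backup job log for
# the failure modes a backup process must catch: a run that failed, a day with
# no run at all, and a run whose copy never reached the separate location.
# The log format, job name and dates are assumed for illustration.
from datetime import date, timedelta

# Constructed sample log, one line per job attempt:
# <date> <job> <status> offsite=<yes|no>
SAMPLE_LOG = """\
2013-03-01 ledger-db success offsite=yes
2013-03-02 ledger-db success offsite=yes
2013-03-03 ledger-db failure offsite=no
2013-03-04 ledger-db success offsite=no
2013-03-06 ledger-db success offsite=yes
"""


def parse_log(text):
    """Map (job, date string) -> (status, copied off-site?) from the assumed format."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, job, status, offsite = line.split()
        runs[(job, day)] = (status, offsite == "offsite=yes")
    return runs


def review_backups(text, job, start, end):
    """Walk every calendar day from start to end (ISO strings, inclusive) and
    return (day, finding, detail) for each day without a usable off-site backup."""
    runs = parse_log(text)
    findings = []
    day = date.fromisoformat(start)
    last = date.fromisoformat(end)
    while day <= last:
        key = (job, day.isoformat())
        if key not in runs:
            findings.append((day.isoformat(), "missing", "no backup run recorded"))
        else:
            status, offsite = runs[key]
            if status != "success":
                findings.append((day.isoformat(), "failed", f"job ended with status {status}"))
            elif not offsite:
                findings.append((day.isoformat(), "not-rotated", "no copy at the separate location"))
        day += timedelta(days=1)
    return findings


def needs_escalation(findings, max_consecutive=2):
    """True when max_consecutive or more consecutive days lack a usable backup,
    i.e. the recoverable point has drifted beyond a single day's loss."""
    bad_days = sorted(date.fromisoformat(f[0]) for f in findings)
    if not bad_days:
        return False
    if max_consecutive <= 1:
        return True
    streak = 1
    for prev, cur in zip(bad_days, bad_days[1:]):
        streak = streak + 1 if (cur - prev).days == 1 else 1
        if streak >= max_consecutive:
            return True
    return False


if __name__ == "__main__":
    findings = review_backups(SAMPLE_LOG, "ledger-db", "2013-03-01", "2013-03-06")
    for day, finding, detail in findings:
        print(day, finding, detail)
    print("escalate:", needs_escalation(findings))
```

Note that a "success" line is not treated as a usable backup unless the copy also reached the separate location; a silently absent day is reported just like a failed one, because a job that never started produces no error for anyone to notice.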
F. How will we inform and train end users? As with any significant change to
an IT environment, end-user training is critical for ensuring process owners and
other users in the organization have adequate knowledge of newly defined
processes and fully understand their roles in helping the business to meet data
security and compliance expectations.
4. Monitoring the Vendor
CAs should routinely evaluate regulatory requirements and determine whether they
are being addressed adequately by the cloud vendor and the company.
In monitoring the cloud vendor relationship, the following should be confirmed:
• How the company’s relationship with the vendor is managed – A single
person (i.e., relationship manager) should be identified as the primary point of
contact with the cloud provider. That person (and any necessary backups)
should regularly communicate with a counterpart at the provider. This existing
relationship should be used to address issues that arise with the service (e.g., the
breach of an SLA or OLA) and to reach resolution.
• Who is confirming the accuracy of invoices – Prior to being paid, invoices
should be reviewed to confirm pricing terms are consistent with the contract
and the quantity of services being billed is accurate. Independent reports should
be obtained to confirm the accuracy of any quantity on the invoice.
• Whether SLAs and/or OLAs are being monitored and reviewed – Where
SLAs and OLAs have been agreed to, they should be recalculated to confirm that
the values provided by the cloud vendor are accurate. Additionally, penalties or
incentives obtained due to SLA/OLA deviations should be recalculated to confirm
the accuracy of the resulting payments and/or credits.
• How contractual control requirements (e.g., regulatory, security, privacy)
are being monitored – Contractual control requirements should be evaluated
using the means made available through the contract, including “right to audit”,
assessment reports (e.g., SSAE 16s, reports on compliance) and other
evaluations. These methods should be used as frequently as possible, based on
the term of the contract, and the evaluation should be documented.
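Recalculating an SLA rather than accepting the vendor's figure is mechanical once the inputs are in hand. The following added example, which is not code from the article or from any provider, recomputes monthly availability from the vendor's own incident records (merging overlapping incidents so they are not counted twice), derives the credit owed under a tiered schedule, and compares both with what the vendor reported and what appeared on the invoice. The incident records, credit schedule, fee and vendor figures are all constructed for illustration; a real contract defines its own measurement period and credit terms.

```python
# Added example, not from the article: recalculate a monthly availability SLA
# from the vendor's own incident records and check the service credit the
# vendor applied against the contract's credit schedule. Incident records,
# the credit schedule, the fee and the vendor's reported figures are all
# constructed for illustration.

# Constructed incident records as (start, end) in minutes from the start of
# the month. The second record overlaps the first, which a naive sum would
# double-count.
INCIDENTS = [
    (600, 720),
    (700, 760),
    (20_000, 20_150),
    (30_000, 30_030),
]
MONTH_MINUTES = 30 * 24 * 60  # 43,200

# Constructed credit schedule: if measured availability is below the
# threshold (%), the customer is owed at least that credit (% of monthly fee).
CREDIT_SCHEDULE = [(99.9, 10), (99.0, 25), (95.0, 50)]


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(incidents):
    """Total outage minutes without double-counting overlapping incidents."""
    return sum(end - start for start, end in merge_intervals(incidents))


def availability_pct(incidents, period_minutes):
    """Availability over the period as a percentage."""
    return 100.0 * (period_minutes - downtime_minutes(incidents)) / period_minutes


def expected_credit(availability, monthly_fee, schedule):
    """Credit due under the schedule: the largest tier whose threshold was missed."""
    pct = max((credit for threshold, credit in schedule if availability < threshold), default=0)
    return round(monthly_fee * pct / 100, 2)


def reconcile_sla(incidents, period_minutes, monthly_fee, schedule,
                  vendor_reported_pct, vendor_credit, tolerance=0.01):
    """Compare the vendor's reported availability and applied credit with the
    recalculated values; the two flags are what goes into the review file."""
    actual = availability_pct(incidents, period_minutes)
    credit = expected_credit(actual, monthly_fee, schedule)
    return {
        "downtime_minutes": downtime_minutes(incidents),
        "recalculated_pct": round(actual, 3),
        "vendor_reported_pct": vendor_reported_pct,
        "availability_matches": abs(actual - vendor_reported_pct) <= tolerance,
        "expected_credit": credit,
        "vendor_credit": vendor_credit,
        "credit_matches": abs(credit - vendor_credit) < 0.005,
    }


if __name__ == "__main__":
    result = reconcile_sla(INCIDENTS, MONTH_MINUTES, monthly_fee=4000.0,
                           schedule=CREDIT_SCHEDULE,
                           vendor_reported_pct=99.95, vendor_credit=0.0)
    for key, value in result.items():
        print(f"{key:22} {value}")
```

With the constructed inputs the merged downtime is 340 minutes, giving about 99.213% availability against a vendor-reported 99.95%, so the recalculation shows a 10% credit is due where none was applied. The incident records themselves should come from a source the vendor cannot quietly revise (the status history obtained through the "right to audit" clause, or the customer's own monitoring), otherwise the recalculation only confirms the vendor's arithmetic, not its measurement.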