
Cloud Computing Risk Assessments

Donald Gallien
March 31, 2011

www.isaca.org
Overview

• Cloud Computing Refresher
• Assessing Cloud Computing Universe Completeness
• Using a Cloud Computing Risk Ranking Model
• Risk Ranking Case Study

Quiz

• What do the following have in common?
– Paisley GRC
– Salesforce.com
– Amazon EC2
– Google Apps
– Microsoft Business Productivity Online Suite (BPOS)
– Rackspace
– WebEx
Cloud Computing Refresher

Cloud Computing Basics

• Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)
• Based on virtualization and abstraction of the underlying infrastructure
• IT Audit Risk is largely driven by:
– Deployment Model
– Service Model
– Nature of Applications & Data in Cloud

Deployment Models

Model      | Definition                                                        | Example
Public     | Available to the general public or a large industry group         | Google Apps (Free)
Community  | Shared by several organizations and supports a specific community | Google Apps for Government
           | that has shared concerns                                          |
Private    | Operated solely for an organization                               | Microsoft BPOS for a Business

Source: NIST
Service Models

Model                              | Definition                                            | Example
Infrastructure as a Service (IaaS) | Fundamental computing resources to deploy software,   | Rackspace Cloud
                                   | including OS and applications                         |
Platform as a Service (PaaS)       | Applications based on programming languages and tools | Force.com
                                   | supported by the cloud provider                       |
Software as a Service (SaaS)       | Cloud provider applications running on a cloud        | Salesforce.com (CRM)
                                   | infrastructure                                        |

Source: NIST
Another Way to Look at Service Models

Provider control increases from IaaS through PaaS to SaaS:
• SaaS: WebEx (most provider control)
• PaaS: BPOS
• IaaS: Amazon EC2 (least provider control)

Deployment Model Risk Profile

Public | Community | Private

Likelihood of Data Security, Privacy, and Control Breach: Higher for Public, Lower for Private, with Community in between.

Service Model Risk Profile

IaaS | PaaS | SaaS

Impact of Loss of Control & Security Breach: Higher for IaaS, Lower for SaaS, with PaaS in between.

Cloud Refresher Summary

• Public clouds are inexpensive, but provide less security and service
• Private clouds are expensive, but align better with technology and security standards
• IaaS models are very broad in scope, but organizations maintain more control
• SaaS models are narrow in scope, but organizations relinquish almost all control

What is the impact of cloud computing on the IT audit function?
But one thing never changes

• All IT Audit and Governance groups must:
1. Identify a Universe
2. Risk Rank the Universe
3. Provide Appropriate Coverage based on Risk

Assessing Cloud Computing Universe Completeness

The Cloud Universe Challenge

The cloud is:
• Transient
• Flexible
• Abstract
• Dynamic
• Rapidly Deployed

Finding the Clouds

Control Points for finding cloud computing:
• Technology Governance
• Firewalls & Encryption Certificates
• Invoices / Time & Expense Reporting
• Process Walkthroughs

Technology Governance

• Oversight
• Technology Approvals
• Partner Approvals

How does your organization promote controlled cloud computing?

Firewalls and Encryption Certificates

• Firewall & VPN Rule Changes
• Firewall Logs
• Encryption Certificate Requests

Cloud computing environments are unlikely to stand alone.
Invoices / T&E Reporting

• Vendor Master
• Invoice Lists
• T&E Reporting

How much does it cost to deploy cloud based e-mail service at Google?

Process Walkthroughs

• Business Process
• Data Flow
• Technology Overview

Has anyone discovered cloud based computing in a walkthrough meeting?

Summary – Universe Completeness

• Cloud computing can be difficult to identify
• Traditional technology governance, security, and procurement controls can be used to identify cloud computing
• Users and business analysts could be your best source of cloud computing information

What else can you do to identify cloud computing?

Using a Cloud Computing Risk Ranking Model

A few thoughts before we start

• Risk models include elements of judgment and must fit the organization
• Some model assumptions may be completely wrong for your organization
– We should have a lot of debate on this topic
• Risk ranking scores must drive governance requirements and audit activities

Cloud Risk Ranking Example

Attribute             | High (5)         | Med (3)        | Low (1)
Deployment Model      | Public           | Community      | Private
Service Model         | IaaS             | PaaS           | SaaS
Data Security Level   | Secret           | Restricted     | Unclassified
Physical Hosting Site | Undefined        | Int'l Location | Domestic Location
SOX Critical          | Yes              |                | No
Dependent Apps        | Greater than 10  | 4 to 10        | 0 to 3
Recovery Time         | 4 Hours          | 7 Days         | 31 Days
Region Supported      | Europe or Global | US             | All other
Potential Governance & Audit Requirements

Cloud Risk Category | Score | Governance Requirements | Audit Requirements / Frequency
High                | >25   | SAS 70 Type II          | Full Scope / Annual
Medium              | 11-24 | SAS 70 Type I           | Limited Scope / Bi-Annual
Low                 | <10   | None                    | Risk Assess Only

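As an added example (not part of the presentation), the scoring model of the two preceding slides in Python: each attribute contributes 5, 3 or 1 point, the total falls into a risk category, and the category selects the governance and audit requirement. The attribute keys and the sample profile are constructed; the slide leaves totals of exactly 10 and 25 between its bands, and the code rounds those up to the stricter category as a stated assumption.

```python
# Added example, not from the presentation: scorer for the deck's cloud risk
# ranking model; values and bands are from the slides, see categorize() for the
# one assumption made here.
HIGH, MED, LOW = 5, 3, 1
ATTRIBUTES = {  # attribute -> {observed value: points}; SOX has no medium value
    "deployment_model": {"Public": HIGH, "Community": MED, "Private": LOW},
    "service_model": {"IaaS": HIGH, "PaaS": MED, "SaaS": LOW},
    "data_security_level": {"Secret": HIGH, "Restricted": MED, "Unclassified": LOW},
    "physical_hosting_site": {"Undefined": HIGH, "Int'l Location": MED, "Domestic Location": LOW},
    "sox_critical": {"Yes": HIGH, "No": LOW},
    "dependent_apps": {"Greater than 10": HIGH, "4 to 10": MED, "0 to 3": LOW},
    "recovery_time": {"4 Hours": HIGH, "7 Days": MED, "31 Days": LOW},
    "region_supported": {"Europe or Global": HIGH, "US": MED, "All other": LOW},
}
REQUIREMENTS = {  # category -> (governance requirement, audit requirement / frequency)
    "High": ("SAS 70 Type II", "Full Scope / Annual"),
    "Medium": ("SAS 70 Type I", "Limited Scope / Bi-Annual"),
    "Low": ("None", "Risk Assess Only"),
}

def score(profile):
    """Sum the points for one service; a missing attribute or a value that is
    not on the slide is rejected instead of being silently scored as zero."""
    missing = sorted(set(ATTRIBUTES) - set(profile))
    if missing:
        raise ValueError(f"profile missing attributes: {missing}")
    return sum(ATTRIBUTES[name][profile[name]] for name in ATTRIBUTES)

def categorize(total):
    """Slide bands: >25 High, 11-24 Medium, <10 Low. Totals 10 and 25 (reachable, since
    eight attributes give 8..40) are unassigned on the slide; assumed here: round up."""
    if total >= 25:
        return "High"
    if total >= 10:
        return "Medium"
    return "Low"

def assess(profile):
    """Return the score, its category and the requirements that category triggers."""
    total = score(profile)
    category = categorize(total)
    governance, audit = REQUIREMENTS[category]
    return {"score": total, "category": category, "governance": governance, "audit": audit}

SAMPLE_EMAIL_SERVICE = {  # constructed sample: public SaaS e-mail at an undisclosed site
    "deployment_model": "Public", "service_model": "SaaS",
    "data_security_level": "Restricted", "physical_hosting_site": "Undefined",
    "sox_critical": "No", "dependent_apps": "0 to 3",
    "recovery_time": "7 Days", "region_supported": "US",
}
```

Running `assess(SAMPLE_EMAIL_SERVICE)` gives a score of 22, so the sample lands in the Medium band and would call for a SAS 70 Type I report and a limited-scope, bi-annual audit.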
Deployment Model Considerations

Deploy Model: High = Public, Medium = Community, Low = Private

Public
- Security and privacy are not a priority
- Service level agreements may not exist

Private
- Private environments provide adequate security and privacy
- Service level agreements should exist

Service Model Considerations

Service Model: High = IaaS, Medium = PaaS, Low = SaaS

IaaS
- Issues may impact all hosted applications and data
- No control over foundational general controls

PaaS
- Impact limited to outsourced platform

SaaS
- Impact limited to applications and data

Data Security Considerations

Security Level: High = Secret, Medium = Restricted, Low = Unclassified

Secret
- Difficult to enforce security standards when outsourcing
- Difficult to demonstrate compliance with regulations like GLBA

Unclassified
- Security and privacy are not a concern (good candidate for cloud computing)

Physical Hosting Site Considerations

Hosting Site: High = Undefined, Medium = International Location, Low = Domestic Location

Undefined
- May result in cross border data protection regulatory issues
- Difficult to demonstrate compliance with regulations like GLBA

Domestic Location
- Minimizes concerns about cross border data protection regulations

SOX Criticality Considerations

SOX Critical: High = Yes, Low = No

Yes
- SAS 70 reports may not cover SOX critical application controls
- Business units may not have visibility or access to test SOX controls

No
- Non SOX critical applications may be good candidates for cloud computing

Dependent Applications

Number of Apps: High = Greater than 10, Medium = 4 to 9, Low = Less than 3

> 10
- Implies complexity and greater organizational significance

< 3
- Implies simplicity and less organizational significance

Recovery Time Objectives (RTO) Considerations

RTO: High = 4 Hours, Medium = 7 Days, Low = 31 Days

4 Hours
- Implies increased business importance
- Cloud provider may lack geographic diversity
- Single points of failure may exist in network

31 Days
- Implies lower business importance - good candidate for cloud computing

Regions Supported Considerations

Region: High = Europe or Global, Medium = United States, Low = All Other

Europe / Global
- Strictest cross border data protection regulations – can be at odds with abstract cloud computing

All Other
- “Other” countries may have less restrictive cross border data protection regulations

Summary – Cloud Risk Ranking Models

• Cloud risk ranking attributes and scoring must vary based on environment and need
• Risk attributes and scoring require alignment with organizational standards

What other risk attributes might you use, and how would you rank them on a high, medium, low basis?

Risk Ranking Case Study

Conclusions

• Business and technology leaders are embracing cloud computing - it is here to stay and growing
• Cloud computing standards and risk ranked cloud universes are foundational requirements for governance
• We must adjust our approach to remain relevant

Questions

Contact Information:
donald.w.gallien@aexp.com

