Cloud Computing Guide & Handbook
SAI USA, Madhav Panwar

Background
2010: WGITA approved the cloud computing project with SAI USA as lead and Canada and India as members.
2011: A status report was presented and comments solicited.
2012: The final project description and common cloud computing risks were presented. Members requested that this work be augmented with a cloud computing guide and audit handbook.
2013: Guide and handbook completed for cloud computing.
2013: Will be incorporated into the overall IT Audit Guide & Handbook in cooperation with IDI.

What Is Cloud Computing?
Generally speaking, cloud computing can be thought of as anything that involves delivering hosted services over the Internet.
According to NIST, cloud computing is "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (Special Publication 800-145)

What It Provides

Cloud computing provides shared services as opposed to local servers or storage resources.
It enables access to information from most web-enabled hardware.
It allows for cost savings: reduced facility, hardware/software investment, and support costs.

Essential Characteristics
On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
Source: NIST Special Publication 800-145

Characteristics
Resource pooling:

The provider's computing resources are pooled to serve multiple consumers.
Resources can be dynamically assigned and reassigned according to customer demand.
The customer generally may not care where the resources are physically located, but should be aware of the risks if they are located offshore.
Source: NIST Special Publication 800-145

Characteristics

Rapid elasticity: Capabilities can be expanded or released automatically (e.g., more CPU power, or the ability to handle additional users). To the customer this appears seamless, limitless, and responsive to their changing requirements.
Measured service: Customers are charged for the services they use and the amounts used. There is a metering concept whereby customer resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.
Source: NIST Special Publication 800-145

Service Models
Software/Application
Platform

Infrastructure

Service Models: Infrastructure-as-a-Service (IaaS)
A service model that involves outsourcing the basic infrastructure used to support operations, including storage, hardware, servers, and networking components. The service provider owns the infrastructure equipment and is responsible for housing, running, and maintaining it. The customer typically pays on a per-use basis. The customer uses their own platform (Windows, Unix) and applications.

Service Models: Platform-as-a-Service (PaaS)
A service model that involves outsourcing the basic infrastructure and the platform (Windows, Unix).

PaaS facilitates deploying applications without the cost and complexity of buying and managing the underlying hardware and software on which the applications are hosted. The customer uses their own applications.

Service Models: Software-as-a-Service (SaaS)
Also referred to as software on demand, this service model involves outsourcing the infrastructure, platform, and software/applications. Typically, these services are available to the customer for a fee, on a pay-as-you-go basis, or under a no-charge model. The customer accesses the applications over the internet.

Where Is My Data?
Data resides on servers that the customer cannot physically access.

Vendors may store data anywhere at lowest cost if not restrained by agreement.

Cloud Computing Guide
The guide is a document of about 10 pages that describes cloud computing and its areas of risk.
These risks should be managed by the IT organization that chooses to utilize cloud computing.
For IT auditors, these risks are a roadmap which you can utilize to create your audit program.

Cloud Computing Guide: What is Cloud Computing?
Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment, while the audited entity still has control over the application and the data.

Outsourcing may also include utilizing the vendor's computers to store, back up, and provide online access to the organization's data. The organization will need robust access to the internet if it wants its staff or users to have ready access to the data, or even to the application that processes the data. In the current environment, the data or applications are also available from mobile platforms (laptops with Wi-Fi or cell/mobile cards, smart phones, and tablets).

Cloud Computing Guide: Audit Concerns
When an organization chooses to utilize cloud computing, it needs to be aware of the risks it may face with the service provider, the risk it faces if it is unable to effectively oversee the service provider, and other risks related to management and security weaknesses in the service provider's approach.
As an auditor, you will need to understand what the agency has done to mitigate the risks of cloud computing.
When we as auditors are asked to appraise whether an entity or organization that is obtaining the benefits of cloud computing is managing the vendor so as to ensure it gets the required services, we need to be aware of the risks it may face.

Cloud Computing Guide

Risk Areas
Service Provider Risks
Technical Risks
External (Overseas) Risks
Management/Oversight Risks
Security / Connectivity / Privacy Risks
These were discussed at the last meeting along with some mitigation strategies that the IT organization could use. The IT auditor would use those as a road map to frame audit questions.

Cloud Computing Handbook
The handbook provides the IT auditor with some audit-related questions that begin to explore whether the organization is managing the risks and the vendor.

Cloud Computing Handbook

Next Steps
As and when members conduct IT audits that involve cloud computing, we would like to receive your audit questions so we may update the guide.
Members may contact the Chair or SAI USA for additional information.

Contacts
SAI India: Jagbans Singh, [email protected]
SAI USA: Madhav Panwar, [email protected]
