KPMG Advisory Services: The Business of Clouds: Preparing For the Future of IT
December 4, 2009
Shahed Latif, KPMG LLP

© 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. 15265SEA

With You Today
Shahed Latif
• US Lead Partner for Cloud Computing
• Mountain View
• 650-404-4217
• [email protected]

Agenda
• What is the Cloud
• Key IT Security risks
• Key challenges with the Cloud
• Closing Remarks

What is the Cloud: Evolution of the Cloud
(Diagram only; no slide text.)

What is the Cloud: Definition of the cloud
Characteristics
• Multi-tenancy (shared resources)
• Massive scalability
• Elasticity
• Pay as you go
• Self-provisioning of resources

What is the Cloud: Examples
• SaaS
• PaaS
• IaaS

What is the Cloud: Surveys on the Cloud
• Scalability and flexibility are the prime reasons for using the Cloud
• Security is the biggest challenge with the Cloud

What is the Cloud: Impact of the Cloud on traditional architecture (SaaS model)
(Diagram: a layered stack running from the customer side, where the customer retains more control (client computer infrastructure, governance, risk management, business process management, integral security management, service management, identity and access management, demand management, service portfolio management, product life cycle management, ICT procurement), through federation, directory services, a boundary service, a service (integration) broker, application architecture, change and configuration management, storage and replication, down to the vendor side, where the customer has less control (back-end infrastructure).)

IT Security challenges: Infrastructure Security
• Trust boundaries have moved; specifically, customers are unsure where those trust boundaries have moved to
• The established model of network tiers or zones no longer exists
• The domain model does not fully replicate the previous model
• No viable (scalable) model for host-to-host trust
• Data labeling/tagging is required at the application level
• Data separation is logical, not physical
• Need for greater transparency regarding which party (CSP or customer) provides which security capability
• Inter-relationships between systems, services, and people need to be addressed by identity management

IT Security challenges: Data Security
• Understanding data is more critical
• Provider's data collection efforts and monitoring of such (e.g., IPS, NBA)
• Use of encryption
  • Point-to-multipoint data-in-transit is an issue
  • Data-at-rest is possibly not encrypted
  • Data being processed is definitely not encrypted
  • Key management is a significant issue
  • Advocated alternative methods (e.g., obfuscation, redaction, truncation) are nonsense
• Data lineage
• Data provenance
• Data remanence
• Fully homomorphic encryption
  • Potentially a huge boon to cloud computing
  • Indirectly "aggravates" the need for large-scale multi-entity key management
    • Must scale past multi-enterprise to inter-cloud
    • Not just hundreds of thousands of systems or even millions of virtual machine images, but billions of files or objects
    • Must not only handle the key management lifecycle (per NIST SP 800-57, Recommendation for Key Management), but also:
      • Key recovery
      • Key archiving
      • Key hierarchies/chaining for legal entities

IT Security challenges: Considerations in performing risk assessments

Risk: Geographic locations
New risk implications: Understanding various countries and regulatory authorities is more complicated; controls for cross-border data views and use become more critical.

Risk: Definition of ownership, custodianship, processing and use rights and obligations
New risk implications: Clear responsibilities associated with data assets must be established, which will be challenging in a cloud environment due to the transient nature of data processing. Establishing trust boundaries between the user and the cloud service provider is key.

Risk: Multi-tenancy
New risk implications: In a multi-tenant cloud environment, users may gain access to shared resources, and possibly gain unauthorized access to other users, either inadvertently or deliberately.

Risk: Data seizures
New risk implications: A server seizure directed at one cloud service provider customer may include another customer's data, simply because they were on the same physical server. Seizing the hardware may lead to data loss or data disclosure for other customers.

Risk: Data loss
New risk implications: On ephemeral or transient systems, a cloud provider instance failure may lead to permanent loss of system information, including system configuration and data stored locally.

Risk: Dynamically changing systems
New risk implications: Disposal of servers and hard drives, and general hygiene, is challenging for Cloud Service Providers and raises questions about the change control process.

IT Security challenges: Some examples of new dimensions for security risks

Area: Virtualization
• Is access to the hypervisor managed effectively?
• Is the virtualization software secure?

Area: Monitoring
• Limited log data may be available

Area: BGP
• Prefix hijacking (mis-configurations and deliberate attacks)

Area: Multi-tenancy
• Re-used IP addresses and limited IP ageing
• DNS attacks, such as weak protocol and cache poisoning attacks

Area: Data integrity
• Data-at-rest being subject to unauthorized changes
• Data-in-transit being exposed or subject to unauthorized changes
• Processing in the cloud using decrypted data
• Data remanence in cache, and inefficient cleaning processes

Area: Continuity
• DDoS attacks have a greater impact on Cloud providers
• Robust Disaster Recovery and Business Recovery Plans
• Reliance on the user having adequate and secure bandwidth

Area: Regulation
• Conforming to privacy laws globally and state-wide
• Handling e-Discovery in a timely and cost-efficient manner
• Having inappropriate retention policies
• Complying with financial statement audits

Area: Costs
• Understanding the true total cost of ownership
• Amending accounting policies and the impact on budgets

Key Challenges: Audit planning considerations
Traditional audit techniques -> Revised audit techniques for the cloud
• Boundaries of audit well understood -> Boundaries of audit will need to be reassessed
• Changing IT landscape -> Dynamically changing IT landscape
• Reliance on SAS 70 for service providers -> SAS 70 may not be sufficient for audit reliance
• Look-back audits, auditing after the event -> Real-time audit and continuous assessment
• Transaction-based auditing -> Process-based auditing
• Ability to isolate hosted facilities to audit -> Multi-tenanted environment
• Niche regulatory needs -> Global regulatory needs faced by the Cloud
• Audit evidence readily available -> Audit evidence will be in the Cloud (may not be retained, and electronic in nature)
There will be new dimensions and a re-thinking of how to audit the cloud components.

Key Challenges: Some key audit areas to be impacted by the Cloud
• Depends on the role the Client may play:
  • If the Organization starts to provide cloud services:
    • Revenue recognition
    • Order to cash cycle
    • Taxation
    • Legal structure
  • Traditional areas that may be impacted:
    • SaaS: email in the Cloud, CRM in the Cloud, HR in the Cloud, web content filtering, vulnerability management
    • IaaS, PaaS
• Procurement process
• Corporate structure
• Organizational changes – roles and responsibilities
• IT general controls and application controls
• Vendor management (SLA monitoring)
• Key IT processes (e.g. SDLC, Monitoring, Incident Response, Business Continuity)

Closing remarks
• Service Architecture
• IT - Business Alignment
• End to end security
• Security & Continuity/Availability
• Data Management
• Integration
• Redundancy
• Cloud Capacity Management
• SLAs
• Development & Tests
• Identity & Access Management
• Legal & Contractual
• Pricing models
• Performance & Support
• Portfolio & Contract Management
• Rules & Regulations

Contacts
Shahed Latif, BSc(Hons), ACA
Partner, KPMG LLP
US Lead Partner on Cloud Computing, Silicon Valley Office
650-404-4217
[email protected]

This document is protected under the copyright laws of the United States and other countries as an unpublished work. This document contains information that is proprietary and confidential to KPMG LLP or its technical alliance partners, which shall not be disclosed outside or duplicated, used or disclosed in whole or in part for any purpose other than to evaluate KPMG LLP. Any use or disclosure in whole or in part of this information without the express written permission of KPMG LLP is prohibited.