CFIT Meeting
June 17, 2011
Cloud Assurance
“Going forward, we’ll see complete self-service and agility — as a user you should have the quickest, shortest path to getting whatever you want. This shift has been coming in bits and pieces, but now they’re coming together.”
Shekar Ayyar, Head of Strategy, VMware
“The transformation to a true ‘digital enterprise’ will be the business challenge of the next decade. To achieve this, I see the implementation of a flexible, software-based process layer across company departments, suppliers, and partners as the key enabling technology. This transformation has already started and today we are radically changing the way our customers do business. We are opening a whole new world of business models and business opportunities to them.”
Karl-Heinz Streibich, CEO, Software AG
Entire industries are going through a transformation that leverages cloud capabilities… and with any transformation comes the need to manage change and mitigate risk.
[Diagram: Cloud Computing shown against the organizational dimensions Strategy, Structure, People, Process and Technology; business benefits labelled: Enhanced customer expectations, Revenue growth, Risk and compliance, Cost reduction, New business models, Consumer loyalty]
PwC
Why “Go Cloud?”
Business Imperative and Benefits (diagram labels):
• Cost Savings
• Innovation
• Agility
• Efficiency
• Customer Expectation
• Industry Shift
• New revenue streams
• Scalability
Realization that the cloud changes industry
Yesterday / Today / Tomorrow
• 2000: At $6B, Blockbuster declined to purchase Netflix for $50M (2011: now Blockbuster is for sale for $290M)
• Blockbuster owes $21.6M (Fox), $20M (Warner) and $13.3M (Sony); closed 1/3 of stores
• Downstream Internet traffic: 20% Netflix users, 9.89% YouTube users
It’s more than the technology. It’s the reality of the need to innovate, transform and optimize businesses. It’s the business partners’ need to change interactions and expectations as a result of cloud-based business change.
Source: Business Insider, “How Netflix Bankrupted And Destroyed Blockbuster”, March 2011
Recent predictions of Cloud Computing growth
“MarketsandMarkets.com predicts that the global cloud computing market is expected to grow from $37.8 billion in 2010 to $121.1 billion in 2015 at a CAGR of 26.2% from 2010 to 2015.”
“Cloud Computing was the #1 inquiry topic from Gartner clients in 2010.”
“At the Cloud Connect conference Vijay Bhagavath, technology equity researcher for Deutsche Bank, estimates investment in ‘private clouds’ could be a $20 billion dollar opportunity by 2012.”
“Gartner predicts that by 2015, 80% of enterprises using external cloud services will demand independent certification that providers can restore operations and data.”
“Gartner predicts by 2015, 20% of non-IT Global 500 companies will be cloud service providers.”
“Joe McKendrick at ZDNet states that ‘very soon, a third of all software will be delivered via cloud.’”
“Infonetics Research is forecasting spending on security-related SaaS applications will experience a compound annual growth rate of 31% through 2014.”
“Renub Research predicts Worldwide Cloud Computing market is growing at a rapid rate and it is expected to cross $25 Billion by the end of 2013.”
Managing Change in Moving to the Cloud
Moving to the cloud requires ongoing preparation, planning, management and oversight. You still maintain responsibility for processes after the move.
• Adapt capabilities of personnel
• Have a clear understanding of the current process
• Clearly articulate the expected outcome and benefits of the move
• Identify, communicate and address lost capabilities
• Establish new responsibilities
• Assess change in control and compliance
Managing Change in Moving to the Cloud
Adapt capabilities of personnel
• Depending on the “XaaS” cloud offering, the nature of processes moved to the cloud may require different skills internally
Have a clear understanding of the current process
• Moving to the cloud successfully means not losing any capability. Understand current outcomes, including governance and control
Clearly articulate the expected outcome and benefits of the move
• Service level agreements should reflect specific expectations for services, metrics and responses for non-achievement
Identify, communicate and address lost capabilities
• With standardization of most “XaaS” solutions, changes in internal processes may be needed to fill any gaps
Establish new responsibilities
• Update job descriptions, training, performance metrics and documentation
Assess change in control and compliance
• Inventory requirements to determine information and control assessment needs from the service provider
Cloud Assurance – Setting the Stage
Cloud computing’s potential to lower IT costs and boost efficiencies is unprecedented; however, the reliability of cloud service providers is all but unmeasurable.
In PwC’s 2011 Global Information Security Survey, 14% of respondents who had experienced a data breach cited negative impact to brand or reputation—a business impact that has increased 180% in the past three years.
Recent examples of data loss, data privacy breaches and availability failures – Epsilon, Sony Entertainment, Amazon EC2, to name just a few – continue to remind cloud consumers of the risks.
For many organizations, the risk to brand reputation is simply too big to ignore.
Among customers, concerns about the cloud’s risks – security, privacy, availability, and data protection, to name a few – have created an atmosphere in which uncertainty and risk are top of mind.
Currently, there is no comprehensive framework for cloud controls that enables potential cloud customers to confidently assess and verify a cloud provider’s controls and environments.
This lack of a reliable control framework has opened a trust gap between cloud providers and customers, and that gap has impeded the advance of cloud computing.
Cloud Assurance – What exists today
Currently, most cloud customers are gathering information through a series of highly inefficient activities, often led by vendor management or procurement functions:
• Provider self-assessments, which typically focus on security policies
• Responses to customer-prepared questionnaires
• Service level agreements (SLAs) describing the provider’s obligations
• Third-party SAS 70 (now SSAE 16) reports
• Other certifications – PCI, ISO 27002, HIPAA, FISMA, etc.
These efforts have been largely unsuccessful because they do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer’s needs or expectations.
• A globally recognized framework of controls and standard for reporting may come in time, but cloud adopters need something sooner
Cloud Assurance – Looking forward
AICPA Service Organization Reports, compared by consideration point:

SOC 1 / SSAE16 (replacement for SAS70 as of 6/11)
• AICPA suggested scope: Controls relevant to report users’ financial statements
• Intended audience: Restricted; limited distribution
• Content of report: Description of the service organization's system; description of controls; PwC opinion on fairness of presentation of the description, control design (Type I and II), and control effectiveness, including a description of PwC’s tests of controls and results (Type II only)
• AICPA audit standard: SSAE 16

SOC 2
• AICPA suggested scope: Controls relevant to compliance or operations, which could include security, availability and processing integrity, confidentiality, privacy, and data integrity and ownership (use of AICPA Trust Principles required)
• Intended audience: Restricted; limited distribution
• Content of report: Description of the service organization's system; description of controls; PwC opinion on fairness of presentation of the description, control design (Type I and II), and control effectiveness, including a description of PwC’s tests of controls and results (Type II only)
• AICPA audit standard: AT 101, Attest Engagements

SOC 3
• AICPA suggested scope: Controls relevant to compliance or operations, which could include security, availability and processing integrity, confidentiality, privacy, and data integrity and ownership (use of AICPA Trust Principles required)
• Intended audience: General use (with public seal); unrestricted distribution
• Content of report: Unaudited system description; PwC opinion on controls effectiveness
• AICPA audit standard: AT 101, Attest Engagements

Custom Attest
• AICPA suggested scope: Management defined; can include controls relevant and unique to operations, billing, technology, security, privacy and beyond
• Intended audience: Generally restricted distribution, but may be unrestricted
• Content of report: Description of management assertions and control objectives; list of criteria PwC evaluated; description of controls; PwC opinion
• AICPA audit standard: AT 101, Attest Engagements
Summary - Plan for Success
• Understand the rationale for adopting cloud
• Engage with relevant function leaders to identify changes
• Review impacted business activities in the ‘as is’ and ‘to be’ states
• Assess capabilities of existing personnel to manage the transition and to perform roles in the new state
• Treat the move as a “process”, not a project
• Assess risk and build a plan to manage it accordingly
Thank you
Cara Beston
Cloud Assurance Partner
[email protected]
Cara is the National Technology sector leader for PwC’s Risk Assurance practice, based in San Jose, CA. She is also a member of PwC’s national Cloud Action Committee and the firm’s representative to the Cloud Security Alliance. She specializes in IT and process risk and control assurance services to IT, Internal Audit, finance and business leaders in the Technology sector. Prior to joining the Risk Assurance practice, Cara spent 15 years serving the financial accounting and reporting needs of clients across a broad array of sectors including manufacturing, real estate, financial services and technology. In her 2w years with PwC, Cara has served over 80 technology clients, including key Cloud-enabling enterprises such as Cisco Systems, VMware and 3Par, SaaS providers, and a number of on-line businesses including Shutterfly, CBS Interactive, Zappos.com and others. Cara graduated summa cum laude from Bridgewater College, MA and is a member of the AICPA. She lives in Pleasanton, CA with her husband and 3 children.