Cloud Computing – What Auditors need to know

1 Cloud Computing what Auditors need to know This presentation is provided solely for educational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your Auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

2 Deloitte shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on these courses for such purposes. 1. Contents Section 1 Cloud overview Section 2 Risk and Controls Section 3 Internal audit's role Section 4 Solution Section 5 Service organization controls 2. Cloud Overview Cloud Computing Overview Section 3: what is Cloud Computing ? Service Models On-demand self-service Software-as-a-Service Measured Rapid elasticity . Platform-as-a-Service Service . Infrastructure-as-a-Service Deployment Models Having a common definition Public Cloud (external).

3 Helps with managing the Cloud Private Cloud (internal). Hybrid Cloud Community Cloud Resource pooling Broad network access . Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable Computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This Cloud model is composed of five essential characteristics, three service models, and four deployment The NIST 800-145. Definition of Cloud Computing 4. Cloud Computing Overview Deployment Models Cloud Computing technology is deployed in four general types, based on the level of internal or external ownership and technical architectures Cloud Computing services from vendors that can be accessed across the Internet or a private network, using systems in one or more data Public Cloud centers, shared among multiple customers, with varying degrees of data privacy control.

4 Computing architectures modeled after Public Clouds, yet built, managed, and used internally by an enterprise; uses a shared Private Cloud services model with variable usage of a common pool of virtualized Computing resources. Data is controlled within the enterprise. A mix of vendor Cloud services, internal Cloud Computing Hybrid Cloud architectures, and classic IT infrastructure, forming a hybrid model that uses the best-of-breed technologies to meet specific needs The Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for Community example, mission, objectives, security requirements, policy, and Cloud compliance considerations).

5 It may be managed by the organizations or a third party, and may exist on-premise or off-premise. 5. Cloud Computing Overview Service Delivery Different types of Cloud Computing services are grouped into specific categories: Infrastructure, Platform and Software services Infrastructure as a Service Platform as a Service Software as a Service (IaaS) (PaaS) (SaaS). Definition Definition Definition Delivers computer infrastructure, Delivers a Computing platform as Delivers software as a service typically a platform virtualization a service. It facilitates deployment over the Internet, avoiding the environment as a service.

6 Service of applications while limiting or need to install and run the is typically billed on a utility reducing the cost and complexity application on the customer's own Computing basis and amount of of buying and managing the computers and simplifying resources consumed. underlying hardware and software maintenance and support. Customization layers Customization Customization where technology Customization Limited customization existing being deployed requires minimal Moderate customization build applications likely not be able to configuration applications within the constraints migrate Operational notes of the platform Operational notes Easier to migrate applications Operational notes Applications may require to be re- User of Cloud maintains a large Applications may require to be re- written to meet the specifications portion of the technical staff written to meet the

7 Specifications of the vendor (Developer, System Administrator, of the vendor User utilizes the vendors IT staff and DBA) User of the Cloud maintains a and has limited to no technical development staff staff 6. Cloud Computing Overview Service Delivery Responsibility chart Your Organization vs Cloud Vendor Infrastructure as a Service Platform as a Service Software as a Service (IaaS) (PaaS) (SaaS). Definition Definition Your Organization Definition Delivers computer infrastructure, Delivers a Computing platform as Delivers software as a service typically a platform virtualization a service.

8 It facilitates deployment over the Internet, avoiding the environment as a service. Service Your Organization of applications while limiting or need to install and run the is typically billed on a utility reducing the cost and complexity application on the customer's own Computing basis and amount of of buying and managing the computers and simplifying Your Organization resources consumed. underlying hardware and software maintenance and support. Customization layers Customization Customization where technology Customization Limited customization existing being deployed requires minimal Moderate customization build applications likely not be able to configuration applications within the constraints of the platform Cloud Vendor migrate Operational notes Operational notes Operational notes Easier to migrate applications Cloud Vendor Applications may require to be re- User of Cloud maintains a large Applications may require to be re- written to meet the specifications portion of the technical staff

9 Written to meet the specifications of the vendor (Developer, System Administrator, of the vendor User utilizes the vendors IT staff Cloud Vendor and DBA) User of the Cloud maintains a and has limited to no technical development staff staff 7. Risk and Controls Risks (and Controls) are Widespread We believe that Cloud architectures can be a disruptive force enabling new business models and structures to deliver information services Software as 1. SaaS controls a Service 1. 2. PaaS controls (SaaS). 5. Business processes, IT operational Data 3. IaaS controls Data Application Application processes, information security Data storage storage storage 4.

10 Virtualization Platform as controls 2 a Service 5. Data management (PaaS). Governance and storage controls 6. ACLs Programming environment 7. Communication channels 6 Infrastructure Application Application 3 as a Service 8. Supporting Application Application Application Application (IaaS). Operating Operating infrastructure system Operating system Operating system Operating system Operating VIRTUAL system VIRTUAL system VIRTUAL. computer VIRTUAL. computer VIRTUAL. computer VIRTUAL. computer computer computer End users, laptops, 7 Virtual cell phones, etc. Virtualization 4 layer Cloud Supporting infrastructure 8 supporting (physical hardware, network devices) infrastructure 9.