
Deloitte's Cloud Computing Risk Intelligence Map - Build Security In


Business Risks of Software in the Cloud
March 2, 2011
Andrew Murren
Deloitte & Touche, LLP
amurren@deloitte.com


Table of contents
• Cloud Computing Overview
• Risks in the Cloud

Copyright © 2011 Deloitte Development LLC. All rights reserved.


Cloud Computing Overview


Definition of cloud computing

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Essential characteristics:
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service

Service models:
1. Cloud Software as a Service (SaaS)
2. Cloud Platform as a Service (PaaS)
3. Cloud Infrastructure as a Service (IaaS)

Deployment models:
1. Private cloud
2. Community cloud
3. Public cloud
4. Hybrid cloud

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/


Cloud computing delivery models, based on their characteristics and purpose

Cloud computing technology is deployed in different ways, with varying internal or external ownership and technical architectures.

Vendor cloud (external): Cloud computing services from vendors that can be accessed across the Internet or a private network, using one or more data centers, shared among multiple customers, with varying degrees of data privacy control. Sometimes called "public" cloud computing.

Private cloud (internal): Computing architectures modeled after vendor clouds, yet built, managed, and used internally by an enterprise; uses a shared services model with variable usage of a common pool of virtualized computing resources. Data is controlled within the enterprise.

Hybrid cloud: A mix of vendor cloud services, internal cloud computing architectures, and classic IT infrastructure, forming a hybrid model that uses best-of-breed technologies to meet specific needs.

Community cloud: Community clouds are used across organizations that have similar objectives and concerns, allowing for shared infrastructure and services. Community clouds can be deployed using any of the three methods outlined above, simplifying cross-functional IT governance.


Visualizing the differences

[Figure: three stacked diagrams, one per service model, showing which layers the provider supplies. SaaS: applications on a cloud fabric. PaaS: applications on a programming environment. IaaS: applications and operating systems on virtual computers over physical computers, under a virtualization layer. All three rest on supporting infrastructure (physical hardware, network devices), a virtual layer, and common IT infrastructure.]

Software as a Service (SaaS): SaaS covers the range of applications that are licensed for use as services provided to customers on demand, typically across the Web.

Platform as a Service (PaaS): The PaaS model makes all of the facilities required to support the complete life cycle of building and delivering Web applications and services entirely available from the Internet.

Infrastructure as a Service (IaaS): IaaS is the delivery of computer infrastructure as a service. Rather than purchasing servers, software, data center space, or network equipment, clients instead buy those resources as a fully outsourced service.


Risks in the Cloud


Deloitte's Cloud Computing Risk Intelligence Map

The Cloud Computing Risk Intelligence Map:
• Identifies significant risks that may be introduced by cloud computing
• Expands the risk discussion to the broad range of risks that need to be considered across the enterprise
• Spurs discussion about risk management topics, including risk identification, prioritization, measurement, and mitigation
• Facilitates the connection of risk management silos and identification of redundant efforts
• Can be customized for the client's individual cloud strategy and risk profile

The map is organized in three levels:
Level 1: Broad risk categories
Level 2: More granular subcategories
Level 3: Individual risk statements

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.


Deloitte's Cloud Computing Risk Intelligence Map: map categories and sub-categories

Governance, Risk Management, and Compliance: Governance; Risk Management; Compliance
Delivery Strategy and Architecture: Strategy; Architecture
Infrastructure Security: System Security; Vulnerability Management; Network Security; Application Security
Identity and Access Management: Identity Management; Access Management
Data Management: Data Acquisition; Data Usage; Data Storage; Data Transfer; Data Disposal
Business Resiliency and Availability: Business Operations; Technology Resilience; Cloud Provider Continuity; Supply Chain Continuity
IT Operations: Asset Management; Project Management; Change Management; Incident Management; Operations; Monitoring; Resource Provisioning
Vendor Management: Vendor Selection; Contracting; Vendor Lock-in

Also shown on the map, with placement that cannot be recovered from the extracted slide: Encryption (adjacent to the Infrastructure Security and Data Management columns), and the further categories Human Resources, Legal, Finance, Tax, and Physical & Environmental, for which no sub-categories survive.


IT Operations: Change Management

Updates to system and application configuration
• Who is responsible for what updates and within what time frame?
• Testing and validating configurations in constantly changing environments
• Ensuring only authorized people make approved changes to software and configurations
• Patching running systems and system templates

Pre- and post-deployment testing
• What environment to conduct testing in?
• Testing for correct functioning in a constantly changing environment
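One way to act on the two change-management points above (only approved changes reach systems, and templates are patched along with running instances) is a drift check that compares a running system's configuration digests against its golden template and against the approved change records. The following is an added example written for this page, not code from the Deloitte deck; the file paths, file contents, the ApprovedChange record layout and the ticket IDs are constructed sample data.

```python
"""Configuration change check: running system vs. golden template vs. approved changes.

Added example, not part of the Deloitte deck. Paths, file contents, the
ApprovedChange record layout and the ticket IDs are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
import hashlib


def digest(content: str) -> str:
    """SHA-256 of a file's content, standing in for hashing the real file on disk."""
    return hashlib.sha256(content.encode()).hexdigest()


@dataclass(frozen=True)
class ApprovedChange:
    """One approved change record (hypothetical layout of a change ticket)."""
    ticket: str
    path: str
    new_digest: str         # digest the file must have after the change
    approver: str
    window_start: datetime  # approved deployment window
    window_end: datetime


def check_instance(template, running, approvals, observed_at):
    """Compare a running system's file digests against its template.

    Returns {path: verdict} for every path that differs:
      "approved:<ticket>"  observed content matches an approved change whose
                           deployment window covers observed_at
      "unapproved"         changed or added with no matching approval
      "missing"            present in the template, absent on the instance
    Paths whose digest matches the template are not reported.
    """
    approvals_by_path = {}
    for change in approvals:
        approvals_by_path.setdefault(change.path, []).append(change)

    report = {}
    for path in sorted(set(template) | set(running)):
        current = running.get(path)
        if current == template.get(path):
            continue
        if current is None:
            report[path] = "missing"
            continue
        match = next(
            (c for c in approvals_by_path.get(path, [])
             if c.new_digest == current
             and c.window_start <= observed_at <= c.window_end),
            None,
        )
        report[path] = f"approved:{match.ticket}" if match else "unapproved"
    return report


def stale_templates(template, approvals, now):
    """Tickets whose deployment window has closed but whose change is not in the
    template: running systems were patched and the template was not, so the next
    instance provisioned from it comes up unpatched."""
    return [c.ticket for c in approvals
            if now > c.window_end and template.get(c.path) != c.new_digest]


# Constructed sample data: a golden template, one running instance built from it,
# and a single approved change that adds a connection limit to app.conf.
TEMPLATE = {
    "/etc/ssh/sshd_config": digest("PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/app/app.conf": digest("debug=false\n"),
    "/etc/sudoers.d/ops": digest("ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n"),
}
RUNNING = {
    "/etc/ssh/sshd_config": TEMPLATE["/etc/ssh/sshd_config"],
    "/etc/app/app.conf": digest("debug=false\nmax_conn=200\n"),    # approved change
    "/etc/sudoers.d/ops": digest("ops ALL=(ALL) NOPASSWD: ALL\n"),  # nobody approved this
    "/etc/app/local.conf": digest("debug=true\n"),                  # file not in template
}
APPROVALS = [
    ApprovedChange("CHG-1001", "/etc/app/app.conf",
                   digest("debug=false\nmax_conn=200\n"), "j.doe",
                   datetime(2011, 3, 1, 22, 0), datetime(2011, 3, 2, 2, 0)),
]
OBSERVED = datetime(2011, 3, 2, 1, 0)      # inside the CHG-1001 window
AFTER_WINDOW = datetime(2011, 3, 3, 9, 0)  # window closed; template still carries the old file

if __name__ == "__main__":
    for path, verdict in check_instance(TEMPLATE, RUNNING, APPROVALS, OBSERVED).items():
        print(f"{verdict:18} {path}")
    print("templates missing an approved change:",
          stale_templates(TEMPLATE, APPROVALS, AFTER_WINDOW))
```

A difference that matches no approval (the widened sudoers rule and the extra local.conf above) is the signal that someone changed a system outside the change process; an approval whose window has closed while the template still carries the old digest is the case the slide's last bullet warns about, a patch applied to running systems but not to the template they are built from.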


Vendor Management: Vendor Selection

Cloud computing can push responsibility for software ownership and licensing issues to other organizations, but it can also disrupt your ability to operate. Software developed in house by your cloud provider can run into patent or copyright problems, also putting you at risk.

Some questions to ask:
• Who is responsible for software licensing and ownership?
• What options are available if there is an issue with software we own or license?
• What can we do if parties we depend on have issues with the software they own, develop or license?
• How can we manage software costs in an elastic environment?


Infrastructure Security: Inability to independently test application security

Working with the cloud provider
• Restrictions on continuous assessment and periodic security testing
• Coordinating software and configuration changes that may impact your systems

What is the security of the cloud provider's software?
• What is the security posture of the software the cloud provider is running?
• Does the cloud vendor securely configure their systems?
• What evidence of their security posture can they provide?

How will other cloud users impact you?
• Are other cloud clients fully patched and up to date?
• What other software is running on the systems?


Questions?


Contact information

For additional information, please contact:

Amry Junaideen, Principal, Deloitte & Touche LLP, ajunaideen@deloitte.com, +1 202 220 2664
Irfan Saif, Principal, Deloitte & Touche LLP, isaif@deloitte.com, +1 408 704 4109
Raymond Soriano, Director, Deloitte & Touche LLP, rsoriano@deloitte.com, +1 561 962 7735
Andrew Murren, Manager, Deloitte & Touche LLP, amurren@deloitte.com, +1 202 220 2121


This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Member of Deloitte Touche Tohmatsu Limited
