In a complicated world, we can help you make sense <strong>of</strong> it all. kpmg.co.za © 2011 KPMG Services (Proprietary) Limited, a <strong>South</strong> <strong>Africa</strong>n company and a member firm <strong>of</strong> the KPMG network <strong>of</strong> independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in <strong>South</strong> <strong>Africa</strong> MC6425. <strong>The</strong> KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks <strong>of</strong> KPMG International.
AUDITING THE THUNDERS IN THE CLOUD More companies the world over are adopting the cloud. According to Gartner (2010) the cloud market will be worth US $148.8 billion (about R1 trillion) by 2014. Gartner forecast the cloud growth rate to be about 20% per year. In <strong>South</strong> <strong>Africa</strong> companies like T Systems are already providing cloud services. <strong>The</strong> cloud providers are growing on a daily basis. CLOUD COMPUTING DEFINITION <strong>The</strong> term cloud computing was inspired by the cloud symbol shown in Figure. 2. <strong>The</strong> symbol is <strong>of</strong>ten used to represent the Internet in fl ow charts and diagrams. Simply defi ned cloud computing is IT services accessible via the web and internet connection. <strong>The</strong> US National <strong>Institute</strong> <strong>of</strong> Standards and Technology (NIST) describes cloud computing as a model for enabling convenient, on-demand network access to a shared pool <strong>of</strong> confi gurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management eff ort or service provider interaction. ISACA CEO defi nes Cloud computing as a “delivery model for consuming IT as a service and another way for an IT organization to deliver the technology necessary to run the enterprise business.” In its broadest usage, the term cloud computing refers to the delivery <strong>of</strong> scalable IT resources over the Internet, as opposed to hosting and operating those resources locally. It is a general term for anything that involves delivering hosted services over the Internet. Gartner defi nes cloud computing as “A style <strong>of</strong> computing where scalable and elastic IT related capabilities are provided ‘as a service’ to customers using Internet Technologies.” <strong>The</strong> essential characteristics <strong>of</strong> the cloud as described by NIST and Gartner are: on demand self services, broad network access, resource pooling, rapid elasticity, measured service and multi tenacity. Multi tenacity shown in Figure. 3 means users in diff erent sections <strong>of</strong> an enterprise will be rendered services on their own terms – usage rates, access restrictions uptimes. Cloud allows computing to be removed from the traditional shops to remote data centres. Cloud computing enables computer services such as email, applications, network or server service to be provided without requiring human interaction with each service provider. Cloud capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms such as mobile phones, laptops and PDAs. <strong>The</strong> provider’s computing resources are pooled together to serve multiple consumers using multiple-tenant model, with diff erent physical and virtual resources dynamically assigned and reassigned according to consumer demand. <strong>The</strong> resources include storage, processing, memory, network bandwidth, virtual machines and email services which build economies <strong>of</strong> scale. Cloud services can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in, thereby giving the client the ability to align IT with business objectives and requirements. To the consumer, the capabilities available for provisioning <strong>of</strong>ten appear to be unlimited and can be purchased in any quantity at any time. Under the cloud resource usage can be measured, controlled, and reported providing transparency for both the provider and consumer <strong>of</strong> the utilised service. This enables the user to control and optimise resource use. Just like air time, electricity or municipality water IT services are charged per usage metrics – pay per use. <strong>The</strong> more you utilise the higher the bill. Cloud impacts organisation’s IT size, structure, diversity, material assets and skill pool. <strong>The</strong> cloud changes the whole information technology (IT) landscape – IT roles, IT policies, processes and procedures, IT structures and the business governance <strong>of</strong> IT and may introduce an enterprise to more regulatory compliance issues. <strong>The</strong> shift in the traditional operation <strong>of</strong> IT requires Chief Information Offi cers (CIOs), Chief Risk Offi cers (RISOs), Chief Information Security Offi cers (CISOs), Chief Technology Offi cers (CTOs), Business Information Security Offi cers (BISOs), Chief Executive Offi cers (CEOs) or Chief Operations Offi cers (COOs) to develop diff erent IT strategies and skills. Skills required for eff ective enterprise governance <strong>of</strong> the cloud include managing contracts, overseeing integration between in-house and outsourced services, and mastering a diff erent model <strong>of</strong> IT budgets. <strong>The</strong> change in the IT set up requires a paradigm shift in providing assurance. According to ISACA in its IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud “assurance needs to become more real time, continuous and process oriented versus transactional in focus.” <strong>The</strong>re is a strong need for assurance mechanisms before moving ahead with the decision to roll out cloud services or utilise cloud services. IA ADVISER September 2011 | 25